Virtual Infrastructure Guest Alias Manager APIs

The GuestAliasManager supports single sign-on for virtual machine access to perform guest operations.

The GuestAliasManager provides methods to create and access aliases.

A guest alias defines an association between a guest user account on a virtual machine and an external vSphere user account. The vSphere account is represented by credentials consisting of an X.509 certificate and a subject name. The certificate and subject name are encoded in SAML tokens that are provided by the VMware SSO Server. The SAML tokens are attached to guest operation requests. If the credentials in a SAML token match an alias that is defined for a virtual machine, the ESXi Server guest components grant access for execution of the guest operation in the context of the user account on the virtual machine.

To create a guest alias, use the AddGuestAlias method. AddGuestAlias establishes the association between a guest user account, certificate, and SAML token subject.

  • The username parameter identifies the guest account.
  • The base64Cert parameter specifies the X.509 certificate.
  • The aliasInfo parameter identifies the SAML token subject (GuestAuthAliasInfo.subject.name).

If there are no aliases defined for a virtual machine, the ESXi Server will perform standard authentication using the credentials associated with a guest operation request. If one or more aliases are defined for a virtual machine, any guest operation request that uses SAML token authentication (SAMLTokenAuthentication) must specify a token that corresponds to one of the defined aliases.

After defining one or more guest aliases, you can specify SAMLTokenAuthentication for the auth parameter to guest operation methods:

For information about obtaining a SAML token from a VMware SSO Server, see VMware Single Sign-On Programming Guide.

You can define multiple aliases for a guest account. You can also map the credentials to an alias by setting mapCert to "true" in the call to the AddGuestAlias method. When an alias has a mapped credential, requests using that alias do not need to identify the guest account.
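The matching rules described above, as a simplified Python model added here for illustration (it is not VMware's code or API). The `Alias` class, `resolve_guest_account`, and the sample values are hypothetical; the model assumes certificates are compared as decoded bytes and that a certificate/subject pair mapped to more than one guest account is refused.

```python
import base64
from dataclasses import dataclass
from typing import List, Optional

STANDARD_AUTH = object()  # sentinel: VM has no aliases, standard authentication applies


@dataclass(frozen=True)
class Alias:
    username: str        # guest account (AddGuestAlias "username")
    base64_cert: str     # X.509 certificate (AddGuestAlias "base64Cert")
    subject: str         # SAML token subject (aliasInfo subject name)
    map_cert: bool = False  # AddGuestAlias "mapCert"


def _der(b64: str) -> bytes:
    # Decode before comparing so line wrapping in the base64 text is irrelevant.
    return base64.b64decode("".join(b64.split()))


def resolve_guest_account(aliases: List[Alias], token_cert: str,
                          token_subject: str, username: Optional[str] = None):
    """Return the guest account the request runs as, STANDARD_AUTH when the
    VM defines no aliases, or None when the token matches no usable alias."""
    if not aliases:
        return STANDARD_AUTH
    matches = [a for a in aliases
               if _der(a.base64_cert) == _der(token_cert)
               and a.subject == token_subject]
    if username is not None:
        # Request names the guest account: it must own a matching alias.
        return username if any(a.username == username for a in matches) else None
    # No account named: only a mapped alias can supply one.
    mapped = {a.username for a in matches if a.map_cert}
    # Assumption: an ambiguous mapping (several accounts) is refused.
    return next(iter(mapped)) if len(mapped) == 1 else None


# Constructed sample data: placeholder bytes stand in for DER certificates.
CERT_A = base64.b64encode(b"constructed DER bytes for SSO cert A").decode()
CERT_B = base64.b64encode(b"constructed DER bytes for SSO cert B").decode()
ALIASES = [
    Alias("svc_backup", CERT_A, "backup@vsphere.local", map_cert=True),
    Alias("alice", CERT_A, "alice@vsphere.local"),
]

if __name__ == "__main__":
    print(resolve_guest_account(ALIASES, CERT_A, "backup@vsphere.local"))
    print(resolve_guest_account(ALIASES, CERT_A, "alice@vsphere.local"))
```

When reviewing the output of the list operations, mapped aliases are the entries to check first, because under this model a matching token alone selects the guest account.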

Operations

  • POST Guest Alias Manager Add Guest Alias: Defines an alias for a guest account in a virtual machine.
  • POST Guest Alias Manager List Guest Aliases: Lists the *GuestAliases* for a specified user in the guest that can be used for authentication of guest operations.
  • POST Guest Alias Manager List Guest Mapped Aliases: Lists the *GuestMappedAliases* in the guest that can be used for authentication of guest operations.
  • POST Guest Alias Manager Remove Guest Alias: Removes an alias from the guest so it can no longer be used for authentication of guest operations.
  • POST Guest Alias Manager Remove Guest Alias By Cert: Removes a VMware SSO Server's certificate and all associated aliases from the guest so it can no longer be used for authentication of guest operations.