Identity Providers APIs
APIs for managing Identity Providers
Table of Contents
1. Get all Identity Providers
- This API is used to get a list of all Identity Providers
Tip : Please refer to IdentityProvider.
1.1. Prerequisites API
None
When ADFS is configured
1.2. Steps API
- Invoke the API.
Note : For the sake of brevity, the Bearer tokens in the Authorization header has been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers' -i -X GET \
-H 'Authorization: Bearer etYWRta....'
HTTP Request
GET /v1/identity-providers HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
HTTP Response
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 1682
{
"elements" : [ {
"id" : "1a9bd081-40c4-434d-af78-33a162522100",
"name" : "Embedded IDP",
"type" : "Embedded",
"identitySources" : [ {
"name" : "vsphere.local",
"type" : "SystemDomain",
"domainNames" : [ "vsphere.local" ]
}, {
"name" : "localos",
"type" : "LocalOs",
"domainNames" : [ "localos" ]
}, {
"name" : "embedded-ids-name",
"type" : "ActiveDirectory",
"domainNames" : [ "embedded-ids.com" ],
"ldap" : {
"type" : "ActiveDirectory",
"domainName" : "embedded-ids.com",
"domainAlias" : "embedded-ids",
"username" : "[email protected]",
"sourceDetails" : {
"usersBaseDn" : "users-base-dn",
"groupsBaseDn" : "groups-base-dn",
"certChain" : [ ],
"serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
}
}
} ],
"status" : "inactive"
}, {
"id" : "82ce7b07-f878-41af-9ac3-e343bcb347dc",
"name" : "My AD Identity Source",
"type" : "Microsoft ADFS",
"domainNames" : [ "external-idp.com" ],
"ldap" : {
"type" : "Oidc",
"domainName" : "external-idp.com",
"domainAlias" : "external-idp",
"username" : "[email protected]",
"sourceDetails" : {
"usersBaseDn" : "users-base-dn",
"groupsBaseDn" : "groups-base-dn",
"serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
}
},
"oidc" : {
"clientId" : "45e1aba4-9c17-4e97-85ca-d302db142f4a",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
},
"status" : "active"
} ]
}
When OKTA is configured
1.3. Steps API
- Invoke the API.
Note : For the sake of brevity, the Bearer tokens in the Authorization header has been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers' -i -X GET \
-H 'Authorization: Bearer etYWRta....'
HTTP Request
GET /v1/identity-providers HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
HTTP Response
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 1705
{
"elements" : [ {
"id" : "3262279b-09b0-44eb-a3be-f4bded4f0851",
"name" : "Embedded IDP",
"type" : "Embedded",
"identitySources" : [ {
"name" : "vsphere.local",
"type" : "SystemDomain",
"domainNames" : [ "vsphere.local" ]
}, {
"name" : "localos",
"type" : "LocalOs",
"domainNames" : [ "localos" ]
}, {
"name" : "embedded-ids-name",
"type" : "ActiveDirectory",
"domainNames" : [ "embedded-ids.com" ],
"ldap" : {
"type" : "ActiveDirectory",
"domainName" : "embedded-ids.com",
"domainAlias" : "embedded-ids",
"username" : "[email protected]",
"sourceDetails" : {
"usersBaseDn" : "users-base-dn",
"groupsBaseDn" : "groups-base-dn",
"certChain" : [ ],
"serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
}
}
} ],
"status" : "inactive"
}, {
"id" : "159498c4-6e0e-4757-ae4b-dcb6aaa93216",
"name" : "Okta",
"type" : "FEDERATED_IDP_BROKER",
"status" : "active",
"fedIdp" : {
"name" : "Okta",
"source" : "OKTA",
"directoryList" : {
"name" : "OktaDirectory",
"defaultDomain" : "external-okta-idp.com",
"domains" : [ "external-okta-idp.com" ]
},
"oidcInfo" : {
"clientId" : "b118c606-4229-4653-85eb-a7dbabe8e804",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
},
"syncClientTokenTTL" : 263000,
"syncClientTokenInfo" : {
"expireAt" : "2024-06-21T02:43:21.998Z",
"scimUrl" : "https://domain.com/usergroup/t/CUSTOMER/scim/v2"
}
}
} ]
}
1.4. Related APIs API
[_getidentityproviders] API [_getidentityproviderbyid] API
2. Get Identity Provider
Retrieve detailed information of the specified identity provider.
2.1. Prerequisites API
The following data is required
- Identifier of the provider
2.2. Steps API
- Invoke the API.
Note : For the sake of brevity, the Bearer tokens in the Authorization header has been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/be12eb48-11ea-486a-bb7d-756d2e0e4ade' -i -X GET \
-H 'Authorization: Bearer etYWRta....'
HTTP Request
GET /v1/identity-providers/be12eb48-11ea-486a-bb7d-756d2e0e4ade HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
HTTP Response
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 684
{
"id" : "be12eb48-11ea-486a-bb7d-756d2e0e4ade",
"name" : "My AD Identity Source",
"type" : "Microsoft ADFS",
"domainNames" : [ "external-idp.com" ],
"ldap" : {
"type" : "Oidc",
"domainName" : "external-idp.com",
"domainAlias" : "external-idp",
"username" : "[email protected]",
"sourceDetails" : {
"usersBaseDn" : "users-base-dn",
"groupsBaseDn" : "groups-base-dn",
"serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
}
},
"oidc" : {
"clientId" : "b084174f-256b-4cae-aee3-3584659915f1",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
},
"status" : "active"
}
2.3. Related APIs API
[_getidentityproviders] API
3. Add an embedded Identity Source
3.1. Prerequisites API
The following data is required
- Identifier of the embedded Identity Provider
Tip : Please refer to IdentitySourceSpec.
3.2. Steps API
- Fetch the ID for the embedded identity provider from the list Identity Providers Response.
Tip : Refer to Get all Identity Providers
- Invoke the API to add an embedded identity source.
Note : For the sake of brevity, the Bearer tokens in the Authorization header has been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/a43695f0-ccf8-42d3-9965-0de89a70bb7f/identity-sources' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer etYWRta....' \
-d '{
"name" : "My AD Identity Source",
"ldap" : {
"type" : "ActiveDirectory",
"domainName" : "embedded-ids.com",
"domainAlias" : "embedded-ids",
"username" : "[email protected]",
"password" : "xxxxxxxxx",
"sourceDetails" : {
"usersBaseDn" : "users-base-dn",
"groupsBaseDn" : "groups-base-dn",
"certChain" : [ ],
"serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
}
}
}'
HTTP Request
POST /v1/identity-providers/a43695f0-ccf8-42d3-9965-0de89a70bb7f/identity-sources HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 452
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
{
"name" : "My AD Identity Source",
"ldap" : {
"type" : "ActiveDirectory",
"domainName" : "embedded-ids.com",
"domainAlias" : "embedded-ids",
"username" : "[email protected]",
"password" : "xxxxxxxxx",
"sourceDetails" : {
"usersBaseDn" : "users-base-dn",
"groupsBaseDn" : "groups-base-dn",
"certChain" : [ ],
"serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
}
}
}
HTTP Response
HTTP/1.1 201 Created
Content-Type: application/json
Content-Length: 68
Added Identity source with domain name embedded-ids.com successfully
3.3. Related APIs API
[_getidentityproviders] API [_getidentityproviderbyid] API [_addembeddedidentitysource] API [_updateembeddedidentitysource] API [_deleteidentitysource] API
4. Update an embedded Identity Source
4.1. Prerequisites API
The following data is required
Identifier of the embedded Identity Provider
The domain name associated with the identity source
Tip : Please refer to IdentitySourceSpec.
4.2. Steps API
- Fetch the ID for the embedded identity provider and the domain name associated with the identity source from the list Identity Providers Response.
Tip : Refer to Get all Identity Providers
- Invoke the API to delete an embedded identity source.
Note : For the sake of brevity, the Bearer tokens in the Authorization header has been abbreviated in the code snippets throughout this document.
Note : Please note that the domainName and domainAlias fields cannot be modified
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/578ec94c-ee0a-46de-9c67-faa5554a35b6/identity-sources/embedded-ids.com' -i -X PATCH \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer etYWRta....' \
-d '{
"name" : "My AD Identity Source",
"ldap" : {
"type" : "ActiveDirectory",
"domainName" : "embedded-ids.com",
"domainAlias" : "embedded-ids",
"username" : "[email protected]",
"password" : "xxxxxxxxx",
"sourceDetails" : {
"usersBaseDn" : "users-base-dn",
"groupsBaseDn" : "groups-base-dn",
"certChain" : [ ],
"serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
}
}
}'
HTTP Request
PATCH /v1/identity-providers/578ec94c-ee0a-46de-9c67-faa5554a35b6/identity-sources/embedded-ids.com HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 452
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
{
"name" : "My AD Identity Source",
"ldap" : {
"type" : "ActiveDirectory",
"domainName" : "embedded-ids.com",
"domainAlias" : "embedded-ids",
"username" : "[email protected]",
"password" : "xxxxxxxxx",
"sourceDetails" : {
"usersBaseDn" : "users-base-dn",
"groupsBaseDn" : "groups-base-dn",
"certChain" : [ ],
"serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
}
}
}
HTTP Response
HTTP/1.1 204 No Content
4.3. Related APIs API
[_getidentityproviders] API [_getidentityproviderbyid] API Add an embedded Identity Source [_addembeddedidentitysource] API [_deleteidentitysource] API
5. Delete an embedded Identity Source
5.1. Prerequisites API
The following data is required
Identifier of the embedded Identity Provider
The domain name associated with the identity source
5.2. Steps API
- Fetch the ID for the embedded identity provider and the domain name associated with the identity source from the list Identity Providers Response.
Tip : Refer to Get all Identity Providers
- Invoke the API to delete an embedded identity source.
Note : For the sake of brevity, the Bearer tokens in the Authorization header has been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/287b3b49-baf5-46d0-8da5-a738f8490bf1/identity-sources/embedded-ids.com' -i -X DELETE \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer etYWRta....'
HTTP Request
DELETE /v1/identity-providers/287b3b49-baf5-46d0-8da5-a738f8490bf1/identity-sources/embedded-ids.com HTTP/1.1
Content-Type: application/json
Accept: application/json
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
HTTP Response
HTTP/1.1 204 No Content
5.3. Related APIs API
[_getidentityproviders] API [_getidentityproviderbyid] API [_addembeddedidentitysource] API [_updateembeddedidentitysource] API
6. Add an external Identity Provider
6.1. Prerequisites API
The following data is needed:
- Identity Provider Spec details
Tip : Please refer to IdentityProviderSpec.
Configure ADFS
6.2. Steps API
- Invoke the API to add an external identity provider.
Note : For the sake of brevity, the Bearer tokens in the Authorization header has been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer etYWRta....' \
-d '{
"name" : "My ADFS",
"type" : "AD_FS",
"certChain" : [ ],
"ldap" : {
"domainName" : "external-idp.com",
"domainAlias" : "external-idp",
"username" : "[email protected]",
"password" : "xxxxxxxxx",
"sourceDetails" : {
"usersBaseDn" : "users-base-dn",
"groupsBaseDn" : "groups-base-dn",
"certChain" : [ ],
"serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
}
},
"oidc" : {
"clientId" : "9f7e2073-d6f8-4198-b636-9f20c5728789",
"clientSecret" : "b306ff6f-3a10-4c59-ae87-26e90718866b",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
}
}'
HTTP Request
POST /v1/identity-providers HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 663
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
{
"name" : "My ADFS",
"type" : "AD_FS",
"certChain" : [ ],
"ldap" : {
"domainName" : "external-idp.com",
"domainAlias" : "external-idp",
"username" : "[email protected]",
"password" : "xxxxxxxxx",
"sourceDetails" : {
"usersBaseDn" : "users-base-dn",
"groupsBaseDn" : "groups-base-dn",
"certChain" : [ ],
"serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
}
},
"oidc" : {
"clientId" : "9f7e2073-d6f8-4198-b636-9f20c5728789",
"clientSecret" : "b306ff6f-3a10-4c59-ae87-26e90718866b",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
}
}
HTTP Response
HTTP/1.1 201 Created
Content-Type: application/json
Content-Length: 36
74d6b815-78a4-40d7-8245-847469628460
Configure OKTA
6.3. Steps API
- Invoke the precheck API
Note : For the sake of brevity, the Bearer tokens in the Authorization header has been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-broker/prechecks?type=OKTA' -i -X GET \
-H 'Authorization: Bearer etYWRta....'
HTTP Request
GET /v1/identity-broker/prechecks?type=OKTA HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
HTTP Response
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 26
{
"status" : "SUCCESS"
}
- If the status from the above API is "SUCCESS", invoke the following API to configure OKTA as an external identity provider.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer etYWRta....' \
-d '{
"type" : "FEDERATED_IDP_BROKER",
"fedIdpSpec" : {
"name" : "okta",
"directory" : {
"name" : "okta_dir",
"defaultDomain" : "domain1.com",
"domains" : [ "domain1.com", "domain2.com" ],
"federatedIdpSourceType" : "OKTA"
},
"oidcSpec" : {
"clientId" : "9adeb6c4-a101-4407-926e-c19732eaeff6",
"clientSecret" : "94f20f6d-c9f0-4e95-9c1e-5fd42b5eda99",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
}
}
}'
HTTP Request
POST /v1/identity-providers HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 496
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
{
"type" : "FEDERATED_IDP_BROKER",
"fedIdpSpec" : {
"name" : "okta",
"directory" : {
"name" : "okta_dir",
"defaultDomain" : "domain1.com",
"domains" : [ "domain1.com", "domain2.com" ],
"federatedIdpSourceType" : "OKTA"
},
"oidcSpec" : {
"clientId" : "9adeb6c4-a101-4407-926e-c19732eaeff6",
"clientSecret" : "94f20f6d-c9f0-4e95-9c1e-5fd42b5eda99",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
}
}
}
HTTP Response
HTTP/1.1 201 Created
Content-Type: application/json
Content-Length: 36
34e29540-6e7b-4c24-bc71-cc14f823c21c
Configure Microsoft Entra ID
6.4. Steps API
- Invoke the precheck API
Note : For the sake of brevity, the Bearer tokens in the Authorization header has been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-broker/prechecks?type=MICROSOFT_ENTRA_ID' -i -X GET \
-H 'Authorization: Bearer etYWRta....'
HTTP Request
GET /v1/identity-broker/prechecks?type=MICROSOFT_ENTRA_ID HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
HTTP Response
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 26
{
"status" : "SUCCESS"
}
- If the status from the above API is "SUCCESS", invoke the following API to configure Microsoft Entra ID as an external identity provider.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer etYWRta....' \
-d '{
"type" : "FEDERATED_IDP_BROKER",
"fedIdpSpec" : {
"name" : "Entra ID",
"directory" : {
"name" : "entra_dir",
"defaultDomain" : "domain1.com",
"domains" : [ "domain1.com", "domain2.com" ],
"federatedIdpSourceType" : "MICROSOFT_ENTRA_ID"
},
"oidcSpec" : {
"clientId" : "c1d05ba4-08fa-4666-9b3f-5b6bd2b26911",
"clientSecret" : "40428503-6053-4278-9716-374f1498c71a",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
}
}
}'
HTTP Request
POST /v1/identity-providers HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 515
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
{
"type" : "FEDERATED_IDP_BROKER",
"fedIdpSpec" : {
"name" : "Entra ID",
"directory" : {
"name" : "entra_dir",
"defaultDomain" : "domain1.com",
"domains" : [ "domain1.com", "domain2.com" ],
"federatedIdpSourceType" : "MICROSOFT_ENTRA_ID"
},
"oidcSpec" : {
"clientId" : "c1d05ba4-08fa-4666-9b3f-5b6bd2b26911",
"clientSecret" : "40428503-6053-4278-9716-374f1498c71a",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
}
}
}
HTTP Response
HTTP/1.1 201 Created
Content-Type: application/json
Content-Length: 36
aadd13f5-c05e-491b-9312-23e743175904
Note : Please note that the sync client token TTL needs to be configured while generating the sync client token (Please refer to [_generatesyncclienttoken] API) Setting this parameter while configuring an Okta/Entra Identity Providers has been deprecated
6.5. Related APIs API
[_getidentityproviders] API [_getidentityproviderbyid] API [_updateexternalidentityprovider] API [_deleteexternalidentityprovider] API [_getidentityprecheckresult] API
7. Update an external Identity Provider
7.1. Prerequisites API
The following data is required
- Identifier of the external Identity Provider
Tip : Please refer to IdentityProviderSpec.
When ADFS is configured
7.2. Steps API
- Invoke the API to update an external identity provider.
Note : For the sake of brevity, the Bearer tokens in the Authorization header has been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/c3548bff-fb80-41af-824e-36bf70af6873' -i -X PATCH \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer etYWRta....' \
-d '{
"name" : "My ADFS",
"type" : "AD_FS",
"certChain" : [ ],
"ldap" : {
"domainName" : "external-idp.com",
"domainAlias" : "external-idp",
"username" : "[email protected]",
"password" : "xxxxxxxxx",
"sourceDetails" : {
"usersBaseDn" : "users-base-dn",
"groupsBaseDn" : "groups-base-dn",
"certChain" : [ ],
"serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
}
},
"oidc" : {
"clientId" : "20d617c4-01db-41c3-b2fa-d0bee65f0756",
"clientSecret" : "a54093d5-5f44-4551-80ef-d5d4233f4915",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
}
}'
HTTP Request
PATCH /v1/identity-providers/c3548bff-fb80-41af-824e-36bf70af6873 HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 663
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
{
"name" : "My ADFS",
"type" : "AD_FS",
"certChain" : [ ],
"ldap" : {
"domainName" : "external-idp.com",
"domainAlias" : "external-idp",
"username" : "[email protected]",
"password" : "xxxxxxxxx",
"sourceDetails" : {
"usersBaseDn" : "users-base-dn",
"groupsBaseDn" : "groups-base-dn",
"certChain" : [ ],
"serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
}
},
"oidc" : {
"clientId" : "20d617c4-01db-41c3-b2fa-d0bee65f0756",
"clientSecret" : "a54093d5-5f44-4551-80ef-d5d4233f4915",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
}
}
HTTP Response
HTTP/1.1 204 No Content
When OKTA is configured
7.3. Steps API
- Invoke the API to update an external identity provider.
Note : For the sake of brevity, the Bearer tokens in the Authorization header has been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/867eddfb-2e93-4b94-adb5-70679d112b4b' -i -X PATCH \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer etYWRta....' \
-d '{
"type" : "FEDERATED_IDP_BROKER",
"fedIdpSpec" : {
"name" : "okta",
"directory" : {
"name" : "okta_dir",
"defaultDomain" : "domain1.com",
"domains" : [ "domain1.com", "domain2.com" ],
"federatedIdpSourceType" : "OKTA"
},
"oidcSpec" : {
"clientId" : "627cf43f-3101-4c6e-a223-7567795a5499",
"clientSecret" : "62f5546e-821d-48d0-92a8-749d0ba12ec8",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
}
}
}'
HTTP Request
PATCH /v1/identity-providers/867eddfb-2e93-4b94-adb5-70679d112b4b HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 496
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
{
"type" : "FEDERATED_IDP_BROKER",
"fedIdpSpec" : {
"name" : "okta",
"directory" : {
"name" : "okta_dir",
"defaultDomain" : "domain1.com",
"domains" : [ "domain1.com", "domain2.com" ],
"federatedIdpSourceType" : "OKTA"
},
"oidcSpec" : {
"clientId" : "627cf43f-3101-4c6e-a223-7567795a5499",
"clientSecret" : "62f5546e-821d-48d0-92a8-749d0ba12ec8",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
}
}
}
HTTP Response
HTTP/1.1 204 No Content
When Microsoft Entra ID is configured
7.4. Steps API
- Invoke the API to update an external identity provider.
Note : For the sake of brevity, the Bearer tokens in the Authorization header has been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/0d83b6b3-e747-4ab1-8af5-f781570ab70b' -i -X PATCH \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer etYWRta....' \
-d '{
"type" : "FEDERATED_IDP_BROKER",
"fedIdpSpec" : {
"name" : "Entra ID",
"directory" : {
"name" : "entra_dir",
"defaultDomain" : "domain1.com",
"domains" : [ "domain1.com", "domain2.com" ],
"federatedIdpSourceType" : "MICROSOFT_ENTRA_ID"
},
"oidcSpec" : {
"clientId" : "6bf58703-4318-4e24-bb9a-f5f26978f4af",
"clientSecret" : "19521bd1-478f-4ee7-86d8-aa0d7879c182",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
}
}
}'
HTTP Request
PATCH /v1/identity-providers/0d83b6b3-e747-4ab1-8af5-f781570ab70b HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 515
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
{
"type" : "FEDERATED_IDP_BROKER",
"fedIdpSpec" : {
"name" : "Entra ID",
"directory" : {
"name" : "entra_dir",
"defaultDomain" : "domain1.com",
"domains" : [ "domain1.com", "domain2.com" ],
"federatedIdpSourceType" : "MICROSOFT_ENTRA_ID"
},
"oidcSpec" : {
"clientId" : "6bf58703-4318-4e24-bb9a-f5f26978f4af",
"clientSecret" : "19521bd1-478f-4ee7-86d8-aa0d7879c182",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
}
}
}
HTTP Response
HTTP/1.1 204 No Content
Note : Please note that the sync client token TTL needs to be configured while generating the sync client token (Please refer to [_generatesyncclienttoken] API) Setting this parameter while configuring an Okta/Entra Identity Providers has been deprecated
7.5. Related APIs API
[_getidentityproviders] API [_getidentityproviderbyid] API [_addexternalidentityprovider] API [_deleteexternalidentityprovider] API
8. Delete an external Identity Provider
8.1. Prerequisites API
The following data is required
- Identifier of the external Identity Provider
8.2. Steps API
- Invoke the API to delete an external identity provider.
Note : For the sake of brevity, the Bearer tokens in the Authorization header has been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/2e31e126-470c-47dc-af86-3270c8d2ab0b' -i -X DELETE \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer etYWRta....'
HTTP Request
DELETE /v1/identity-providers/2e31e126-470c-47dc-af86-3270c8d2ab0b HTTP/1.1
Content-Type: application/json
Accept: application/json
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
HTTP Response
HTTP/1.1 204 No Content
8.3. Related APIs API
[_getidentityproviders] API [_getidentityproviderbyid] API [_addexternalidentityprovider] API [_updateexternalidentityprovider] API
9. Generate sync client token
The sync client token is used by the IDP administrator to push users and groups into the WS1B. Only the users / groups synced to the vCenter/WS1B can login to VCF. Please refer to https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-authentication/GUID-88933505-9299-49FB-9C30-56E43683099B.html and https://kb.vmware.com/s/article/90835 for more information.
9.1. Prerequisites API
The following data is required
Identifier of the external Identity Provider
Sync client token TTL
9.2. Steps API
- Fetch the ID for the external identity provider from the list Identity Providers Response.
Tip : Refer to Get all Identity Providers
- Invoke the API to generate the sync client token.
Note : For the sake of brevity, the Bearer tokens in the Authorization header has been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/1cff4094-022d-46c3-b13a-82185e1260a6/sync-client?syncClientTokenTTL=263000' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer etYWRta....'
HTTP Request
POST /v1/identity-providers/1cff4094-022d-46c3-b13a-82185e1260a6/sync-client?syncClientTokenTTL=263000 HTTP/1.1
Content-Type: application/json
Accept: application/json
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
HTTP Response
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 1370
{
"expireIn" : 1718937801,
"token" : "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJleHAiOjE3MTM2AAzMjksImlhdCI6MTY4MzU4MDMyOSwic3ViIjoiZDZjYjEyN2EtN2Q3Yi00NDRhLTg1MWUtODI1Mjk3YjA2OTQyIiwiYXV0aF90aW1lIjoxNjgzNTgwMzI5LCJzY3AiOiJhZG1pbiIsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTAxMTQvU0FBUy9hdXRoL29hdXRodG9rZW4iLCJhenAiOiJzeW5jQ2xpZW50SWQzSVlRaFdwVlNaNVRkUDloZFdoaHZvZmJud3NSczhDUSIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTAxMTQvYWNzLyIsInJ1bGVzIjp7ImV4cGlyeSI6MTY4MzU4MjEyOSwibGluayI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTAxMTQvYWNzL3J1bGVzL21lIiwicnVsZXMiOlt7InJlc291cmNlcyI6WyJ2cm46dWc6KiJdLCJhY3Rpb25zIjpbInVnOioiXSwiY29uZGl0aW9ucyI6bnVsbCwiYWR2aWNlIjpudWxsfV19LCJwaWQiOiI0ODNmZmY1Yy1iYjg1LTQ2MTgtOWVmMi01MWYwZWFiYjBjMzMiLCJwcm5fdHlwZSI6IlNFUlZJQ0UiLCJwcm4iOiJzeW5jQ2xpZW50SWQzSVlRaFdwVlNaNVRkUDloZFdoaHZvZmJud3NSczhDUUBDVVNUT01FUiIsImp0aSI6IjQ4M2ZmZjVjLWJiODUtNDYxOC05ZWYyLTUxZjBlYWJiMGMzMyIsImNpZCI6InN5bmNDbGllbnRJZDNJWVFoV3BWU1o1VGRQOWhkV2hodm9mYm53c1JzOENRIn0.OiZ6nHiFy9hTuU09fT2BUGzbD3XWH-XBoAOCFG3sC8-Pk2FXAn4oZ5fQ9zJHRMDTapAbhfzOF7hCgQ2klhIk_RAnuneey3pUJKotB-DoExU6v6DS3-4C1YBhvMYqezytfE0zcw--ZZbJxFjCwHMIHCf-t6LPLBoEpRZbhB5ZewscYACI0hYcSpseU2hWD9cSkCJr8w7j1zWowIQ1KJxkfdoTdjLuAIH_vesKVcSXirsuOeDiPng93Rx-umMyCzQ8-og64JK1C3XdzdfTsN1-gporUclgawcgFlZgyQFkeL0h8B6j61MzUYHBvwBU_a6jm97BUjSBeu86ipk39o29Og",
"scimUrl" : "https://sfo01-m01-vc01.rainpole.io/usergroup/t/tenantType/scim/v2"
}
Note : Please note that the sync client token TTL needs to be passed as a query parameter to the API. Setting this parameter while configuring an Okta/Entra Identity Providers has been deprecated (Please refer to [_addexternalidentityprovider] API)
9.3. Related APIs API
[_getidentityproviders] API [_getidentityproviderbyid] API [_generatesyncclienttoken] API
Last updated 2024-06-21 01:22:12 -0700