Vcenter Identity Providers create

Vcenter Identity Providers create

Create a vCenter Server identity provider.

This operation was added in vSphere API 7.0.0.0.

Returns an authorization error if you do not have all of the privileges described as follows:

  • Operation execution requires VcIdentityProviders.Create and VcIdentityProviders.Manage.
Request
URI
POST
https://{api_host}/api/vcenter/identity/providers
COPY
Request Body

the CreateSpec contains the information used to create the provider

Vcenter Identity Providers CreateSpec of type(s) application/json
Required

Show optional properties

{
    "config_tag": "string"
}
{
    "config_tag": "string",
    "oauth2": {
        "auth_endpoint": "string",
        "token_endpoint": "string",
        "public_key_uri": "string",
        "client_id": "string",
        "client_secret": "string",
        "claim_map": {
            "claim_map": {
                "claim_map": [
                    "string"
                ]
            }
        },
        "issuer": "string",
        "authentication_method": "string",
        "auth_query_params": {
            "auth_query_params": [
                "string"
            ]
        }
    },
    "oidc": {
        "discovery_endpoint": "string",
        "client_id": "string",
        "client_secret": "string",
        "claim_map": {
            "claim_map": {
                "claim_map": [
                    "string"
                ]
            }
        }
    },
    "org_ids": [
        "string"
    ],
    "is_default": false,
    "name": "string",
    "domain_names": [
        "string"
    ],
    "auth_query_params": {
        "auth_query_params": [
            "string"
        ]
    },
    "idm_protocol": "string",
    "idm_endpoints": [
        "string"
    ],
    "active_directory_over_ldap": {
        "user_name": "string",
        "password": "string",
        "users_base_dn": "string",
        "groups_base_dn": "string",
        "server_endpoints": [
            "string"
        ],
        "cert_chain": {
            "cert_chain": [
                "string"
            ]
        }
    },
    "upn_claim": "string",
    "groups_claim": "string",
    "federation_type": "string"
}
string
config_tag
Required

The config type of the identity provider

For more information see: Vcenter Identity Providers ConfigType.

This property was added in vSphere API 7.0.0.0.

oauth2
Optional

OAuth2 CreateSpec

This property was added in vSphere API 7.0.0.0.

This property is optional and it is only relevant when the value of config_tag is Vcenter Identity Providers ConfigType.oauth2.

oidc
Optional

OIDC CreateSpec

This property was added in vSphere API 7.0.0.0.

This property is optional and it is only relevant when the value of config_tag is Vcenter Identity Providers ConfigType.oidc.

array of string
org_ids
Optional

The set of orgIds as part of SDDC creation which provides the basis for tenancy

This property was added in vSphere API 7.0.0.0.

If missing or null, the set will be empty.

boolean
is_default
Optional

Specifies whether the provider is the default provider. Setting is_default of current provider to True makes all other providers non-default.

This property was added in vSphere API 7.0.0.0.

If missing or null the provider will be the default provider if it is the first provider that is created, and will not be the default provider otherwise.

string
name
Optional

The user friendly name for the provider. This name can be used for human-readable identification purposes, but it does not have to be unique, as the system will use internal UUIDs to differentiate providers.

This property was added in vSphere API 7.0.0.0.

If missing or null, the name will be the empty string

array of string
domain_names
Optional

Set of fully qualified domain names to trust when federating with this identity provider. Tokens from this identity provider will only be validated if the user belongs to one of these domains, and any domain-qualified groups in the tokens will be filtered to include only those groups that belong to one of these domains.

This property was added in vSphere API 7.0.0.0.

If missing or null, domainNames will be the empty set and the domain validation behavior at login with this identity provider will be as follows: the user's domain will be parsed from the User Principal Name (UPN) value that is found in the tokens returned by the identity provider. This domain will then be implicitly trusted and used to filter any groups that are also provided in the tokens.

object
auth_query_params
Optional

key/value pairs that are to be appended to the authEndpoint request.

How to append to authEndpoint request: If the map is not empty, a "?" is added to the endpoint URL, and combination of each k and each string in the v is added with an "&" delimiter. Details:

  • If the value contains only one string, then the key is added with "k=v".
  • If the value is an empty list, then the key is added without a "=v".
  • If the value contains multiple strings, then the key is repeated in the query-string for each string in the value.

This property was added in vSphere API 7.0.0.0.

If missing or null, the map will be empty.

string
idm_protocol
Optional

Communication protocol to the identity management endpoints.

For more information see: Vcenter Identity Providers IdmProtocol.

This property was added in vSphere API 7.0.0.0.

If missing or null, no communication protocol will be configured for the identity provider.

array of string
idm_endpoints
Optional

Identity management endpoints. When specified, at least one endpoint must be provided.

This property was added in vSphere API 7.0.0.0.

This property is optional and it is only relevant when the value of idm_protocol is one of Vcenter Identity Providers IdmProtocol.REST, Vcenter Identity Providers IdmProtocol.SCIM, or Vcenter Identity Providers IdmProtocol.scim2_0.

active_directory_over_ldap
Optional

Identity management configuration. If the protocol is LDAP, the configuration must be set, else InvalidArgument is thrown.

This property was added in vSphere API 7.0.0.0.

This property is optional and it is only relevant when the value of idm_protocol is Vcenter Identity Providers IdmProtocol.LDAP.

string
upn_claim
Optional

Specifies which claim provides the user principal name (UPN) for the user.

This property was added in vSphere API 7.0.0.0.

If missing or null, the claim named 'acct' will be used to provide backwards compatibility with CSP.

string
groups_claim
Optional

Specifies which claim provides the group membership for the token subject. These groups will be used for mapping to local groups per the claim map.

This property was added in vSphere API 7.0.0.0.

If missing or null, the default behavior will be CSP backwards compatiblility. The groups for the subject will be comprised of the groups in 'group_names' and 'group_ids' claims.

string
federation_type
Optional

The type of the identity provider

For more information see: Vcenter Identity FederationType.

This property was added in vSphere API 8.0.1.0.

If missing or null, the federation type value will not be set.

Authentication
This operation uses the following authentication methods.
Responses
201

The identifier of the created identity provider.

The response will be an identifier for the resource type: com.vmware.vcenter.identity.Providers.

Returns string of type(s) application/json
Operation doesn't return any data structure

400

Vapi Std Errors InvalidArgument if invalid arguments are provided in createSpec.

Vapi Std Errors AlreadyExists if provider exists for provider ID in given spec.

Returns Vapi Std Errors Error of type(s) application/json
"Vapi Std Errors Error Object"
array of object
messages
Required

Stack of one or more localizable messages for human error consumers.

The message at the top of the stack (first in the list) describes the error from the perspective of the operation the client invoked.

Each subsequent message in the stack describes the "cause" of the prior message.

object
data
Optional

Data to facilitate clients responding to the operation reporting a standard error to indicating that it was unable to complete successfully.

Operations may provide data that clients can use when responding to errors. Since the data that clients need may be specific to the context of the operation reporting the error, different operations that report the same error may provide different data in the error. The documentation for each each operation will describe what, if any, data it provides for each error it reports.

The Vapi Std Errors ArgumentLocations, Vapi Std Errors FileLocations, and Vapi Std Errors TransientIndication schemas are intended as possible values for this property. Vapi Std DynamicID may also be useful as a value for this property (although that is not its primary purpose). Some resources may provide their own specific schemas for use as the value of this property when reporting errors from their operations.

Some operations will not set this property when reporting errors.

string
error_type
Required

Discriminator field to help API consumers identify the structure type.

For more information see: Vapi Std Errors Error Type.

This property was added in vSphere API 6.7.2.

Can be missing or null for compatibility with preceding implementations.


403

if authorization is not given to caller.

Returns Vapi Std Errors Unauthorized of type(s) application/json
This response body class contains all of the following: InlineVapi Std Errors Unauthorized0
"Vapi Std Errors Unauthorized Object"

Code Samples
COPY
                    curl -X POST -H 'Authorization: <value>' -H 'Content-Type: application/json' -d '{"config_tag:"string"}' https://{api_host}/api/vcenter/identity/providers