Vcenter NamespaceManagement Supervisors Identity Providers Info
The Vcenter NamespaceManagement Supervisors Identity Providers Info schema provides details about an identity provider configured with a Supervisor.
This schema was added in vSphere API 8.0.0.1.
{
  "provider": "string",
  "display_name": "string",
  "issuer_url": "string",
  "username_claim": "string",
  "groups_claim": "string",
  "client_id": "string",
  "certificate_authority_data": "string",
  "additional_scopes": [
    "string"
  ],
  "additional_authorize_parameters": {
    "additional_authorize_parameters": "string"
  },
  "credentials_exchange_jwt_authenticator": "string",
  "allow_credentials_exchange": false,
  "prefix": "string",
  "extra_claims": [
    "string"
  ],
  "enable_kubernetes_jwt_authentication": false
}
provider (string)
The immutable identifier of an identity provider, generated when the identity provider is registered for a Supervisor.
This property was added in vSphere API 8.0.0.1.
Both when clients pass a value of this schema as a parameter and when operations return one as a response, the property is an identifier for the resource type com.vmware.vcenter.namespace_management.identity.Provider.
display_name (string)
A name to be used for the given identity provider. This name is displayed in the vCenter UI.
This property was added in vSphere API 8.0.0.1.
issuer_url (string)
The URL of the identity provider issuing tokens. The OIDC discovery URL is derived from the issuer URL according to RFC 8414: https://issuerURL/.well-known/openid-configuration. The issuer URL must use HTTPS as the scheme.
This property was added in vSphere API 8.0.0.1.
username_claim (string)
The claim in the upstream identity provider's ID token or user info endpoint response that is inspected to obtain the username for the given user.
This property was added in vSphere API 8.0.0.1.
If missing or null, the upstream issuer URL is concatenated with the 'sub' claim to generate the username used with Kubernetes.
groups_claim (string)
The claim in the upstream identity provider's ID token or user info endpoint response that is inspected to obtain the groups for the given user.
This property was added in vSphere API 8.0.0.1.
If missing or null, no groups are taken from the upstream identity provider.
client_id (string)
The OAuth 2.0 client ID registered in the upstream identity provider and used by the Supervisor.
This property was added in vSphere API 8.0.0.1.
certificate_authority_data (string)
The trusted root certificates used to establish HTTPS connections with the identity provider.
This property was added in vSphere API 8.0.0.1.
If missing or null, HTTPS connections with the upstream identity provider rely on a default set of system trusted roots.
additional_scopes (list of string)
Additional scopes to be requested in tokens issued by this identity provider. The 'openid' scope is always requested.
This property was added in vSphere API 8.0.0.1.
If missing or null, no additional scopes are requested.
additional_authorize_parameters (map of string to string)
Any additional parameters to be sent to the upstream identity provider in the authorize request of the OAuth 2.0 authorization code flow. One use case is passing a default tenant ID for a multi-tenant identity provider. For instance, with VMware's Cloud Services Platform, if your organization ID is 'long-form-org-id', the 'orgLink' parameter can be set to "/csp/gateway/am/api/orgs/long-form-org-id" so that users logging in use that organization.
This property was added in vSphere API 8.0.0.1.
If missing or null, no additional parameters are sent to the upstream identity provider.
credentials_exchange_jwt_authenticator (string)
Name of the 'JWTAuthenticator' Supervisor object created when allow_credentials_exchange is set to true.
This property was added in vSphere API 9.0.0.0.
If missing or null, no 'JWTAuthenticator' object has been created on the Supervisor.
allow_credentials_exchange (boolean)
If true, a client can exchange an ID token issued by the identity provider for an mTLS client certificate and key pair by using the Supervisor 'TokenCredentialRequest' API.
This property was added in vSphere API 9.0.0.0.
Defaults to false if missing or null.
prefix (string)
The prefix applied to usernames and group names originating from the upstream identity provider, to disambiguate identities coming from the various identity providers configured. The system automatically appends a colon (:) to the specified prefix. This prefix must be unique within a Supervisor.
This property was added in vSphere API 9.1.0.0.
If missing or null, usernames and group names from the upstream identity provider are used without a prefix.
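The issuer_url, certificate_authority_data and prefix properties each carry a constraint a reviewer can check before a provider record is accepted: the issuer must be HTTPS, a missing CA bundle means trust falls back to system roots, and a missing or duplicated prefix leaves identities from different providers indistinguishable. The following is an added example, not VMware's code: it reviews a constructed list of Info records (field names follow the schema above; the provider identifiers and URLs are made up) and returns findings, and it derives the discovery URL using the formula given for issuer_url.

```python
"""
Added example (not VMware's code): a defender-side review of Supervisor
identity-provider Info records against the constraints stated on this page.
The records below are constructed; only the fields the checks inspect are set.
"""
from urllib.parse import urlsplit

# Constructed sample records in the shape of the Info schema on this page.
SAMPLE_PROVIDERS = [
    {
        "provider": "provider-a",                        # constructed identifier
        "display_name": "Corporate IdP",
        "issuer_url": "https://idp.example.test/oidc",
        "certificate_authority_data": "-----BEGIN CERTIFICATE-----...",  # placeholder PEM
        "prefix": "corp",
    },
    {
        "provider": "provider-b",
        "display_name": "Partner IdP",
        "issuer_url": "http://partner.example.test",    # not HTTPS
        "certificate_authority_data": None,              # falls back to system roots
        "prefix": "corp",                                # collides with provider-a
    },
    {
        "provider": "provider-c",
        "display_name": "Lab IdP",
        "issuer_url": "https://lab.example.test",
        "prefix": None,                                  # identities land unprefixed
    },
]


def discovery_url(issuer_url):
    """OIDC discovery URL as the page states it: issuerURL + /.well-known/openid-configuration."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"


def review_providers(providers):
    """Return a list of (provider id, finding) tuples for settings that need a second look."""
    findings = []
    seen_prefixes = {}  # prefix -> provider id that first used it
    for p in providers:
        pid = p.get("provider")
        scheme = urlsplit(p.get("issuer_url") or "").scheme
        if scheme != "https":
            findings.append((pid, "issuer_url must use the HTTPS scheme"))
        if not p.get("certificate_authority_data"):
            findings.append((pid, "certificate_authority_data not set; HTTPS trust relies on system roots"))
        prefix = p.get("prefix")
        if not prefix:
            findings.append((pid, "prefix not set; usernames and groups are not disambiguated from other providers"))
        elif prefix in seen_prefixes:
            findings.append((pid, f"prefix '{prefix}' already used by provider {seen_prefixes[prefix]}"))
        else:
            seen_prefixes[prefix] = pid
    return findings


if __name__ == "__main__":
    for pid, finding in review_providers(SAMPLE_PROVIDERS):
        print(f"{pid}: {finding}")
    for p in SAMPLE_PROVIDERS:
        print(p["provider"], "->", discovery_url(p["issuer_url"]))
```

The prefix uniqueness check is evaluated across all records of one Supervisor, which is the scope the page gives for the constraint; records from different Supervisors should be reviewed separately.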
extra_claims (list of string)
A list of claims from the upstream identity provider's ID token to propagate to the Kubernetes UserInfo object upon successful authentication.
For each claim name in this list, a corresponding entry is added to the UserInfo.Extra map. The key is formatted as "vcf.vmware.com/<claim-name>", and the value is the corresponding claim value from the ID token.
Each claim name must consist of valid HTTP path characters as defined in RFC 3986. If a claim is not present in the ID token, it is not included in the UserInfo.Extra map.
This functionality is available only if the GET /vcenter/namespace-management/supervisors/{supervisor}/capabilities operation reports that the supports_supervisor_privileged_labels capability is enabled for the Supervisor.
This property was added in vSphere API 9.1.0.0.
If missing or null, no extra claims are propagated to the UserInfo object.
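The username_claim, groups_claim, prefix and extra_claims properties together define how an ID token becomes a Kubernetes identity. The following is an added example, not VMware's code, that applies those rules as this page states them to a constructed provider record and a constructed ID-token payload (assumed already signature-verified). The RFC 3986 pchar check for claim names is an assumed reading of "valid HTTP path characters", and plain concatenation of issuer URL and 'sub' is an assumption, since the page gives no separator.

```python
"""
Added example, not VMware's code: apply the username_claim, groups_claim,
prefix and extra_claims rules described above to the claims of an ID token
and build the resulting Kubernetes user identity. The provider record and
the token claims below are constructed; the mapping rules are taken from
the text of this page.
"""
import re

# Constructed provider record with only the fields relevant to identity mapping.
PROVIDER = {
    "issuer_url": "https://idp.example.test",
    "username_claim": "email",
    "groups_claim": "groups",
    "prefix": "corp",
    "extra_claims": ["department", "employee_id", "cost_center"],
}

# Constructed ID-token payload, as seen after signature verification.
# "cost_center" is deliberately absent to show that missing claims are skipped.
ID_TOKEN_CLAIMS = {
    "iss": "https://idp.example.test",
    "sub": "1234",
    "email": "alice@example.test",
    "groups": ["platform-admins", "developers"],
    "department": "security",
    "employee_id": "E-42",
}

EXTRA_KEY_PREFIX = "vcf.vmware.com/"

# RFC 3986 pchar = unreserved / pct-encoded / sub-delims / ":" / "@".
# Assumed reading of "valid HTTP path characters" in the text above.
_PCHAR_RE = re.compile(r"^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@]|%[0-9A-Fa-f]{2})+$")


def valid_claim_name(name):
    """True if every character of the claim name is an RFC 3986 pchar."""
    return bool(_PCHAR_RE.match(name))


def _apply_prefix(prefix, value):
    """The system appends ':' to the prefix; with no prefix the raw value is used."""
    return f"{prefix}:{value}" if prefix else value


def build_user_info(provider, claims):
    """Return the username, groups and extra map derived from the ID-token claims."""
    for name in provider.get("extra_claims") or []:
        if not valid_claim_name(name):
            raise ValueError(f"invalid claim name in extra_claims: {name!r}")

    username_claim = provider.get("username_claim")
    if username_claim:
        raw_user = claims[username_claim]
    else:
        # No username_claim: the page says issuer URL concatenated with 'sub'.
        # Plain concatenation is assumed; the page gives no separator.
        raw_user = provider["issuer_url"] + claims["sub"]

    groups_claim = provider.get("groups_claim")
    raw_groups = []
    if groups_claim:
        value = claims.get(groups_claim, [])
        raw_groups = [value] if isinstance(value, str) else list(value)

    prefix = provider.get("prefix")
    extra = {}
    for name in provider.get("extra_claims") or []:
        if name in claims:  # claims absent from the token are not propagated
            extra[EXTRA_KEY_PREFIX + name] = claims[name]

    return {
        "username": _apply_prefix(prefix, raw_user),
        "groups": [_apply_prefix(prefix, g) for g in raw_groups],
        "extra": extra,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_user_info(PROVIDER, ID_TOKEN_CLAIMS), indent=2))
```

Running the block prints the identity as the Supervisor would see it: the prefix and colon are applied to both the username and every group, and only the extra claims actually present in the token appear under their "vcf.vmware.com/" keys.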
enable_kubernetes_jwt_authentication (boolean)
If set to true, enables direct JSON Web Token (JWT) authentication with the Supervisor API server.
This allows clients such as kubectl to use ID tokens issued by the upstream identity provider for direct authentication against the Supervisor API server.
This functionality is available only if the GET /vcenter/namespace-management/supervisors/{supervisor}/capabilities operation reports that the supports_supervisor_privileged_labels capability is enabled for the Supervisor.
This property was added in vSphere API 9.1.0.0.
Defaults to false if missing or null.