Vcenter NamespaceManagement Supervisors Identity Providers UpdateSpec
The Vcenter NamespaceManagement Supervisors Identity Providers UpdateSpec schema contains the specification required to update the configuration of an identity provider used with a Supervisor.
This schema was added in vSphere API 8.0.0.1.
{
"display_name": "string",
"issuer_url": "string",
"username_claim": "string",
"unset_username_claim": false,
"groups_claim": "string",
"unset_groups_claim": false,
"client_id": "string",
"client_secret": "string",
"certificate_authority_data": "string",
"unset_certificate_authority_data": false,
"additional_scopes": [
"string"
],
"additional_authorize_parameters": {
"additional_authorize_parameters": "string"
},
"allow_credentials_exchange": false,
"extra_claims_to_add": [
"string"
],
"extra_claims_to_remove": [
"string"
],
"enable_kubernetes_jwt_authentication": false
}A name to be used for the given identity provider. This name will be displayed in the vCenter UI.
This property was added in vSphere API 8.0.0.1.
if missing or null, the name will remained unchanged.
The URL to the identity provider issuing tokens. The OIDC discovery URL will be derived from the issuer URL, according to RFC8414: https://issuerURL/.well-known/openid-configuration. This must use HTTPS as the scheme.
This property was added in vSphere API 8.0.0.1.
If missing or null, the issuer URL will not be updated.
The claim from the upstream identity provider ID token or user info endpoint to inspect to obtain the username for the given user.
This property was added in vSphere API 8.0.0.1.
If missing or null, the username claim will not be updated.
This represents the intent of the change to Vcenter NamespaceManagement Supervisors Identity Providers UpdateSpec.username_claim. If this field is set to true, the existing 'usernameClaim' value will be removed. If this field is set to false, the existing username claim will be changed to the value specified in Vcenter NamespaceManagement Supervisors Identity Providers UpdateSpec.username_claim, if any.
This property was added in vSphere API 8.0.0.1.
If missing or null, the existing 'usernameClaim' value will be changed to the value specified in Vcenter NamespaceManagement Supervisors Identity Providers UpdateSpec.username_claim, if any.
The claim from the upstream identity provider ID token or user info endpoint to inspect to obtain the groups for the given user.
This property was added in vSphere API 8.0.0.1.
If missing or null, the groups claim will not be updated.
This represents the intent of the change to Vcenter NamespaceManagement Supervisors Identity Providers UpdateSpec.groups_claim. If this field is set to true, the existing 'groupsClaim' value will be removed. If this field is set to false, the existing groups claim will be changed to the value specified in Vcenter NamespaceManagement Supervisors Identity Providers UpdateSpec.groups_claim, if any.
This property was added in vSphere API 8.0.0.1.
If missing or null, the existing 'groupsClaim' value will be changed to the value specified in Vcenter NamespaceManagement Supervisors Identity Providers UpdateSpec.groups_claim, if any.
The clientID is the OAuth 2.0 client ID registered in the upstream identity provider and used by the Supervisor.
This property was added in vSphere API 8.0.0.1.
If missing or null, the client ID will not be updated.
The OAuth 2.0 client secret to be used by the Supervisor when authenticating to the upstream identity provider.
This property was added in vSphere API 8.0.0.1.
If missing or null, the client secret will not be updated.
Certificate authority data to be used to establish HTTPS connections with the identity provider. This must be a PEM-encoded value.
This property was added in vSphere API 8.0.0.1.
If missing or null, the certificate authority data will not be updated.
This represents the intent of the change to Vcenter NamespaceManagement Supervisors Identity Providers UpdateSpec.certificate_authority_data. If this field is set to true, the existing 'certificateAuthorityData' value will be removed. If this field is set to false, the existing certificate authority data will be changed to the value specified in Vcenter NamespaceManagement Supervisors Identity Providers UpdateSpec.certificate_authority_data, if any.
This property was added in vSphere API 8.0.0.1.
If missing or null, the existing 'certificateAuthorityData' value will be changed to the value specified in Vcenter NamespaceManagement Supervisors Identity Providers UpdateSpec.certificate_authority_data, if any.
Additional scopes to be requested in tokens issued by this identity provider.
This property was added in vSphere API 8.0.0.1.
If missing or null, the additional scopes will not be updated.
Any additional parameters to be sent to the upstream identity provider during the authorize request in the OAuth2 authorization code flow. One use case is to pass in a default tenant ID if you have a multi-tenant identity provider. For instance, with VMware's Cloud Services Platform, if your organization ID is 'long-form-org-id', the 'orgLink' parameter can be set to "/csp/gateway/am/api/orgs/long-form-org-id" to allow users logging in to leverage that organization.
This property was added in vSphere API 8.0.0.1.
If missing or null, the additional parameters will not be updated.
Enables a client to exchange an identity provider issued ID token for an mTLS client certificate key pair using the Supervisor 'TokenCredentialRequest' API. Note: Supervisor only supports public OAuth 2.0 clients, which do not require client secrets.
This property was added in vSphere API 9.0.0.0.
Defaults to false if missing or null.
A list of additional claims from the upstream identity provider's ID token to propagate to the Kubernetes UserInfo object upon successful authentication.
For each claim name in this list, a corresponding entry will be added to the UserInfo.Extra map. The key will be formatted as "vcf.vmware.com/<claim-name>", and the value will be the corresponding claim value from the ID token.
Each claim name must consist of valid HTTP path characters as defined in RFC3986. If a claim is not present in the ID token, it will not be included in the UserInfo.Extra map.
This functionality is available only if the GET /vcenter/namespace-management/supervisors/{supervisor}/capabilities operation reports that the supports_supervisor_privileged_labels capability is enabled for the Supervisor.
This property was added in vSphere API 9.1.0.0.
If missing or null, no extra claims will be added.
A list of claims from the upstream identity provider's ID token to not propagate to the Kubernetes UserInfo object upon successful authentication.
This functionality is available only if the GET /vcenter/namespace-management/supervisors/{supervisor}/capabilities operation reports that the supports_supervisor_privileged_labels capability is enabled for the Supervisor.
This property was added in vSphere API 9.1.0.0.
If missing or null, no extra claims will be removed.
If set to true, enables direct JSON Web Token (JWT) authentication with the Supervisor API server.
This allows clients, such as kubectl, to use ID tokens issued by the identity provider for direct authentication against the Supervisor API server.
This functionality is available only if the GET /vcenter/namespace-management/supervisors/{supervisor}/capabilities operation reports that the supports_supervisor_privileged_labels capability is enabled for the Supervisor.
This property was added in vSphere API 9.1.0.0.
If missing or null, this setting will not be updated.