Update Provider Identity
Update a vCenter Server identity provider. if you do not have all of the privileges described as follows:
- Operation execution requires VcIdentityProviders.Manage.
the identifier of the provider to update The parameter must be an identifier for the resource type: com.vmware.vcenter.identity.Providers.
Show optional properties
{
"config_tag": "string"
}
{
"config_tag": "string",
"oauth2": {
"auth_endpoint": "string",
"token_endpoint": "string",
"public_key_uri": "string",
"client_id": "string",
"client_secret": "string",
"claim_map": {
"claim_map": {
"claim_map": [
"string"
]
}
},
"issuer": "string",
"authentication_method": "string",
"auth_query_params": {
"auth_query_params": [
"string"
]
}
},
"oidc": {
"discovery_endpoint": "string",
"client_id": "string",
"client_secret": "string",
"claim_map": {
"claim_map": {
"claim_map": [
"string"
]
}
}
},
"org_ids": [
"string"
],
"make_default": false,
"name": "string",
"domain_names": [
"string"
],
"auth_query_params": {
"auth_query_params": [
"string"
]
},
"idm_protocol": "string",
"idm_endpoints": [
"string"
],
"active_directory_over_ldap": {
"user_name": "string",
"password": "string",
"users_base_dn": "string",
"groups_base_dn": "string",
"server_endpoints": [
"string"
],
"cert_chain": {
"cert_chain": [
"string"
]
}
},
"upn_claim": "string",
"reset_upn_claim": false,
"groups_claim": "string",
"reset_groups_claim": false,
"federation_type": "string"
}
The Providers.ConfigType structure contains the possible types of vCenter Server identity providers.
Oauth2 : Config for OAuth2
Oidc : Config for OIDC
The Providers.Oauth2UpdateSpec structure contains the information used to update the OAuth2 identity provider.
The Providers.OidcUpdateSpec structure contains the information used to update the OIDC identity provider.
The set orgIds as part of SDDC creation which provides the basis for tenancy If unset, leaves value unchanged.
Specifies whether to make this the default provider. If Providers.UpdateSpec.make-default is set to true, this provider will be flagged as the default provider and any other providers that had previously been flagged as the default will be made non-default. If Providers.UpdateSpec.make-default is set to false, this provider's default flag will not be modified. If unset, leaves value unchanged.
The user friendly name for the provider. This name can be used for human-readable identification purposes, but it does not have to be unique, as the system will use internal UUIDs to differentiate providers. If unset, leaves value unchanged.
Set of fully qualified domain names to trust when federating with this identity provider. Tokens from this identity provider will only be validated if the user belongs to one of these domains, and any domain-qualified groups in the tokens will be filtered to include only those groups that belong to one of these domains. If unset, leaves value unchanged. If domainNames is an empty set, domain validation behavior at login with this identity provider will be as follows: the user's domain will be parsed from the User Principal Name (UPN) value that is found in the tokens returned by the identity provider. This domain will then be implicitly trusted and used to filter any groups that are also provided in the tokens.
key/value pairs that are to be appended to the authEndpoint request. How to append to authEndpoint request: If the map is not empty, a "?" is added to the endpoint URL, and combination of each k and each string in the v is added with an "&" delimiter. Details: If the value contains only one string, then the key is added with "k=v". If the value is an empty list, then the key is added without a "=v". If the value contains multiple strings, then the key is repeated in the query-string for each string in the value. If the map is empty, deletes all params. If unset, leaves value unchanged.
The Providers.IdmProtocol structure contains the possible types of communication protocols to the identity management endpoints.
REST : REST protocol based identity management endpoints
SCIM : SCIM V1.1 protocol based identity management endpoints
SCIM2_0 : SCIM V2.0 protocol based identity management endpoints
LDAP : LDAP protocol based identity management endpoints
Identity management endpoints. When specified, at least one endpoint must be provided. This field is optional and it is only relevant when the value of Providers.UpdateSpec.idm-protocol is one of REST, SCIM, or SCIM2_0.
The Providers.ActiveDirectoryOverLdap structure contains the information about to how to use an Active Directory over LDAP connection to allow searching for users and groups if the identity provider is an On-Prem service.
Specifies which claim provides the user principal name (UPN) for the subject of the token. If unset, leaves value unchanged.
Flag indicating whether the user principal name (UPN) claim should be set back to its default value. If this field is set to true, the user principal name (UPN) claim will be set to 'acct', which is used for backwards compatibility with CSP. If this field is set to false, the existing user principal name (UPN) claim will be changed to the value specified in Providers.UpdateSpec.upn-claim, if any. If unset, the existing user principal name (UPN) claim will be changed to the value specified in Providers.UpdateSpec.upn-claim, if any.
Specifies which claim provides the group membership for the token subject. If unset, leaves value unchanged.
Flag indicating whether any existing groups claim value should be removed. If this field is set to true, the existing groups claim value is removed which defaults to backwards compatibility with CSP. In this case, the groups for the subject will be comprised of the groups in 'group_names' and 'group_ids' claims. If this field is set to false, the existing groups claim will be changed to the value specified in Providers.UpdateSpec.groups-claim, if any. If unset, the existing groups claim will be changed to the value specified in Providers.UpdateSpec.groups-claim, if any.
The FederationType enumerated type contains the possible types of federation paths for, vCenter Server identity providers configuration.
DIRECT_FEDERATION : vCenter Server federated directly to the external identity provider.
INDIRECT_FEDERATION : vCenter Server federated indirectly to the external identity provider, by means of an intermediary federation broker.
com.vmware.vapi.std.errors.invalid_argument : if invalid arguments are provided in updateSpec.
{
"messages": [
{
"id": "string",
"default_message": "string",
"args": [
"string"
],
"params": {
"params": {
"s": "string",
"dt": "string",
"i": 0,
"d": "number",
"l": {
"id": "string",
"params": {
"params": "Std_LocalizationParam Object"
}
},
"format": "string",
"precision": 0
}
},
"localized": "string"
}
],
"data": {},
"error_type": "string"
}
Stack of one or more localizable messages for human error consumers. The message at the top of the stack (first in the list) describes the error from the perspective of the operation the client invoked.
Each subsequent message in the stack describes the "cause" of the prior message.
Data to facilitate clients responding to the operation reporting a standard error to indicating that it was unable to complete successfully. Operations may provide data that clients can use when responding to errors. Since the data that clients need may be specific to the context of the operation reporting the error, different operations that report the same error may provide different data in the error. The documentation for each each operation will describe what, if any, data it provides for each error it reports.
The ArgumentLocations, FileLocations, and TransientIndication structures are intended as possible values for this field. DynamicID may also be useful as a value for this field (although that is not its primary purpose). Some services may provide their own specific structures for use as the value of this field when reporting errors from their operations.
Some operations will not set this field when reporting errors.
Enumeration of all standard errors. Used as discriminator in protocols that have no standard means for transporting the error type, e.g. REST.
ERROR : Discriminator for the Error type.
ALREADY_EXISTS : Discriminator for the AlreadyExists type.
ALREADY_IN_DESIRED_STATE : Discriminator for the AlreadyInDesiredState type.
CANCELED : Discriminator for the Canceled type.
CONCURRENT_CHANGE : Discriminator for the ConcurrentChange type.
FEATURE_IN_USE : Discriminator for the FeatureInUse type.
INTERNAL_SERVER_ERROR : Discriminator for the InternalServerError type.
INVALID_ARGUMENT : Discriminator for the InvalidArgument type.
INVALID_ELEMENT_CONFIGURATION : Discriminator for the InvalidElementConfiguration type.
INVALID_ELEMENT_TYPE : Discriminator for the InvalidElementType type.
INVALID_REQUEST : Discriminator for the InvalidRequest type.
NOT_ALLOWED_IN_CURRENT_STATE : Discriminator for the NotAllowedInCurrentState type.
NOT_FOUND : Discriminator for the NotFound type.
OPERATION_NOT_FOUND : Discriminator for the OperationNotFound type.
RESOURCE_BUSY : Discriminator for the ResourceBusy type.
RESOURCE_IN_USE : Discriminator for the ResourceInUse type.
RESOURCE_INACCESSIBLE : Discriminator for the ResourceInaccessible type.
SERVICE_UNAVAILABLE : Discriminator for the ServiceUnavailable type.
TIMED_OUT : Discriminator for the TimedOut type.
UNABLE_TO_ALLOCATE_RESOURCE : Discriminator for the UnableToAllocateResource type.
UNAUTHENTICATED : Discriminator for the Unauthenticated type.
UNAUTHORIZED : Discriminator for the Unauthorized type.
UNEXPECTED_INPUT : Discriminator for the UnexpectedInput type.
UNSUPPORTED : Discriminator for the Unsupported type.
UNVERIFIED_PEER : Discriminator for the UnverifiedPeer type.
com.vmware.vapi.std.errors.unauthorized : if authorization is not given to caller.
{
"messages": [
{
"id": "string",
"default_message": "string",
"args": [
"string"
],
"params": {
"params": {
"s": "string",
"dt": "string",
"i": 0,
"d": "number",
"l": {
"id": "string",
"params": {
"params": "Std_LocalizationParam Object"
}
},
"format": "string",
"precision": 0
}
},
"localized": "string"
}
],
"data": {},
"error_type": "string"
}
Stack of one or more localizable messages for human error consumers. The message at the top of the stack (first in the list) describes the error from the perspective of the operation the client invoked.
Each subsequent message in the stack describes the "cause" of the prior message.
Data to facilitate clients responding to the operation reporting a standard error to indicating that it was unable to complete successfully. Operations may provide data that clients can use when responding to errors. Since the data that clients need may be specific to the context of the operation reporting the error, different operations that report the same error may provide different data in the error. The documentation for each each operation will describe what, if any, data it provides for each error it reports.
The ArgumentLocations, FileLocations, and TransientIndication structures are intended as possible values for this field. DynamicID may also be useful as a value for this field (although that is not its primary purpose). Some services may provide their own specific structures for use as the value of this field when reporting errors from their operations.
Some operations will not set this field when reporting errors.
Enumeration of all standard errors. Used as discriminator in protocols that have no standard means for transporting the error type, e.g. REST.
ERROR : Discriminator for the Error type.
ALREADY_EXISTS : Discriminator for the AlreadyExists type.
ALREADY_IN_DESIRED_STATE : Discriminator for the AlreadyInDesiredState type.
CANCELED : Discriminator for the Canceled type.
CONCURRENT_CHANGE : Discriminator for the ConcurrentChange type.
FEATURE_IN_USE : Discriminator for the FeatureInUse type.
INTERNAL_SERVER_ERROR : Discriminator for the InternalServerError type.
INVALID_ARGUMENT : Discriminator for the InvalidArgument type.
INVALID_ELEMENT_CONFIGURATION : Discriminator for the InvalidElementConfiguration type.
INVALID_ELEMENT_TYPE : Discriminator for the InvalidElementType type.
INVALID_REQUEST : Discriminator for the InvalidRequest type.
NOT_ALLOWED_IN_CURRENT_STATE : Discriminator for the NotAllowedInCurrentState type.
NOT_FOUND : Discriminator for the NotFound type.
OPERATION_NOT_FOUND : Discriminator for the OperationNotFound type.
RESOURCE_BUSY : Discriminator for the ResourceBusy type.
RESOURCE_IN_USE : Discriminator for the ResourceInUse type.
RESOURCE_INACCESSIBLE : Discriminator for the ResourceInaccessible type.
SERVICE_UNAVAILABLE : Discriminator for the ServiceUnavailable type.
TIMED_OUT : Discriminator for the TimedOut type.
UNABLE_TO_ALLOCATE_RESOURCE : Discriminator for the UnableToAllocateResource type.
UNAUTHENTICATED : Discriminator for the Unauthenticated type.
UNAUTHORIZED : Discriminator for the Unauthorized type.
UNEXPECTED_INPUT : Discriminator for the UnexpectedInput type.
UNSUPPORTED : Discriminator for the Unsupported type.
UNVERIFIED_PEER : Discriminator for the UnverifiedPeer type.
com.vmware.vapi.std.errors.not_found : if no provider found with the given provider identifier.
{
"messages": [
{
"id": "string",
"default_message": "string",
"args": [
"string"
],
"params": {
"params": {
"s": "string",
"dt": "string",
"i": 0,
"d": "number",
"l": {
"id": "string",
"params": {
"params": "Std_LocalizationParam Object"
}
},
"format": "string",
"precision": 0
}
},
"localized": "string"
}
],
"data": {},
"error_type": "string"
}
Stack of one or more localizable messages for human error consumers. The message at the top of the stack (first in the list) describes the error from the perspective of the operation the client invoked.
Each subsequent message in the stack describes the "cause" of the prior message.
Data to facilitate clients responding to the operation reporting a standard error to indicating that it was unable to complete successfully. Operations may provide data that clients can use when responding to errors. Since the data that clients need may be specific to the context of the operation reporting the error, different operations that report the same error may provide different data in the error. The documentation for each each operation will describe what, if any, data it provides for each error it reports.
The ArgumentLocations, FileLocations, and TransientIndication structures are intended as possible values for this field. DynamicID may also be useful as a value for this field (although that is not its primary purpose). Some services may provide their own specific structures for use as the value of this field when reporting errors from their operations.
Some operations will not set this field when reporting errors.
Enumeration of all standard errors. Used as discriminator in protocols that have no standard means for transporting the error type, e.g. REST.
ERROR : Discriminator for the Error type.
ALREADY_EXISTS : Discriminator for the AlreadyExists type.
ALREADY_IN_DESIRED_STATE : Discriminator for the AlreadyInDesiredState type.
CANCELED : Discriminator for the Canceled type.
CONCURRENT_CHANGE : Discriminator for the ConcurrentChange type.
FEATURE_IN_USE : Discriminator for the FeatureInUse type.
INTERNAL_SERVER_ERROR : Discriminator for the InternalServerError type.
INVALID_ARGUMENT : Discriminator for the InvalidArgument type.
INVALID_ELEMENT_CONFIGURATION : Discriminator for the InvalidElementConfiguration type.
INVALID_ELEMENT_TYPE : Discriminator for the InvalidElementType type.
INVALID_REQUEST : Discriminator for the InvalidRequest type.
NOT_ALLOWED_IN_CURRENT_STATE : Discriminator for the NotAllowedInCurrentState type.
NOT_FOUND : Discriminator for the NotFound type.
OPERATION_NOT_FOUND : Discriminator for the OperationNotFound type.
RESOURCE_BUSY : Discriminator for the ResourceBusy type.
RESOURCE_IN_USE : Discriminator for the ResourceInUse type.
RESOURCE_INACCESSIBLE : Discriminator for the ResourceInaccessible type.
SERVICE_UNAVAILABLE : Discriminator for the ServiceUnavailable type.
TIMED_OUT : Discriminator for the TimedOut type.
UNABLE_TO_ALLOCATE_RESOURCE : Discriminator for the UnableToAllocateResource type.
UNAUTHENTICATED : Discriminator for the Unauthenticated type.
UNAUTHORIZED : Discriminator for the Unauthorized type.
UNEXPECTED_INPUT : Discriminator for the UnexpectedInput type.
UNSUPPORTED : Discriminator for the Unsupported type.
UNVERIFIED_PEER : Discriminator for the UnverifiedPeer type.
'Default' means this response is used for all HTTP codes that are not covered individually for this operation.
{
"messages": [
{
"id": "string",
"default_message": "string",
"args": [
"string"
],
"params": {
"params": {
"s": "string",
"dt": "string",
"i": 0,
"d": "number",
"l": {
"id": "string",
"params": {
"params": "Std_LocalizationParam Object"
}
},
"format": "string",
"precision": 0
}
},
"localized": "string"
}
],
"data": {},
"error_type": "string"
}
Stack of one or more localizable messages for human error consumers. The message at the top of the stack (first in the list) describes the error from the perspective of the operation the client invoked.
Each subsequent message in the stack describes the "cause" of the prior message.
Data to facilitate clients responding to the operation reporting a standard error to indicating that it was unable to complete successfully. Operations may provide data that clients can use when responding to errors. Since the data that clients need may be specific to the context of the operation reporting the error, different operations that report the same error may provide different data in the error. The documentation for each each operation will describe what, if any, data it provides for each error it reports.
The ArgumentLocations, FileLocations, and TransientIndication structures are intended as possible values for this field. DynamicID may also be useful as a value for this field (although that is not its primary purpose). Some services may provide their own specific structures for use as the value of this field when reporting errors from their operations.
Some operations will not set this field when reporting errors.
Enumeration of all standard errors. Used as discriminator in protocols that have no standard means for transporting the error type, e.g. REST.
ERROR : Discriminator for the Error type.
ALREADY_EXISTS : Discriminator for the AlreadyExists type.
ALREADY_IN_DESIRED_STATE : Discriminator for the AlreadyInDesiredState type.
CANCELED : Discriminator for the Canceled type.
CONCURRENT_CHANGE : Discriminator for the ConcurrentChange type.
FEATURE_IN_USE : Discriminator for the FeatureInUse type.
INTERNAL_SERVER_ERROR : Discriminator for the InternalServerError type.
INVALID_ARGUMENT : Discriminator for the InvalidArgument type.
INVALID_ELEMENT_CONFIGURATION : Discriminator for the InvalidElementConfiguration type.
INVALID_ELEMENT_TYPE : Discriminator for the InvalidElementType type.
INVALID_REQUEST : Discriminator for the InvalidRequest type.
NOT_ALLOWED_IN_CURRENT_STATE : Discriminator for the NotAllowedInCurrentState type.
NOT_FOUND : Discriminator for the NotFound type.
OPERATION_NOT_FOUND : Discriminator for the OperationNotFound type.
RESOURCE_BUSY : Discriminator for the ResourceBusy type.
RESOURCE_IN_USE : Discriminator for the ResourceInUse type.
RESOURCE_INACCESSIBLE : Discriminator for the ResourceInaccessible type.
SERVICE_UNAVAILABLE : Discriminator for the ServiceUnavailable type.
TIMED_OUT : Discriminator for the TimedOut type.
UNABLE_TO_ALLOCATE_RESOURCE : Discriminator for the UnableToAllocateResource type.
UNAUTHENTICATED : Discriminator for the Unauthenticated type.
UNAUTHORIZED : Discriminator for the Unauthorized type.
UNEXPECTED_INPUT : Discriminator for the UnexpectedInput type.
UNSUPPORTED : Discriminator for the Unsupported type.
UNVERIFIED_PEER : Discriminator for the UnverifiedPeer type.
curl -X PATCH -H 'Authorization: <value>' -H 'Content-Type: application/json' -d '{"config_tag:"string"}'
# Module 'VMware.Sdk.vSphere.vCenter.Identity'
$IdentityProvidersUpdateSpec = Initialize-IdentityProvidersUpdateSpec -ConfigTag "Oauth2"
Invoke-UpdateProviderIdentity -Provider "MyProvider" -IdentityProvidersUpdateSpec $IdentityProvidersUpdateSpec
# Module 'VMware.Sdk.vSphere.vCenter.Identity'
$IdentityProvidersOauth2UpdateSpec = Initialize-IdentityProvidersOauth2UpdateSpec -AuthEndpoint "MyAuthEndpoint" -TokenEndpoint "MyTokenEndpoint" -PublicKeyUri "MyPublicKeyUri" -ClientId "MyClientId" -ClientSecret "MyClientSecret" -ClaimMap @{ key_example = @{ key_example = "MyInner" } } -Issuer "MyIssuer" -AuthenticationMethod "CLIENT_SECRET_BASIC" -AuthQueryParams @{ key_example = "MyInner" }
$IdentityProvidersOidcUpdateSpec = Initialize-IdentityProvidersOidcUpdateSpec -DiscoveryEndpoint "MyDiscoveryEndpoint" -ClientId "MyClientId" -ClientSecret "MyClientSecret" -ClaimMap @{ key_example = @{ key_example = "MyInner" } }
$CertificateManagementX509CertChain = Initialize-CertificateManagementX509CertChain -CertChain "MyCertChain"
$IdentityProvidersActiveDirectoryOverLdap = Initialize-IdentityProvidersActiveDirectoryOverLdap -UserName "MyUserName" -Password "MyPassword" -UsersBaseDn "MyUsersBaseDn" -GroupsBaseDn "MyGroupsBaseDn" -ServerEndpoints "MyServerEndpoints" -CertChain $CertificateManagementX509CertChain
$IdentityProvidersUpdateSpec = Initialize-IdentityProvidersUpdateSpec -ConfigTag "Oauth2" -Oauth2 $IdentityProvidersOauth2UpdateSpec -Oidc $IdentityProvidersOidcUpdateSpec -OrgIds "MyOrgIds" -MakeDefault $false -Name "MyName" -DomainNames "MyDomainNames" -AuthQueryParams @{ key_example = "MyInner" } -IdmProtocol "REST" -IdmEndpoints "MyIdmEndpoints" -ActiveDirectoryOverLdap $IdentityProvidersActiveDirectoryOverLdap -UpnClaim "MyUpnClaim" -ResetUpnClaim $false -GroupsClaim "MyGroupsClaim" -ResetGroupsClaim $false
Invoke-UpdateProviderIdentity -Provider "MyProvider" -IdentityProvidersUpdateSpec $IdentityProvidersUpdateSpec