Identity_Providers_CreateSpec
The Providers.CreateSpec structure contains the information used to create an identity provider.
{
  "config_tag": "string",
  "oauth2": {
    "auth_endpoint": "string",
    "token_endpoint": "string",
    "public_key_uri": "string",
    "client_id": "string",
    "client_secret": "string",
    "issuer": "string",
    "authentication_method": "string"
  },
  "oidc": {
    "discovery_endpoint": "string",
    "client_id": "string",
    "client_secret": "string"
  },
  "org_ids": [
    "string"
  ],
  "is_default": false,
  "name": "string",
  "domain_names": [
    "string"
  ],
  "idm_protocol": "string",
  "idm_endpoints": [
    "string"
  ],
  "active_directory_over_ldap": {
    "user_name": "string",
    "password": "string",
    "users_base_dn": "string",
    "groups_base_dn": "string",
    "server_endpoints": [
      "string"
    ],
    "cert_chain": {
      "cert_chain": [
        "string"
      ]
    }
  },
  "upn_claim": "string",
  "groups_claim": "string"
}
The Providers.ConfigType structure contains the possible types of vCenter Server identity providers.
Oauth2 : Config for OAuth2
Oidc : Config for OIDC
The Providers.Oauth2CreateSpec structure contains the information used to create an OAuth2 identity provider.
The Providers.OidcCreateSpec structure contains the information used to create an OIDC identity provider.
The set of org IDs assigned as part of SDDC creation, which provides the basis for tenancy. If unset, the set will be empty.
Specifies whether the provider is the default provider. Setting Providers.CreateSpec.is-default of the current provider to True makes all other providers non-default. If no other providers were created in this vCenter Server before, this parameter will be disregarded and the provider will always be set as the default. If unset, the provider will be the default provider if it is the first provider that is created, and will not be the default provider otherwise.
The user-friendly name for the provider. This name can be used for human-readable identification purposes, but it does not have to be unique, as the system uses internal UUIDs to differentiate providers. If unset, the name will be the empty string.
Set of fully qualified domain names to trust when federating with this identity provider. Tokens from this identity provider will only be validated if the user belongs to one of these domains, and any domain-qualified groups in the tokens will be filtered to include only those groups that belong to one of these domains. If unset, domainNames will be the empty set and the domain validation behavior at login with this identity provider will be as follows: the user's domain will be parsed from the User Principal Name (UPN) value that is found in the tokens returned by the identity provider. This domain will then be implicitly trusted and used to filter any groups that are also provided in the tokens.
Key/value pairs that are to be appended to the authEndpoint request.
How they are appended to the authEndpoint request: if the map is not empty, a "?" is added to the endpoint URL, and the combinations of each key k with each string in its value list v are joined with "&" delimiters. Details:
- If the value contains only one string, then the key is added with "k=v".
- If the value is an empty list, then the key is added without a "=v".
- If the value contains multiple strings, then the key is repeated in the query-string for each string in the value.
If unset, the map will be empty.
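The serialization rules above, as an added example that is not part of the original reference page or of the vCenter product: a small Python function that builds the authorization request URL from the endpoint and the key/value map. The field name auth_query_params in the comments is assumed for this example (the page only describes the map); percent-encoding of keys and values is also an addition, since the page does not state how special characters are treated.

```python
from typing import Dict, List
from urllib.parse import quote


def append_auth_query_params(auth_endpoint: str, params: Dict[str, List[str]]) -> str:
    """Append the key/value map (assumed field name: auth_query_params) to the
    OAuth2 authorization endpoint URL.

    Rules followed, as described in the reference text:
      - empty map: the endpoint is returned unchanged (no "?")
      - a value list with one string: "k=v"
      - an empty value list: the bare key, with no "=v"
      - a value list with several strings: the key is repeated once per string
    All pairs are joined with "&" after a single leading "?".
    """
    if not params:
        return auth_endpoint

    parts: List[str] = []
    for key, values in params.items():
        encoded_key = quote(key, safe="")  # encoding is an addition, not from the page
        if not values:
            parts.append(encoded_key)
            continue
        for value in values:
            parts.append(f"{encoded_key}={quote(value, safe='')}")
    return auth_endpoint + "?" + "&".join(parts)


if __name__ == "__main__":
    # Constructed sample input (not from the page).
    print(append_auth_query_params(
        "https://idp.example.com/authorize",
        {"prompt": ["login"], "offline": [], "scope": ["openid", "email"]},
    ))
```

Note that the description assumes the configured endpoint does not already carry a query string; the function above follows the text literally and always introduces the "?" itself, so an endpoint that already ends in "?x=y" would need to be handled separately.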
The Providers.IdmProtocol structure contains the possible types of communication protocols to the identity management endpoints.
REST : REST protocol based identity management endpoints
SCIM : SCIM V1.1 protocol based identity management endpoints
SCIM2_0 : SCIM V2.0 protocol based identity management endpoints
LDAP : LDAP protocol based identity management endpoints
Identity management endpoints. When specified, at least one endpoint must be provided. This field is optional and it is only relevant when the value of Providers.CreateSpec.idm-protocol is one of REST, SCIM, or SCIM2_0.
The Providers.ActiveDirectoryOverLdap structure contains the information about how to use an Active Directory over LDAP connection to allow searching for users and groups if the identity provider is an on-premises service.
Specifies which claim provides the user principal name (UPN) for the user. If unset, the claim named 'acct' will be used to provide backwards compatibility with CSP.
Specifies which claim provides the group membership for the token subject. These groups will be used for mapping to local groups per the claim map. If unset, the default behavior will be CSP backwards compatibility: the groups for the subject will be comprised of the groups in the 'group_names' and 'group_ids' claims.
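The domain_names validation and group filtering described earlier on this page, together with the upn_claim and groups_claim defaults just described, as one added Python example that is not part of the original reference page or of the vCenter product. It assumes that a decoded token is available as a dictionary of claims, that the user's domain is the part of the UPN after the last "@", and that domain-qualified groups use the same "name@domain" form (the page does not state the group format); it also assumes that groups without a domain qualifier are kept, since the page only says that domain-qualified groups are filtered to the trusted domains.

```python
from typing import Dict, Iterable, List, Optional

# Defaults stated on the page for an unset upn_claim / groups_claim.
DEFAULT_UPN_CLAIM = "acct"
DEFAULT_GROUPS_CLAIMS = ("group_names", "group_ids")


def _domain_of(value: str) -> Optional[str]:
    """Lower-cased domain after the last '@', or None if the value is not domain-qualified.
    Using 'name@domain' for groups is an assumption; the page does not state the group format."""
    if "@" not in value:
        return None
    return value.rsplit("@", 1)[1].lower()


def evaluate_token(claims: Dict[str, object],
                   domain_names: Optional[Iterable[str]] = None,
                   upn_claim: Optional[str] = None,
                   groups_claim: Optional[str] = None) -> Dict[str, object]:
    """Apply the domain_names / upn_claim / groups_claim rules to decoded token claims.

    Returns {"upn", "domain", "groups"} for an accepted token, or raises ValueError
    when the token must be rejected (no usable UPN, or a domain outside domain_names).
    """
    upn = claims.get(upn_claim or DEFAULT_UPN_CLAIM)
    if not isinstance(upn, str) or not upn:
        raise ValueError("token carries no usable UPN claim")
    user_domain = _domain_of(upn)
    if user_domain is None:
        raise ValueError("UPN is not domain-qualified")

    trusted = {d.lower() for d in domain_names} if domain_names else set()
    if trusted:
        # domain_names set: only users from one of the listed domains are accepted
        if user_domain not in trusted:
            raise ValueError(f"user domain {user_domain!r} is not in domain_names")
    else:
        # domain_names unset: the UPN's own domain is implicitly trusted
        trusted = {user_domain}

    if groups_claim:
        raw_groups = list(claims.get(groups_claim, []))  # type: ignore[arg-type]
    else:
        # CSP-compatible default: union of the 'group_names' and 'group_ids' claims
        raw_groups = []
        for name in DEFAULT_GROUPS_CLAIMS:
            raw_groups.extend(claims.get(name, []))  # type: ignore[arg-type]

    # Keep unqualified groups (assumption) and domain-qualified groups from trusted domains.
    groups: List[str] = []
    for group in raw_groups:
        group_domain = _domain_of(group)
        if group_domain is None or group_domain in trusted:
            groups.append(group)
    return {"upn": upn, "domain": user_domain, "groups": groups}


def is_accepted(claims: Dict[str, object], **settings) -> bool:
    """True if evaluate_token accepts the token under the given provider settings."""
    try:
        evaluate_token(claims, **settings)
        return True
    except ValueError:
        return False


# Constructed sample claims (not from the page): a user in corp.example whose token
# lists groups from two domains plus one unqualified group.
SAMPLE_CLAIMS = {
    "acct": "alice@corp.example",
    "group_names": ["admins@corp.example", "devs@partner.example", "everyone"],
    "group_ids": ["g-42@corp.example"],
}

if __name__ == "__main__":
    print(evaluate_token(SAMPLE_CLAIMS))
    print(evaluate_token(SAMPLE_CLAIMS, domain_names=["corp.example", "partner.example"]))
    print(is_accepted(SAMPLE_CLAIMS, domain_names=["partner.example"]))
```

With domain_names unset, the token above is accepted and the partner.example group is dropped because only corp.example is implicitly trusted; listing both domains keeps all four groups, and listing only partner.example rejects the token outright because the user's own domain is not trusted.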