Create a Session Using SAML Authentication
Users defined in an organization that specifies a SAML identity provider must acquire a security assertion from that identity provider, process it, and include the processed assertion and other attributes in the request to create a VMware Cloud Director API Session.
Two kinds of SAML assertion can be presented:
- Bearer assertions, which any party that obtains them can present. They make no guarantee about message integrity or about the presenting client actually being the subject named in the assertion.
- Holder-of-key assertions, which bind the assertion to the client: the request carries a signature generated with the subject's private key, so only a holder of that key can use the assertion.
Prerequisites
- Verify that you know the API login URL. See Retrieve the Login URL and List of Supported API Versions.
- Verify that you are logging in as a user whose identity is managed by the SAML identity provider defined by your organization.
Example: Create a Login Session Using a SAML Identity Provider
This example shows a SAML login request and response for a user logging in to the Finance organization of a cloud whose API login URL is
This example shows two varieties of the request: the first carries a bearer assertion; the second carries a holder-of-key assertion and therefore adds a signature.
POST
Authorization: Sign token="compressed-encoded-credentials", org="Finance"
Accept: application/*;version=9.0
When using a SAML assertion that provides holder-of-key (HOK) subject confirmation, the request header must also include signature and signature_alg attributes, as shown in this example, which assumes a signature created with a SHA-1 digest and an RSA private key (signature_alg="SHA1withRSA"). SHA-1 is deprecated for digital signature generation; check which signature_alg values your VMware Cloud Director version accepts before relying on it.
POST
Authorization: Sign token="compressed-encoded-credentials", org="Finance", signature="encoded-signature", signature_alg="SHA1withRSA"
Accept: application/*;version=9.0
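The following added Python example (not VMware's code) builds both requests above from a constructed assertion and shows what the receiving side must do with the header: split it, decode the token back to the assertion and, for the HOK form, verify the signature with the subject's public key. Two points are assumptions because the page does not state them: "compressed-encoded" is taken to mean gzip followed by base64, and the holder-of-key signature is taken to cover the token value; confirm both against the programming guide for your version. The RSASSA-PKCS1-v1_5/SHA-1 code is a minimal textbook implementation so that the example runs offline; in real code use a vetted library, and remember that SHA-1 signatures are deprecated.

```python
import base64
import gzip
import hashlib
import re
import secrets

# Constructed sample assertion; a real one comes from the identity provider and is far larger.
SAMPLE_ASSERTION = (
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    b'ID="_example" Version="2.0"><saml:Issuer>https://idp.example.com</saml:Issuer>'
    b"<saml:Subject><saml:NameID>bob</saml:NameID></saml:Subject></saml:Assertion>"
)

def compress_and_encode(assertion_xml: bytes) -> str:
    """Token value. Assumption: 'compressed-encoded' means gzip, then base64."""
    return base64.b64encode(gzip.compress(assertion_xml)).decode("ascii")

def decode_token(token: str) -> bytes:
    """Server side: reverse the encoding to recover the assertion XML."""
    return gzip.decompress(base64.b64decode(token))

# --- Minimal RSASSA-PKCS1-v1_5 with SHA-1 ("SHA1withRSA"). Textbook code so the
# example runs offline without third-party packages; use a vetted library in practice.
_SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # RFC 8017, 9.2

def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):  # Miller-Rabin with random bases
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full length
        if _is_probable_prime(c):
            return c

def generate_rsa_keypair(bits: int = 1024):
    """Return ((n, e), (n, d)), standing in for the HOK subject's key pair."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _emsa_pkcs1_v15_sha1(message: bytes, k: int) -> bytes:
    t = _SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sha1_with_rsa_sign(private_key, message: bytes) -> bytes:
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15_sha1(message, k), "big")
    return pow(em, d, n).to_bytes(k, "big")

def sha1_with_rsa_verify(public_key, message: bytes, signature: bytes) -> bool:
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return em == _emsa_pkcs1_v15_sha1(message, k)

# --- The Authorization header in the two forms shown on the page -------------
def sign_header(token: str, org: str, signature: str = None, alg: str = None) -> str:
    attrs = [f'token="{token}"', f'org="{org}"']
    if signature is not None:
        attrs += [f'signature="{signature}"', f'signature_alg="{alg}"']
    return "Sign " + ", ".join(attrs)

def bearer_login_headers(assertion_xml: bytes, org: str, api_version: str = "9.0") -> dict:
    return {"Authorization": sign_header(compress_and_encode(assertion_xml), org),
            "Accept": f"application/*;version={api_version}"}

def hok_login_headers(assertion_xml: bytes, org: str, private_key, api_version: str = "9.0") -> dict:
    # Assumption: the signature covers the token value; confirm against your version's guide.
    token = compress_and_encode(assertion_xml)
    sig = base64.b64encode(sha1_with_rsa_sign(private_key, token.encode("ascii"))).decode("ascii")
    return {"Authorization": sign_header(token, org, sig, "SHA1withRSA"),
            "Accept": f"application/*;version={api_version}"}

def parse_sign_header(value: str) -> dict:
    """Server side: split 'Sign k="v", ...' into a dict; the scheme name is case-insensitive."""
    scheme, _, rest = value.partition(" ")
    if scheme.lower() != "sign":
        raise ValueError("not a Sign authorization header")
    return dict(re.findall(r'(\w+)="([^"]*)"', rest))
```

Usage: generate a key pair with generate_rsa_keypair(), call hok_login_headers(SAMPLE_ASSERTION, "Finance", private_key) to get the headers for the second request form, and bearer_login_headers(SAMPLE_ASSERTION, "Finance") for the first. Feeding the Authorization value through parse_sign_header, then decode_token and sha1_with_rsa_verify, reproduces the checks the server performs: the token must decompress to a well-formed assertion, and for HOK the signature must verify under the key the assertion names, which is what makes the assertion unusable to anyone who merely captured it.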
The response is the same in both cases.
200 OK
...
<Session xmlns="" userUrn="urn:vcloud:user:fe50b0b5-..." user="bob" org="Finance" ... >
  <Link rel="down" type="application/" name="System" href="" />
  <Link rel="down" type="application/vnd.vmware.vcloud.query.queryList+xml" href="" />
  <Link rel="entityResolver" type="application/vnd.vmware.vcloud.entity+xml" href="" />
  <Link rel="down:extensibility" type="application/vnd.vmware.vcloud.apiextensibility+xml" href="" />
</Session>
The response includes several Link types, including:
- org: A link to your organization. See Retrieve a List of Organizations Accessible to You.
- queryList: A link to the set of typed queries the user can run. See Using the Query Service.
- entity: A link to the entity resolver. See Retrieve an Object as an Entity.
- extensibility: A link to the extensibility framework entry point. See VMware Cloud Director Extension Services.
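The Session document is what a client must check before following any of its links. The following added example (not VMware's code) parses such a response without depending on the namespace prefix, refuses it if the org or user is not the one the assertion was presented for, and indexes the Links by rel and media type so the caller can pick the queryList, entity resolver or extensibility entry point. The sample response is constructed: its namespace URI, the full userUrn, the link names and the hrefs are assumed, because the page does not reproduce them.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the response shown above. The namespace URI,
# the full userUrn, the link names and the hrefs are assumed values.
SAMPLE_SESSION = b"""<?xml version="1.0" encoding="UTF-8"?>
<Session xmlns="http://www.vmware.com/vcloud/v1.5"
         userUrn="urn:vcloud:user:fe50b0b5-1111-2222-3333-444444444444" user="bob" org="Finance">
  <Link rel="down" type="application/vnd.vmware.vcloud.org+xml" name="Finance"
        href="https://vcloud.example.com/api/org/aaaaaaaa-0000-0000-0000-000000000001"/>
  <Link rel="down" type="application/vnd.vmware.vcloud.query.queryList+xml"
        href="https://vcloud.example.com/api/query"/>
  <Link rel="entityResolver" type="application/vnd.vmware.vcloud.entity+xml"
        href="https://vcloud.example.com/api/entity/"/>
  <Link rel="down:extensibility" type="application/vnd.vmware.vcloud.apiextensibility+xml"
        href="https://vcloud.example.com/api/extensibility"/>
</Session>"""

def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]

def parse_session(body: bytes, expected_org: str, expected_user: str = None) -> dict:
    """Check the Session is the one we asked for and index its Links by (rel, type).

    A session whose org or user differs from what the assertion was presented for
    means the identity mapping is not what you think; refuse it rather than carry on.
    For responses from a server you do not trust, parse with defusedxml instead.
    """
    root = ET.fromstring(body)
    if _local(root.tag) != "Session":
        raise ValueError(f"expected a Session element, got {_local(root.tag)!r}")
    if root.get("org") != expected_org:
        raise ValueError(f"session org {root.get('org')!r} != requested {expected_org!r}")
    if expected_user is not None and root.get("user") != expected_user:
        raise ValueError(f"session user {root.get('user')!r} != requested {expected_user!r}")
    links = {}
    for el in root:
        if _local(el.tag) == "Link":
            links[(el.get("rel"), el.get("type"))] = {"href": el.get("href"), "name": el.get("name")}
    return {"user": root.get("user"), "userUrn": root.get("userUrn"),
            "org": root.get("org"), "links": links}

def find_link(session: dict, rel: str, media_subtype: str):
    """Href of the Link with this rel whose type is the given vnd.* subtype, ignoring
    the +xml / +json serialization suffix and any parameters; None if absent."""
    for (r, t), link in session["links"].items():
        if r == rel and t and t.split(";")[0].split("+")[0] == f"application/{media_subtype}":
            return link["href"]
    return None
```

Selecting links by rel plus media type, rather than by position, is what keeps a client working when the server adds or reorders Link elements; the org and user checks catch a session that was issued for a different identity than the one you intended to log in as.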