Managed Object - GuestAliasManager (vim.vm.guest.AliasManager)

Property of: GuestOperationsManager
See also: GuestAliases, GuestAuthAliasInfo, GuestAuthentication, GuestAuthSubject, GuestMappedAliases, VirtualMachine
Since: vSphere API 6.0


Managed Object Description

The GuestAliasManager supports single sign-on for virtual machine access to perform guest operations. The GuestAliasManager provides methods to create and access aliases.

A guest alias defines an association between a guest user account on a virtual machine and an external vSphere user account. The vSphere account is represented by credentials consisting of an X.509 certificate and a subject name. The certificate and subject name are encoded in SAML tokens that are provided by the VMware SSO Server. The SAML tokens are attached to guest operation requests. If the credentials in a SAML token match an alias that is defined for a virtual machine, the ESXi Server guest components grant access for execution of the guest operation in the context of the user account on the virtual machine.

To create a guest alias, use the AddGuestAlias method. AddGuestAlias establishes the association between a guest user account, certificate, and SAML token subject.

If there are no aliases defined for a virtual machine, the ESXi Server will perform standard authentication using the credentials associated with a guest operation request. If one or more aliases are defined for a virtual machine, any guest operation request that uses SAML token authentication (SAMLTokenAuthentication) must specify a token that corresponds to one of the defined aliases.

After defining one or more guest aliases, you can specify SAMLTokenAuthentication for the auth parameter to guest operation methods:

For information about obtaining a SAML token from a VMware SSO Server, see the VMware Single Sign-On Programming Guide.

You can define multiple aliases for a guest account. You can also map the credentials to an alias by setting mapCert to "true" in the call to the AddGuestAlias method. When an alias has a mapped credential, requests using that alias do not need to identify the guest account.
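The alias rules described above, as a simplified in-memory model (an added example, not VMware code and not how the guest components are implemented). The class `AliasStoreModel`, its method names and the sample certificate and subject strings are hypothetical; the fault names reuse those listed on this page.

```python
from dataclasses import dataclass, field

class GuestMultipleMappings(Exception):
    """mapCert was set but the certificate is already mapped to another user."""

class InvalidGuestLogin(Exception):
    """The presented credentials match no alias."""

@dataclass
class AliasStoreModel:
    # Hypothetical stand-in for one VM's guest alias store.
    aliases: dict = field(default_factory=dict)  # username -> {(cert, subject)}
    mapped: dict = field(default_factory=dict)   # cert -> username (mapping file)

    def add_guest_alias(self, username, map_cert, base64_cert, subject):
        owner = self.mapped.get(base64_cert)
        if map_cert and owner is not None and owner != username:
            raise GuestMultipleMappings(f"certificate already mapped to {owner}")
        self.aliases.setdefault(username, set()).add((base64_cert, subject))
        if map_cert:
            self.mapped[base64_cert] = username

    def resolve(self, token_cert, token_subject, username=None):
        """Return the guest account a SAML-token request would run as."""
        if username is None:
            # Only a mapped certificate lets the request omit the username.
            username = self.mapped.get(token_cert)
            if username is None:
                raise InvalidGuestLogin("username omitted and certificate not mapped")
        if (token_cert, token_subject) not in self.aliases.get(username, set()):
            raise InvalidGuestLogin("token matches no alias for this account")
        return username

    def remove_guest_alias_by_cert(self, username, base64_cert):
        # Drops every alias of this user that uses the certificate, plus its mapping.
        kept = {a for a in self.aliases.get(username, set()) if a[0] != base64_cert}
        self.aliases[username] = kept
        if self.mapped.get(base64_cert) == username:
            del self.mapped[base64_cert]

def demo():
    store = AliasStoreModel()
    # Constructed sample values; real certificates are base64-encoded DER strings.
    store.add_guest_alias("svc_backup", True, "CERT_A", "backup@vsphere.local")
    store.add_guest_alias("alice", False, "CERT_B", "alice@vsphere.local")
    return store
```

In this model a mapped certificate alone selects the guest account, which is why the output of ListGuestMappedAliases is worth reviewing whenever aliases are audited.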

Properties

Name Type Description
None

Methods

Methods defined in this Managed Object
AddGuestAlias, ListGuestAliases, ListGuestMappedAliases, RemoveGuestAlias, RemoveGuestAliasByCert

AddGuestAlias(addAlias)

Defines an alias for a guest account in a virtual machine. After the alias is defined, the ESXi Server will use the alias to authenticate guest operations requests.

This will add the given VMware SSO Server's certificate and a subject to the alias store of the specified user in the guest.

In order to add an alias to the guest, you must supply an existing valid credential. This can be any instance of GuestAuthentication, but must be valid for the specified guest username.

Required Privileges
None

Parameters

| Name | Type | Description |
| --- | --- | --- |
| _this | ManagedObjectReference | A reference to the GuestAliasManager used to make the method call. |
| vm | ManagedObjectReference to a VirtualMachine | Virtual machine to perform the operation on. Since vSphere API 6.0. |
| auth | GuestAuthentication | The guest authentication data for this operation. See GuestAuthentication. These credentials must satisfy authentication requirements for a guest account on the specified virtual machine. Since vSphere API 6.0. |
| username | xsd:string | Username for the guest account on the virtual machine. Since vSphere API 6.0. |
| mapCert | xsd:boolean | Indicates whether the certificate associated with the alias should be mapped. If an alias certificate is mapped, guest operation requests that use that alias do not have to specify the guest account username in the SAMLTokenAuthentication object. If mapCert is false, the request must specify the username. Since vSphere API 6.0. |
| base64Cert | xsd:string | X.509 certificate from the VMware SSO Server, in base64 encoded DER format. The ESXi Server uses this certificate to authenticate guest operation requests. Since vSphere API 6.0. |
| aliasInfo | GuestAuthAliasInfo | Specifies the subject name for authentication. The subject name (when present) corresponds to the value of the Subject element in SAML tokens. The ESXi Server uses the subject name to authenticate guest operation requests. Since vSphere API 6.0. |

Return Value

Type Description
None

Faults

| Type | Description |
| --- | --- |
| GuestComponentsOutOfDate | Thrown if the guest agent is too old to support the operation. |
| GuestMultipleMappings | Thrown if the operation fails because mapCert is set and the certificate already exists in the mapping file for a different user. |
| GuestOperationsFault | Thrown if there is an error processing a guest operation. |
| GuestOperationsUnavailable | Thrown if the VM agent for guest operations is not running. |
| GuestPermissionDenied | Thrown if there are insufficient permissions in the guest OS. |
| InvalidGuestLogin | Thrown if the guest authentication information was not accepted. |
| InvalidPowerState | Thrown if the VM is not powered on. |
| InvalidState | Thrown if the operation cannot be performed because of the virtual machine's current state. |
| OperationDisabledByGuest | Thrown if the operation is not enabled due to guest agent configuration. |
| OperationNotSupportedByGuest | Thrown if the operation is not supported by the guest OS. |
| RuntimeFault | Thrown if any type of runtime fault is thrown that is not covered by the other faults; for example, a communication error. |
| TaskInProgress | Thrown if the virtual machine is busy. |

Events

Type
None




ListGuestAliases(listAliases)

Lists the GuestAliases for a specified user in the guest that can be used for authentication of guest operations.

Required Privileges
None

Parameters

| Name | Type | Description |
| --- | --- | --- |
| _this | ManagedObjectReference | A reference to the GuestAliasManager used to make the method call. |
| vm | ManagedObjectReference to a VirtualMachine | Virtual machine to perform the operation on. Since vSphere API 6.0. |
| auth | GuestAuthentication | The guest authentication data for this operation. See GuestAuthentication. These credentials must satisfy authentication requirements for a guest account on the specified virtual machine. Since vSphere API 6.0. |
| username | xsd:string | The guest user whose Alias store is being queried. Since vSphere API 6.0. |

Return Value

Type Description
GuestAliases[]

Faults

| Type | Description |
| --- | --- |
| GuestComponentsOutOfDate | Thrown if the guest agent is too old to support the operation. |
| GuestOperationsFault | Thrown if there is an error processing a guest operation. |
| GuestOperationsUnavailable | Thrown if the agent for guest operations is not running. |
| GuestPermissionDenied | Thrown if there are insufficient permissions in the guest OS. |
| InvalidGuestLogin | Thrown if the guest authentication information was not accepted. |
| InvalidPowerState | Thrown if the VM is not powered on. |
| InvalidState | Thrown if the operation cannot be performed because of the virtual machine's current state. |
| OperationDisabledByGuest | Thrown if the operation is not enabled due to guest agent configuration. |
| OperationNotSupportedByGuest | Thrown if the operation is not supported by the guest OS. |
| RuntimeFault | Thrown if any type of runtime fault is thrown that is not covered by the other faults; for example, a communication error. |
| TaskInProgress | Thrown if the virtual machine is busy. |

Events

Type
None




ListGuestMappedAliases(listMappedAliases)

Lists the GuestMappedAliases in the guest that can be used for authentication of guest operations.

Required Privileges
None

Parameters

| Name | Type | Description |
| --- | --- | --- |
| _this | ManagedObjectReference | A reference to the GuestAliasManager used to make the method call. |
| vm | ManagedObjectReference to a VirtualMachine | Virtual machine to perform the operation on. Since vSphere API 6.0. |
| auth | GuestAuthentication | The guest authentication data for this operation. See GuestAuthentication. These credentials must satisfy authentication requirements for a guest account on the specified virtual machine. Since vSphere API 6.0. |

Return Value

Type Description
GuestMappedAliases[]

Faults

| Type | Description |
| --- | --- |
| GuestComponentsOutOfDate | Thrown if the guest agent is too old to support the operation. |
| GuestOperationsFault | Thrown if there is an error processing a guest operation. |
| GuestOperationsUnavailable | Thrown if the VM agent for guest operations is not running. |
| GuestPermissionDenied | Thrown if there are insufficient permissions in the guest OS. |
| InvalidGuestLogin | Thrown if the guest authentication information was not accepted. |
| InvalidPowerState | Thrown if the VM is not powered on. |
| InvalidState | Thrown if the operation cannot be performed because of the virtual machine's current state. |
| OperationDisabledByGuest | Thrown if the operation is not enabled due to guest agent configuration. |
| OperationNotSupportedByGuest | Thrown if the operation is not supported by the guest OS. |
| RuntimeFault | Thrown if any type of runtime fault is thrown that is not covered by the other faults; for example, a communication error. |
| TaskInProgress | Thrown if the virtual machine is busy. |

Events

Type
None




RemoveGuestAlias(removeAlias)

Removes an alias from the guest so it can no longer be used for authentication of guest operations. It will also be removed from the mapped credentials.

Required Privileges
None

Parameters

| Name | Type | Description |
| --- | --- | --- |
| _this | ManagedObjectReference | A reference to the GuestAliasManager used to make the method call. |
| vm | ManagedObjectReference to a VirtualMachine | Virtual machine to perform the operation on. Since vSphere API 6.0. |
| auth | GuestAuthentication | The guest authentication data for this operation. See GuestAuthentication. These credentials must satisfy authentication requirements for a guest account on the specified virtual machine. Since vSphere API 6.0. |
| username | xsd:string | Username for the guest account on the virtual machine. Since vSphere API 6.0. |
| base64Cert | xsd:string | The X.509 certificate associated with the alias to be removed, in base64 encoded DER format. Since vSphere API 6.0. |
| subject | GuestAuthSubject | The subject of the alias. Since vSphere API 6.0. |

Return Value

Type Description
None

Faults

| Type | Description |
| --- | --- |
| GuestComponentsOutOfDate | Thrown if the guest agent is too old to support the operation. |
| GuestOperationsFault | Thrown if there is an error processing a guest operation. |
| GuestOperationsUnavailable | Thrown if the VM agent for guest operations is not running. |
| GuestPermissionDenied | Thrown if there are insufficient permissions in the guest OS. |
| InvalidGuestLogin | Thrown if the guest authentication information was not accepted. |
| InvalidPowerState | Thrown if the VM is not powered on. |
| InvalidState | Thrown if the operation cannot be performed because of the virtual machine's current state. |
| OperationDisabledByGuest | Thrown if the operation is not enabled due to guest agent configuration. |
| OperationNotSupportedByGuest | Thrown if the operation is not supported by the guest OS. |
| RuntimeFault | Thrown if any type of runtime fault is thrown that is not covered by the other faults; for example, a communication error. |
| TaskInProgress | Thrown if the virtual machine is busy. |

Events

Type
None




RemoveGuestAliasByCert(removeAliasByCert)

Removes a VMware SSO Server's certificate and all associated aliases from the guest so it can no longer be used for authentication of guest operations. It will also be removed from the global certificate-to-user mapping file in the guest.

Required Privileges
None

Parameters

| Name | Type | Description |
| --- | --- | --- |
| _this | ManagedObjectReference | A reference to the GuestAliasManager used to make the method call. |
| vm | ManagedObjectReference to a VirtualMachine | Virtual machine to perform the operation on. Since vSphere API 6.0. |
| auth | GuestAuthentication | The guest authentication data for this operation. See GuestAuthentication. These credentials must satisfy authentication requirements for a guest account on the specified virtual machine. Since vSphere API 6.0. |
| username | xsd:string | Username for the guest account on the virtual machine. Since vSphere API 6.0. |
| base64Cert | xsd:string | The X.509 certificate to be removed, in base64 encoded DER format. Since vSphere API 6.0. |

Return Value

Type Description
None

Faults

| Type | Description |
| --- | --- |
| GuestComponentsOutOfDate | Thrown if the guest agent is too old to support the operation. |
| GuestOperationsFault | Thrown if there is an error processing a guest operation. |
| GuestOperationsUnavailable | Thrown if the VM agent for guest operations is not running. |
| GuestPermissionDenied | Thrown if there are insufficient permissions in the guest OS. |
| InvalidGuestLogin | Thrown if the guest authentication information was not accepted. |
| InvalidPowerState | Thrown if the VM is not powered on. |
| InvalidState | Thrown if the operation cannot be performed because of the virtual machine's current state. |
| OperationDisabledByGuest | Thrown if the operation is not enabled due to guest agent configuration. |
| OperationNotSupportedByGuest | Thrown if the operation is not supported by the guest OS. |
| RuntimeFault | Thrown if any type of runtime fault is thrown that is not covered by the other faults; for example, a communication error. |
| TaskInProgress | Thrown if the virtual machine is busy. |

Events

Type
None
