REST API - create

vcenter identity providers: create

Create a vCenter Server identity provider. This operation was added in vSphere API 7.0.0.0.

Request:

HTTP request

POST https://{server}/rest/vcenter/identity/providers

Request Body Structure:

{
    "spec" : {
        "idm_protocol" : "REST",
        "config_tag" : "Oauth2",
        "org_ids" : [
            "string",
            "string"
        ],
        "upn_claim" : "string",
        "oauth2" : {
            "authentication_method" : "CLIENT_SECRET_BASIC",
            "public_key_uri" : "http://myurl.com",
            "claim_map" : [
                {
                    "value" : [
                        {
                            "value" : [
                                "string",
                                "string"
                            ],
                            "key" : "string"
                        }
                    ],
                    "key" : "string"
                }
            ],
            "auth_endpoint" : "http://myurl.com",
            "client_secret" : "string",
            "auth_query_params" : [
                {
                    "value" : [
                        "string",
                        "string"
                    ],
                    "key" : "string"
                }
            ],
            "client_id" : "string",
            "issuer" : "string",
            "token_endpoint" : "http://myurl.com"
        },
        "is_default" : true,
        "auth_query_params" : [
            {
                "value" : [
                    "string",
                    "string"
                ],
                "key" : "string"
            }
        ],
        "oidc" : {
            "claim_map" : [
                {
                    "value" : [
                        {
                            "value" : [
                                "string",
                                "string"
                            ],
                            "key" : "string"
                        }
                    ],
                    "key" : "string"
                }
            ],
            "client_secret" : "string",
            "discovery_endpoint" : "http://myurl.com",
            "client_id" : "string"
        },
        "idm_endpoints" : [
            "http://myurl.com",
            "http://myurl.com"
        ],
        "domain_names" : [
            "string",
            "string"
        ],
        "groups_claim" : "string",
        "active_directory_over_ldap" : {
            "groups_base_dn" : "string",
            "password" : "secret string",
            "user_name" : "string",
            "users_base_dn" : "string",
            "server_endpoints" : [
                "http://myurl.com",
                "http://myurl.com"
            ],
            "cert_chain" : {
                "cert_chain" : [
                    "string",
                    "string"
                ]
            }
        },
        "provider" : "obj-103",
        "name" : "string"
    }
}

Request Body Parameters:

Name	Type	Description
bold = required
spec	create_spec	the CreateSpec contains the information used to create the provider.
spec.provider	string	Unique identifier for this provider. Client can specify at creation as long as it is unique, otherwise one will be generated. For example, if the UI receives a login request via a URL that includes '?idp=operators', it will redirect the user to the log-on page for the 'operators' provider. Warning: This attribute is part of a new feature in development. It may be changed at any time and may not have all supported functionality implemented. Optional. A unique id will be generated if not given.When clients pass a value of this structure as a parameter, the field must be an identifier for the resource type: `com.vmware.vcenter.identity.Providers`. When operations return a value of this structure as a result, the field will be an identifier for the resource type: `com.vmware.vcenter.identity.Providers`.
spec.config_tag	string	The config type of the identity provider. This attribute was added in vSphere API 7.0.0.0. The `config_type` structure contains the possible types of vCenter Server identity providers. This enumeration was added in vSphere API 7.0.0.0. Value is one of: Oauth2: Config for OAuth2. This constant was added in vSphere API 7.0.0.0. Oidc: Config for OIDC. This constant was added in vSphere API 7.0.0.0.
spec.oauth2	oauth2_create_spec	OAuth2 CreateSpec. This attribute was added in vSphere API 7.0.0.0. Optional. It is only relevant when config_tag has value Oauth2. This field is optional and it is only relevant when the value of `config_tag` is oauth2.
spec.oauth2.auth_endpoint	URI	Authentication/authorization endpoint of the provider. This attribute was added in vSphere API 7.0.0.0.
spec.oauth2.token_endpoint	URI	Token endpoint of the provider. This attribute was added in vSphere API 7.0.0.0.
spec.oauth2.public_key_uri	URI	Endpoint to retrieve the provider public key for validation. This attribute was added in vSphere API 7.0.0.0.
spec.oauth2.client_id	string	Client identifier to connect to the provider. This attribute was added in vSphere API 7.0.0.0.
spec.oauth2.client_secret	string	The secret shared between the client and the provider. This attribute was added in vSphere API 7.0.0.0.
spec.oauth2.claim_map	list	The map used to transform an OAuth2 claim to a corresponding claim that vCenter Server understands. Currently only the key "perms" is supported. The key "perms" is used for mapping the "perms" claim of incoming JWT. The value is another map with an external group as the key and a vCenter Server group as value. This attribute was added in vSphere API 7.0.0.0. List of {"key": string, "value": list}
spec.oauth2.claim_map[].key	string
spec.oauth2.claim_map[].value	list	List of {"key": string, "value": string[]}
spec.oauth2.claim_map[].value[].key	string
spec.oauth2.claim_map[].value[].value	string[]
spec.oauth2.issuer	string	The identity provider namespace. It is used to validate the issuer in the acquired OAuth2 token. This attribute was added in vSphere API 7.0.0.0.
spec.oauth2.authentication_method	string	Authentication method used by the provider. This attribute was added in vSphere API 7.0.0.0. The `oauth2_authentication_method` structure contains the possible types of OAuth2 authentication methods. This enumeration was added in vSphere API 7.0.0.0. Value is one of: CLIENT_SECRET_BASIC: Clients that have received a client_secret value from the Authorization Server, authenticate with the Authorization Server in accordance with Section 3.2.1 of OAuth 2.0 [RFC6749] using the HTTP Basic authentication scheme. This constant was added in vSphere API 7.0.0.0. CLIENT_SECRET_POST: Clients that have received a client_secret value from the Authorization Server, authenticate with the Authorization Server in accordance with Section 3.2.1 of OAuth 2.0 [RFC6749] by including the Client Credentials in the request body. This constant was added in vSphere API 7.0.0.0. CLIENT_SECRET_JWT: Clients that have received a client_secret value from the Authorization Server, create a JWT using an HMAC SHA algorithm, such as HMAC SHA-256. The HMAC (Hash-based Message Authentication Code) is calculated using the octets of the UTF-8 representation of the client_secret as the shared key. This constant was added in vSphere API 7.0.0.0. PRIVATE_KEY_JWT: Clients that have registered a public key sign a JWT using that key. The client authenticates in accordance with JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants [OAuth.JWT] and Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants [OAuth.Assertions]. This constant was added in vSphere API 7.0.0.0.
spec.oauth2.auth_query_params	list	key/value pairs that are to be appended to the authEndpoint request. How to append to authEndpoint request: If the map is not empty, a "?" is added to the endpoint URL, and combination of each k and each string in the v is added with an "&" delimiter. Details: If the value contains only one string, then the key is added with "k=v". If the value is an empty list, then the key is added without a "=v". If the value contains multiple strings, then the key is repeated in the query-string for each string in the value. . This attribute was added in vSphere API 7.0.0.0. Optional. If unset, the map will be empty.
spec.oidc	oidc_create_spec	OIDC CreateSpec. This attribute was added in vSphere API 7.0.0.0. Optional. It is only relevant when config_tag has value Oidc. This field is optional and it is only relevant when the value of `config_tag` is oidc.
spec.oidc.discovery_endpoint	URI	Endpoint to retrieve the provider metadata. This attribute was added in vSphere API 7.0.0.0.
spec.oidc.client_id	string	Client identifier to connect to the provider. This attribute was added in vSphere API 7.0.0.0.
spec.oidc.client_secret	string	The secret shared between the client and the provider. This attribute was added in vSphere API 7.0.0.0.
spec.oidc.claim_map	list	The map used to transform an OAuth2 claim to a corresponding claim that vCenter Server understands. Currently only the key "perms" is supported. The key "perms" is used for mapping the "perms" claim of incoming JWT. The value is another map with an external group as the key and a vCenter Server group as value. This attribute was added in vSphere API 7.0.0.0. List of {"key": string, "value": list}
spec.org_ids	string[]	The set of orgIds as part of SDDC creation which provides the basis for tenancy. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, the set will be empty.
spec.is_default	boolean	Specifies whether the provider is the default provider. Setting `is_default` of current provider to True makes all other providers non-default. If no other providers created in this vCenter Server before, this parameter will be disregarded, and the provider will always be set to the default. This attribute was added in vSphere API 7.0.0.0. Optional. If unset the provider will be the default provider if it is the first provider that is created, and will not be the default provider otherwise.
spec.name	string	The user friendly name for the provider. This name can be used for human-readable identification purposes, but it does not have to be unique, as the system will use internal UUIDs to differentiate providers. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, the name will be the empty string.
spec.domain_names	string[]	Set of fully qualified domain names to trust when federating with this identity provider. Tokens from this identity provider will only be validated if the user belongs to one of these domains, and any domain-qualified groups in the tokens will be filtered to include only those groups that belong to one of these domains. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, domainNames will be the empty set and the domain validation behavior at login with this identity provider will be as follows: the user's domain will be parsed from the User Principal Name (UPN) value that is found in the tokens returned by the identity provider. This domain will then be implicitly trusted and used to filter any groups that are also provided in the tokens.
spec.auth_query_params	list	key/value pairs that are to be appended to the authEndpoint request. How to append to authEndpoint request: If the map is not empty, a "?" is added to the endpoint URL, and combination of each k and each string in the v is added with an "&" delimiter. Details: If the value contains only one string, then the key is added with "k=v". If the value is an empty list, then the key is added without a "=v". If the value contains multiple strings, then the key is repeated in the query-string for each string in the value. . This attribute was added in vSphere API 7.0.0.0. Optional. If unset, the map will be empty.
spec.idm_protocol	string	Communication protocol to the identity management endpoints. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, no communication protocol will be configured for the identity provider.
spec.idm_endpoints	URI[]	Identity management endpoints. When specified, at least one endpoint must be provided. This attribute was added in vSphere API 7.0.0.0. Optional. It is only relevant when idm_protocol has value [REST, SCIM, SCIM2_0]. This field is optional and it is only relevant when the value of `idm_protocol` is one of REST, SCIM, or scim2_0.
spec.active_directory_over_ldap	active_directory_over_ldap	Identity management configuration. If the protocol is LDAP, the configuration must be set, else InvalidArgument is thrown. This attribute was added in vSphere API 7.0.0.0. Optional. It is only relevant when idm_protocol has value LDAP. This field is optional and it is only relevant when the value of `idm_protocol` is LDAP.
spec.active_directory_over_ldap.user_name	string	User name to connect to the active directory server. This attribute was added in vSphere API 7.0.0.0.
spec.active_directory_over_ldap.password	secret	Password to connect to the active directory server. This attribute was added in vSphere API 7.0.0.0.
spec.active_directory_over_ldap.users_base_dn	string	Base distinguished name for users. This attribute was added in vSphere API 7.0.0.0.
spec.active_directory_over_ldap.groups_base_dn	string	Base distinguished name for groups. This attribute was added in vSphere API 7.0.0.0.
spec.active_directory_over_ldap.server_endpoints	URI[]	Active directory server endpoints. At least one active directory server endpoint must be set. This attribute was added in vSphere API 7.0.0.0.
spec.active_directory_over_ldap.cert_chain	x509_cert_chain	SSL certificate chain in base64 encoding. This attribute was added in vSphere API 7.0.0.0. Optional. This field can be unset only, if all the active directory server endpoints use the LDAP (not LDAPS) protocol.
spec.active_directory_over_ldap.cert_chain.cert_chain	string[]	Certificate chain in base64 format. This attribute was added in vSphere API 6.7.2.
spec.upn_claim	string	Specifies which claim provides the user principal name (UPN) for the user. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, the claim named 'acct' will be used to provide backwards compatibility with CSP.
spec.groups_claim	string	Specifies which claim provides the group membership for the token subject. These groups will be used for mapping to local groups per the claim map. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, the default behavior will be CSP backwards compatiblility. The groups for the subject will be comprised of the groups in 'group_names' and 'group_ids' claims.

Response:

HTTP Status Code: 200

Representation:

{
"value" : "obj-103"
}

Response Type:

Name	Type	Description
bold = required
value	string	The identifier of the created identity provider.

Errors:

HTTP Status Code	Type	Description
403	unauthorized	if authorization is not given to caller.
400	invalid_argument	if invalid arguments are provided in createSpec.
400	already_exists	if provider exists for provider ID in given spec.