vcenter identity providers: update spec
The
update_spec
structure contains the information used to update the identity provider. This structure was added in vSphere API 7.0.0.0.Representation:
{
"idm_protocol" : "REST",
"reset_upn_claim" : true,
"config_tag" : "Oauth2",
"org_ids" : [
"string",
"string"
],
"upn_claim" : "string",
"oauth2" : {
"authentication_method" : "CLIENT_SECRET_BASIC",
"public_key_uri" : "http://myurl.com",
"claim_map" : {
"<string>" : {
"<string>" : [
"string",
"string"
]
}
},
"auth_endpoint" : "http://myurl.com",
"client_secret" : "string",
"auth_query_params" : {
"<string>" : [
"string",
"string"
]
},
"client_id" : "string",
"issuer" : "string",
"token_endpoint" : "http://myurl.com"
},
"auth_query_params" : {
"<string>" : [
"string",
"string"
]
},
"oidc" : {
"claim_map" : {
"<string>" : {
"<string>" : [
"string",
"string"
]
}
},
"client_secret" : "string",
"discovery_endpoint" : "http://myurl.com",
"client_id" : "string"
},
"idm_endpoints" : [
"http://myurl.com",
"http://myurl.com"
],
"domain_names" : [
"string",
"string"
],
"make_default" : true,
"reset_groups_claim" : true,
"groups_claim" : "string",
"active_directory_over_ldap" : {
"groups_base_dn" : "string",
"password" : "secret string",
"user_name" : "string",
"users_base_dn" : "string",
"server_endpoints" : [
"http://myurl.com",
"http://myurl.com"
],
"cert_chain" : {
"cert_chain" : [
"string",
"string"
]
}
},
"name" : "string"
}
"idm_protocol" : "REST",
"reset_upn_claim" : true,
"config_tag" : "Oauth2",
"org_ids" : [
"string",
"string"
],
"upn_claim" : "string",
"oauth2" : {
"authentication_method" : "CLIENT_SECRET_BASIC",
"public_key_uri" : "http://myurl.com",
"claim_map" : {
"<string>" : {
"<string>" : [
"string",
"string"
]
}
},
"auth_endpoint" : "http://myurl.com",
"client_secret" : "string",
"auth_query_params" : {
"<string>" : [
"string",
"string"
]
},
"client_id" : "string",
"issuer" : "string",
"token_endpoint" : "http://myurl.com"
},
"auth_query_params" : {
"<string>" : [
"string",
"string"
]
},
"oidc" : {
"claim_map" : {
"<string>" : {
"<string>" : [
"string",
"string"
]
}
},
"client_secret" : "string",
"discovery_endpoint" : "http://myurl.com",
"client_id" : "string"
},
"idm_endpoints" : [
"http://myurl.com",
"http://myurl.com"
],
"domain_names" : [
"string",
"string"
],
"make_default" : true,
"reset_groups_claim" : true,
"groups_claim" : "string",
"active_directory_over_ldap" : {
"groups_base_dn" : "string",
"password" : "secret string",
"user_name" : "string",
"users_base_dn" : "string",
"server_endpoints" : [
"http://myurl.com",
"http://myurl.com"
],
"cert_chain" : {
"cert_chain" : [
"string",
"string"
]
}
},
"name" : "string"
}
{
"idm_protocol" : "REST",
"reset_upn_claim" : true,
"config_tag" : "Oauth2",
"org_ids" : [
"string",
"string"
],
"upn_claim" : "string",
"oauth2" : {
"authentication_method" : "CLIENT_SECRET_BASIC",
"public_key_uri" : "http://myurl.com",
"claim_map" : [
{
"value" : [
{
"value" : [
"string",
"string"
],
"key" : "string"
}
],
"key" : "string"
}
],
"auth_endpoint" : "http://myurl.com",
"client_secret" : "string",
"auth_query_params" : [
{
"value" : [
"string",
"string"
],
"key" : "string"
}
],
"client_id" : "string",
"issuer" : "string",
"token_endpoint" : "http://myurl.com"
},
"auth_query_params" : [
{
"value" : [
"string",
"string"
],
"key" : "string"
}
],
"oidc" : {
"claim_map" : [
{
"value" : [
{
"value" : [
"string",
"string"
],
"key" : "string"
}
],
"key" : "string"
}
],
"client_secret" : "string",
"discovery_endpoint" : "http://myurl.com",
"client_id" : "string"
},
"idm_endpoints" : [
"http://myurl.com",
"http://myurl.com"
],
"domain_names" : [
"string",
"string"
],
"make_default" : true,
"reset_groups_claim" : true,
"groups_claim" : "string",
"active_directory_over_ldap" : {
"groups_base_dn" : "string",
"password" : "secret string",
"user_name" : "string",
"users_base_dn" : "string",
"server_endpoints" : [
"http://myurl.com",
"http://myurl.com"
],
"cert_chain" : {
"cert_chain" : [
"string",
"string"
]
}
},
"name" : "string"
}
"idm_protocol" : "REST",
"reset_upn_claim" : true,
"config_tag" : "Oauth2",
"org_ids" : [
"string",
"string"
],
"upn_claim" : "string",
"oauth2" : {
"authentication_method" : "CLIENT_SECRET_BASIC",
"public_key_uri" : "http://myurl.com",
"claim_map" : [
{
"value" : [
{
"value" : [
"string",
"string"
],
"key" : "string"
}
],
"key" : "string"
}
],
"auth_endpoint" : "http://myurl.com",
"client_secret" : "string",
"auth_query_params" : [
{
"value" : [
"string",
"string"
],
"key" : "string"
}
],
"client_id" : "string",
"issuer" : "string",
"token_endpoint" : "http://myurl.com"
},
"auth_query_params" : [
{
"value" : [
"string",
"string"
],
"key" : "string"
}
],
"oidc" : {
"claim_map" : [
{
"value" : [
{
"value" : [
"string",
"string"
],
"key" : "string"
}
],
"key" : "string"
}
],
"client_secret" : "string",
"discovery_endpoint" : "http://myurl.com",
"client_id" : "string"
},
"idm_endpoints" : [
"http://myurl.com",
"http://myurl.com"
],
"domain_names" : [
"string",
"string"
],
"make_default" : true,
"reset_groups_claim" : true,
"groups_claim" : "string",
"active_directory_over_ldap" : {
"groups_base_dn" : "string",
"password" : "secret string",
"user_name" : "string",
"users_base_dn" : "string",
"server_endpoints" : [
"http://myurl.com",
"http://myurl.com"
],
"cert_chain" : {
"cert_chain" : [
"string",
"string"
]
}
},
"name" : "string"
}
Attributes:
Name | Type | Description |
---|---|---|
Required | ||
-.config_tag | string | The config type of the identity provider. This attribute was added in vSphere API 7.0.0.0. The config_type structure contains the possible types of vCenter Server identity providers. This enumeration was added in vSphere API 7.0.0.0. Value is one of:Oauth2: Config for OAuth2. This constant was added in vSphere API 7.0.0.0. Oidc: Config for OIDC. This constant was added in vSphere API 7.0.0.0. |
-.oauth2.claim_map.* | object | Object with element values of type string[]. |
-.oauth2.claim_map.*.* | string[] | |
-.oauth2.auth_query_params.* | string[] | |
-.oidc.claim_map.* | object | Object with element values of type string[]. |
-.oidc.claim_map.*.* | string[] | |
-.auth_query_params.* | string[] | |
-.active_directory_over_ldap.user_name | string | User name to connect to the active directory server. This attribute was added in vSphere API 7.0.0.0. |
-.active_directory_over_ldap.password | secret | Password to connect to the active directory server. This attribute was added in vSphere API 7.0.0.0. |
-.active_directory_over_ldap.users_base_dn | string | Base distinguished name for users. This attribute was added in vSphere API 7.0.0.0. |
-.active_directory_over_ldap.groups_base_dn | string | Base distinguished name for groups. This attribute was added in vSphere API 7.0.0.0. |
-.active_directory_over_ldap.server_endpoints | URI[] | Active directory server endpoints. At least one active directory server endpoint must be set. This attribute was added in vSphere API 7.0.0.0. |
-.active_directory_over_ldap.cert_chain.cert_chain | string[] | Certificate chain in base64 format. This attribute was added in vSphere API 6.7.2. |
Optional | ||
-.oauth2 | oauth2_update_spec | OAuth2 UpdateSpec. This attribute was added in vSphere API 7.0.0.0. Optional. It is only relevant when config_tag has value Oauth2. This field is optional and it is only relevant when the value of config_tag is oauth2. |
-.oauth2.auth_endpoint | URI | Authentication/authorization endpoint of the provider. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
-.oauth2.token_endpoint | URI | Token endpoint of the provider. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
-.oauth2.public_key_uri | URI | Endpoint to retrieve the provider public key for validation. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
-.oauth2.client_id | string | Client identifier to connect to the provider. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
-.oauth2.client_secret | string | Shared secret between identity provider and client. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
-.oauth2.claim_map | object | The map used to transform an OAuth2 claim to a corresponding claim that vCenter Server understands. Currently only the key "perms" is supported. The key "perms" is used for mapping the "perms" claim of incoming JWT. The value is another map with an external group as the key and a vCenter Server group as value. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
-.oauth2.issuer | string | The identity provider namespace. It is used to validate the issuer in the acquired OAuth2 token. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
-.oauth2.authentication_method | string | Authentication method used by the provider. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
-.oauth2.auth_query_params | object | key/value pairs that are to be appended to the authEndpoint request. How to append to authEndpoint request: If the map is not empty, a "?" is added to the endpoint URL, and combination of each k and each string in the v is added with an "&" delimiter. Details: If the value contains only one string, then the key is added with "k=v". If the value is an empty list, then the key is added without a "=v". If the value contains multiple strings, then the key is repeated in the query-string for each string in the value. If the map is empty, deletes all params. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
-.oidc | oidc_update_spec | OIDC UpdateSpec. This attribute was added in vSphere API 7.0.0.0. Optional. It is only relevant when config_tag has value Oidc. This field is optional and it is only relevant when the value of config_tag is oidc. |
-.oidc.discovery_endpoint | URI | Endpoint to retrieve the provider metadata. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
-.oidc.client_id | string | Client identifier to connect to the provider. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
-.oidc.client_secret | string | The secret shared between the client and the provider. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
-.oidc.claim_map | object | The map used to transform an OAuth2 claim to a corresponding claim that vCenter Server understands. Currently only the key "perms" is supported. The key "perms" is used for mapping the "perms" claim of incoming JWT. The value is another map with an external group as the key and a vCenter Server group as value. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
-.org_ids | string[] | The set orgIds as part of SDDC creation which provides the basis for tenancy. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
-.make_default | boolean | Specifies whether to make this the default provider. If make_default is set to true, this provider will be flagged as the default provider and any other providers that had previously been flagged as the default will be made non-default. If make_default is set to false, this provider's default flag will not be modified. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
-.name | string | The user friendly name for the provider. This name can be used for human-readable identification purposes, but it does not have to be unique, as the system will use internal UUIDs to differentiate providers. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
-.domain_names | string[] | Set of fully qualified domain names to trust when federating with this identity provider. Tokens from this identity provider will only be validated if the user belongs to one of these domains, and any domain-qualified groups in the tokens will be filtered to include only those groups that belong to one of these domains. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. If domainNames is an empty set, domain validation behavior at login with this identity provider will be as follows: the user's domain will be parsed from the User Principal Name (UPN) value that is found in the tokens returned by the identity provider. This domain will then be implicitly trusted and used to filter any groups that are also provided in the tokens. |
-.auth_query_params | object | key/value pairs that are to be appended to the authEndpoint request. How to append to authEndpoint request: If the map is not empty, a "?" is added to the endpoint URL, and combination of each k and each string in the v is added with an "&" delimiter. Details: If the value contains only one string, then the key is added with "k=v". If the value is an empty list, then the key is added without a "=v". If the value contains multiple strings, then the key is repeated in the query-string for each string in the value. If the map is empty, deletes all params. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
-.idm_protocol | string | The protocol to communicate to the identity management endpoints. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leave value unchanged. |
-.idm_endpoints | URI[] | Identity management endpoints. When specified, at least one endpoint must be provided. This attribute was added in vSphere API 7.0.0.0. Optional. It is only relevant when idm_protocol has value [REST, SCIM, SCIM2_0]. This field is optional and it is only relevant when the value of idm_protocol is one of REST, SCIM, or scim2_0. |
-.active_directory_over_ldap | active_directory_over_ldap | Identity management configuration. If the protocol is LDAP, the configuration must be set, else InvalidArgument is thrown. This attribute was added in vSphere API 7.0.0.0. Optional. It is only relevant when idm_protocol has value LDAP. This field is optional and it is only relevant when the value of idm_protocol is LDAP. |
-.active_directory_over_ldap.cert_chain | x509_cert_chain | SSL certificate chain in base64 encoding. This attribute was added in vSphere API 7.0.0.0. Optional. This field can be unset only, if all the active directory server endpoints use the LDAP (not LDAPS) protocol. |
-.upn_claim | string | Specifies which claim provides the user principal name (UPN) for the subject of the token. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
-.reset_upn_claim | boolean | Flag indicating whether the user principal name (UPN) claim should be set back to its default value. If this field is set to true , the user principal name (UPN) claim will be set to 'acct', which is used for backwards compatibility with CSP. If this field is set to false , the existing user principal name (UPN) claim will be changed to the value specified in vcenter.identity.providers.update_spec.upn_claim, if any. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, the existing user principal name (UPN) claim will be changed to the value specified in vcenter.identity.providers.update_spec.upn_claim, if any. |
-.groups_claim | string | Specifies which claim provides the group membership for the token subject. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
-.reset_groups_claim | boolean | Flag indicating whether any existing groups claim value should be removed. If this field is set to true , the existing groups claim value is removed which defaults to backwards compatibility with CSP. In this case, the groups for the subject will be comprised of the groups in 'group_names' and 'group_ids' claims. If this field is set to false , the existing groups claim will be changed to the value specified in vcenter.identity.providers.update_spec.groups_claim, if any. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, the existing groups claim will be changed to the value specified in vcenter.identity.providers.update_spec.groups_claim, if any. |
Attributes:
Name | Type | Description |
---|---|---|
Required | ||
config_tag | string | The config type of the identity provider. This attribute was added in vSphere API 7.0.0.0. The config_type structure contains the possible types of vCenter Server identity providers. This enumeration was added in vSphere API 7.0.0.0. Value is one of:Oauth2: Config for OAuth2. This constant was added in vSphere API 7.0.0.0. Oidc: Config for OIDC. This constant was added in vSphere API 7.0.0.0. |
oauth2.claim_map[].key | string | |
oauth2.claim_map[].value | list | List of {"key": string, "value": string[]} |
oauth2.claim_map[].value[].key | string | |
oauth2.claim_map[].value[].value | string[] | |
active_directory_over_ldap.user_name | string | User name to connect to the active directory server. This attribute was added in vSphere API 7.0.0.0. |
active_directory_over_ldap.password | secret | Password to connect to the active directory server. This attribute was added in vSphere API 7.0.0.0. |
active_directory_over_ldap.users_base_dn | string | Base distinguished name for users. This attribute was added in vSphere API 7.0.0.0. |
active_directory_over_ldap.groups_base_dn | string | Base distinguished name for groups. This attribute was added in vSphere API 7.0.0.0. |
active_directory_over_ldap.server_endpoints | URI[] | Active directory server endpoints. At least one active directory server endpoint must be set. This attribute was added in vSphere API 7.0.0.0. |
active_directory_over_ldap.cert_chain.cert_chain | string[] | Certificate chain in base64 format. This attribute was added in vSphere API 6.7.2. |
Optional | ||
oauth2 | oauth2_update_spec | OAuth2 UpdateSpec. This attribute was added in vSphere API 7.0.0.0. Optional. It is only relevant when config_tag has value Oauth2. This field is optional and it is only relevant when the value of config_tag is oauth2. |
oauth2.auth_endpoint | URI | Authentication/authorization endpoint of the provider. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
oauth2.token_endpoint | URI | Token endpoint of the provider. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
oauth2.public_key_uri | URI | Endpoint to retrieve the provider public key for validation. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
oauth2.client_id | string | Client identifier to connect to the provider. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
oauth2.client_secret | string | Shared secret between identity provider and client. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
oauth2.claim_map | list | The map used to transform an OAuth2 claim to a corresponding claim that vCenter Server understands. Currently only the key "perms" is supported. The key "perms" is used for mapping the "perms" claim of incoming JWT. The value is another map with an external group as the key and a vCenter Server group as value. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
oauth2.issuer | string | The identity provider namespace. It is used to validate the issuer in the acquired OAuth2 token. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
oauth2.authentication_method | string | Authentication method used by the provider. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
oauth2.auth_query_params | list | key/value pairs that are to be appended to the authEndpoint request. How to append to authEndpoint request: If the map is not empty, a "?" is added to the endpoint URL, and combination of each k and each string in the v is added with an "&" delimiter. Details: If the value contains only one string, then the key is added with "k=v". If the value is an empty list, then the key is added without a "=v". If the value contains multiple strings, then the key is repeated in the query-string for each string in the value. If the map is empty, deletes all params. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
oidc | oidc_update_spec | OIDC UpdateSpec. This attribute was added in vSphere API 7.0.0.0. Optional. It is only relevant when config_tag has value Oidc. This field is optional and it is only relevant when the value of config_tag is oidc. |
oidc.discovery_endpoint | URI | Endpoint to retrieve the provider metadata. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
oidc.client_id | string | Client identifier to connect to the provider. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
oidc.client_secret | string | The secret shared between the client and the provider. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
oidc.claim_map | list | The map used to transform an OAuth2 claim to a corresponding claim that vCenter Server understands. Currently only the key "perms" is supported. The key "perms" is used for mapping the "perms" claim of incoming JWT. The value is another map with an external group as the key and a vCenter Server group as value. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
org_ids | string[] | The set orgIds as part of SDDC creation which provides the basis for tenancy. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
make_default | boolean | Specifies whether to make this the default provider. If make_default is set to true, this provider will be flagged as the default provider and any other providers that had previously been flagged as the default will be made non-default. If make_default is set to false, this provider's default flag will not be modified. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
name | string | The user friendly name for the provider. This name can be used for human-readable identification purposes, but it does not have to be unique, as the system will use internal UUIDs to differentiate providers. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
domain_names | string[] | Set of fully qualified domain names to trust when federating with this identity provider. Tokens from this identity provider will only be validated if the user belongs to one of these domains, and any domain-qualified groups in the tokens will be filtered to include only those groups that belong to one of these domains. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. If domainNames is an empty set, domain validation behavior at login with this identity provider will be as follows: the user's domain will be parsed from the User Principal Name (UPN) value that is found in the tokens returned by the identity provider. This domain will then be implicitly trusted and used to filter any groups that are also provided in the tokens. |
auth_query_params | list | key/value pairs that are to be appended to the authEndpoint request. How to append to authEndpoint request: If the map is not empty, a "?" is added to the endpoint URL, and combination of each k and each string in the v is added with an "&" delimiter. Details: If the value contains only one string, then the key is added with "k=v". If the value is an empty list, then the key is added without a "=v". If the value contains multiple strings, then the key is repeated in the query-string for each string in the value. If the map is empty, deletes all params. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
idm_protocol | string | The protocol to communicate to the identity management endpoints. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leave value unchanged. |
idm_endpoints | URI[] | Identity management endpoints. When specified, at least one endpoint must be provided. This attribute was added in vSphere API 7.0.0.0. Optional. It is only relevant when idm_protocol has value [REST, SCIM, SCIM2_0]. This field is optional and it is only relevant when the value of idm_protocol is one of REST, SCIM, or scim2_0. |
active_directory_over_ldap | active_directory_over_ldap | Identity management configuration. If the protocol is LDAP, the configuration must be set, else InvalidArgument is thrown. This attribute was added in vSphere API 7.0.0.0. Optional. It is only relevant when idm_protocol has value LDAP. This field is optional and it is only relevant when the value of idm_protocol is LDAP. |
active_directory_over_ldap.cert_chain | x509_cert_chain | SSL certificate chain in base64 encoding. This attribute was added in vSphere API 7.0.0.0. Optional. This field can be unset only, if all the active directory server endpoints use the LDAP (not LDAPS) protocol. |
upn_claim | string | Specifies which claim provides the user principal name (UPN) for the subject of the token. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
reset_upn_claim | boolean | Flag indicating whether the user principal name (UPN) claim should be set back to its default value. If this field is set to true , the user principal name (UPN) claim will be set to 'acct', which is used for backwards compatibility with CSP. If this field is set to false , the existing user principal name (UPN) claim will be changed to the value specified in vcenter.identity.providers.update_spec.upn_claim, if any. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, the existing user principal name (UPN) claim will be changed to the value specified in vcenter.identity.providers.update_spec.upn_claim, if any. |
groups_claim | string | Specifies which claim provides the group membership for the token subject. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, leaves value unchanged. |
reset_groups_claim | boolean | Flag indicating whether any existing groups claim value should be removed. If this field is set to true , the existing groups claim value is removed which defaults to backwards compatibility with CSP. In this case, the groups for the subject will be comprised of the groups in 'group_names' and 'group_ids' claims. If this field is set to false , the existing groups claim will be changed to the value specified in vcenter.identity.providers.update_spec.groups_claim, if any. This attribute was added in vSphere API 7.0.0.0. Optional. If unset, the existing groups claim will be changed to the value specified in vcenter.identity.providers.update_spec.groups_claim, if any. |