How Do I Use VMware Cloud Services as an Identity Provider for VMware Cloud Director Service

You can use your VMware Cloud organization's single sign-on (SSO) to access your VMware Cloud Director instance.

Prerequisites

Verify that a trust relationship has been established between VMware Cloud Director service and VMware Cloud services. When you log in to VMware Cloud Director service console, if trust has not been established already, you are prompted to either establish an OAuth trust relationship or to contact your system administrator. See How Do I Establish a Trust Relationship Between VMware Cloud services and VMware Cloud Director service.

Procedure

  1. Log in to VMware Cloud Director service.
  2. Click Cloud Director Instances.
  3. In the card of the VMware Cloud Director instance, click Actions > Configure VMware Cloud Services as instance IDP.
  4. Click Configure IDP.
  5. To verify that you configured VMware Cloud Director to use VMware Cloud services as an identity provider, run a GET request.
    GET https://operatorUrl/environment/environmentUrn/instances/vcdInstanceUrn

    Here operatorUrl is the operator URL, for example vcdc-operator-prod-us-west-2.vdp.vmware.com.

    This example retrieves information about the VMware Cloud Director instance deployed in the environment.
    GET https://vcdc-operator-prod-us-west-2.vdp.vmware.com/environments/urn:vcdc:environment:00000000-0000-0000-0000-00000000000/instances/urn:vcdc:vcdInstance:0000000-0000-0000-00000-000000000000
    Use the bearer token in the Authorization header of the request.
    Authorization: Bearer eyJh…I1NiIs

    The response returns information about the VMware Cloud Director instance. If the oauthClientId parameter is populated with a specific value, the configuration was successful and an OAuth app was created in your VMware Cloud organization.

     {
       "id": "urn:vcdc:vcdInstance:00000000-0000-0000-0000-00000000000",
       "name": "johnsmith-test1",
       "ownerId": "urn:vcdc:organization:00000000-0000-0000-0000-00000000000",
       "templateId": null,
       "environmentId": "urn:vcdc:environment:00000000-0000-0000-0000-00000000000",
       ...
       "environmentSettings": null,
       "statistics": [],
       "upgradeAfter": "2020-10-15T13:50:21.720159Z",
       "upgradeCategory": "sp-main:alpha",
       "oauthClientId": "123ALLeShqk1BmU4Kc4sFDM0LuqVSX4LmHf"
     }
  6. To log in to VMware Cloud Director by using the API, run a POST request.
    POST https://VMware-Cloud-Director-instance-URL/api/sessions
    Use the bearer token in the Authorization header of the request and add ;org=system at the end of the token.
    Authorization: Bearer eyJh…I1NiIs;org=system

    Depending on the version of the VMware Cloud Director instance, use either application/*;version=34.0 or application/*;version=35.0 in the Accept header of the request.

    The request establishes an API session. The response header contains X-VMWARE-VCLOUD-ACCESS-TOKEN, which you can use as a bearer token in the Authorization header of further API calls to the VMware Cloud Director instance.
  7. (Optional) To retrieve information about the API session that you established, run a GET request.
    GET https://VMware_Cloud_Director_instance_URL/api/sessions

    Depending on the version of the VMware Cloud Director instance, use either application/*;version=34.0 or application/*;version=35.0 in the Accept header of the request.

    Use application/*+xml in the Content-Type header.

    Use the value of the token X-VMWARE-VCLOUD-ACCESS-TOKEN that you acquired in the previous step as a bearer token in the Authorization header.
    Authorization: Bearer eyAi…J2LiTi
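The following is an added example, not VMware code, that drives steps 5 to 7 as a small client: it checks oauthClientId, builds the login request with the ;org=system suffix and the versioned Accept header, reads X-VMWARE-VCLOUD-ACCESS-TOKEN from the response headers, and confirms the session. HTTP transport is abstracted behind a caller-supplied send callable (a hypothetical signature chosen here so the flow can be exercised offline), and token values in any error text are redacted.

```python
# Added example (not VMware's own code): steps 5-7 of the procedure as a client flow.
from typing import Callable, Dict, Tuple

Response = Tuple[int, Dict[str, str], dict]            # (status, headers, json body)
Send = Callable[[str, str, Dict[str, str]], Response]  # (method, url, headers) -> Response

# Step 6/7: the Accept header must name the instance's API version explicitly.
ACCEPT_VERSIONS = {"34.0": "application/*;version=34.0",
                   "35.0": "application/*;version=35.0"}

def idp_configured(instance: dict) -> bool:
    """Step 5: IDP setup succeeded only if oauthClientId is a non-empty string."""
    client_id = instance.get("oauthClientId")
    return isinstance(client_id, str) and client_id.strip() != ""

def redact(token: str) -> str:
    """Never put a full bearer token in logs or exceptions; keep only the edges."""
    return token[:4] + "..." + token[-4:] if len(token) > 12 else "***"

def login_headers(csp_token: str, version: str) -> Dict[str, str]:
    """Step 6: VMware Cloud bearer token with ;org=system appended, plus Accept."""
    if version not in ACCEPT_VERSIONS:
        raise ValueError(f"unsupported VCD API version {version!r}")
    if ";" in csp_token or "\r" in csp_token or "\n" in csp_token:
        raise ValueError("token contains header-breaking characters")
    return {"Authorization": f"Bearer {csp_token};org=system",
            "Accept": ACCEPT_VERSIONS[version]}

def access_token_from(headers: Dict[str, str]) -> str:
    """HTTP header names are case-insensitive; fail loudly if the token is absent."""
    for name, value in headers.items():
        if name.lower() == "x-vmware-vcloud-access-token" and value:
            return value
    raise KeyError("X-VMWARE-VCLOUD-ACCESS-TOKEN missing from response")

def open_session(send: Send, vcd_url: str, csp_token: str, version: str = "35.0") -> str:
    """Steps 6-7: POST /api/sessions, then GET /api/sessions with the returned token."""
    status, headers, _ = send("POST", f"{vcd_url}/api/sessions",
                              login_headers(csp_token, version))
    if status != 200:
        raise RuntimeError(f"login failed: HTTP {status} for token {redact(csp_token)}")
    vcd_token = access_token_from(headers)
    status, _, _ = send("GET", f"{vcd_url}/api/sessions",
                        {"Authorization": f"Bearer {vcd_token}",
                         "Accept": ACCEPT_VERSIONS[version],
                         "Content-Type": "application/*+xml"})
    if status != 200:
        raise RuntimeError(f"session check failed: HTTP {status}")
    return vcd_token
```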