Identity Providers APIs

APIs for managing Identity Providers

1. Get all Identity Providers

  • This API is used to get a list of all Identity Providers

Tip : Please refer to IdentityProvider.

1.1. Prerequisites API

None

When ADFS is configured

1.2. Steps API

  • Invoke the API.

Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.

cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers' -i -X GET \
    -H 'Authorization: Bearer etYWRta....'

HTTP Request

GET /v1/identity-providers HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

HTTP Response

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 1682

{
  "elements" : [ {
    "id" : "bbba6d53-37a6-47df-b4ae-42cad9b3c521",
    "name" : "Embedded IDP",
    "type" : "Embedded",
    "identitySources" : [ {
      "name" : "vsphere.local",
      "type" : "SystemDomain",
      "domainNames" : [ "vsphere.local" ]
    }, {
      "name" : "localos",
      "type" : "LocalOs",
      "domainNames" : [ "localos" ]
    }, {
      "name" : "embedded-ids-name",
      "type" : "ActiveDirectory",
      "domainNames" : [ "embedded-ids.com" ],
      "ldap" : {
        "type" : "ActiveDirectory",
        "domainName" : "embedded-ids.com",
        "domainAlias" : "embedded-ids",
        "username" : "test-user@domain.com",
        "sourceDetails" : {
          "usersBaseDn" : "users-base-dn",
          "groupsBaseDn" : "groups-base-dn",
          "certChain" : [ ],
          "serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
        }
      }
    } ],
    "status" : "inactive"
  }, {
    "id" : "a03e8580-f3b0-4fd2-8d42-370007271ea4",
    "name" : "My AD Identity Source",
    "type" : "Microsoft ADFS",
    "domainNames" : [ "external-idp.com" ],
    "ldap" : {
      "type" : "Oidc",
      "domainName" : "external-idp.com",
      "domainAlias" : "external-idp",
      "username" : "test-user@domain.com",
      "sourceDetails" : {
        "usersBaseDn" : "users-base-dn",
        "groupsBaseDn" : "groups-base-dn",
        "serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
      }
    },
    "oidc" : {
      "clientId" : "4b6a8f57-7324-4f17-a396-342b32e84830",
      "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
    },
    "status" : "active"
  } ]
}

When OKTA is configured

1.3. Steps API

  • Invoke the API.

Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.

cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers' -i -X GET \
    -H 'Authorization: Bearer etYWRta....'

HTTP Request

GET /v1/identity-providers HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

HTTP Response

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 1705

{
  "elements" : [ {
    "id" : "240e8941-0735-462c-9510-726ef072a0ac",
    "name" : "Embedded IDP",
    "type" : "Embedded",
    "identitySources" : [ {
      "name" : "vsphere.local",
      "type" : "SystemDomain",
      "domainNames" : [ "vsphere.local" ]
    }, {
      "name" : "localos",
      "type" : "LocalOs",
      "domainNames" : [ "localos" ]
    }, {
      "name" : "embedded-ids-name",
      "type" : "ActiveDirectory",
      "domainNames" : [ "embedded-ids.com" ],
      "ldap" : {
        "type" : "ActiveDirectory",
        "domainName" : "embedded-ids.com",
        "domainAlias" : "embedded-ids",
        "username" : "test-user@domain.com",
        "sourceDetails" : {
          "usersBaseDn" : "users-base-dn",
          "groupsBaseDn" : "groups-base-dn",
          "certChain" : [ ],
          "serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
        }
      }
    } ],
    "status" : "inactive"
  }, {
    "id" : "e0642dfa-47ae-4fcd-ae23-8c5e1f6f80eb",
    "name" : "Okta",
    "type" : "FEDERATED_IDP_BROKER",
    "status" : "active",
    "fedIdp" : {
      "name" : "Okta",
      "source" : "OKTA",
      "directoryList" : {
        "name" : "OktaDirectory",
        "defaultDomain" : "external-okta-idp.com",
        "domains" : [ "external-okta-idp.com" ]
      },
      "oidcInfo" : {
        "clientId" : "e14c6b59-37ce-4cf3-873e-642b3fbeccd9",
        "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
      },
      "syncClientTokenTTL" : 263000,
      "syncClientTokenInfo" : {
        "expireAt" : "2024-08-27T20:07:22.092Z",
        "scimUrl" : "https://domain.com/usergroup/t/CUSTOMER/scim/v2"
      }
    }
  } ]
}
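The first step of sections 3 to 5 is to read the embedded provider's id and the identity source's domain name out of this listing. As an added example (not SDDC Manager's own code), the following Python does that on an abbreviated copy of the ADFS listing above and also reports which LDAP server endpoints are plain ldap://, a review aid that is not an API rule; the function names and the assumption that certChain holds the LDAP server's certificate chain are this example's own.

```python
import json

# Constructed sample: an abbreviated copy of the ADFS listing response shown
# above (ids, names and endpoints are the page's own example values).
SAMPLE_LISTING = json.loads("""
{
  "elements" : [ {
    "id" : "bbba6d53-37a6-47df-b4ae-42cad9b3c521",
    "name" : "Embedded IDP", "type" : "Embedded",
    "identitySources" : [ {
      "name" : "vsphere.local", "type" : "SystemDomain",
      "domainNames" : [ "vsphere.local" ]
    }, {
      "name" : "localos", "type" : "LocalOs",
      "domainNames" : [ "localos" ]
    }, {
      "name" : "embedded-ids-name", "type" : "ActiveDirectory",
      "domainNames" : [ "embedded-ids.com" ],
      "ldap" : {
        "type" : "ActiveDirectory", "domainName" : "embedded-ids.com",
        "sourceDetails" : {
          "certChain" : [ ],
          "serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
        }
      }
    } ],
    "status" : "inactive"
  }, {
    "id" : "a03e8580-f3b0-4fd2-8d42-370007271ea4",
    "name" : "My AD Identity Source", "type" : "Microsoft ADFS",
    "domainNames" : [ "external-idp.com" ],
    "ldap" : {
      "type" : "Oidc", "domainName" : "external-idp.com",
      "sourceDetails" : {
        "serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
      }
    },
    "status" : "active"
  } ]
}
""")


def embedded_provider_id(listing):
    """Id of the provider with type "Embedded"; sections 3 to 5 put it in the
    /v1/identity-providers/{id}/identity-sources path."""
    embedded = [p for p in listing["elements"] if p.get("type") == "Embedded"]
    if len(embedded) != 1:
        raise ValueError(f"expected one embedded provider, found {len(embedded)}")
    return embedded[0]["id"]


def identity_source_domains(listing, source_type="ActiveDirectory"):
    """Domain names of the embedded provider's identity sources of one type.
    The domain name is the last path element of the PATCH and DELETE calls,
    so the system sources (vsphere.local, localos) are skipped by default."""
    pid = embedded_provider_id(listing)
    provider = next(p for p in listing["elements"] if p["id"] == pid)
    return [d for s in provider.get("identitySources", [])
            if s.get("type") == source_type for d in s.get("domainNames", [])]


def cleartext_ldap_findings(listing):
    """(provider name, domain, endpoint) for every ldap:// server endpoint.
    A review aid, not an API rule: plain ldap:// carries the bind credentials
    and directory queries without TLS. In the sample the certChain is empty as
    well (assumption: that field holds the LDAP server's certificate chain)."""
    findings = []
    for provider in listing["elements"]:
        # Embedded providers nest the ldap block in each identity source;
        # external providers carry it at the top level.
        blocks = [s.get("ldap") or {} for s in provider.get("identitySources", [])]
        blocks.append(provider.get("ldap") or {})
        for ldap in blocks:
            details = ldap.get("sourceDetails") or {}
            for endpoint in details.get("serverEndpoints", []):
                if endpoint.lower().startswith("ldap://"):
                    findings.append((provider["name"], ldap.get("domainName"), endpoint))
    return findings
```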

2. Get Identity Provider

Retrieve detailed information of the specified identity provider.

2.1. Prerequisites API

The following data is required

  • Identifier of the provider

2.2. Steps API

  • Invoke the API.

Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.

cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/0e225d52-298d-4f3c-8dfc-029702cd2484' -i -X GET \
    -H 'Authorization: Bearer etYWRta....'

HTTP Request

GET /v1/identity-providers/0e225d52-298d-4f3c-8dfc-029702cd2484 HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

HTTP Response

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 684

{
  "id" : "0e225d52-298d-4f3c-8dfc-029702cd2484",
  "name" : "My AD Identity Source",
  "type" : "Microsoft ADFS",
  "domainNames" : [ "external-idp.com" ],
  "ldap" : {
    "type" : "Oidc",
    "domainName" : "external-idp.com",
    "domainAlias" : "external-idp",
    "username" : "test-user@domain.com",
    "sourceDetails" : {
      "usersBaseDn" : "users-base-dn",
      "groupsBaseDn" : "groups-base-dn",
      "serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
    }
  },
  "oidc" : {
    "clientId" : "b9248871-a60c-41d4-b541-ddcd01d5eb80",
    "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
  },
  "status" : "active"
}

3. Add an embedded Identity Source

3.1. Prerequisites API

The following data is required

  • Identifier of the embedded Identity Provider

Tip : Please refer to IdentitySourceSpec.

3.2. Steps API

  • Fetch the ID for the embedded identity provider from the list Identity Providers Response.

Tip : Refer to Get all Identity Providers

  • Invoke the API to add an embedded identity source.

Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.

cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/0be84122-75b9-4cf1-be3b-87d79dd545cd/identity-sources' -i -X POST \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json' \
    -H 'Authorization: Bearer etYWRta....' \
    -d '{
  "name" : "My AD Identity Source",
  "ldap" : {
    "type" : "ActiveDirectory",
    "domainName" : "embedded-ids.com",
    "domainAlias" : "embedded-ids",
    "username" : "test-user@domain.com",
    "password" : "xxxxxxxxx",
    "sourceDetails" : {
      "usersBaseDn" : "users-base-dn",
      "groupsBaseDn" : "groups-base-dn",
      "certChain" : [ ],
      "serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
    }
  }
}'

HTTP Request

POST /v1/identity-providers/0be84122-75b9-4cf1-be3b-87d79dd545cd/identity-sources HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 452
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

{
  "name" : "My AD Identity Source",
  "ldap" : {
    "type" : "ActiveDirectory",
    "domainName" : "embedded-ids.com",
    "domainAlias" : "embedded-ids",
    "username" : "test-user@domain.com",
    "password" : "xxxxxxxxx",
    "sourceDetails" : {
      "usersBaseDn" : "users-base-dn",
      "groupsBaseDn" : "groups-base-dn",
      "certChain" : [ ],
      "serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
    }
  }
}

HTTP Response

HTTP/1.1 201 Created
Content-Type: application/json
Content-Length: 68

Added Identity source with domain name embedded-ids.com successfully

4. Update an embedded Identity Source

4.1. Prerequisites API

The following data is required

  • Identifier of the embedded Identity Provider

  • The domain name associated with the identity source

Tip : Please refer to IdentitySourceSpec.

4.2. Steps API

  • Fetch the ID for the embedded identity provider and the domain name associated with the identity source from the list Identity Providers Response.

Tip : Refer to Get all Identity Providers

  • Invoke the API to update an embedded identity source.

Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.

Note : Please note that the domainName and domainAlias fields cannot be modified.

cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/fa201d87-32d1-41d7-8c87-3d5590156fd7/identity-sources/embedded-ids.com' -i -X PATCH \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json' \
    -H 'Authorization: Bearer etYWRta....' \
    -d '{
  "name" : "My AD Identity Source",
  "ldap" : {
    "type" : "ActiveDirectory",
    "domainName" : "embedded-ids.com",
    "domainAlias" : "embedded-ids",
    "username" : "test-user@domain.com",
    "password" : "xxxxxxxxx",
    "sourceDetails" : {
      "usersBaseDn" : "users-base-dn",
      "groupsBaseDn" : "groups-base-dn",
      "certChain" : [ ],
      "serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
    }
  }
}'

HTTP Request

PATCH /v1/identity-providers/fa201d87-32d1-41d7-8c87-3d5590156fd7/identity-sources/embedded-ids.com HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 452
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

{
  "name" : "My AD Identity Source",
  "ldap" : {
    "type" : "ActiveDirectory",
    "domainName" : "embedded-ids.com",
    "domainAlias" : "embedded-ids",
    "username" : "test-user@domain.com",
    "password" : "xxxxxxxxx",
    "sourceDetails" : {
      "usersBaseDn" : "users-base-dn",
      "groupsBaseDn" : "groups-base-dn",
      "certChain" : [ ],
      "serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
    }
  }
}

HTTP Response

HTTP/1.1 204 No Content

5. Delete an embedded Identity Source

5.1. Prerequisites API

The following data is required

  • Identifier of the embedded Identity Provider

  • The domain name associated with the identity source

5.2. Steps API

  • Fetch the ID for the embedded identity provider and the domain name associated with the identity source from the list Identity Providers Response.

Tip : Refer to Get all Identity Providers

  • Invoke the API to delete an embedded identity source.

Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.

cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/ac7f9c98-b93b-41f8-8fa7-1149bd2b0270/identity-sources/embedded-ids.com' -i -X DELETE \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json' \
    -H 'Authorization: Bearer etYWRta....'

HTTP Request

DELETE /v1/identity-providers/ac7f9c98-b93b-41f8-8fa7-1149bd2b0270/identity-sources/embedded-ids.com HTTP/1.1
Content-Type: application/json
Accept: application/json
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

HTTP Response

HTTP/1.1 204 No Content

6. Add an external Identity Provider

6.1. Prerequisites API

The following data is needed:

  • Identity Provider Spec details

Tip : Please refer to IdentityProviderSpec.

Configure ADFS

6.2. Steps API

  • Invoke the API to add an external identity provider.

Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.

cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers' -i -X POST \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json' \
    -H 'Authorization: Bearer etYWRta....' \
    -d '{
  "name" : "My ADFS",
  "type" : "AD_FS",
  "certChain" : [ ],
  "ldap" : {
    "domainName" : "external-idp.com",
    "domainAlias" : "external-idp",
    "username" : "test-user@domain.com",
    "password" : "xxxxxxxxx",
    "sourceDetails" : {
      "usersBaseDn" : "users-base-dn",
      "groupsBaseDn" : "groups-base-dn",
      "certChain" : [ ],
      "serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
    }
  },
  "oidc" : {
    "clientId" : "a8d1c76f-a65f-46b2-ae30-71fd6a44be7d",
    "clientSecret" : "8e9cdb51-4556-41aa-bd0b-2bf0a0ad4394",
    "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
  }
}'

HTTP Request

POST /v1/identity-providers HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 663
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

{
  "name" : "My ADFS",
  "type" : "AD_FS",
  "certChain" : [ ],
  "ldap" : {
    "domainName" : "external-idp.com",
    "domainAlias" : "external-idp",
    "username" : "test-user@domain.com",
    "password" : "xxxxxxxxx",
    "sourceDetails" : {
      "usersBaseDn" : "users-base-dn",
      "groupsBaseDn" : "groups-base-dn",
      "certChain" : [ ],
      "serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
    }
  },
  "oidc" : {
    "clientId" : "a8d1c76f-a65f-46b2-ae30-71fd6a44be7d",
    "clientSecret" : "8e9cdb51-4556-41aa-bd0b-2bf0a0ad4394",
    "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
  }
}

HTTP Response

HTTP/1.1 201 Created
Content-Type: application/json
Content-Length: 36

a63ef67a-993a-4977-930e-bd3f726f09f5

Configure OKTA

6.3. Steps API

  • Invoke the precheck API

Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.

cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-broker/prechecks?type=OKTA' -i -X GET \
    -H 'Authorization: Bearer etYWRta....'

HTTP Request

GET /v1/identity-broker/prechecks?type=OKTA HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

HTTP Response

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 26

{
  "status" : "SUCCESS"
}

  • If the status from the above API is "SUCCESS", invoke the following API to configure OKTA as an external identity provider.

cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers' -i -X POST \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json' \
    -H 'Authorization: Bearer etYWRta....' \
    -d '{
  "type" : "FEDERATED_IDP_BROKER",
  "fedIdpSpec" : {
    "name" : "okta",
    "directory" : {
      "name" : "okta_dir",
      "defaultDomain" : "domain1.com",
      "domains" : [ "domain1.com", "domain2.com" ],
      "federatedIdpSourceType" : "OKTA"
    },
    "oidcSpec" : {
      "clientId" : "5573f67e-b031-4f67-960a-a8be1576b7db",
      "clientSecret" : "9780f93d-6fde-4e35-81ff-ba516892fedf",
      "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
    }
  }
}'

HTTP Request

POST /v1/identity-providers HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 496
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

{
  "type" : "FEDERATED_IDP_BROKER",
  "fedIdpSpec" : {
    "name" : "okta",
    "directory" : {
      "name" : "okta_dir",
      "defaultDomain" : "domain1.com",
      "domains" : [ "domain1.com", "domain2.com" ],
      "federatedIdpSourceType" : "OKTA"
    },
    "oidcSpec" : {
      "clientId" : "5573f67e-b031-4f67-960a-a8be1576b7db",
      "clientSecret" : "9780f93d-6fde-4e35-81ff-ba516892fedf",
      "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
    }
  }
}

HTTP Response

HTTP/1.1 201 Created
Content-Type: application/json
Content-Length: 36

7de624c7-0371-4339-b61c-e878e1318562

Configure Microsoft Entra ID

6.4. Steps API

  • Invoke the precheck API

Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.

cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-broker/prechecks?type=MICROSOFT_ENTRA_ID' -i -X GET \
    -H 'Authorization: Bearer etYWRta....'

HTTP Request

GET /v1/identity-broker/prechecks?type=MICROSOFT_ENTRA_ID HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

HTTP Response

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 26

{
  "status" : "SUCCESS"
}

  • If the status from the above API is "SUCCESS", invoke the following API to configure Microsoft Entra ID as an external identity provider.

cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers' -i -X POST \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json' \
    -H 'Authorization: Bearer etYWRta....' \
    -d '{
  "type" : "FEDERATED_IDP_BROKER",
  "fedIdpSpec" : {
    "name" : "Entra ID",
    "directory" : {
      "name" : "entra_dir",
      "defaultDomain" : "domain1.com",
      "domains" : [ "domain1.com", "domain2.com" ],
      "federatedIdpSourceType" : "MICROSOFT_ENTRA_ID"
    },
    "oidcSpec" : {
      "clientId" : "7422f225-0ed2-4307-a04c-d07a2d172240",
      "clientSecret" : "1aaf63ec-39f5-4584-b870-fa66a1693c90",
      "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
    }
  }
}'

HTTP Request

POST /v1/identity-providers HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 515
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

{
  "type" : "FEDERATED_IDP_BROKER",
  "fedIdpSpec" : {
    "name" : "Entra ID",
    "directory" : {
      "name" : "entra_dir",
      "defaultDomain" : "domain1.com",
      "domains" : [ "domain1.com", "domain2.com" ],
      "federatedIdpSourceType" : "MICROSOFT_ENTRA_ID"
    },
    "oidcSpec" : {
      "clientId" : "7422f225-0ed2-4307-a04c-d07a2d172240",
      "clientSecret" : "1aaf63ec-39f5-4584-b870-fa66a1693c90",
      "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
    }
  }
}

HTTP Response

HTTP/1.1 201 Created
Content-Type: application/json
Content-Length: 36

e3689ba7-bb1d-41ac-89ac-0d684796cb85

Note : Please note that the sync client token TTL needs to be configured while generating the sync client token (please refer to the Generate sync client token API). Setting this parameter while configuring an Okta/Entra ID Identity Provider has been deprecated.
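The OKTA and Entra ID procedures above are the same two-call sequence: run the precheck for the directory's federatedIdpSourceType, and only on "SUCCESS" POST the FEDERATED_IDP_BROKER spec. As an added example (not SDDC Manager's own client code), the following Python performs that sequence through an injectable transport so it runs offline against the responses shown above; FakeTransport, spec_problems, the placeholder credentials and the syncClientTokenTTL spec field name (taken from the response object above) are this example's assumptions, and the local checks are not rules the API documents.

```python
import json
from urllib.parse import urlencode

PRECHECK_TYPES = ("OKTA", "MICROSOFT_ENTRA_ID")


class FakeTransport:
    """Constructed stand-in for SDDC Manager: replays the precheck and POST
    responses shown above. Signature: (method, url, headers, body) -> (status, body)."""

    def __init__(self, precheck_status="SUCCESS"):
        self.precheck_status = precheck_status
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, body))
        if method == "GET" and "/v1/identity-broker/prechecks" in url:
            return 200, {"status": self.precheck_status}
        if method == "POST" and url.endswith("/v1/identity-providers"):
            return 201, "7de624c7-0371-4339-b61c-e878e1318562"  # id from the OKTA example
        return 404, "not found"


class PrecheckFailed(RuntimeError):
    pass


def spec_problems(spec):
    """Local checks run before a secret-bearing spec leaves the host.
    These are this example's own rules, not ones the API documents."""
    problems = []
    if spec.get("type") != "FEDERATED_IDP_BROKER":
        problems.append("type must be FEDERATED_IDP_BROKER")
    fed = spec.get("fedIdpSpec") or {}
    directory = fed.get("directory") or {}
    if directory.get("federatedIdpSourceType") not in PRECHECK_TYPES:
        problems.append("federatedIdpSourceType must be OKTA or MICROSOFT_ENTRA_ID")
    if not directory.get("domains"):
        problems.append("directory.domains must not be empty")
    oidc = fed.get("oidcSpec") or {}
    # The clientSecret travels in this body, so refuse a cleartext discovery URL.
    if not str(oidc.get("discoveryEndpoint", "")).startswith("https://"):
        problems.append("discoveryEndpoint must use https")
    # Assumed field name; the note above says setting the TTL here is deprecated.
    if "syncClientTokenTTL" in fed:
        problems.append("syncClientTokenTTL is deprecated here; pass it to the sync-client call")
    return problems


def configure_federated_idp(transport, base_url, bearer_token, spec):
    """Precheck the spec's source type, then POST the spec; returns the new id."""
    problems = spec_problems(spec)
    if problems:
        raise ValueError("; ".join(problems))
    source_type = spec["fedIdpSpec"]["directory"]["federatedIdpSourceType"]
    auth = {"Authorization": f"Bearer {bearer_token}"}
    query = urlencode({"type": source_type})
    status, body = transport("GET", f"{base_url}/v1/identity-broker/prechecks?{query}", auth, None)
    if not (status == 200 and isinstance(body, dict) and body.get("status") == "SUCCESS"):
        raise PrecheckFailed(f"precheck for {source_type} returned {status}: {body}")
    headers = dict(auth, **{"Content-Type": "application/json", "Accept": "application/json"})
    status, body = transport("POST", f"{base_url}/v1/identity-providers", headers, json.dumps(spec))
    if status != 201:
        raise RuntimeError(f"add identity provider failed with {status}: {body}")
    return body


# Constructed spec mirroring the OKTA request above, with placeholder credentials.
OKTA_SPEC = {
    "type": "FEDERATED_IDP_BROKER",
    "fedIdpSpec": {
        "name": "okta",
        "directory": {
            "name": "okta_dir",
            "defaultDomain": "domain1.com",
            "domains": ["domain1.com", "domain2.com"],
            "federatedIdpSourceType": "OKTA",
        },
        "oidcSpec": {
            "clientId": "CLIENT-ID-PLACEHOLDER",
            "clientSecret": "CLIENT-SECRET-PLACEHOLDER",
            "discoveryEndpoint": "https://domain.com/.well-known/openid-configuration",
        },
    },
}
```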

7. Update an external Identity Provider

7.1. Prerequisites API

The following data is required

  • Identifier of the external Identity Provider

Tip : Please refer to IdentityProviderSpec.

When ADFS is configured

7.2. Steps API

  • Invoke the API to update an external identity provider.

Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.

cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/c91573fa-ee05-4166-9979-1b72fc88fc60' -i -X PATCH \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json' \
    -H 'Authorization: Bearer etYWRta....' \
    -d '{
  "name" : "My ADFS",
  "type" : "AD_FS",
  "certChain" : [ ],
  "ldap" : {
    "domainName" : "external-idp.com",
    "domainAlias" : "external-idp",
    "username" : "test-user@domain.com",
    "password" : "xxxxxxxxx",
    "sourceDetails" : {
      "usersBaseDn" : "users-base-dn",
      "groupsBaseDn" : "groups-base-dn",
      "certChain" : [ ],
      "serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
    }
  },
  "oidc" : {
    "clientId" : "84d4dda0-c544-4301-a29a-5407febc87f7",
    "clientSecret" : "b5baa418-65b4-4d59-8c45-eb0077973ea9",
    "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
  }
}'

HTTP Request

PATCH /v1/identity-providers/c91573fa-ee05-4166-9979-1b72fc88fc60 HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 663
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

{
  "name" : "My ADFS",
  "type" : "AD_FS",
  "certChain" : [ ],
  "ldap" : {
    "domainName" : "external-idp.com",
    "domainAlias" : "external-idp",
    "username" : "test-user@domain.com",
    "password" : "xxxxxxxxx",
    "sourceDetails" : {
      "usersBaseDn" : "users-base-dn",
      "groupsBaseDn" : "groups-base-dn",
      "certChain" : [ ],
      "serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
    }
  },
  "oidc" : {
    "clientId" : "84d4dda0-c544-4301-a29a-5407febc87f7",
    "clientSecret" : "b5baa418-65b4-4d59-8c45-eb0077973ea9",
    "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
  }
}

HTTP Response

HTTP/1.1 204 No Content

When OKTA is configured

7.3. Steps API

  • Invoke the API to update an external identity provider.

Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.

cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/8abb9794-c0e4-4028-b756-73188915df54' -i -X PATCH \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json' \
    -H 'Authorization: Bearer etYWRta....' \
    -d '{
  "type" : "FEDERATED_IDP_BROKER",
  "fedIdpSpec" : {
    "name" : "okta",
    "directory" : {
      "name" : "okta_dir",
      "defaultDomain" : "domain1.com",
      "domains" : [ "domain1.com", "domain2.com" ],
      "federatedIdpSourceType" : "OKTA"
    },
    "oidcSpec" : {
      "clientId" : "1a90a5b2-cce0-4eba-b803-81b097b6162e",
      "clientSecret" : "28473e12-a37e-4e81-9159-66daceef0f0e",
      "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
    }
  }
}'

HTTP Request

PATCH /v1/identity-providers/8abb9794-c0e4-4028-b756-73188915df54 HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 496
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

{
  "type" : "FEDERATED_IDP_BROKER",
  "fedIdpSpec" : {
    "name" : "okta",
    "directory" : {
      "name" : "okta_dir",
      "defaultDomain" : "domain1.com",
      "domains" : [ "domain1.com", "domain2.com" ],
      "federatedIdpSourceType" : "OKTA"
    },
    "oidcSpec" : {
      "clientId" : "1a90a5b2-cce0-4eba-b803-81b097b6162e",
      "clientSecret" : "28473e12-a37e-4e81-9159-66daceef0f0e",
      "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
    }
  }
}

HTTP Response

HTTP/1.1 204 No Content

When Microsoft Entra ID is configured

7.4. Steps API

  • Invoke the API to update an external identity provider.

Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.

cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/ad6288ac-3784-4b8a-92a8-b9db4fffb9a0' -i -X PATCH \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json' \
    -H 'Authorization: Bearer etYWRta....' \
    -d '{
  "type" : "FEDERATED_IDP_BROKER",
  "fedIdpSpec" : {
    "name" : "Entra ID",
    "directory" : {
      "name" : "entra_dir",
      "defaultDomain" : "domain1.com",
      "domains" : [ "domain1.com", "domain2.com" ],
      "federatedIdpSourceType" : "MICROSOFT_ENTRA_ID"
    },
    "oidcSpec" : {
      "clientId" : "e2f470b9-76d9-4791-bd82-f9cc6351c679",
      "clientSecret" : "8e5bae67-e4db-4276-9322-2377bd74f03b",
      "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
    }
  }
}'

HTTP Request

PATCH /v1/identity-providers/ad6288ac-3784-4b8a-92a8-b9db4fffb9a0 HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 515
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

{
  "type" : "FEDERATED_IDP_BROKER",
  "fedIdpSpec" : {
    "name" : "Entra ID",
    "directory" : {
      "name" : "entra_dir",
      "defaultDomain" : "domain1.com",
      "domains" : [ "domain1.com", "domain2.com" ],
      "federatedIdpSourceType" : "MICROSOFT_ENTRA_ID"
    },
    "oidcSpec" : {
      "clientId" : "e2f470b9-76d9-4791-bd82-f9cc6351c679",
      "clientSecret" : "8e5bae67-e4db-4276-9322-2377bd74f03b",
      "discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
    }
  }
}

HTTP Response

HTTP/1.1 204 No Content

Note : Please note that the sync client token TTL needs to be configured while generating the sync client token (please refer to the Generate sync client token API). Setting this parameter while configuring an Okta/Entra ID Identity Provider has been deprecated.

8. Delete an external Identity Provider

8.1. Prerequisites API

The following data is required

  • Identifier of the external Identity Provider

8.2. Steps API

  • Invoke the API to delete an external identity provider.

Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.

cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/2ec2ccbb-390c-4a16-a55e-1f58870a92f3' -i -X DELETE \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json' \
    -H 'Authorization: Bearer etYWRta....'

HTTP Request

DELETE /v1/identity-providers/2ec2ccbb-390c-4a16-a55e-1f58870a92f3 HTTP/1.1
Content-Type: application/json
Accept: application/json
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

HTTP Response

HTTP/1.1 204 No Content

9. Generate sync client token

The sync client token is used by the IDP administrator to push users and groups into the WS1B. Only the users / groups synced to the vCenter/WS1B can log in to VCF. Please refer to https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-authentication/GUID-88933505-9299-49FB-9C30-56E43683099B.html and https://kb.vmware.com/s/article/90835 for more information.

9.1. Prerequisites API

The following data is required

  • Identifier of the external Identity Provider

  • Sync client token TTL

9.2. Steps API

  • Fetch the ID for the external identity provider from the list Identity Providers Response.

Tip : Refer to Get all Identity Providers

  • Invoke the API to generate the sync client token.

Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.

cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/505323c9-7d54-4d65-a919-8076114776d2/sync-client?syncClientTokenTTL=263000' -i -X POST \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json' \
    -H 'Authorization: Bearer etYWRta....'

HTTP Request

POST /v1/identity-providers/505323c9-7d54-4d65-a919-8076114776d2/sync-client?syncClientTokenTTL=263000 HTTP/1.1
Content-Type: application/json
Accept: application/json
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

HTTP Response

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 1370

{
  "expireIn" : 1724789241,
  "token" : "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9....",
  "scimUrl" : "https://sfo01-m01-vc01.rainpole.io/usergroup/t/tenantType/scim/v2"
}

Note : Please note that the sync client token TTL needs to be passed as a query parameter to the API. Setting this parameter while configuring an Okta/Entra ID Identity Provider has been deprecated (please refer to the Add an external Identity Provider API).
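The token returned here is a bearer credential handed to the IdP administrator, so the practitioner's questions are where the TTL goes, how long the token is still valid and how to record it without logging it. As an added example (not SDDC Manager's own code), the following Python builds the sync-client request with the TTL in the query string as the note requires, decodes the token's JOSE header (no signature verification) and summarises its lifetime; sync_client_request, sync_token_summary, the placeholder payload and signature segments, and the assumption that expireIn is a Unix timestamp in seconds are this example's own, and the TTL's unit is not stated on the page.

```python
import base64
import hashlib
import json
from urllib.parse import urlencode

# Constructed sample: the sync-client response above, with the token's payload
# and signature (not reproduced on the page) replaced by placeholders.
SAMPLE_SYNC_RESPONSE = {
    "expireIn": 1724789241,
    "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.PAYLOAD_PLACEHOLDER.SIGNATURE_PLACEHOLDER",
    "scimUrl": "https://sfo01-m01-vc01.rainpole.io/usergroup/t/tenantType/scim/v2",
}


def sync_client_request(base_url, provider_id, ttl):
    """Build the sync-client call; the TTL goes in the query string, as the
    note above requires, not in the identity provider spec. The TTL's unit
    is not stated on the page, so only a positive integer is enforced."""
    if not isinstance(ttl, int) or ttl <= 0:
        raise ValueError("syncClientTokenTTL must be a positive integer")
    query = urlencode({"syncClientTokenTTL": ttl})
    return "POST", f"{base_url}/v1/identity-providers/{provider_id}/sync-client?{query}"


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_header(token):
    """Decode the JOSE header of a compact JWT. The signature is NOT checked;
    this is for inventory and logging, not for trusting the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part compact JWT")
    return json.loads(_b64url_decode(parts[0]))


def sync_token_summary(resp, now):
    """Describe a sync-client token for an audit record without exposing it.

    Assumes expireIn is a Unix timestamp in seconds: the sample value decodes
    to 2024-08-27T20:07:21Z, within a second of the expireAt shown in the
    OKTA listing response in section 1."""
    header = jwt_header(resp["token"])
    remaining = resp["expireIn"] - now
    return {
        "alg": header.get("alg"),
        "typ": header.get("typ"),
        "seconds_remaining": remaining,
        "expired": remaining <= 0,
        "scim_url_https": resp["scimUrl"].startswith("https://"),
        # Record a fingerprint, never the bearer token itself.
        "token_fingerprint": hashlib.sha256(resp["token"].encode()).hexdigest()[:16],
    }
```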

Last updated 2024-08-27 16:13:54 -0700
