Identity Providers APIs
APIs for managing Identity Providers
1. Get all Identity Providers
- This API is used to get a list of all Identity Providers
Tip : Please refer to IdentityProvider.
1.1. Prerequisites
None
When ADFS is configured
1.2. Steps
- Invoke the API.
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers' -i -X GET \
-H 'Authorization: Bearer etYWRta....'
HTTP Request
GET /v1/identity-providers HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
HTTP Response
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 1682
{
"elements" : [ {
"id" : "b66f40c6-482d-457d-9ce7-4f19c9aa394e",
"name" : "Embedded IDP",
"type" : "Embedded",
"identitySources" : [ {
"name" : "vsphere.local",
"type" : "SystemDomain",
"domainNames" : [ "vsphere.local" ]
}, {
"name" : "localos",
"type" : "LocalOs",
"domainNames" : [ "localos" ]
}, {
"name" : "embedded-ids-name",
"type" : "ActiveDirectory",
"domainNames" : [ "embedded-ids.com" ],
"ldap" : {
"type" : "ActiveDirectory",
"domainName" : "embedded-ids.com",
"domainAlias" : "embedded-ids",
"username" : "[email protected]",
"sourceDetails" : {
"usersBaseDn" : "users-base-dn",
"groupsBaseDn" : "groups-base-dn",
"certChain" : [ ],
"serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
}
}
} ],
"status" : "inactive"
}, {
"id" : "d2029450-0b38-4027-80e5-002e72c869fd",
"name" : "My AD Identity Source",
"type" : "Microsoft ADFS",
"domainNames" : [ "external-idp.com" ],
"ldap" : {
"type" : "Oidc",
"domainName" : "external-idp.com",
"domainAlias" : "external-idp",
"username" : "[email protected]",
"sourceDetails" : {
"usersBaseDn" : "users-base-dn",
"groupsBaseDn" : "groups-base-dn",
"serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
}
},
"oidc" : {
"clientId" : "ca099574-4e46-4454-8a95-4ec2dd17b2b1",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
},
"status" : "active"
} ]
}
When OKTA is configured
1.3. Steps
- Invoke the API.
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers' -i -X GET \
-H 'Authorization: Bearer etYWRta....'
HTTP Request
GET /v1/identity-providers HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
HTTP Response
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 1705
{
"elements" : [ {
"id" : "0bff954d-09cd-4486-b1c6-5df0f12938df",
"name" : "Embedded IDP",
"type" : "Embedded",
"identitySources" : [ {
"name" : "vsphere.local",
"type" : "SystemDomain",
"domainNames" : [ "vsphere.local" ]
}, {
"name" : "localos",
"type" : "LocalOs",
"domainNames" : [ "localos" ]
}, {
"name" : "embedded-ids-name",
"type" : "ActiveDirectory",
"domainNames" : [ "embedded-ids.com" ],
"ldap" : {
"type" : "ActiveDirectory",
"domainName" : "embedded-ids.com",
"domainAlias" : "embedded-ids",
"username" : "[email protected]",
"sourceDetails" : {
"usersBaseDn" : "users-base-dn",
"groupsBaseDn" : "groups-base-dn",
"certChain" : [ ],
"serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
}
}
} ],
"status" : "inactive"
}, {
"id" : "25f91323-5cf4-4dc5-bfa2-8174e0a40d3b",
"name" : "Okta",
"type" : "FEDERATED_IDP_BROKER",
"status" : "active",
"fedIdp" : {
"name" : "Okta",
"source" : "OKTA",
"directoryList" : {
"name" : "OktaDirectory",
"defaultDomain" : "external-okta-idp.com",
"domains" : [ "external-okta-idp.com" ]
},
"oidcInfo" : {
"clientId" : "03d9abe5-caa3-402b-8475-8eeadda7b971",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
},
"syncClientTokenTTL" : 263000,
"syncClientTokenInfo" : {
"expireAt" : "2024-01-22T19:33:39.490Z",
"scimUrl" : "https://domain.com/usergroup/t/CUSTOMER/scim/v2"
}
}
} ]
}
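As an added example (not part of the original page or of the SDDC Manager API itself), the following Python takes a listing response in the shape shown above and does the two things a practitioner wants before the identity-source calls in sections 3 to 5: it pulls out the embedded provider's id, which those calls need as a path parameter, and it audits every LDAP-backed source for cleartext ldap:// endpoints and for LDAPS endpoints that carry no pinned certificate chain. The sample listing is constructed from the page's examples; the usernames (redacted on the page) and the single ldaps:// endpoint on the external provider are constructed so both checks have something to report, and the meaning assumed for certChain is stated in the code.

```python
import json

# Constructed sample: an abridged copy of the "Get all Identity Providers"
# response above. IDs, names and most endpoints come from the page; the
# usernames and the ldaps:// endpoint on the external provider are constructed.
SAMPLE_LISTING = json.loads("""
{
  "elements": [
    {
      "id": "b66f40c6-482d-457d-9ce7-4f19c9aa394e",
      "name": "Embedded IDP",
      "type": "Embedded",
      "identitySources": [
        {"name": "vsphere.local", "type": "SystemDomain", "domainNames": ["vsphere.local"]},
        {"name": "localos", "type": "LocalOs", "domainNames": ["localos"]},
        {"name": "embedded-ids-name", "type": "ActiveDirectory",
         "domainNames": ["embedded-ids.com"],
         "ldap": {"type": "ActiveDirectory", "domainName": "embedded-ids.com",
                  "domainAlias": "embedded-ids", "username": "svc-bind@embedded-ids.com",
                  "sourceDetails": {"usersBaseDn": "users-base-dn",
                                    "groupsBaseDn": "groups-base-dn", "certChain": [],
                                    "serverEndpoints": ["ldap://dns01.domain.com",
                                                        "ldap://dns02.domain.com"]}}}
      ],
      "status": "inactive"
    },
    {
      "id": "d2029450-0b38-4027-80e5-002e72c869fd",
      "name": "My AD Identity Source",
      "type": "Microsoft ADFS",
      "domainNames": ["external-idp.com"],
      "ldap": {"type": "Oidc", "domainName": "external-idp.com", "domainAlias": "external-idp",
               "username": "svc-bind@external-idp.com",
               "sourceDetails": {"usersBaseDn": "users-base-dn", "groupsBaseDn": "groups-base-dn",
                                 "serverEndpoints": ["ldaps://dns01.domain.com",
                                                     "ldap://dns02.domain.com"]}},
      "oidc": {"clientId": "ca099574-4e46-4454-8a95-4ec2dd17b2b1",
               "discoveryEndpoint": "https://domain.com/.well-known/openid-configuration"},
      "status": "active"
    }
  ]
}
""")


def find_provider_id(listing, provider_type):
    """Return the id of the first provider whose "type" matches, or None.
    find_provider_id(listing, "Embedded") is the path parameter that the
    /identity-sources calls need."""
    for provider in listing.get("elements", []):
        if provider.get("type") == provider_type:
            return provider["id"]
    return None


def iter_ldap_configs(listing):
    """Yield (provider name, source label, ldap dict) for every LDAP-backed
    source: nested under "identitySources" for the embedded provider, or at
    the top level of an external provider."""
    for provider in listing.get("elements", []):
        if "ldap" in provider:
            yield provider["name"], provider["ldap"].get("domainName", "?"), provider["ldap"]
        for source in provider.get("identitySources", []):
            if "ldap" in source:
                yield provider["name"], source["name"], source["ldap"]


def audit_ldap_transport(listing):
    """Report directory connections that would carry the bind credential and
    user/group data without TLS, and LDAPS endpoints with no pinned chain.
    Assumption: "certChain" holds the LDAPS server chain; every example on the
    page leaves it empty."""
    findings = []
    for provider, source, ldap in iter_ldap_configs(listing):
        details = ldap.get("sourceDetails", {})
        endpoints = details.get("serverEndpoints", [])
        for endpoint in endpoints:
            if endpoint.lower().startswith("ldap://"):
                findings.append(f"{provider}/{source}: cleartext endpoint {endpoint}")
        uses_ldaps = any(e.lower().startswith("ldaps://") for e in endpoints)
        if uses_ldaps and not details.get("certChain"):
            findings.append(f"{provider}/{source}: LDAPS endpoint without a pinned certChain")
    return findings


if __name__ == "__main__":
    print("embedded provider id:", find_provider_id(SAMPLE_LISTING, "Embedded"))
    for line in audit_ldap_transport(SAMPLE_LISTING):
        print("finding:", line)
```

Against a live response, replace SAMPLE_LISTING with the parsed body of GET /v1/identity-providers; the audit deliberately reads both the nested embedded layout and the flat external layout, since the page shows the same "ldap" object in both places.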
2. Get Identity Provider
Retrieve detailed information of the specified identity provider.
2.1. Prerequisites
The following data is required
- Identifier of the provider
2.2. Steps
- Invoke the API.
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/5caaf63f-84f0-4f6a-9f29-349c24396a6f' -i -X GET \
-H 'Authorization: Bearer etYWRta....'
HTTP Request
GET /v1/identity-providers/5caaf63f-84f0-4f6a-9f29-349c24396a6f HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
HTTP Response
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 684
{
"id" : "5caaf63f-84f0-4f6a-9f29-349c24396a6f",
"name" : "My AD Identity Source",
"type" : "Microsoft ADFS",
"domainNames" : [ "external-idp.com" ],
"ldap" : {
"type" : "Oidc",
"domainName" : "external-idp.com",
"domainAlias" : "external-idp",
"username" : "[email protected]",
"sourceDetails" : {
"usersBaseDn" : "users-base-dn",
"groupsBaseDn" : "groups-base-dn",
"serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
}
},
"oidc" : {
"clientId" : "4cb05521-a745-474b-b4b2-885b74915d2d",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
},
"status" : "active"
}
3. Add an embedded Identity Source
3.1. Prerequisites
The following data is required
- Identifier of the embedded Identity Provider
Tip : Please refer to IdentitySourceSpec.
3.2. Steps
- Fetch the ID for the embedded identity provider from the list Identity Providers Response.
Tip : Refer to Get all Identity Providers
- Invoke the API to add an embedded identity source.
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/3dc4ce04-7363-4bc1-8eba-cbc3eb2376c8/identity-sources' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer etYWRta....' \
-d '{
"name" : "My AD Identity Source",
"ldap" : {
"type" : "ActiveDirectory",
"domainName" : "embedded-ids.com",
"domainAlias" : "embedded-ids",
"username" : "[email protected]",
"password" : "xxxxxxxxx",
"sourceDetails" : {
"usersBaseDn" : "users-base-dn",
"groupsBaseDn" : "groups-base-dn",
"certChain" : [ ],
"serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
}
}
}'
HTTP Request
POST /v1/identity-providers/3dc4ce04-7363-4bc1-8eba-cbc3eb2376c8/identity-sources HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 452
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
{
"name" : "My AD Identity Source",
"ldap" : {
"type" : "ActiveDirectory",
"domainName" : "embedded-ids.com",
"domainAlias" : "embedded-ids",
"username" : "[email protected]",
"password" : "xxxxxxxxx",
"sourceDetails" : {
"usersBaseDn" : "users-base-dn",
"groupsBaseDn" : "groups-base-dn",
"certChain" : [ ],
"serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
}
}
}
HTTP Response
HTTP/1.1 201 Created
Content-Type: application/json
Content-Length: 68
Added Identity source with domain name embedded-ids.com successfully
4. Update an embedded Identity Source
4.1. Prerequisites
The following data is required
- Identifier of the embedded Identity Provider
- The domain name associated with the identity source
Tip : Please refer to IdentitySourceSpec.
4.2. Steps
- Fetch the ID for the embedded identity provider and the domain name associated with the identity source from the list Identity Providers Response.
Tip : Refer to Get all Identity Providers
- Invoke the API to update an embedded identity source.
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
Note : Please note that the domainName and domainAlias fields cannot be modified.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/d844fce0-fc1f-4f6f-9cc1-7cd5bd4f6804/identity-sources/embedded-ids.com' -i -X PATCH \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer etYWRta....' \
-d '{
"name" : "My AD Identity Source",
"ldap" : {
"type" : "ActiveDirectory",
"domainName" : "embedded-ids.com",
"domainAlias" : "embedded-ids",
"username" : "[email protected]",
"password" : "xxxxxxxxx",
"sourceDetails" : {
"usersBaseDn" : "users-base-dn",
"groupsBaseDn" : "groups-base-dn",
"certChain" : [ ],
"serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
}
}
}'
HTTP Request
PATCH /v1/identity-providers/d844fce0-fc1f-4f6f-9cc1-7cd5bd4f6804/identity-sources/embedded-ids.com HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 452
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
{
"name" : "My AD Identity Source",
"ldap" : {
"type" : "ActiveDirectory",
"domainName" : "embedded-ids.com",
"domainAlias" : "embedded-ids",
"username" : "[email protected]",
"password" : "xxxxxxxxx",
"sourceDetails" : {
"usersBaseDn" : "users-base-dn",
"groupsBaseDn" : "groups-base-dn",
"certChain" : [ ],
"serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
}
}
}
HTTP Response
HTTP/1.1 204 No Content
5. Delete an embedded Identity Source
5.1. Prerequisites
The following data is required
- Identifier of the embedded Identity Provider
- The domain name associated with the identity source
5.2. Steps
- Fetch the ID for the embedded identity provider and the domain name associated with the identity source from the list Identity Providers Response.
Tip : Refer to Get all Identity Providers
- Invoke the API to delete an embedded identity source.
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/ed49f7f5-48e8-46ac-9e07-56769983928e/identity-sources/embedded-ids.com' -i -X DELETE \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer etYWRta....'
HTTP Request
DELETE /v1/identity-providers/ed49f7f5-48e8-46ac-9e07-56769983928e/identity-sources/embedded-ids.com HTTP/1.1
Content-Type: application/json
Accept: application/json
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
HTTP Response
HTTP/1.1 204 No Content
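The add, update and delete calls of sections 3 to 5 share one shape: the embedded provider id in the path, the domain name as the sub-resource key for PATCH and DELETE, and a spec body that carries the directory bind password. The Python below is an added example (not the page's or the product's own client code) that wraps the three calls behind an injectable transport so it runs offline, enforces the page's note that domainName and domainAlias cannot be modified before any request leaves the host, and keeps a redacted call log so the bind password never lands in an audit trail. The transport class, the spec's username and the response pairs fed to it are constructed; the message text and status codes are the ones shown above.

```python
SECRET_FIELDS = {"password", "clientSecret"}

# Constructed request body matching the add/update spec above. The password is
# the page's placeholder; the username is constructed (redacted on the page).
EMBEDDED_AD_SPEC = {
    "name": "My AD Identity Source",
    "ldap": {
        "type": "ActiveDirectory",
        "domainName": "embedded-ids.com",
        "domainAlias": "embedded-ids",
        "username": "svc-bind@embedded-ids.com",
        "password": "xxxxxxxxx",
        "sourceDetails": {
            "usersBaseDn": "users-base-dn",
            "groupsBaseDn": "groups-base-dn",
            "certChain": [],
            "serverEndpoints": ["ldap://dns01.domain.com", "ldap://dns02.domain.com"],
        },
    },
}


def redact(obj):
    """Deep copy with every secret-bearing field masked, so a request body can
    be logged or stored in an audit trail without leaking the bind password."""
    if isinstance(obj, dict):
        return {k: ("***" if k in SECRET_FIELDS else redact(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


class RecordingTransport:
    """Offline stand-in for an HTTP client (constructed for this example):
    returns canned (status, body) pairs in order and logs each call redacted."""

    def __init__(self, responses):
        self.responses = list(responses)
        self.log = []

    def request(self, method, path, body=None):
        self.log.append((method, path, redact(body)))
        return self.responses.pop(0)


class EmbeddedIdentitySourceClient:
    BASE = "/v1/identity-providers"

    def __init__(self, transport):
        self.transport = transport

    def add(self, provider_id, spec):
        """POST .../{provider_id}/identity-sources; returns the server's message."""
        path = f"{self.BASE}/{provider_id}/identity-sources"
        status, body = self.transport.request("POST", path, spec)
        if status != 201:
            raise RuntimeError(f"add failed with HTTP {status}: {body}")
        return body

    def update(self, provider_id, domain_name, spec, current_alias=None):
        """PATCH .../identity-sources/{domain_name}. domainName and domainAlias
        cannot be modified (see the note above), so a spec that would change
        them is rejected locally; domainAlias is checked only when the caller
        passes the currently configured value."""
        ldap = spec.get("ldap", {})
        if ldap.get("domainName") != domain_name:
            raise ValueError("domainName cannot be modified and must match the path")
        if current_alias is not None and ldap.get("domainAlias") != current_alias:
            raise ValueError("domainAlias cannot be modified")
        path = f"{self.BASE}/{provider_id}/identity-sources/{domain_name}"
        status, body = self.transport.request("PATCH", path, spec)
        if status != 204:
            raise RuntimeError(f"update failed with HTTP {status}: {body}")
        return True

    def delete(self, provider_id, domain_name):
        """DELETE .../identity-sources/{domain_name}; 204 means removed."""
        path = f"{self.BASE}/{provider_id}/identity-sources/{domain_name}"
        status, body = self.transport.request("DELETE", path)
        if status != 204:
            raise RuntimeError(f"delete failed with HTTP {status}: {body}")
        return True
```

A real transport only has to expose request(method, path, body) and return (status code, parsed body); the redaction happens before the call is recorded, so the original spec handed to the server is untouched.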
6. Add an external Identity Provider
6.1. Prerequisites
The following data is needed:
- Identity Provider Spec details
Tip : Please refer to IdentityProviderSpec.
Configure ADFS
6.2. Steps
- Invoke the API to add an external identity provider.
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer etYWRta....' \
-d '{
"name" : "My ADFS",
"type" : "AD_FS",
"certChain" : [ ],
"ldap" : {
"domainName" : "external-idp.com",
"domainAlias" : "external-idp",
"username" : "[email protected]",
"password" : "xxxxxxxxx",
"sourceDetails" : {
"usersBaseDn" : "users-base-dn",
"groupsBaseDn" : "groups-base-dn",
"certChain" : [ ],
"serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
}
},
"oidc" : {
"clientId" : "04d1f974-85cf-424c-93d8-fdc347160b16",
"clientSecret" : "6be7cc96-7462-46f6-86ef-cb9fd0ad7105",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
}
}'
HTTP Request
POST /v1/identity-providers HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 663
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
{
"name" : "My ADFS",
"type" : "AD_FS",
"certChain" : [ ],
"ldap" : {
"domainName" : "external-idp.com",
"domainAlias" : "external-idp",
"username" : "[email protected]",
"password" : "xxxxxxxxx",
"sourceDetails" : {
"usersBaseDn" : "users-base-dn",
"groupsBaseDn" : "groups-base-dn",
"certChain" : [ ],
"serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
}
},
"oidc" : {
"clientId" : "04d1f974-85cf-424c-93d8-fdc347160b16",
"clientSecret" : "6be7cc96-7462-46f6-86ef-cb9fd0ad7105",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
}
}
HTTP Response
HTTP/1.1 201 Created
Content-Type: application/json
Content-Length: 36
61018b08-574e-4326-b3cd-1ec46a0ac8cb
Configure OKTA
6.3. Steps
- Invoke the precheck API
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-broker/prechecks?type=' -i -X GET \
-H 'Authorization: Bearer etYWRta....'
HTTP Request
GET /v1/identity-broker/prechecks?type= HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
HTTP Response
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 26
{
"status" : "SUCCESS"
}
- If the status from the above API is "SUCCESS", invoke the following API to configure OKTA as an external identity provider.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer etYWRta....' \
-d '{
"type" : "FEDERATED_IDP_BROKER",
"fedIdpSpec" : {
"name" : "okta",
"directory" : {
"name" : "okta_dir",
"defaultDomain" : "domain1.com",
"domains" : [ "domain1.com", "domain2.com" ],
"federatedIdpSourceType" : "OKTA"
},
"oidcSpec" : {
"clientId" : "77ae5113-b55b-4e74-a405-dd77522f3cf2",
"clientSecret" : "d640508e-dc0f-4827-b611-a0fe5f4307f7",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
}
}
}'
HTTP Request
POST /v1/identity-providers HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 496
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
{
"type" : "FEDERATED_IDP_BROKER",
"fedIdpSpec" : {
"name" : "okta",
"directory" : {
"name" : "okta_dir",
"defaultDomain" : "domain1.com",
"domains" : [ "domain1.com", "domain2.com" ],
"federatedIdpSourceType" : "OKTA"
},
"oidcSpec" : {
"clientId" : "77ae5113-b55b-4e74-a405-dd77522f3cf2",
"clientSecret" : "d640508e-dc0f-4827-b611-a0fe5f4307f7",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
}
}
}
HTTP Response
HTTP/1.1 201 Created
Content-Type: application/json
Content-Length: 36
8d99d4d5-22c1-40ce-b935-292fb8e3c612
Configure Microsoft Entra ID
6.4. Steps
- Invoke the precheck API
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-broker/prechecks?type=' -i -X GET \
-H 'Authorization: Bearer etYWRta....'
HTTP Request
GET /v1/identity-broker/prechecks?type= HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
HTTP Response
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 26
{
"status" : "SUCCESS"
}
- If the status from the above API is "SUCCESS", invoke the following API to configure Microsoft Entra ID as an external identity provider.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer etYWRta....' \
-d '{
"type" : "FEDERATED_IDP_BROKER",
"fedIdpSpec" : {
"name" : "Entra ID",
"directory" : {
"name" : "entra_dir",
"defaultDomain" : "domain1.com",
"domains" : [ "domain1.com", "domain2.com" ],
"federatedIdpSourceType" : "MICROSOFT_ENTRA_ID"
},
"oidcSpec" : {
"clientId" : "32df465f-b237-4c14-9578-a197f3085758",
"clientSecret" : "94cb0a28-f361-473f-94ee-c312ce87dccc",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
}
}
}'
HTTP Request
POST /v1/identity-providers HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 515
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
{
"type" : "FEDERATED_IDP_BROKER",
"fedIdpSpec" : {
"name" : "Entra ID",
"directory" : {
"name" : "entra_dir",
"defaultDomain" : "domain1.com",
"domains" : [ "domain1.com", "domain2.com" ],
"federatedIdpSourceType" : "MICROSOFT_ENTRA_ID"
},
"oidcSpec" : {
"clientId" : "32df465f-b237-4c14-9578-a197f3085758",
"clientSecret" : "94cb0a28-f361-473f-94ee-c312ce87dccc",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
}
}
}
HTTP Response
HTTP/1.1 201 Created
Content-Type: application/json
Content-Length: 36
49d0142a-ad1d-45a9-9160-53827b9743ef
Configure Ping Federate
6.5. Steps
- Invoke the precheck API
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-broker/prechecks?type=' -i -X GET \
-H 'Authorization: Bearer etYWRta....'
HTTP Request
GET /v1/identity-broker/prechecks?type= HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
HTTP Response
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 26
{
"status" : "SUCCESS"
}
- If the status from the above API is "SUCCESS", invoke the following API to configure Ping Federate as an external identity provider.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer etYWRta....' \
-d '{
"type" : "FEDERATED_IDP_BROKER",
"fedIdpSpec" : {
"name" : "Ping Federate",
"directory" : {
"name" : "ping_dir",
"defaultDomain" : "domain1.com",
"domains" : [ "domain1.com", "domain2.com" ],
"federatedIdpSourceType" : "PING_FEDERATE"
},
"oidcSpec" : {
"clientId" : "68e71a05-4908-42ef-8157-14d287552c1f",
"clientSecret" : "87893d38-cfc8-4113-bd30-e9eb6270456d",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
},
"trustedCertChains" : [ {
"certChain" : [ "-----BEGIN CERTIFICATE-----\\nMIIDljBRA==\\n-----END CERTIFICATE-----\n" ]
} ]
}
}'
HTTP Request
POST /v1/identity-providers HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 651
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
{
"type" : "FEDERATED_IDP_BROKER",
"fedIdpSpec" : {
"name" : "Ping Federate",
"directory" : {
"name" : "ping_dir",
"defaultDomain" : "domain1.com",
"domains" : [ "domain1.com", "domain2.com" ],
"federatedIdpSourceType" : "PING_FEDERATE"
},
"oidcSpec" : {
"clientId" : "68e71a05-4908-42ef-8157-14d287552c1f",
"clientSecret" : "87893d38-cfc8-4113-bd30-e9eb6270456d",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
},
"trustedCertChains" : [ {
"certChain" : [ "-----BEGIN CERTIFICATE-----\\nMIIDljBRA==\\n-----END CERTIFICATE-----\n" ]
} ]
}
}
HTTP Response
HTTP/1.1 201 Created
Content-Type: application/json
Content-Length: 36
c03f4459-9a81-4c3d-93d3-e5aa4f7fb078
Note : Please note that the sync client token TTL needs to be configured while generating the sync client token (please refer to the [_generatesyncclienttoken] API). Setting this parameter while configuring Okta/Entra/Ping Identity Providers has been deprecated.
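The Okta, Entra ID and Ping Federate procedures in 6.3 to 6.5 are the same two-step flow: call the precheck, and only when it reports "SUCCESS" POST a FEDERATED_IDP_BROKER spec. As an added example (not the page's or the product's own code), the Python below carries that flow through with the guards a practitioner wants: it validates the spec against the shape the page shows (known federatedIdpSourceType values, defaultDomain among the listed domains, an https discovery endpoint, and no deprecated syncClientTokenTTL), refuses to create anything when the precheck does not pass, and returns the new provider id. The fake transport and the failure case are constructed; the precheck path is reproduced exactly as the page shows it, with the type query parameter left empty.

```python
FEDERATED_SOURCE_TYPES = {"OKTA", "MICROSOFT_ENTRA_ID", "PING_FEDERATE"}

# Constructed request body matching the Okta spec above (the client id and
# secret are the page's placeholder values, not live credentials).
OKTA_SPEC = {
    "type": "FEDERATED_IDP_BROKER",
    "fedIdpSpec": {
        "name": "okta",
        "directory": {
            "name": "okta_dir",
            "defaultDomain": "domain1.com",
            "domains": ["domain1.com", "domain2.com"],
            "federatedIdpSourceType": "OKTA",
        },
        "oidcSpec": {
            "clientId": "77ae5113-b55b-4e74-a405-dd77522f3cf2",
            "clientSecret": "d640508e-dc0f-4827-b611-a0fe5f4307f7",
            "discoveryEndpoint": "https://domain.com/.well-known/openid-configuration",
        },
    },
}


def validate_federated_spec(spec):
    """Return the problems found in a FEDERATED_IDP_BROKER spec before it is
    sent; an empty list means it is consistent with the page's examples."""
    problems = []
    if spec.get("type") != "FEDERATED_IDP_BROKER":
        problems.append("type must be FEDERATED_IDP_BROKER")
    fed = spec.get("fedIdpSpec", {})
    directory = fed.get("directory", {})
    source_type = directory.get("federatedIdpSourceType")
    if source_type not in FEDERATED_SOURCE_TYPES:
        problems.append(f"unsupported federatedIdpSourceType {source_type!r}")
    if directory.get("defaultDomain") not in directory.get("domains", []):
        problems.append("defaultDomain must be one of the listed domains")
    oidc = fed.get("oidcSpec", {})
    for key in ("clientId", "clientSecret", "discoveryEndpoint"):
        if not oidc.get(key):
            problems.append(f"oidcSpec.{key} is missing")
    endpoint = oidc.get("discoveryEndpoint", "")
    if endpoint and not endpoint.startswith("https://"):
        # The OIDC metadata fetched from this URL decides where tokens are
        # validated; it must not be fetched over plain http.
        problems.append("discoveryEndpoint must use https")
    if "syncClientTokenTTL" in fed:
        # Deprecated here per the note above; the TTL belongs to the
        # sync-client token generation call.
        problems.append("syncClientTokenTTL in the provider spec is deprecated")
    return problems


def make_fake_send(responses, log):
    """Offline stand-in for an HTTP client (constructed for this example):
    returns canned (status, body) pairs in order and appends (method, path)
    of each call to log."""
    queue = list(responses)

    def send(method, path, body=None):
        log.append((method, path))
        return queue.pop(0)

    return send


def configure_federated_idp(send, spec):
    """Run the precheck and, only on "SUCCESS", POST the provider. Returns the
    new provider id, or None when the precheck did not pass (nothing created)."""
    problems = validate_federated_spec(spec)
    if problems:
        raise ValueError("; ".join(problems))
    # The page's precheck call leaves the type query parameter empty.
    status, body = send("GET", "/v1/identity-broker/prechecks?type=")
    if status != 200 or not isinstance(body, dict) or body.get("status") != "SUCCESS":
        return None
    status, body = send("POST", "/v1/identity-providers", spec)
    if status != 201:
        raise RuntimeError(f"provider creation failed with HTTP {status}: {body}")
    return body
```

For the Entra ID and Ping Federate variants only the spec changes (federatedIdpSourceType, and trustedCertChains for Ping Federate as shown above); the precheck gate and the validation are the same.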
7. Update an external Identity Provider
7.1. Prerequisites
The following data is required
- Identifier of the external Identity Provider
Tip : Please refer to IdentityProviderSpec.
When ADFS is configured
7.2. Steps
- Invoke the API to update an external identity provider.
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/8e1e68ea-b820-4ea3-ac23-351771f2460c' -i -X PATCH \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer etYWRta....' \
-d '{
"name" : "My ADFS",
"type" : "AD_FS",
"certChain" : [ ],
"ldap" : {
"domainName" : "external-idp.com",
"domainAlias" : "external-idp",
"username" : "[email protected]",
"password" : "xxxxxxxxx",
"sourceDetails" : {
"usersBaseDn" : "users-base-dn",
"groupsBaseDn" : "groups-base-dn",
"certChain" : [ ],
"serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
}
},
"oidc" : {
"clientId" : "c1d8e08e-70b5-42ba-a46a-a6b917ef5376",
"clientSecret" : "7b65bf19-672a-4383-b0f6-ea0269b68342",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
}
}'
HTTP Request
PATCH /v1/identity-providers/8e1e68ea-b820-4ea3-ac23-351771f2460c HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 663
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
{
"name" : "My ADFS",
"type" : "AD_FS",
"certChain" : [ ],
"ldap" : {
"domainName" : "external-idp.com",
"domainAlias" : "external-idp",
"username" : "[email protected]",
"password" : "xxxxxxxxx",
"sourceDetails" : {
"usersBaseDn" : "users-base-dn",
"groupsBaseDn" : "groups-base-dn",
"certChain" : [ ],
"serverEndpoints" : [ "ldap://dns01.domain.com", "ldap://dns02.domain.com" ]
}
},
"oidc" : {
"clientId" : "c1d8e08e-70b5-42ba-a46a-a6b917ef5376",
"clientSecret" : "7b65bf19-672a-4383-b0f6-ea0269b68342",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
}
}
HTTP Response
HTTP/1.1 204 No Content
When OKTA is configured
7.3. Steps
- Invoke the API to update an external identity provider.
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/7d4be275-6b92-4581-8bb8-153b9e085626' -i -X PATCH \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer etYWRta....' \
-d '{
"type" : "FEDERATED_IDP_BROKER",
"fedIdpSpec" : {
"name" : "okta",
"directory" : {
"name" : "okta_dir",
"defaultDomain" : "domain1.com",
"domains" : [ "domain1.com", "domain2.com" ],
"federatedIdpSourceType" : "OKTA"
},
"oidcSpec" : {
"clientId" : "8e9fb626-d8c9-403d-a1bf-e9f69aec9acf",
"clientSecret" : "31f596b7-99bc-4916-82b9-543d7860dffe",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
}
}
}'
HTTP Request
PATCH /v1/identity-providers/7d4be275-6b92-4581-8bb8-153b9e085626 HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 496
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
{
"type" : "FEDERATED_IDP_BROKER",
"fedIdpSpec" : {
"name" : "okta",
"directory" : {
"name" : "okta_dir",
"defaultDomain" : "domain1.com",
"domains" : [ "domain1.com", "domain2.com" ],
"federatedIdpSourceType" : "OKTA"
},
"oidcSpec" : {
"clientId" : "8e9fb626-d8c9-403d-a1bf-e9f69aec9acf",
"clientSecret" : "31f596b7-99bc-4916-82b9-543d7860dffe",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
}
}
}
HTTP Response
HTTP/1.1 204 No Content
When Microsoft Entra ID is configured
7.4. Steps
- Invoke the API to update an external identity provider.
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/d592997e-d4f6-4590-b846-a807340bfc8f' -i -X PATCH \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer etYWRta....' \
-d '{
"type" : "FEDERATED_IDP_BROKER",
"fedIdpSpec" : {
"name" : "Entra ID",
"directory" : {
"name" : "entra_dir",
"defaultDomain" : "domain1.com",
"domains" : [ "domain1.com", "domain2.com" ],
"federatedIdpSourceType" : "MICROSOFT_ENTRA_ID"
},
"oidcSpec" : {
"clientId" : "a6a81f57-7920-4b03-94d8-d13db6eff9af",
"clientSecret" : "9263ab91-e53b-4dc2-97fd-43f0b17c7113",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
}
}
}'
HTTP Request
PATCH /v1/identity-providers/d592997e-d4f6-4590-b846-a807340bfc8f HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 515
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
{
"type" : "FEDERATED_IDP_BROKER",
"fedIdpSpec" : {
"name" : "Entra ID",
"directory" : {
"name" : "entra_dir",
"defaultDomain" : "domain1.com",
"domains" : [ "domain1.com", "domain2.com" ],
"federatedIdpSourceType" : "MICROSOFT_ENTRA_ID"
},
"oidcSpec" : {
"clientId" : "a6a81f57-7920-4b03-94d8-d13db6eff9af",
"clientSecret" : "9263ab91-e53b-4dc2-97fd-43f0b17c7113",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
}
}
}
HTTP Response
HTTP/1.1 204 No Content
When Ping Federate is configured
7.5. Steps
- Invoke the API to update an external identity provider.
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/5e585d1b-8b51-4e73-8972-3e1803b7d262' -i -X PATCH \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer etYWRta....' \
-d '{
"type" : "FEDERATED_IDP_BROKER",
"fedIdpSpec" : {
"name" : "Ping Federate",
"directory" : {
"name" : "ping_dir",
"defaultDomain" : "domain1.com",
"domains" : [ "domain1.com", "domain2.com" ],
"federatedIdpSourceType" : "PING_FEDERATE"
},
"oidcSpec" : {
"clientId" : "fdca826f-3299-4348-82de-f67a356c53b6",
"clientSecret" : "83c23480-019e-466c-830d-68e2f5f92c1e",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
},
"trustedCertChains" : [ {
"certChain" : [ "-----BEGIN CERTIFICATE-----\\nMIIDljBRA==\\n-----END CERTIFICATE-----\n" ]
} ]
}
}'
HTTP Request
PATCH /v1/identity-providers/5e585d1b-8b51-4e73-8972-3e1803b7d262 HTTP/1.1
Content-Type: application/json
Accept: application/json
Content-Length: 651
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
{
"type" : "FEDERATED_IDP_BROKER",
"fedIdpSpec" : {
"name" : "Ping Federate",
"directory" : {
"name" : "ping_dir",
"defaultDomain" : "domain1.com",
"domains" : [ "domain1.com", "domain2.com" ],
"federatedIdpSourceType" : "PING_FEDERATE"
},
"oidcSpec" : {
"clientId" : "fdca826f-3299-4348-82de-f67a356c53b6",
"clientSecret" : "83c23480-019e-466c-830d-68e2f5f92c1e",
"discoveryEndpoint" : "https://domain.com/.well-known/openid-configuration"
},
"trustedCertChains" : [ {
"certChain" : [ "-----BEGIN CERTIFICATE-----\\nMIIDljBRA==\\n-----END CERTIFICATE-----\n" ]
} ]
}
}
HTTP Response
HTTP/1.1 204 No Content
Note : Please note that the sync client token TTL needs to be configured while generating the sync client token (please refer to the [_generatesyncclienttoken] API). Setting this parameter while configuring Okta/Entra/Ping Identity Providers has been deprecated.
8. Delete an external Identity Provider
8.1. Prerequisites
The following data is required
- Identifier of the external Identity Provider
8.2. Steps
- Invoke the API to delete an external identity provider.
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/d2959c8b-b876-43af-9431-a0a6a427addf' -i -X DELETE \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer etYWRta....'
HTTP Request
DELETE /v1/identity-providers/d2959c8b-b876-43af-9431-a0a6a427addf HTTP/1.1
Content-Type: application/json
Accept: application/json
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
HTTP Response
HTTP/1.1 204 No Content
9. Generate sync client token
The sync client token is used by the IDP administrator to push users and groups into the WS1B. Only the users / groups synced to the vCenter/WS1B can log in to VCF. Please refer to https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-authentication/GUID-88933505-9299-49FB-9C30-56E43683099B.html and https://kb.vmware.com/s/article/90835 for more information.
9.1. Prerequisites
The following data is required
- Identifier of the external Identity Provider
- Sync client token TTL
9.2. Steps
- Fetch the ID for the external identity provider from the list Identity Providers Response.
Tip : Refer to Get all Identity Providers
- Invoke the API to generate the sync client token.
Note : For the sake of brevity, the Bearer tokens in the Authorization header have been abbreviated in the code snippets throughout this document.
cURL Request
$ curl 'https://sfo-vcf01.rainpole.io/v1/identity-providers/0d711253-0750-40dd-94fe-ad4db069131c/sync-client' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer etYWRta....'
HTTP Request
POST /v1/identity-providers/0d711253-0750-40dd-94fe-ad4db069131c/sync-client HTTP/1.1
Content-Type: application/json
Accept: application/json
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....
HTTP Response
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 1370
{
"expireIn" : 1705952019,
"token" : "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9....",
"scimUrl" : "https://sfo01-m01-vc01.rainpole.io/usergroup/t/tenantType/scim/v2"
}
Note : Please note that the sync client token TTL needs to be passed as a query parameter to the API. Setting this parameter while configuring Okta/Entra/Ping Identity Providers has been deprecated (please refer to the [_addexternalidentityprovider] API).
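The sync client token is a bearer credential that lets the IdP's SCIM client write users and groups into WS1B, so the response above is worth handling carefully: it should be handed over and then only its expiry and algorithm recorded, never the token itself. As an added example (not the page's or the product's own code), the Python below parses a response in that shape, decodes only the JWT header (no signature verification, since the token is consumed by the IdP, not by this script), converts expireIn to a timestamp, decides when the token needs regenerating, and cross-checks expireIn against the syncClientTokenInfo.expireAt string that the listing API in section 1 reports for the same provider. The header segment is the one shown on the page; the payload, the signature and the rotation margin are constructed.

```python
import base64
import json
from datetime import datetime, timezone


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed response in the shape shown above: the header segment is the one
# on the page (an RS256 JWT) and expireIn is the page's value; the payload and
# the signature are constructed.
EXPIRE_IN = 1705952019
SAMPLE_TOKEN_RESPONSE = {
    "expireIn": EXPIRE_IN,
    "token": ".".join([
        "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9",
        b64url_encode(json.dumps({"exp": EXPIRE_IN, "sub": "constructed-sync-client"}).encode()),
        b64url_encode(b"constructed-signature"),
    ]),
    "scimUrl": "https://sfo01-m01-vc01.rainpole.io/usergroup/t/tenantType/scim/v2",
}


def jwt_header(token):
    """Decode the JWT header only, to record the algorithm for inventory. No
    signature check is done: the token is an opaque credential to hand to the
    IdP's SCIM client, not something this script trusts or acts on."""
    return json.loads(b64url_decode(token.split(".")[0]))


def token_expiry(response):
    """expireIn is a Unix epoch in seconds (UTC)."""
    return datetime.fromtimestamp(response["expireIn"], tz=timezone.utc)


def seconds_remaining(response, now_epoch):
    return response["expireIn"] - now_epoch


def needs_rotation(response, now_epoch, margin_seconds=7 * 24 * 3600):
    """True when the token has expired or will within the margin (constructed
    default of seven days), so a fresh one can be generated and handed to the
    IdP before user/group sync stops."""
    return seconds_remaining(response, now_epoch) <= margin_seconds


def same_expiry(listing_expire_at, expire_in):
    """Cross-check the listing API's ISO-8601 expireAt (e.g. the
    syncClientTokenInfo shown in section 1) against a token's expireIn,
    dropping fractional seconds."""
    parsed = datetime.fromisoformat(listing_expire_at.replace("Z", "+00:00"))
    return int(parsed.timestamp()) == expire_in


def audit_record(response, now_epoch):
    """What to log: a short token prefix, algorithm, expiry, remaining lifetime
    and SCIM URL. The token itself is deliberately absent."""
    token = response["token"]
    return {
        "token_prefix": token[:12] + "...",
        "alg": jwt_header(token).get("alg"),
        "expires_at": token_expiry(response).isoformat(),
        "seconds_remaining": seconds_remaining(response, now_epoch),
        "scimUrl": response["scimUrl"],
    }


if __name__ == "__main__":
    now = int(datetime.now(tz=timezone.utc).timestamp())
    print(json.dumps(audit_record(SAMPLE_TOKEN_RESPONSE, now), indent=2))
    print("needs rotation:", needs_rotation(SAMPLE_TOKEN_RESPONSE, now))
```

The page's expireIn of 1705952019 is 2024-01-22T19:33:39Z, the same instant the listing in section 1 reports as syncClientTokenInfo.expireAt for the Okta provider; same_expiry is the check that makes that relationship explicit when reconciling what the listing says against the token that was actually issued.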
Last updated 2024-02-29 05:35:20 -0800