Remap VMware Cloud Director™ users to new Identity Providers – Part 1: Provider users



VMware Cloud Director has a new feature, added in the 10.4.1 release, that gives you the flexibility to change Identity Providers as per your choice and convenience without losing the resources assigned to the users. VMware Cloud Director supports the Lightweight Directory Access Protocol (LDAP), Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) protocols for authentication. You can switch between these protocols or migrate to a different identity provider with ease by remapping existing users to their identity in another Identity Provider. This blog demonstrates how to use the user management API to accomplish this.

Additionally, VMware Cloud Director has announced the deprecation of support for local users starting with the 10.4.1 release (release notes). VMware Cloud Director’s industry-compliant integrations with external Identity Providers offer its customers the benefits of the most modern and secure authentication schemes. Users can avail themselves of features such as Two Factor Authentication/Multi Factor Authentication, biometric integrations, smart card integrations, etc. with VMware Cloud Director. It also helps customers stay up to date with all future advancements in authentication technologies.

The following is an example of remapping a provider (local) user to a SAML identity provider federation. As of VMware Cloud Director 10.4.1, remapping a user is available only as an API feature. Thus, for all subsequent steps use an API client of your choice. In my examples below, I’m using Postman to perform the remapping.

Pre-requisite: Make sure the Identity Provider federation to which you want to remap the user is accurately configured.

  1. Log in to VMware Cloud Director as an administrator (tenant or system administrator) and identify the user you want to remap. Here, the user I’m remapping is ‘demouser’. This user is a local user.
  2. Log in using the API as the administrator, using either their credentials (local or LDAP), IDP-issued tokens (SAML or OAuth) or VMware Cloud Director’s API Token.
    API: POST “https://{api_host}/cloudapi/1.0.0/sessions”
  3. Retrieve the urn id of ‘demouser’ from the query users API.
    API: GET “https://{api_host}/cloudapi/1.0.0/users”
    Now, using this urn id, fetch the full information of the user. Refer to Get User for more insight on this API.
    API: GET “https://{api_host}/cloudapi/1.0.0/users/urn:vcloud:user:bafe9a31-1810-4108-8754-3ece52a4e963”
  4. Copy the full information of the user from the previous step and edit the following properties for use as the body of the subsequent PUT request.
    • Update the ‘username’ to reflect the user’s username in the new Identity Provider. While this example shows a distinct username being used, it’s possible to have simpler updates like switching from username to email address, etc.
    • Update the ‘providerType’ based on the type of the new Identity Provider. New values of ‘providerType’ can be OIDC, SAML, LOCAL, LDAP.

    Send the PUT request for the user to be remapped. Refer to Update User for more insight on this API.
    API: PUT “https://{api_host}/cloudapi/1.0.0/users/urn:vcloud:user:bafe9a31-1810-4108-8754-3ece52a4e963”

The user ‘demouser’ has now been remapped to the tenant’s SAML identity provider and their username has been remapped to ‘demouser@provider.com’.

Users can be remapped from one IDP federation to another using the same process. If you’re remapping a user to the ‘LOCAL’ provider type, in addition to updating the provider type, update the password in the body of the PUT request.
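The body edit from the procedure above, including the ‘LOCAL’ password rule, as an added Python example that is not part of the original post: it builds the PUT body from the fetched user record and lists which fields changed, so you can confirm that only the remap fields differ before sending. The sample record, its `fullName` and `roleEntityRefs` fields, the helper names and the `version=37.1` Accept value are assumptions.

```python
import copy
import json
import urllib.request

VALID_PROVIDER_TYPES = {"OIDC", "SAML", "LOCAL", "LDAP"}  # values listed in the post

# Constructed sample of a GET .../users/{urn} response; fields other than
# id, username, providerType and password are assumed for illustration.
SAMPLE_USER = {
    "id": "urn:vcloud:user:bafe9a31-1810-4108-8754-3ece52a4e963",
    "username": "demouser",
    "providerType": "LOCAL",
    "fullName": "Demo User",
    "roleEntityRefs": [{"name": "Example Role", "id": "urn:vcloud:role:PLACEHOLDER"}],
}

def build_remap_body(user, new_username, new_provider_type, password=None):
    """Copy the fetched user record and change only the remap fields."""
    if new_provider_type not in VALID_PROVIDER_TYPES:
        raise ValueError(f"unsupported providerType: {new_provider_type!r}")
    if not new_username:
        raise ValueError("new username must not be empty")
    if new_provider_type == "LOCAL" and not password:
        raise ValueError("remapping to LOCAL needs a password in the PUT body")
    body = copy.deepcopy(user)  # keep roles and every other property as fetched
    body["username"] = new_username
    body["providerType"] = new_provider_type
    if new_provider_type == "LOCAL":
        body["password"] = password
    return body

def changed_fields(before, after):
    """Top-level keys that differ, to review before the PUT is sent."""
    return sorted(k for k in before.keys() | after.keys() if before.get(k) != after.get(k))

def put_request(api_host, body, token):
    """Build (not send) the remap PUT; token is the bearer token from the API login."""
    return urllib.request.Request(
        f"https://{api_host}/cloudapi/1.0.0/users/{body['id']}",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/json;version=37.1",  # assumed API version for 10.4.1
            "Content-Type": "application/json",
        },
    )

if __name__ == "__main__":
    new_body = build_remap_body(SAMPLE_USER, "demouser@provider.com", "SAML")
    print(changed_fields(SAMPLE_USER, new_body))
```

Pass the returned request to `urllib.request.urlopen` to send it; anything in the changed-field list beyond `username`, `providerType` and (for ‘LOCAL’) `password` means the body was altered unintentionally.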

In the next part of this blog series, we’ll remap a tenant user.

Check out all of the latest enhancements in VMware Cloud Director 10.4.
