VMware Cloud Community
aamodei01
Enthusiast

vROPS 6.x API Question - SSO UserGroup Creation

Hello everyone!

I'm hoping someone out there has played around with the API enough to have come across this:

I'm trying to programmatically create an SSO User group, imported from our SSO (via PSC & AD integration) source.

I've been digging in the API docs, and I've found the "importUsers" REST function (POST /api/auth/sources/{id}/users)

However in searching the entire API doc, I can find no "importUserGroups" function of any kind.

I'm trying to create these SSO group type objects so that the end users (once configured) can simply log in (and would be tying the group to a custom group built for them)

Has anyone figured out a way to REST call and create a SSO user group?

Thanks!

2 Replies
aamodei01
Enthusiast

Digging into the API docs, there is a value not shown in the examples or even mentioned in the function, I found it buried in the 'Model Representation' called <ops:authSourceId>

So, to create a SSO SAML Group inside vROPs (and I suppose it would work with a standard LDAP group too) would be to POST something similar to this (just adjust your required permissions as needed):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ops:user-group xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ops="http://webservice.vmware.com/vRealizeOpsMgr/1.0/">
    <ops:name>YOUR AD GROUP FQDN NAME</ops:name>
    <ops:description xsi:nil="true" />
    <ops:authSourceId>YOUR SSO/LDAP SOURCE ID (You can GET this from /api/auth/sources/)</ops:authSourceId> <!-- THIS WAS THE MISSING PIECE -->
    <ops:roleNames>
        <ops:roleName>YOUR vROPS SECURITY ROLE NAME</ops:roleName>
    </ops:roleNames>
    <ops:role-permissions>
        <ops:role-permission allowAllObjects="true">
            <ops:roleName>Administrator</ops:roleName>
            <ops:traversal-spec-instances>
                <ops:traversal-spec-instance selectAllResources="true">
                    <ops:adapterKind>?</ops:adapterKind>
                    <ops:resourceKind>?</ops:resourceKind>
                    <ops:name>traversal_spec_name</ops:name>
                </ops:traversal-spec-instance>
            </ops:traversal-spec-instances>
        </ops:role-permission>
    </ops:role-permissions>
</ops:user-group>
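The payload above, built and checked in Python; this is an added example, not code from the original post or from VMware. It keeps the post's element names and namespace, leaves out the post's `traversal-spec-instances` block, and adds a hypothetical `broad_grants` check that lists every role a payload grants on all objects, so an imported AD group does not receive Administrator everywhere by copy-paste. The function names and the sample values used with them are assumptions.

```python
import xml.etree.ElementTree as ET

OPS_NS = "http://webservice.vmware.com/vRealizeOpsMgr/1.0/"  # namespace from the post
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
ET.register_namespace("ops", OPS_NS)
ET.register_namespace("xsi", XSI_NS)


def _el(parent, tag, text=None, **attrs):
    """Append an ops: child; ElementTree escapes text and attribute values."""
    child = ET.SubElement(parent, f"{{{OPS_NS}}}{tag}", attrs)
    child.text = text
    return child


def build_user_group(name, auth_source_id, grants):
    """Build the user-group body. grants: list of (role_name, allow_all_objects)."""
    if not auth_source_id:
        # authSourceId is what ties the group to the SSO/LDAP source.
        raise ValueError("authSourceId is required for an imported group")
    root = ET.Element(f"{{{OPS_NS}}}user-group")
    _el(root, "name", name)
    _el(root, "description", **{f"{{{XSI_NS}}}nil": "true"})
    _el(root, "authSourceId", auth_source_id)
    role_names = _el(root, "roleNames")
    perms = _el(root, "role-permissions")
    for role, allow_all in grants:
        _el(role_names, "roleName", role)
        perm = _el(perms, "role-permission",
                   allowAllObjects="true" if allow_all else "false")
        _el(perm, "roleName", role)
    return ET.tostring(root, encoding="unicode")


def broad_grants(payload_xml):
    """Return the role names a payload grants with allowAllObjects="true"."""
    ns = {"ops": OPS_NS}
    root = ET.fromstring(payload_xml)
    return [p.findtext("ops:roleName", namespaces=ns)
            for p in root.iterfind(".//ops:role-permission", ns)
            if p.get("allowAllObjects") == "true"]
```

Run `broad_grants` over any payload before it is POSTed; for the XML in the post it reports `Administrator`.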

enpicket
Contributor

Thank you so much for posting this! I'm trying it out and will let you know if it worked for me.
