VMware Cloud Community
shreyaShankar
Contributor

vRO - How to configure vRO Authentication Provider to use vSphere SSO via REST APIs?

I have used control center to configure Authentication for vRO. I want to try to do the same via REST APIs. Can someone help with what all REST calls have to be made to do the same?

I'm using vRO 7.3 and vCenter 6.5.

7 Replies
daphnissov
Immortal

It's all accessible via https://<FQDN>:8283/vco-controlcenter/docs/

The API you'll leverage is under /api/authentication.

shreyaShankar
Contributor

I tried executing

POST /api/authentication/configuration/provider/{provider}

and get the id and then executed

POST /api/authentication/configuration/{id}

When the above call was executed, I get response code as '0'.

I wanted to know what the exact API calls to be made are.

Chris0976
Contributor

This post is old, but I had to do this recently and figuring it out took me a little while on vRO 8.1.  It's a 3-step process to configure vRO to use vSphere SSO through the API.  First, you create a new VSPHERE configuration with a POST to the endpoint:

/vco-controlcenter/api/authentication/configuration/provider/VSPHERE

The first call should return the ID of the new connection and some JSON that describes the new connection, although it's initially just an empty template.  Update the JSON as needed with your SSO endpoint URL and credentials.  Then POST the JSON body to the following endpoint, where <ID> is from the first request result:

/vco-controlcenter/api/authentication/configuration/<ID>

You commit the change to vRO with a final POST of the same JSON body to the endpoint:

/vco-controlcenter/api/authentication/configuration/<ID>/finish

I'm guessing you could also post the updated JSON body to the "finish" endpoint without the intermediate post.  It looks like the intermediate step is present to enable building the configuration incrementally?

holden_ca
Contributor

Hi Chris0976

Many thanks for the reply here in this thread; it seems like this is the only place to clarify the topic.
I'm currently trying to configure the vRO 7.5 authentication provider following your steps:

- POST call to /vco-controlcenter/api/authentication/configuration/provider/VSPHERE, getting the session ID

- POST call to /vco-controlcenter/api/authentication/configuration/<ID> putting the username, password, Center URL and preserved <ID> to JSON body. Here I'm getting an error: 

"Exception occurred. Details: JSON parse error: Could not resolve type id 'authProvider' into a subtype of [simple type, class com.vmware.o11n.configuration.authentication.Authentication]: known type ids = [Authentication, CAFE, LDAP, SSO, VSPHERE]; nested exception is com.fasterxml.jackson.databind.exc.InvalidTypeIdException: Could not resolve type id 'authProvider' into a subtype of [simple type, class com.vmware.o11n.configuration.authentication.Authentication]: known type ids = [Authentication, CAFE, LDAP, SSO, VSPHERE]\n at [Source: java.io.PushbackInputStream@6415d18; line: 1, column: 2]"

I've checked and double-checked the JSON body for sure and it has valid structure and data:

{
    "error": null,
    "warning": null,
    "id": "<my session ID from initial POST call>",
    "providers": [
        "CAFE",
        "VSPHERE"
    ],
    "authentication": {
        "VSPHERE": {
            "URL": "<my Center URL>",
            "certificateAlias": "vco.vsphere.lookup-service.ssl.certificate",
            "username": "administrator@vsphere.local",
            "password": "<my password>",
            "importCertificates": false,
            "configureLicences": true,
            "adminGroup": "<my group>",
            "adminGroupDomain": "my group's domain",
            "defaultTenant": "vsphere.local",
            "ssoClockTolerance": 300,
            "tokenLifetimeInSeconds": 7776000,
            "ssoTokenRenewCount": 5,
            "provider": "VSPHERE"
        }
    },
    "state": "NEW",
    "certificate": [],
    "authProvider": "VSPHERE"
}

Java exception is also caught in /var/log/vco/configuration/controlcenter.log of vRO node:

org.springframework.http.converter.HttpMessageNotReadableException: JSON parse error: Could not resolve type id 'error' into a subtype of [simple type, class com.vmware.o11n.configuration.authentication.Authentication]: known type ids = [Authentication, CAFE, LDAP, SSO, VSPHERE]; nested exception is com.fasterxml.jackson.databind.exc.InvalidTypeIdException: Could not resolve type id 'error' into a subtype of [simple type, class com.vmware.o11n.configuration.authentication.Authentication]: known type ids = [Authentication, CAFE, LDAP, SSO, VSPHERE]
at [Source: java.io.PushbackInputStream@1b9a885b; line: 2, column: 5]
Caused by: com.fasterxml.jackson.databind.exc.InvalidTypeIdException: Could not resolve type id 'error' into a subtype of [simple type, class com.vmware.o11n.configuration.authentication.Authentication]: known type ids = [Authentication, CAFE, LDAP, SSO, VSPHERE]
at [Source: java.io.PushbackInputStream@1b9a885b; line: 2, column: 5]
at com.fasterxml.jackson.databind.exc.InvalidTypeIdException.from(InvalidTypeIdException.java:42)
at com.fasterxml.jackson.databind.DeserializationContext.unknownTypeIdException(DeserializationContext.java:1490)
at com.fasterxml.jackson.databind.DeserializationContext.handleUnknownTypeId(DeserializationContext.java:1170)
at com.fasterxml.jackson.databind.jsontype.impl.TypeDeserializerBase._handleUnknownTypeId(TypeDeserializerBase.java:282)
at com.fasterxml.jackson.databind.jsontype.impl.TypeDeserializerBase._findDeserializer(TypeDeserializerBase.java:156)
at com.fasterxml.jackson.databind.jsontype.impl.AsWrapperTypeDeserializer._deserialize(AsWrapperTypeDeserializer.java:104)
at com.fasterxml.jackson.databind.jsontype.impl.AsWrapperTypeDeserializer.deserializeTypedFromObject(AsWrapperTypeDeserializer.java:52)
at com.fasterxml.jackson.databind.deser.AbstractDeserializer.deserializeWithType(AbstractDeserializer.java:209)
at com.fasterxml.jackson.databind.deser.impl.TypeWrappedDeserializer.deserialize(TypeWrappedDeserializer.java:63)
at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3814)
at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:2938)
at org.springframework.http.converter.json.AbstractJackson2HttpMessageConverter.readJavaType(AbstractJackson2HttpMessageConverter.java:235)
... 80 more

Any ideas on how to resolve the issue?

pankaj1977
Contributor

Hi,

Did this work for anyone, as I have tried the suggested steps with no luck?

1. 

curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' 'https://<VROHOSTNAME>/vco-controlcenter/api/authentication/configuration/provider/VSPHERE'

Got JSON output.

2. From above took the ID - 116fda30-2d65-44d1-8062-852d00a35ef4 and used in

https://<vrofqdn>/vco-controlcenter/api/authentication/configuration/116fda30-2d65-44d1-8062-852d00a35ef4

used with JSON output from step 1 and provided information on password and admin group.

Whatever I do I always get Response Code as 0.

{
"error": "no response from server"
}

3. 

https://<vrofqdn>/vco-controlcenter/api/authentication/configuration/d40e4653-321d-45f4-b1fa-fd7ee0bae2d1/finish

Getting JSON output.

It's actually not working. Any help with this is much appreciated.

pankaj1977
Contributor

Hi Chris,

I am facing the issue with this one. I have updated my command in this chain itself.

Thanks and Regards,

Pankaj

 

pankaj1977
Contributor

Hi,

Update:

This is working now.

Steps:

1. curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' 'https://vrofqdn/vco-controlcenter/api/authentication/configuration/provider'

This will give an ID which needs to be used in the next 2 steps.

2. https://ukxvadaip104.uk.dev.net/vco-controlcenter/api/authentication/configuration/<ID from above command>

Use payload in below format

{
    "VSPHERE": {
        "url": "https://vcenterfqdn/lookupservice/sdk",
        "certificateAlias": "vco.vsphere.lookup-service.ssl.certificate",
        "username": "vcenteradminaccount",
        "password": "vcenteradminpasword",
        "importCertificates": false,
        "configureLicences": true,
        "adminGroup": null,
        "adminGroupDomain": null,
        "defaultTenant": "vsphere.local",
        "ssoClockTolerance": 300,
        "tokenLifetimeInSeconds": 7776000,
        "ssoTokenRenewCount": 5,
        "provider": "VSPHERE"
    }
}

3. 

curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' 'https://vrofqdn/vco-controlcenter/api/authentication/configuration/<id from 1st step>/finish'
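
An added example, not code from any poster in this thread or from VMware: the Jackson error quoted above names the first top-level key of the posted JSON as the unresolved type id, so the body for step 2 and for /finish has to be a single object keyed by the provider type, as in the working payload, and not the whole step-1 response. The sample envelope is constructed from the one posted in the thread; the helper names and the VRO_SSO_PASSWORD environment variable are assumptions, and the password is read from the environment and masked before anything is logged.

```python
import json

# Type ids listed in the Jackson error quoted in the thread.
KNOWN_TYPE_IDS = {"Authentication", "CAFE", "LDAP", "SSO", "VSPHERE"}

# Constructed step-1 response, modelled on the envelope posted in the thread.
SAMPLE_ENVELOPE = {
    "error": None, "warning": None, "id": "<ID>", "providers": ["CAFE", "VSPHERE"],
    "authentication": {"VSPHERE": {"url": None, "username": None, "password": None,
                                   "defaultTenant": "vsphere.local", "provider": "VSPHERE"}},
    "state": "NEW", "certificate": [], "authProvider": "VSPHERE",
}

def wrapper_body(envelope, provider, **fields):
    """Build {provider: {...}} from the envelope's template; never send the envelope itself."""
    template = dict(envelope["authentication"][provider])
    for name, value in fields.items():
        # Reuse the template's own spelling of a key (the thread shows both "URL" and "url").
        key = next((k for k in template if k.lower() == name.lower()), name)
        template[key] = value
    return {provider: template}

def check_body(body):
    """Raise ValueError unless the body has exactly one top-level key that is a known type id."""
    if len(body) != 1 or next(iter(body)) not in KNOWN_TYPE_IDS:
        raise ValueError(f"top-level keys {sorted(body)} are not one known type id")
    return next(iter(body))

def plan_requests(base_url, config_id, body):
    """Return (method, url, json_text) for step 2 and the final /finish call."""
    check_body(body)
    root = f"{base_url}/vco-controlcenter/api/authentication/configuration"
    text = json.dumps(body)
    return [("POST", f"{root}/{config_id}", text),
            ("POST", f"{root}/{config_id}/finish", text)]

def redacted(body):
    """Copy of the body that is safe to log: the password value is masked."""
    return {t: {k: ("***" if k.lower() == "password" else v) for k, v in inner.items()}
            for t, inner in body.items()}

if __name__ == "__main__":
    import os
    body = wrapper_body(SAMPLE_ENVELOPE, "VSPHERE",
                        url="https://vcenterfqdn/lookupservice/sdk",
                        username="administrator@vsphere.local",
                        password=os.environ.get("VRO_SSO_PASSWORD", ""))  # assumed variable name
    for method, url, _ in plan_requests("https://vrofqdn", "<ID>", body):
        print(method, url)
    print(json.dumps(redacted(body), indent=2))
```

Sending the same body to /finish follows Chris0976's description; the last curl command in the thread shows no body for that call.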