Contributor

vCO REST API Holder of Key Authorization

Hello

I'm trying to access the vCO REST API using a HoK token which was acquired from SSO.

I compose the Authorization header using the following algorithm:

Authorization: SIGN token="...",
               nonce="143210500:asdfsd",
               signature_alg="RSA-SHA256",
               signature="..."

Where:

token              BASE64(GZIP(SAML2)). By SAML2 I mean the whole XML value of the HoK
signature          value of the <ds:SignatureValue> XML tag in the HoK

and send GET requests to the following URL: https://vcoFQDN:8281/vco/api/users

Unfortunately I get error 500: java.lang.AssertionError: Problem decompressing data: java.util.zip.ZipException: Not in GZIP format

What am I doing wrong?

0 Kudos
7 Replies
VMware Employee

Is there any particular reason you are taking the HoK route? The API allows you to use BASIC authentication and handles the SSO aspect for you. For example, in my SSO enabled lab, I can use PostMan with basic auth to connect and do what I need via the REST API without the hassle of the HoK.

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you! Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator for vRealize Orchestrator tips and tutorials - @TechnicalValues on Twitter
0 Kudos
Contributor

I want to access the vCO REST API from a vSphere Web Client plugin. And I don't think that SSO provides user credentials for plugins.

0 Kudos
VMware Employee

Please review the documentation. The vSphere Web Client passes your credentials to the registered Orchestrator server automatically. If they are tied together properly and the user you have logged into the vSphere Web Client with has appropriate role in Orchestrator, you will see the Orchestrator server, workflows, etc. There is no need to be fiddling with HoK stuff when setting this up.

0 Kudos
Contributor

Does it mean that I can access the vCO REST API (for example, run a workflow) from my plugin without passing anything in the Authorization header?

0 Kudos
VMware Employee

Hm, I see that you are actually saying "plug-in" as in you are developing a vSphere Web Client plug-in to do stuff and you wish to launch a workflow from there... If that is the case, sorry for the confusion. I was simply thinking of the vSphere Web Client itself. I'm unsure of what is available to plug-ins with regard to the SSO token, so I'll leave further replies to others, as developing plug-ins for the vSphere Web Client is not my area of expertise.

0 Kudos
Contributor

This topic is not fully related to plugins. I am just asking how to generate the signature correctly.

0 Kudos
Contributor

Here's a snippet of Perl code I use. I take everything between <saml2:Assertion> and </saml2:Assertion>, not including those tags, and call that $token.

Then I:

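use IO::Compress::Gzip qw(gzip $GzipError);
use MIME::Base64 qw(encode_base64);

# Compress the assertion contents, then Base64-encode them onto a single line
gzip \$token => \$gzipped or die "gzip failed: $GzipError";
$encoded = encode_base64($gzipped);
$encoded =~ s/\n//g;   # encode_base64 wraps its output; strip the line breaks

$restClient->addHeader('Authorization',   'SIGN token="' . $encoded . '", nonce="' . $nonce . '", signature_alg="RSA-SHA256",' . ' signature="' . $sig . '"');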

HTH

0 Kudos
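
The token encoding discussed in this thread, BASE64(GZIP(XML)) on a single line, as an added Python example that is not part of the original posts or of VMware's code. It also checks a token the way a receiver would before gunzipping it, which is where a "Not in GZIP format" error originates. `SAMPLE_XML`, the function names, and the nonce and signature placeholders are assumptions made for illustration; how the signature is computed is not covered by the thread and is not shown.

```python
import base64
import binascii
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"  # RFC 1952: every gzip stream starts with these bytes

# Constructed sample, standing in for the assertion XML taken from the HoK token.
SAMPLE_XML = '<saml2:Issuer>https://sso.example.test/</saml2:Issuer>'

def encode_token(saml_xml: str) -> str:
    """BASE64(GZIP(xml)) on one line, the token form described in the thread."""
    compressed = gzip.compress(saml_xml.encode("utf-8"))
    return base64.b64encode(compressed).decode("ascii")  # no line breaks added

def diagnose_token(token: str) -> str:
    """Return 'ok', or the reason a receiver could not gunzip the token."""
    try:
        raw = base64.b64decode(token, validate=True)  # rejects newlines, stray chars
    except (binascii.Error, ValueError) as exc:
        return f"not valid Base64: {exc}"
    if raw[:2] != GZIP_MAGIC:
        # Java's GZIPInputStream reports this case as "Not in GZIP format".
        return "Base64 decodes, but the payload does not start with gzip magic 1f 8b"
    try:
        gzip.decompress(raw)
    except (OSError, EOFError, zlib.error) as exc:
        return f"gzip header present, but the stream is corrupt: {exc}"
    return "ok"

def build_sign_header(token: str, nonce: str, signature: str) -> str:
    """Assemble the header in the shape shown in the thread."""
    return (f'SIGN token="{token}", nonce="{nonce}", '
            f'signature_alg="RSA-SHA256", signature="{signature}"')

if __name__ == "__main__":
    good = encode_token(SAMPLE_XML)
    candidates = {
        "gzip + base64": good,
        "base64 only (gzip skipped)": base64.b64encode(SAMPLE_XML.encode()).decode(),
        "line-wrapped base64": base64.encodebytes(gzip.compress(SAMPLE_XML.encode())).decode(),
    }
    for label, tok in candidates.items():
        print(f"{label:28} -> {diagnose_token(tok)}")
    # nonce and signature below are placeholders, not real values
    print(build_sign_header(good, "<nonce>", "<signature>")[:60] + "...")
```

Running `diagnose_token` on the exact string placed in the header separates an encoding problem (gzip step skipped, Base64 mangled) from a signature problem before the request is sent.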