VMware {code} Community
noye
Contributor

How to acquire a SAML token

Hi,

We know how to acquire a SAML token from the SSO API using the VC username/password, but couldn't figure out how to get those.

Is there a way for the web client to retrieve the username and password so it may pass them on to the java service that will use them to get the token?

Is there an alternative - some other data that the web client can get and could be used to acquire the token?

Thanks,

Eitan

21 Replies

laurentsd
VMware Employee

Password retrieval is a big No No, you'll never see a SDK API for that!

The easier way to get the SAML token is directly through the UserSession you can access in your Java plugin.  UserSession has a samlTokenXml field.  Then you can use the SSO API to convert that xml into the SAML token object.

noye
Contributor

Thank you Laurent,

I found the sample (wssdk-provider) showing how to get the com.vmware.vise.usersession.UserSession object, but this object has no such field - only clientId, locale, serversInfo[] and userName.

ServerInfo has name, serviceGuid, serviceURL, sessionCookie, thumbprint and version.

There's another UserSession object - com.vmware.vim25.UserSession, which has a bunch of getters, but not for a samlTokenXML property.

Could you help me a little further?

laurentsd
VMware Employee

samlTokenXml was added in SDK 5.5.  This is the current version so I always assume that's what people are referring to unless you specify otherwise.

Sorry I don't have a solution for 5.1.

7alexk7
Contributor

Hi, is there any documentation on how to use this samlTokenXml to pass it to another process so it can authenticate with vSphere?

I guess this token cannot be passed as is. So how is it done?

Thanks

laurentsd
VMware Employee

See above  "you can use the SSO API to convert that xml into the SAML token object." 

Check the SSO API doc and the vSphere Management SDK forum for vSphere authentication using a SAML token.

7alexk7
Contributor
Hi,

I checked the SSO API; there are methods for issuing new tokens and renewing them. I also printed the samlTokenXml and, as I see, it is a holder-of-key token.

There is ProxyRestriction 0 in this token. Does it mean it cannot be passed as is to another service in order for it to authenticate with vSphere?

There is an example in the SSO API of how to issue a holder-of-key token from another holder-of-key token. But it requires the original certificate and private key, and I do not see any API in the web client to get those.

I tried to put this token in the SOAP header as is from the service and got an authentication error.

I also posted the question on the vSphere Management SDK forum and did not get any answer. Trying here again because you seem to be the only one who talks about this.

Could you please point me to some example or maybe other documentation.

Thanks

Alex

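What Alex observes above (a holder-of-key token carrying ProxyRestriction Count="0") is decided by two parts of the assertion: the SubjectConfirmation Method and the Conditions block. The following is an added Python example, not code from this thread or from the VMware SDK, that parses a constructed assertion of that shape and reports what it permits. The sample token, the hostname and the certificate bytes are made up; the XML signature on a real token is not verified here, and nothing below calls a VMware API.

```python
"""Inspect a SAML 2.0 assertion of the kind vSphere SSO issues (added example,
not from the thread or the VMware SDK).  It shows why the samlTokenXml cannot
simply be copied into another process's SOAP header: the SubjectConfirmation
method and the ProxyRestriction condition decide who may present the token and
whether a relying party may mint a new assertion from it.  Verifying the
assertion's own ds:Signature is deliberately left out."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample token (hostname, ID and certificate bytes are made up).
# Its shape matches what the post above reports: holder-of-key, ProxyRestriction Count="0".
SAMPLE_HOK_TOKEN = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_c0ffee" IssueInstant="2014-01-01T12:00:00Z" Version="2.0">
  <saml2:Issuer>https://vc.example.invalid/websso/SAML2/Metadata/vsphere.local</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID>administrator@vsphere.local</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
      <saml2:SubjectConfirmationData>
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>MIIC...made-up...</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </saml2:SubjectConfirmationData>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2014-01-01T12:00:00Z" NotOnOrAfter="2014-01-01T12:30:00Z">
    <saml2:ProxyRestriction Count="0"/>
  </saml2:Conditions>
</saml2:Assertion>"""

# The same token rewritten as a bearer assertion, to contrast the two confirmation methods.
SAMPLE_BEARER_TOKEN = SAMPLE_HOK_TOKEN.replace(HOLDER_OF_KEY, BEARER)


def _xsd_datetime(value):
    """SAML timestamps are xsd:dateTime in UTC with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def inspect_token(token_xml, now="auto"):
    """Return the facts about an assertion that decide how it may be used.

    `now` is an xsd:dateTime string (for reproducible checks) or "auto" for
    the current time.
    """
    root = ET.fromstring(token_xml)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML 2.0 Assertion element: %s" % root.tag)
    current = datetime.now(timezone.utc) if now == "auto" else _xsd_datetime(now)

    methods = {sc.get("Method") for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS)}
    cert = root.findtext(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData"
        "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion has no Conditions element")
    not_before = _xsd_datetime(conditions.get("NotBefore"))
    not_on_or_after = _xsd_datetime(conditions.get("NotOnOrAfter"))
    proxy = conditions.find("saml:ProxyRestriction", NS)
    proxy_count = int(proxy.get("Count")) if proxy is not None and proxy.get("Count") else None

    return {
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "holder_of_key": HOLDER_OF_KEY in methods,
        "bearer": BEARER in methods,
        "confirmation_cert": cert.strip(),
        "valid_now": not_before <= current < not_on_or_after,
        # SAML 2.0 core 2.5.1.6: Count="0" means the relying party must not issue
        # a new assertion to another party on the basis of this one.
        "proxy_count": proxy_count,
        "may_be_reissued": proxy_count is None or proxy_count > 0,
    }


def forwarding_verdict(info):
    """Can a backend that merely receives this XML authenticate with it?"""
    if not info["valid_now"]:
        return False, "token is outside its NotBefore/NotOnOrAfter window"
    if info["holder_of_key"]:
        return False, ("holder-of-key token: the presenter must sign the request with the "
                       "private key for the certificate in SubjectConfirmationData; "
                       "the XML alone proves nothing")
    if info["bearer"]:
        return True, ("bearer token: whoever holds it can use it, so transport and store "
                      "it like a password")
    return False, "unknown SubjectConfirmation method"


if __name__ == "__main__":
    for name, xml in (("holder-of-key", SAMPLE_HOK_TOKEN), ("bearer", SAMPLE_BEARER_TOKEN)):
        facts = inspect_token(xml, now="2014-01-01T12:10:00Z")
        print(name, facts["proxy_count"], forwarding_verdict(facts))
```

The point for the backend-server design in this thread: a holder-of-key token is useless to a receiver that does not also hold the matching private key, so posting the XML to a backend does not let the backend log in as the user; a bearer token would, which is exactly why it has to be handled as a secret in transit.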
laurentsd
VMware Employee

This is a vCenter and SSO topic so there is nothing in the Web Client SDK to help you.

A global search in the communities may yield better results.

bhrami
Contributor

Hi Laurent,

I have exactly the same requirement as Alex. I am using the HTML bridge, and would like to send the SSO information to my backend server, which would use this information to authenticate with vCenter to retrieve the inventory information.

From my HTML Bridge I can access the userSession information, the samlTokenXml string and the username, which I am sending over to the backend with a POST REST call. I am currently blocked on which SSO APIs I need to use to convert that string into a valid token object. Yes, I understand it is not in the scope of discussion of the web client SDK. I did not find any article that explains this conversion.

This is a blocker for my plugin development, any help will be greatly appreciated.

Thanks,

Bhrami.

laurentsd
VMware Employee

I see some LoginByToken examples in the SSO SDK documentation at vSphere 5.5 Documentation Center

but since I am not an expert there I don't know if this can help you.

I'll ping other people here to try to get more info.

bhrami
Contributor

I would really really appreciate that help from you Laurent.

Just a piece of code on how to convert the samlTokenXml into the object will take me a long way through.

Regards,

Bhrami

laurentsd
VMware Employee

So far the only response I got inside VMware related to some internal API, so that's not good.

But just to be sure, what is your use case for using LoginByToken?

You can already use the vSphere Web Services API and have a valid vCenter session as shown in this code sample:

samples/vsphereviews/vsphere-wssdk-provider/src/main/java/com/vmware/samples/wssdkprovider/VmDataProviderImpl.java

bhrami
Contributor

From my HTML bridge client I want to make a direct REST call to my backend server and send the token across.

I would want my server to authenticate with vcenter and get the service instance. I am not using the intermediate JAVA service.

laurentsd
VMware Employee

I found some test code which converts a samlTokenXml string into a samlToken object.

It uses the httpSsoAuth library which is attached.

Try to see if that works for you. I can't help on this code myself because I am not familiar with those APIs.

    import java.security.KeyStore.PrivateKeyEntry;
    import java.security.cert.X509Certificate;

    import com.vmware.vim.sso.client.SamlToken;
    import com.vmware.vim.sso.http.Request;
    import com.vmware.vim.sso.http.Request.Method;
    import com.vmware.vim.sso.http.SignatureAlgorithm;
    import com.vmware.vim.sso.http.util.SecureStoreUtil;
    // MockRequest, AuthCalculator(Factory) and AuthVerifier(Factory) come from the
    // attached httpSsoAuth library; their packages are not shown in this snippet.

    // Test code: computes a signed HTTP auth token that carries samlTokenXml, then
    // verifies it against the STS certificate to get back a SamlToken object.
    public static SamlToken toSamlToken(String samlTokenXml) throws Exception {
        // Private key of the test user: the SAML token is holder-of-key, so the
        // presenter has to sign with the key bound in the token.
        PrivateKeyEntry user = SecureStoreUtil.readUser1Entry();

        // A mock request to sign over (method, path, host, port, body).
        Request req = new MockRequest(Method.GET, "/", "test.com", 80, "");

        AuthCalculator calc = AuthCalculatorFactory.instance(SignatureAlgorithm.RSA_SHA256);
        String[] token = calc.computeToken(req, user.getPrivateKey(), samlTokenXml);

        // Verify against the STS signing certificate; the two numeric arguments are
        // passed through unchanged from the original test code.
        X509Certificate stsCert = SecureStoreUtil.readStsCertificate();
        AuthVerifier verifier = AuthVerifierFactory.instance(new X509Certificate[] { stsCert }, 0, 60);
        return verifier.verifyToken(req, token);
    }

bhrami
Contributor

Thanks Laurent. Will try it out.

bhrami
Contributor

Hi Laurent,

This solution with the specified jar file didn't seem to work for us. Do you have any updated sample that passes the SAML token to the backend server, which it in turn uses to successfully log in to vCenter?

This is such a simple workflow I am trying to solve, but unfortunately none of the APIs are documented. Hence a huge issue for the web client plugin integration.

Thanks,

Bhrami.

laurentsd
VMware Employee

What API do you use to login vCenter with the SAML token?

bennettr
Contributor

Hi Laurent,

Sorry to bring back such an old post, but I'm working through the same issue right now. I'm actually able to use the samlTokenXml to get a bearer token if I convert it to XML using a DocumentBuilder, but I can't currently get the PrivateKey and X509Certificate in a vSphere 5.5-friendly way. Your previous example with the SecureStoreUtil seems to do exactly that, however. Could you please tell me where the jar is that I can find SecureStoreUtil?

Failing that, is there any other way to grab the PrivateKey and X509Certificate in vSphere 5.5?

Thanks!

laurentsd
VMware Employee

SecureStoreUtil is a test class, see source attached.

bennettr
Contributor

Ah, I see. Is there any v5.5 SDK method to get the path and password to the VMware keystore, since I believe it varies depending on the server's OS?
