
vCenter Single Sign On

Programming Guide
vCenter Single Sign On SDK
vSphere 5.1

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

EN-000832-01

vCenter Single Sign On Programming Guide

You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
[email protected]

Copyright 2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and
intellectual property laws. VMware products are covered by one or more patents listed at
http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks
and names mentioned herein may be trademarks of their respective companies.

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

VMware, Inc.

Contents

About This Book

Single Sign-On in the vSphere Environment 5
  vCenter Single Sign On Overview 5
  vCenter Single Sign On Client API 7
  Acquiring a SAML Token 7
  vCenter Single Sign On Security Policies 8
  Connecting to a vCenter Single Sign On Server 9
  Token Delegation 10
  Token Lifetime - Clock Tolerance 10
  Challenge (SSPI) 10
  vCenter Single Sign On SOAP Message Structure 11
  vCenter Single Sign On SDK 11
  vCenter Single Sign On SDK Examples 12

vCenter Single Sign On API Reference 13
  vCenter Single Sign On Client API Methods 13
    Issue 13
    Renew 14
    Validate 14
    Challenge 15
  vCenter Single Sign On API Data Structures 15
    RequestSecurityTokenType 15
    RequestSecurityTokenResponseCollectionType 17
    RequestSecurityTokenResponseType 17
    LifetimeType 18
    RenewingType 18
    KeyTypeOpenEnum 18
    UseKeyType 19
    ParticipantsType 19
    ParticipantType 19
    EndpointReference 19
    BinaryExchangeType 19
    AdviceType 20
    AttributeType 20

vCenter Single Sign On Client Example (JAX-WS) 21
  vCenter Single Sign On Token Request Overview 21
  Using Handler Methods for SOAP Headers 22
  Sending a Request for a Security Token 24

LoginByToken Example (JAX-WS) 27
  vCenter Server Single Sign On Session 27
  HTTP and SOAP Header Handlers 27
  Sample Code 28
  Saving the vCenter Server Session Cookie 29
  Using LoginByToken 30
  Restoring the vCenter Server Session Cookie 31

Index 33


About This Book

vCenter Single Sign On Programming Guide describes how to use the VMware vCenter Single Sign On API. VMware provides different APIs and SDKs for different applications and goals. The vCenter Single Sign On SDK supports the development of vCenter clients that use SAML token authentication for access to vSphere environments.
To view the current version of this book as well as all VMware API and SDK documentation, go to http://www.vmware.com/support/pubs/sdk_pubs.html.

Revision History
This book is revised with each release of the product or when necessary. A revised version can contain minor or major changes. Table 1 summarizes the significant changes in each version of this book.
Table 1. Revision History
Revision Date    Description
08 Nov 2012      vCenter Single Sign On SDK V1.0 documentation update; changed the SOAP envelope description to identify SSL/TLS (Transport Layer Security) correctly.
10 Sep 2012      vCenter Single Sign On SDK V1.0 documentation.

Intended Audience
This book is intended for anyone who needs to develop applications using the vCenter Single Sign On SDK. Developers typically create vCenter Single Sign On client applications using Java to access the vCenter Single Sign On Server. An understanding of Web Services technology and some programming background in one of the stub languages (Java) is required.

VMware Technical Publications Glossary


VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions of terms as they are used in VMware technical documentation, go to http://www.vmware.com/support/pubs.

Document Feedback
VMware welcomes your suggestions for improving our documentation. Send your feedback to [email protected].


Single Sign-On in the vSphere Environment

A vCenter Single Sign On client connects to the vCenter Single Sign On Server to obtain a security token that contains authentication claims required for operations in the vSphere environment. The vCenter Single Sign On client API supports operations to acquire, renew, and validate tokens.
This chapter includes the following topics:
- vCenter Single Sign On Overview
- vCenter Single Sign On Client API
- Acquiring a SAML Token
- vCenter Single Sign On SOAP Message Structure
- vCenter Single Sign On SDK

vCenter Single Sign On Overview


To support the requirements for secure software environments, software components require authorization to perform operations on behalf of a user. In a single sign-on environment, a user provides credentials once, and components in the environment perform operations based on the original authentication. vCenter Single Sign On authentication can use the following identity store technologies:
- Windows Active Directory
- OpenLDAP (Lightweight Directory Access Protocol)
- Local user accounts (vCenter Single Sign On Server resident on the vCenter Server machine)
- vCenter Single Sign On user accounts
For information about configuring identity store support, see vSphere Installation and Setup and vSphere Security in the VMware Documentation Center.
In the context of single sign-on, the vSphere environment is a collection of services and solutions, each of which potentially requires authentication of clients that use the service or solution. Examples of solutions that might support single sign-on include vShield, SRM (Site Recovery Manager), and vCO (vCenter Orchestrator). Because a service can use another service, single sign-on provides a convenient mechanism to broker authentication during a sequence of vSphere operations.
The vCenter Single Sign On Server provides a Security Token Service (STS). A vCenter Single Sign On client connects to the vCenter Single Sign On server to obtain a token that represents the client. A token uses the Security Assertion Markup Language (SAML), which is an XML encoding of authentication data. It contains a collection of statements or claims that support client authentication. Examples of token claims include name, key, and group.


There are two types of vCenter Single Sign On tokens.
- Holder-of-key tokens provide authentication based on security artifacts embedded in the token. Holder-of-key tokens can be used for delegation. A client can obtain a holder-of-key token and delegate that token for use by another entity. The token contains the claims to identify the originator and the delegate. In the vSphere environment, a vCenter Server obtains delegated tokens on a user's behalf and uses those tokens to perform operations.
- Bearer tokens provide authentication based only on possession of the token. Bearer tokens are intended for short-term, single-operation use. A bearer token does not verify the identity of the user (or entity) sending the request. It is possible to use bearer tokens in the vSphere environment; however, there are potential limitations:
  - The vCenter Single Sign On Server may impose limitations on the token lifetime, which would require you to acquire new tokens frequently.
  - Future versions of vSphere might require the use of holder-of-key tokens.
The following figure shows a vCenter client that uses a SAML token to establish a session with a vCenter Server.
Figure 1-1. Single Sign-On in the vSphere Environment
[Figure: a vCenter client, which contains a vCenter Single Sign On client component, sends a token request to the vCenter Single Sign On Server; the server authenticates against the Identity Store and returns a SAML token; the vCenter client then calls SessionManager.LoginByToken() [SAML token] on the vCenter Server.]
The vCenter client also operates as a vCenter Single Sign On client. The vCenter Single Sign On client component handles communication with the vCenter Single Sign On Server.
1 The vCenter Single Sign On client sends a token request to the vCenter Single Sign On Server. The request contains information that identifies the principal. The principal has an identity in the identity store. The principal may be a user or it may be a software component. In this scenario, the principal is the user that controls the vCenter client.
2 The vCenter Single Sign On Server uses the identity store to authenticate the principal.
3 The vCenter Single Sign On Server sends a response to the token request. If authentication is successful, the response includes a SAML token.
4 The vCenter client connects to the vCenter Server and calls the SessionManager method LoginByToken. The login request contains the SAML token.
The figure shows the vCenter Server, vCenter Single Sign On Server, and identity store as components running on separate machines. You can use different vCenter Single Sign On configurations.


Chapter 1 Single Sign-On in the vSphere Environment

- A vCenter Single Sign On Server can operate as an independent component running on its own machine. The vCenter Single Sign On Server can use a remote identity store or it can manage user accounts in its own internal identity store.
- A vCenter Single Sign On Server can operate as an embedded component running on the vCenter Server machine. In this configuration, the vCenter Single Sign On Server can use a remote identity store, its own internal identity store, or it can access user accounts on the vCenter Server machine.
For information about installing and configuring the vCenter Single Sign On Server, see vSphere Installation and Setup and vSphere Security in the VMware Documentation Center.

vCenter Single Sign On Client API


The vCenter Single Sign On client API is described in the WSDL (Web Service Definition Language) file that is included in the vCenter Single Sign On SDK. This API defines a set of request operations that correspond to the WS-Trust 1.4 bindings. The set of operations includes Issue, Renew, Validate, and Challenge requests.
- Issue: Obtains a token from a vCenter Single Sign On Server.
- Renew: Renews an existing token.
- Validate: Validates an existing token.
- Challenge: Part of a negotiation with a vCenter Single Sign On Server to obtain a token.
The vCenter Single Sign On SDK includes Java bindings for the vCenter Single Sign On WSDL. The SDK also contains sample code that includes a JAX-WS implementation of SOAP header methods that support the vCenter Single Sign On security policies. The security policies are based on the WS-SecurityPolicy standard. Security policies specify the elements that provide SOAP message security. The SOAP header methods insert digital signatures, certificates, and SAML tokens into the SOAP message for vCenter Single Sign On requests. See vCenter Single Sign On Security Policies on page 8 and vCenter Single Sign On SDK on page 11.

Acquiring a SAML Token


To obtain a security token from a vCenter Single Sign On Server, the vCenter Single Sign On client calls the Issue method, which sends a SOAP message that contains a token request and authentication data. This section describes a token request that uses a certificate to obtain a holder-of-key token. When the client creates the token request, it also inserts timestamp, signature, and certificate data into the SOAP security header. The vCenter Single Sign On SDK provides Java packages that support SOAP header manipulation.
The following figure represents the content of an Issue request and the response containing a SAML token.
Figure 1-2. Issue - vCenter Single Sign On Token Request and Response
[Figure: the vCenter Single Sign On client sends an Issue request whose SOAP body carries the token request and whose SOAP header carries a timestamp, digital signature, and certificate; the vCenter Single Sign On Server consults the Identity Store and returns an Issue response containing the SAML token.]


When the vCenter Single Sign On Server receives the Issue request, it performs the following operations to generate a token:
- Uses the timestamp to validate the request.
- Validates the certificate.
- Uses the certificate to validate the digital signature.
- Uses the certificate subject to authenticate the request. Authentication is obtained from the identity store that is registered with the vCenter Single Sign On Server.
- Generates a token that specifies the principal (the vCenter Single Sign On client) as the token subject.

vCenter Single Sign On Security Policies


Web service security policies define the requirements for secure communication between a Web service and a client. vCenter Single Sign On security policies are based on the WS-Policy framework and WS-SecurityPolicy specifications. A policy identifies specific elements for token requests. Based on the policy requirements, a vCenter Single Sign On client will insert data into the SOAP security header for the token request.
vCenter Single Sign On defines security policies for end-user access, solution access, and for token exchange. The policies stipulate the following elements:
- Security certificates (x509V3, x509PKIPathV1, x509PKCS7, or WssSamlV20Token11)
- Message timestamps
- Security binding (transport)
- Encryption algorithm (Basic256Sha256)
vCenter Single Sign On security policies specify that the body of the SOAP message for a holder-of-key token must be signed. Bearer tokens require only the username and timestamp tokens.
NOTE The vCenter Single Sign On Server issues SAML tokens to represent client authentication. The standards documentation also uses the term token to refer to claims and certificate data that is inserted into SOAP security headers.


The following table shows the vCenter Single Sign On policies and identifies the requirements for each policy. The vCenter Single Sign On WSDL defines these policies for use with the vCenter Single Sign On methods.
Table 1-1. vCenter Single Sign On Policies
Policy
    Description

STSSecPolicy
    Defines the transport policy and algorithm suite for all communication with the vCenter Single Sign On Server:
    - Certificate-based server-side SSL authentication.
    - HTTPS transport binding using the NIST (National Institute of Standards and Technology) Basic256Sha256 encryption algorithm. The HTTPS token is used to generate the message signature.
    - The request security header must contain a timestamp.

IssueRequestPolicy
    Defines the security policy for Issue token requests. IssueRequestPolicy specifies either username token (signed), username token (plain text password), X509 certificate, or holder-of-key token authentication. You specify username/password or X509 certificate credentials to obtain a vCenter Single Sign On token. If you obtain a holder-of-key token, you can use that token for subsequent Issue requests.
    Username token (signed) authentication:
    - X509 endorsing supporting token (WssX509V3Token11, WssX509PkiPathV1Token11, or WssX509Pkcs7Token10)
    - WssUsernameToken11 signed supporting token
    Username token (plain text password) authentication:
    - WssUsernameToken11 signed supporting token
    X509 certificate authentication:
    - X509 endorsing supporting token (WssX509V3Token11, WssX509PkiPathV1Token11, or WssX509Pkcs7Token10)
    Holder-of-Key token authentication:
    - WssSamlV20Token11 assertion referenced by a KeyIdentifier
    - The token must be used to sign the SOAP message body.

RenewRequestPolicy
    Defines the security policy for Renew token requests. The request must contain one of the following endorsing supporting tokens. The SOAP message body must be included in the signature generated with the token.
    - WssX509V3Token11
    - WssX509PkiPathV1Token11
    - WssX509Pkcs7Token10

vCenter Single Sign On SDK Support for vCenter Single Sign On Security Policies
The vCenter Single Sign On SDK provides Java utilities that support the vCenter Single Sign On security policies. Your vCenter Single Sign On client can use these utilities to create digital signatures and supporting tokens, and insert them into SOAP headers as required by the policies. The SOAP header utilities are defined in files that are located in the samples directory:
SDK\sso\java\JAXWS\samples\com\vmware\sso\client\soaphandlers

See Using Handler Methods for SOAP Headers on page 22.

Connecting to a vCenter Single Sign On Server


When a vCenter Single Sign On client connects to a vCenter Single Sign On server, it must specify the server URL as the endpoint for the token request message. The endpoint specification uses the following format:
https://hostname|IPaddress:7444/ims/STSService

The port number and path suffix (7444/ims/STSService) are required. 7444 is the default port number. See Sending a Request for a Security Token on page 24 for an example of setting the endpoint for a token request. You can change the port number during vCenter Single Sign On Server installation.


Token Delegation
Holder-of-key tokens can be delegated to services in the vSphere environment. A service that uses a delegated token performs the service on behalf of the principal that provided the token. A token request specifies a DelegateTo identity. The DelegateTo value can either be a solution token or a reference to a solution token.
Components in the vSphere environment can use delegated tokens. vSphere clients that use the LoginByToken method to connect to a vCenter Server do not use delegated tokens. The vCenter Server will use a vSphere client's token to obtain a delegated token. The vCenter Server will use the delegated token to perform operations on behalf of the user after the user's vCenter session has ended. For example, a user may schedule operations to occur over an extended period of time. The vCenter Server will use a delegated token to support these operations.

Token Lifetime - Clock Tolerance


A SAML token contains information about the lifetime of a token. A SAML token uses the NotBefore and NotOnOrAfter attributes of the SAML Conditions element to define the token lifetime.
<saml2:Conditions NotBefore="2011-10-04T21:39:17.731Z" NotOnOrAfter="2011-10-04T21:39:47.731Z">
During a token's lifetime, the vCenter Single Sign On server considers any request containing that token to be valid and the server will perform renewal and validation operations on the token. The lifetime of a token is affected by a clock tolerance value that the vCenter Single Sign On server applies to token requests. The clock tolerance value accounts for differences between time values generated by different systems in the vSphere environment. The clock tolerance is 10 minutes.
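The following Python example is added here to show how a relying party evaluates the NotBefore and NotOnOrAfter attributes with a clock tolerance; it is not code from the guide or from the vCenter Single Sign On SDK. The sample Conditions element is constructed (the guide's attribute values, closed and given a saml2 namespace declaration so it parses on its own), and the assumption that the 10-minute tolerance widens the validity window at both ends is this example's, not a statement from the guide.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Clock tolerance the guide states the vCenter Single Sign On Server applies (minutes).
DEFAULT_TOLERANCE_MINUTES = 10

# Constructed sample, not captured from a server: the guide's Conditions element,
# self-closed and carrying its namespace declaration so it parses stand-alone.
SAMPLE_CONDITIONS = (
    '<saml2:Conditions xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    'NotBefore="2011-10-04T21:39:17.731Z" NotOnOrAfter="2011-10-04T21:39:47.731Z"/>'
)


def parse_instant(value):
    """Parse the UTC xs:dateTime form used in SAML Conditions (fractional seconds, 'Z')."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def token_lifetime(conditions_xml):
    """Return (NotBefore, NotOnOrAfter) as aware datetimes from a saml2:Conditions element."""
    element = ET.fromstring(conditions_xml)
    not_before = element.get("NotBefore")
    not_on_or_after = element.get("NotOnOrAfter")
    if not_before is None or not_on_or_after is None:
        raise ValueError("Conditions element lacks NotBefore or NotOnOrAfter")
    return parse_instant(not_before), parse_instant(not_on_or_after)


def is_within_lifetime(conditions_xml, now_iso, tolerance_minutes=DEFAULT_TOLERANCE_MINUTES):
    """True when now_iso lies in [NotBefore - tolerance, NotOnOrAfter + tolerance).

    Assumption of this example: the tolerance widens the window at both ends, so a
    token that looks slightly 'not yet valid' or slightly 'just expired' only because
    of clock skew between systems is still accepted. NotOnOrAfter itself is exclusive,
    as the attribute name says.
    """
    not_before, not_on_or_after = token_lifetime(conditions_xml)
    tolerance = timedelta(minutes=tolerance_minutes)
    now = parse_instant(now_iso)
    return (not_before - tolerance) <= now < (not_on_or_after + tolerance)


def seconds_until_expiry(conditions_xml, now_iso, tolerance_minutes=DEFAULT_TOLERANCE_MINUTES):
    """Seconds left until a relying party applying the tolerance stops accepting the token.

    Negative once the token is past NotOnOrAfter plus the tolerance; a client can use
    this to decide when to call Renew rather than discovering the expiry on a failed call.
    """
    _, not_on_or_after = token_lifetime(conditions_xml)
    deadline = not_on_or_after + timedelta(minutes=tolerance_minutes)
    return (deadline - parse_instant(now_iso)).total_seconds()


if __name__ == "__main__":
    for instant in ("2011-10-04T21:39:30.000Z", "2011-10-04T21:45:00.000Z", "2011-10-04T21:50:00.000Z"):
        print(instant, is_within_lifetime(SAMPLE_CONDITIONS, instant),
              seconds_until_expiry(SAMPLE_CONDITIONS, instant))
```

With the guide's 30-second token and a 10-minute tolerance, the effective acceptance window is about 20.5 minutes wide, which is why the tolerance, not the nominal lifetime, is the figure to keep in mind when reasoning about how long a leaked bearer token stays usable.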

Challenge (SSPI)
The vCenter Single Sign On Server supports the use of SSPI (Security Support Provider Interface) for client authentication. SSPI authentication requires that both the client and server use security providers to perform authentication. At the beginning of a vCenter Single Sign On Server session, the vCenter Single Sign On client and vCenter Single Sign On Server exchange data. Each participant will use its security provider to authenticate the data it receives. The authentication exchange continues until both security providers authenticate the data.
The vCenter Single Sign On client API provides a challenge request for client participation in SSPI authentication. The following sequence describes the challenge protocol.
1 The vCenter Single Sign On client sends an issue request to the vCenter Single Sign On Server. The request contains the client credentials.
2 The vCenter Single Sign On Server uses its security provider to authenticate the client. The Server returns a RequestSecurityTokenResponseType object in response to the issue request. The response contains a challenge.
3 The vCenter Single Sign On client uses its security provider to authenticate the vCenter Single Sign On Server response. To continue the authentication exchange, the client sends a challenge request to the vCenter Single Sign On Server. The request contains the resolution to the Server's challenge and it can also contain a challenge from the vCenter Single Sign On client.
4 The vCenter Single Sign On Server uses its security provider to authenticate the client's response. If there are still problems, the Server can continue the authentication exchange by returning a response with an embedded challenge. If authentication is successful, the vCenter Single Sign On Server returns a SAML token to complete the original issue request.
To exchange challenge data, the vCenter Single Sign On client and vCenter Single Sign On Server use the following elements defined for both RequestSecurityTokenType and RequestSecurityTokenResponseType objects.
- Context attribute
- BinaryExchange element


vCenter Single Sign On SOAP Message Structure


The requirements listed in the following table apply to the SOAP message structure in vCenter Single Sign On message exchange.
Table 1-2. vCenter Single Sign On SOAP Message Structure
Element
    Message Requirements

SOAP envelope
    All <wst:RequestSecurityToken>, <wst:RequestSecurityTokenResponse>, and <wst:RequestSecurityTokenResponseCollection> elements must be sent as the single direct child of the body of a SOAP 1.1 <S11:Envelope> element.
    Use HTTP POST to send all vCenter Single Sign On SOAP messages over an SSL/TLS-protected channel. Set the SOAPAction HTTP header field to the appropriate message binding.
    The <wsse:Security> header in a vCenter Single Sign On request must contain a <wsu:Timestamp> element.

SOAP message signature
    If a signature is applied to a request, then it must include:
    - Either the <S11:Body>, or the WS-Trust element as a direct child of the <S11:Body>
    - The <wsu:Timestamp>, if present, in the <S11:Header>.
    Exclusive canonicalization without comments (xml-exc-c14n) must be used prior to signature generation.
    The signature certificate must be carried either within a <wsse:BinarySecurityToken> or a <saml:Assertion> within the <wsse:Security> header of the <S11:Header>.
    The signature must contain a <wsse:SecurityTokenReference> that uses an internal direct reference to the <wsse:BinarySecurityToken>.
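To make the envelope rules in Table 1-2 concrete, the following Python example is added here; it is not code from the guide or from the SDK's JAX-WS handlers. It builds a minimal Issue request envelope (SOAP 1.1 Envelope, a wsu:Timestamp inside wsse:Security, and one wst:RequestSecurityToken as the only direct child of the Body) and then checks an arbitrary message against the structural rules the table states. The namespace URIs are the standard SOAP 1.1, WS-Trust 1.3/1.4 and WS-Security ones; the Created/Expires values, the 300-second timestamp lifetime and the two non-conforming sample messages are constructed for the example. Signature, certificate and transport requirements (HTTP POST, SSL/TLS, SOAPAction) are outside what this check inspects.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Namespaces of the elements named in Table 1-2 (SOAP 1.1, WS-Trust core, WS-Security).
NS = {
    "S11": "http://schemas.xmlsoap.org/soap/envelope/",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# The only elements Table 1-2 allows as the single direct child of S11:Body.
WS_TRUST_BODY_ELEMENTS = {
    "RequestSecurityToken",
    "RequestSecurityTokenResponse",
    "RequestSecurityTokenResponseCollection",
}
ISSUE_REQUEST_TYPE = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue"
SAML2_TOKEN_TYPE = "urn:oasis:names:tc:SAML:2.0:assertion"


def qname(prefix, local):
    """Clark-notation tag name for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)


def _saml_time(value):
    return value.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (value.microsecond // 1000)


def build_issue_request(created_iso, ttl_seconds=300):
    """Serialize a minimal Issue request: Timestamp in the Security header, one RST in the Body.

    The signature and certificate elements the policies also require are not produced here.
    """
    created = datetime.strptime(created_iso, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    expires = created + timedelta(seconds=ttl_seconds)

    envelope = ET.Element(qname("S11", "Envelope"))
    header = ET.SubElement(envelope, qname("S11", "Header"))
    security = ET.SubElement(header, qname("wsse", "Security"))
    timestamp = ET.SubElement(security, qname("wsu", "Timestamp"))
    ET.SubElement(timestamp, qname("wsu", "Created")).text = _saml_time(created)
    ET.SubElement(timestamp, qname("wsu", "Expires")).text = _saml_time(expires)

    body = ET.SubElement(envelope, qname("S11", "Body"))
    rst = ET.SubElement(body, qname("wst", "RequestSecurityToken"))
    ET.SubElement(rst, qname("wst", "RequestType")).text = ISSUE_REQUEST_TYPE
    ET.SubElement(rst, qname("wst", "TokenType")).text = SAML2_TOKEN_TYPE
    return ET.tostring(envelope, encoding="unicode")


def check_message_structure(xml_text):
    """Return the Table 1-2 envelope rules that xml_text breaks (empty list = conforms)."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != qname("S11", "Envelope"):
        return ["root element is not a SOAP 1.1 S11:Envelope"]

    body = root.find("S11:Body", NS)
    if body is None:
        problems.append("S11:Body is missing")
    else:
        children = list(body)  # element children only; whitespace text is ignored
        if len(children) != 1:
            problems.append("S11:Body must have exactly one direct child, found %d" % len(children))
        else:
            tag = children[0].tag
            ns_uri, local = (tag[1:].split("}", 1) if tag.startswith("{") else ("", tag))
            if ns_uri != NS["wst"] or local not in WS_TRUST_BODY_ELEMENTS:
                problems.append("S11:Body child must be a wst:RequestSecurityToken* element")

    if root.find("S11:Header/wsse:Security/wsu:Timestamp", NS) is None:
        problems.append("wsse:Security header must contain a wsu:Timestamp")
    return problems


# Constructed non-conforming messages used to exercise the checker.
NO_TIMESTAMP_REQUEST = """<S11:Envelope xmlns:S11="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
  <S11:Header><wsse:Security/></S11:Header>
  <S11:Body><wst:RequestSecurityToken/></S11:Body>
</S11:Envelope>"""

TWO_BODY_CHILDREN_REQUEST = """<S11:Envelope xmlns:S11="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
  <S11:Header><wsse:Security><wsu:Timestamp/></wsse:Security></S11:Header>
  <S11:Body><wst:RequestSecurityToken/><wst:RequestSecurityToken/></S11:Body>
</S11:Envelope>"""


if __name__ == "__main__":
    message = build_issue_request("2012-09-10T12:00:00.000Z")
    print(message)
    print("conforming:", check_message_structure(message))
    print("no timestamp:", check_message_structure(NO_TIMESTAMP_REQUEST))
```

A server-side check of this kind is the first of the steps listed under Acquiring a SAML Token (validating the request by its timestamp) before any certificate or signature work happens, so a message that fails it can be rejected cheaply.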

vCenter Single Sign On SDK


The vCenter Single Sign On SDK is distributed as part of the VMware vSphere Management SDK. When you extract the contents of the distribution kit, the vCenter Single Sign On SDK is located in the sso subdirectory:
VMware-vSphere-SDK-build-num
    eam
    sms-sdk
    ssoclient
        docs
        java
            JAXWS
                lib
                samples
        wsdl
    vsphere-ws

The following table shows the locations of the contents of the vCenter Single Sign On SDK.
Table 1-3. vCenter Single Sign On SDK Contents
vCenter Single Sign On SDK Component
    Location

JAX-WS vCenter Single Sign On client binding
    ssoclient/java/JAXWS/lib
Java samples
    ssoclient/java/JAXWS/samples/com/vmware/sso/client/samples
VMware SOAP header utilities
    ssoclient/java/JAXWS/samples/com/vmware/sso/client/soaphandlers
General utilities for samples
    ssoclient/java/JAXWS/samples/com/vmware/sso/client/utils
WS-Security utilities for samples
    ssoclient/java/JAXWS/samples/com/vmware/sso/client/wssecurity
vCenter LoginByToken sample
    ssoclient/java/JAXWS/samples/com/vmware/vsphere/samples
VMware SOAP header utilities for LoginByToken sample
    ssoclient/java/JAXWS/samples/com/vmware/vsphere/soaphandlers
Documentation for samples
    ssoclient/docs/java/JAXWS/samples/javadoc/index.html
WSDL files
    ssoclient/wsdl


vCenter Single Sign On SDK Examples


This manual describes two of the examples provided by the VMware SSO Client SDK:
- vCenter Single Sign On Client Example (JAX-WS) on page 21. This example shows how to obtain a holder-of-key token from the vCenter Single Sign On Server.
- LoginByToken Example (JAX-WS) on page 27. This example shows how to use the token to log in to vCenter Server.
The SDK contains additional examples that show how to use the vCenter Single Sign On client API to acquire, renew, and validate tokens. The following table lists the sample files in the SDK:
Table 1-4. VMware SSO Client SDK Sample Files
Location
    Example
        Description

SDK/ssoclient/java/JAXWS/samples/com/vmware/sso/client/samples/
    AcquireBearerTokenByUserCredentialSample.java
        Demonstrates how to use username and password credentials to obtain a bearer token.
    AcquireHoKTokenByHoKTokenSample.java
        Demonstrates how to exchange one holder-of-key token for another.
    AcquireHoKTokenBySolutionCertificateSample.java
        Demonstrates how a solution uses its private key and certificate to acquire a holder-of-key token.
    AcquireHoKTokenByUserCredentialSample.java
        Demonstrates how to use username, password, and certificate credentials to obtain a holder-of-key token. See vCenter Single Sign On Client Example (JAX-WS) on page 21.
    RenewTokenSample.java
        Demonstrates how to renew a holder-of-key token.
    ValidateTokenSample.java
        Demonstrates how to validate a token.

SDK/ssoclient/java/JAXWS/samples/com/vmware/sso/client/soaphandlers/
    HeaderHandlerResolver.java
        Provides methods to manage the set of header handlers.
    SamlTokenExtractionHandler.java
        Extracts a SAML token from the vCenter Single Sign On Server response.
    SamlTokenHandler.java
        Adds a SAML token to a SOAP security header.
    SSOHeaderhandler.java
        Base class for header handler classes.
    TimeStampHandler.java
        Adds a timestamp element to a SOAP security header.
    UserCredentialHandler.java
        Adds a username token to a SOAP security header.
    WsSecuritySignatureAssertionHandler.java
        Uses SAML token assertion ID, private key, and certificate to sign a SOAP message. For use when using an existing token to acquire a new token.
    WsSecurityUserCertificateSignatureHandler.java
        Uses a private key and certificate to sign a SOAP message.

SDK/ssoclient/java/JAXWS/samples/com/vmware/vsphere/samples/
    LoginByTokenSample.java
        Demonstrates how to use a SAML token to log in to a vCenter Server. See LoginByToken Example (JAX-WS) on page 27.

SDK/ssoclient/java/JAXWS/samples/com/vmware/vsphere/soaphandlers/
    HeaderCookieExtractionHandler.java
        Extracts the vCenter HTTP session cookie from the response to a connection request.
    HeaderCookieHandler.java
        Inserts an HTTP cookie into a request.


vCenter Single Sign On API Reference

This chapter contains descriptions of the methods and data structures defined for the vCenter Single Sign On client API.
- vCenter Single Sign On Client API Methods on page 13
- vCenter Single Sign On API Data Structures on page 15

vCenter Single Sign On Client API Methods


The vCenter Single Sign On client API consists of the following methods:
- Issue
- Renew
- Validate
- Challenge

Issue
Sends a security token request to a vCenter Single Sign On Server.

Method Signature
Issue (requestSecurityToken : RequestSecurityTokenType) returns RequestSecurityTokenResponseCollectionType

Parameter
requestSecurityToken : RequestSecurityTokenType. The following RequestSecurityTokenType elements are required for an Issue request; the remaining elements are optional.
- RequestType: Must be the URL http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue.
- Sig attribute (UseKey element): Specifies a security token that contains an existing certificate key for subject confirmation.
- Context attribute: Required if you include a BinaryExchangeType element for SSPI authentication.

Return Value
RequestSecurityTokenResponseCollectionType: Set of RequestSecurityTokenResponseType. A response contains a SAML token or a challenge requiring additional authentication data.


Comments
Sends a token request to a vCenter Single Sign On Server. The request message must contain security artifacts as determined by the vCenter Single Sign On policy used for the request. The vCenter Single Sign On Server will authenticate the user credentials in the request. For information about configuring user directory support for authentication, see vSphere Installation and Setup and vSphere Security in the VMware Documentation Center. If the vCenter Single Sign On Server requires information during SSPI authentication, it will negotiate with the vCenter Single Sign On client by embedding a challenge in the response.

Renew
Renews an existing SAML token.

Method Signature
Renew (token : RequestSecurityTokenType) returns RequestSecurityTokenResponseType

Parameter
token : RequestSecurityTokenType. Security token request containing a SAML token previously obtained from a vCenter Single Sign On Server. The token must be valid (not expired). The following RequestSecurityTokenType elements are required for a Renew request; the remaining elements are optional.
- RequestType: Must be the URL http://docs.oasis-open.org/ws-sx/ws-trust/200512/Renew.
- RenewTarget: Identifies the SAML token to be renewed.
- Sig attribute (UseKey element): Specifies a security token that contains an existing certificate key for subject confirmation.
- Context attribute: Required if you include a BinaryExchangeType element for SSPI authentication.

Return Value
RequestSecurityTokenResponseType: Response containing the renewed token.

Comments
You can renew holder-of-key tokens only. In addition to the required token request elements shown above, the Renew request SOAP header must contain security elements according to the security policy.

Validate
Validates an existing SAML token.

Method Signature
Validate (token : RequestSecurityToken) returns RequestSecurityTokenResponseType

Parameter
token : RequestSecurityTokenType. Security token request containing a SAML token previously obtained from a vCenter Single Sign On Server. The following RequestSecurityTokenType elements are required for a Validate request; the remaining elements are optional.
- RequestType: Must specify the URL http://docs.oasis-open.org/ws-sx/ws-trust/200512/Validate.
- ValidateTarget: Identifies the SAML token to be validated.
- Sig attribute (UseKey element): Specifies a security token that contains an existing certificate key.
- Context attribute: Required if you include a BinaryExchangeType element for SSPI authentication.


Chapter 2 vCenter Single Sign On API Reference

Return Value
RequestSecurityTokenResponseType: Response containing the validated token.

Comments
Performs validation of the token and its subject. It includes but is not limited to validations of the following elements:
- Token signature
- Token lifetime
- Token subject
- Token delegates
- Group(s) to which the subject belongs

Challenge
Extends a token request to verify elements in the request.

Method Signature
Challenge (response : RequestSecurityTokenResponseType) returns RequestSecurityTokenResponseType

Parameter
response : RequestSecurityTokenResponseType. Contains SSPI data in the BinaryExchange element.

Return Value
RequestSecurityTokenResponseType: Response containing the validated token.

Comments
Part of a negotiation with a vCenter Single Sign On Server to resolve issues related to SSPI authentication.

vCenter Single Sign On API Data Structures


Use the following objects for the vCenter Single Sign On methods.
- RequestSecurityTokenType
- RequestSecurityTokenResponseCollectionType
- RequestSecurityTokenResponseType
- LifetimeType
- RenewingType
- KeyTypeOpenEnum
- UseKeyType
- ParticipantsType
- ParticipantType
- EndpointReference
- BinaryExchangeType
- AdviceType
- AttributeType

RequestSecurityTokenType
Defines a set of token characteristics requested by the vCenter Single Sign On client. The vCenter Single Sign On client specifies this data object in a call to the Issue, Renew, and Validate methods. The vCenter Single Sign On Server may satisfy a request for a particular characteristic or it may use a different value in the issued token. The response to the token request contains the actual token values. See RequestSecurityTokenResponseType on page 17.


The vCenter Single Sign On API supports a subset of the RequestSecurityTokenType elements defined in the WS-Trust specification. The following table shows the supported elements and attributes. An item in the table is defined as an element in the WSDL unless explicitly identified as an attribute.
Table 2-1. RequestSecurityTokenType Elements (vCenter Single Sign On)
Element (Datatype)
    Description

Context (string)
    RequestSecurityToken attribute specifying a URI (Uniform Resource Identifier) that identifies the original request. If you include this in a request, the vCenter Single Sign On Server will include the context identifier in the response. This attribute is required when the request includes a BinaryExchange property.

TokenType (string)
    Identifies the requested token type, specified as a URI (Uniform Resource Identifier). The following list shows the valid token types:
    - urn:oasis:names:tc:SAML:2.0:assertion for issue and renew requests.
    - http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Status for validation requests.

RequestType (string)
    Identifies the request type, specified as a URI. The RequestType property is required. The following list shows the valid request types:
    - http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
    - http://docs.oasis-open.org/ws-sx/ws-trust/200512/Renew
    - http://docs.oasis-open.org/ws-sx/ws-trust/200512/Validate

Lifetime (LifetimeType)
    Time period during which a token is valid. The vCenter Single Sign On Server can ignore the requested lifetime and assign a different lifetime to the token. The lifetime specifies creation and expiration values. This property is optional; it is used with Issue and Renew requests.

ValidateTarget
    Specifies the token to be validated. This property can contain either a reference to the token or it can contain the token itself. The property is required for and used only with the Validate method.

RenewTarget
    Specifies the token to be renewed. This property can contain either a reference to the token or it can contain the token itself. This property is required for and used only with the Renew method.

Renewing (RenewingType)
    Specifies a request for a renewable token. This property is optional. If you do not specify the Renewing property, the vCenter Single Sign On Server will issue a renewable token.

DelegateTo
    Specifies a security token or token reference for an identity to which the requested token will be delegated. The DelegateTo value must identify a solution.

Delegatable (xs:boolean)
    Indicates whether the requested token can be delegated to an identity. Use this property together with the DelegateTo property. The default value for the Delegatable property is false.

UseKey (UseKeyType)
    References a token for subject confirmation. Required for the Issue, Renew, and Validate methods.

KeyType (string)
    String value corresponding to a KeyTypeOpenEnum value. The value is a URI (Uniform Resource Identifier) that specifies the requested key cryptography type. This property is optional.

SignatureAlgorithm (string)
    Specifies a URI (Uniform Resource Identifier) for an algorithm that produces a digital signature for the token. The following list shows the valid values:
    - http://www.w3.org/2000/09/xmldsig#rsa-sha1
    - http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
    - http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
    - http://www.w3.org/2001/04/xmldsig-more#rsa-sha512

BinaryExchange (BinaryExchangeType)
    Contains data for challenge negotiation between the vCenter Single Sign On client and vCenter Single Sign On Server.

VMware, Inc.

Chapter 2 vCenter Single Sign On API Reference

Table 2-1. RequestSecurityTokenType Elements (vCenter Single Sign On)


Element

Datatype

Description

Participants

ParticipantsType

Specifiestheidentitiesofparticipantsthatareauthorizedtousethe
token.

AdviceSet

AdviceSetType

ListofAdviceType.

RequestSecurityTokenResponseCollectionType
Returned by the Issue method. This type contains a response to the request, or the requested token.
Table 2-2. RequestSecurityTokenResponseCollectionType

RequestSecurityTokenResponse (RequestSecurityTokenResponseType[])
List of token request response objects. The current architecture supports a single token response only.

RequestSecurityTokenResponseType
Describes a single token.
Table 2-3. RequestSecurityTokenResponseType Properties (vCenter Single Sign On)

Context (string)
RequestSecurityTokenResponse attribute specifying a URI (Uniform Resource Identifier) that identifies the original request. This attribute is included in the response if it was specified in the request.

TokenType (string)
Identifies the type of token in the response. TokenType is specified as a URI (Uniform Resource Identifier), one of the following:
- urn:oasis:names:tc:SAML:2.0:assertion for Issue and Renew operations.
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Status for Validate operations.

Lifetime (LifetimeType)
Time period during which a token is valid. The lifetime in the token response is the actual lifetime assigned by the vCenter Single Sign On Server. The lifetime specifies creation and expiration values.

RequestedSecurityToken (RequestedSecurityTokenType)
SAML token.

Renewing (RenewingType)
Indicates whether or not the token can be renewed. By default, the vCenter Single Sign On Server will issue a renewable token.

BinaryExchange (BinaryExchangeType)
Contains data for challenge negotiation between the vCenter Single Sign On client and the vCenter Single Sign On Server.

KeyType (string)
Indicates whether or not key cryptography is used. The KeyType is a string value corresponding to an enumerated type value. See KeyTypeOpenEnum. The value is a URI (Uniform Resource Identifier) that specifies the key type.

SignatureAlgorithm (string)
Indicates a URI (Uniform Resource Identifier) for the algorithm that produced the digital signature for the token. The following list shows the valid values:
- http://www.w3.org/2000/09/xmldsig#rsa-sha1
- http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
- http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
- http://www.w3.org/2001/04/xmldsig-more#rsa-sha512

Delegatable (xs:boolean)
Indicates whether the requested token can be delegated to an identity.

Status (StatusType)
Indicates the status of the request. The property specifies Code and Reason values.

LifetimeType
Specifies the token lifetime. Used in RequestSecurityTokenType and RequestSecurityTokenResponseType.
Table 2-4. LifetimeType Properties

created (wsu:AttributedDateTime)
Creation time of the token. XML date and time, expressed as a standard time value (Gregorian calendar).

expires (wsu:AttributedDateTime)
Expiration time of the token. XML date and time, expressed in the same form as the created value. The token is valid from the created time up to the expires time. Note that expires is an absolute time, not a duration: Example 3-2 computes it by adding the desired validity period to the created time.

RenewingType
Specifies token renewal.
Table 2-5. RenewingType Properties

Allow (xsd:boolean)
Specifies a request for a token for which the lifetime can be extended. This property is optional. The default value is true.

OK (xsd:boolean)
Indicates that the vCenter Single Sign On client will accept a token that can be renewed after it has expired. This property is optional. The default value is false. If you specify this property, you must specify a value of false. A token that can be renewed after expiration does not provide adequate security.

KeyTypeOpenEnum
Specifies a set of enumerated type values that identify the supported types of key cryptography used for security tokens. The values are URIs (Uniform Resource Identifiers).
Table 2-6. KeyType Properties

http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey
Specifies asymmetric key cryptography using a combination of public and private keys. Use this key type for holder-of-key tokens.

http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
Indicates a bearer token, which does not require a key to authenticate the token.

UseKeyType
Specifies the URI for an existing key.
Table 2-7. UseKeyType Properties

Sig (string)
URI (Uniform Resource Identifier) that refers to a security token which contains an existing key. If specified, the vCenter Single Sign On Server will use the associated certificate for subject confirmation.

ParticipantsType
Identifies users and services who are allowed to use the token.
Table 2-8. ParticipantsType Properties

Primary (ParticipantType)
Primary user of the token.

Participant (ParticipantType)
List of participants who are allowed to use the token.

ParticipantType
ParticipantType is an endpoint reference.
Table 2-9. ParticipantType Property

EndpointReference
Specifies a participant represented as a URI.

EndpointReference
Participant identification. The ReferenceParameters, Metadata, and any elements are not used.
Table 2-10. EndpointReference Property

name (tns:AttributedURIType)
URI that identifies a participant allowed to use a token.

BinaryExchangeType
Specifies a blob (binary large object) that contains data for negotiation between the vCenter Single Sign On client and server.
Table 2-11. BinaryExchangeType Attributes

ValueType (xsd:anyURI)
Identifies the type of negotiation.

EncodingType (xsd:anyURI)
Identifies the encoding format of the blob.

AdviceType
Specifies additional informational attributes to be included in the issued token. The vCenter Single Sign On client can ignore this data. Advice data will be copied to delegate tokens. This type is used in RequestSecurityTokenType.
Table 2-12. AdviceType Properties

Advice source (string, attribute)
AdviceType attribute specifying a URI representing the identity that provides the advice Attribute elements. This attribute is required.

Attribute (AttributeType, element)
Advice data.

AttributeType
Attribute providing advice data. Used in AdviceType.
Table 2-13. AttributeType Properties

Name (string, attribute)
AttributeType attribute specifying a URI that is the unique name of the attribute. This attribute is required.

FriendlyName (string, attribute)
AttributeType attribute specifying a human-readable form of the name. This attribute is optional.

AttributeValue (string, element)
List of values associated with the attribute. The AttributeValue structure depends on the following criteria:
- If the attribute has one or more values, the AttributeType contains one AttributeValue for each value. Empty attribute values are represented by empty AttributeValue elements.
- If the attribute does not have a value, the AttributeType does not contain an AttributeValue.
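The tables above describe the JAXB types that the SDK generates; on the wire they become a WS-Trust RequestSecurityToken element. The following added example is not part of this guide's samples or the SDK. It builds that element for a holder-of-key Issue request using only the JDK's DOM and javax.xml.datatype APIs, so you can see which items in Table 2-1 are attributes (Context, and Allow/OK on Renewing) and which are child elements, and which namespace each one carries. The class name, the method names and the Context value used in main are assumptions of this example; the URIs are the ones listed in the tables above.

```java
import java.io.StringWriter;
import java.util.GregorianCalendar;
import java.util.TimeZone;
import javax.xml.datatype.DatatypeFactory;
import javax.xml.datatype.XMLGregorianCalendar;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/** Builds the wst:RequestSecurityToken body of a holder-of-key Issue request (illustrative, not SDK code). */
public class IssueRequestBuilder {
    static final String WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String SAML2_ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /**
     * @param context        value of the Context attribute; the STS echoes it in the RSTR (Table 2-3)
     * @param lifetimeMillis requested validity period; the STS may assign a different one (Table 2-1)
     * @param renewable      value of the Renewing Allow attribute; OK is always sent as false (Table 2-5)
     */
    public static Document buildHolderOfKeyIssue(String context, long lifetimeMillis, boolean renewable)
            throws Exception {
        if (lifetimeMillis <= 0) {
            throw new IllegalArgumentException("lifetime must be positive");
        }
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();

        Element rst = doc.createElementNS(WST, "wst:RequestSecurityToken");
        rst.setAttribute("Context", context);               // Context is an attribute, not a child element
        doc.appendChild(rst);

        appendText(doc, rst, WST, "wst:TokenType", SAML2_ASSERTION);
        appendText(doc, rst, WST, "wst:RequestType", WST + "/Issue");

        // LifetimeType (Table 2-4): created and expires are absolute wsu timestamps, not a duration.
        DatatypeFactory dtf = DatatypeFactory.newInstance();
        XMLGregorianCalendar created =
                dtf.newXMLGregorianCalendar(new GregorianCalendar(TimeZone.getTimeZone("GMT")));
        XMLGregorianCalendar expires = (XMLGregorianCalendar) created.clone();
        expires.add(dtf.newDuration(lifetimeMillis));        // newDuration(long) takes milliseconds
        Element lifetime = doc.createElementNS(WST, "wst:Lifetime");
        appendText(doc, lifetime, WSU, "wsu:Created", created.toXMLFormat());
        appendText(doc, lifetime, WSU, "wsu:Expires", expires.toXMLFormat());
        rst.appendChild(lifetime);

        appendText(doc, rst, WST, "wst:KeyType", WST + "/PublicKey");   // holder-of-key (Table 2-6)
        appendText(doc, rst, WST, "wst:SignatureAlgorithm", RSA_SHA256);

        // RenewingType (Table 2-5): Allow and OK are attributes of wst:Renewing.
        Element renewing = doc.createElementNS(WST, "wst:Renewing");
        renewing.setAttribute("Allow", Boolean.toString(renewable));
        renewing.setAttribute("OK", "false");                // renewal after expiry is never requested
        rst.appendChild(renewing);

        appendText(doc, rst, WST, "wst:Delegatable", "false");          // the Table 2-1 default, made explicit
        return doc;
    }

    private static void appendText(Document doc, Element parent, String ns, String qname, String text) {
        Element e = doc.createElementNS(ns, qname);
        e.setTextContent(text);
        parent.appendChild(e);
    }

    /** Serializes the request so it can be inspected or logged before the signature handler runs. */
    public static String toXml(Document doc) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        t.setOutputProperty(OutputKeys.INDENT, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a 30-minute lifetime and an arbitrary context URI.
        Document rst = buildHolderOfKeyIssue("urn:example:request:1", 30L * 60L * 1000L, true);
        System.out.println(toXml(rst));
    }
}
```

When you use the SDK, the JAX-WS runtime produces this body from the RequestSecurityTokenType you fill in (Example 3-2); the builder is useful when you need to compare what your JAXB objects serialize to with what the WS-Trust schema and the tables above expect.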

vCenter Single Sign On Client Example (JAX-WS)

This chapter describes a Java example of acquiring a vCenter Single Sign On security token.
- vCenter Single Sign On Token Request Overview on page 21
- Using Handler Methods for SOAP Headers on page 22
- Sending a Request for a Security Token on page 24

vCenter Single Sign On Token Request Overview

The code examples in the following sections show how to use the Issue method to acquire a holder-of-key security token. To see an example of using the token to log in to a vCenter Server, see LoginByToken Example (JAX-WS) on page 27. The code examples in this chapter are based on the following sample file located in the vCenter Single Sign On SDK JAX-WS client samples directory:
.../JAXWS/samples/com/vmware/sso/client/samples/AcquireHoKTokenByUserCredentialSample.java

The AcquireHoKTokenByUserCredentialSample program creates a token request and calls the issue method to send the request to a vCenter Single Sign On Server. The program uses a sample implementation of Web services message handlers to modify the SOAP security header for the request message.

This example uses the username-password security policy (STSSecPolicy_UserPwd). This policy requires that the SOAP security header include a timestamp, username and password, and a digital signature and certificate. The sample message handlers embed these elements in the message.

The example performs the following operations:
1. Create a security token service client object (STSService_Service). This object manages the vCenter Single Sign On header handlers and it provides access to the vCenter Single Sign On client API methods. This example uses the issue method.
2. Create a vCenter Single Sign On header handler resolver object (HeaderHandlerResolver). This object acts as a container for the different handlers.
3. Add the handlers for timestamp, user credentials, certificate, and token extraction to the handler resolver.
4. Add the handler resolver to the security token service.
5. Retrieve the STS port (STSService) from the security token service object.
6. Create a security token request.
7. Set the request fields.
8. Set the endpoint in the request context. The endpoint identifies the vCenter Single Sign On Server.
9. Call the issue method, passing the token request.
10. Handle the response from the vCenter Single Sign On Server.

Using Handler Methods for SOAP Headers

The VMware vCenter Single Sign On SDK provides sample code that is an extension of the JAX-WS XML Web services message handler (javax.xml.ws.handler). The sample code consists of a set of SOAP header handler methods and a header handler resolver, to which you add the handler methods. The handler methods insert timestamp, user credential, and message signature data into the SOAP security header for the request. A handler method extracts the SAML token from the vCenter Single Sign On Server response.

The VMware vCenter Single Sign On client SOAP header handler files are located in the soaphandlers directory:
SDK/sso/java/JAXWS/samples/com/vmware/sso/client/soaphandlers

To access the SOAP handler implementation, the example code contains the following import statements:

import com.vmware.sso.client.soaphandlers.HeaderHandlerResolver;
import com.vmware.sso.client.soaphandlers.SSOHeaderHandler;
import com.vmware.sso.client.soaphandlers.SamlTokenExtractionHandler;
import com.vmware.sso.client.soaphandlers.TimeStampHandler;
import com.vmware.sso.client.soaphandlers.UserCredentialHandler;
import com.vmware.sso.client.soaphandlers.WsSecurityUserCertificateSignatureHandler;

This example uses the following handler elements:
- HeaderHandlerResolver
- SamlTokenExtractionHandler
- TimeStampHandler
- UserCredentialHandler
- WsSecurityUserCertificateSignatureHandler (SSOHeaderHandler)

The following sequence shows the operations and corresponding Java elements for message security.

1. Create an STS service object (STSService_Service). This object will bind the handlers to the request and provide access to the issue method.
   Java element: STSService_Service

2. Create a handler resolver object (HeaderHandlerResolver). This object acts as a receptacle for the handlers.
   Java element: HeaderHandlerResolver

3. Add the header handlers:
   - Timestamp. The handler will use system time to set the timestamp values.
   - User credential. The handler requires a username and a password; it will create a username token for the supplied values.
   - User certificate signature. The handler requires a private key and an X.509 certificate. The handler will use the private key to sign the body of the SOAP message (the token request), and it will embed the certificate in the SOAP security header.
   - SAML token extraction. The handler extracts the SAML token directly from the vCenter Single Sign On Server response to avoid token modification by the JAX-WS bindings.
   Java elements: HeaderHandlerResolver, TimeStampHandler, UserCredentialHandler, WsSecurityUserCertificateSignatureHandler (SSOHeaderHandler), SamlTokenExtractionHandler

4. Add the handler resolver to the STS service.
   Java elements: STSService_Service.handlerResolver, HeaderHandlerResolver

The following code fragment creates a handler resolver and adds the handler methods to the handler resolver. After the handlers have been established, the client creates a token request and calls the Issue method. See Sending a Request for a Security Token on page 24.

IMPORTANT You must perform these steps for message security before retrieving the STS service port. An example of retrieving the STS service port is shown in Sending a Request for a Security Token on page 24.

Example 3-1. Acquiring a vCenter Single Sign On Token: SOAP Handlers
/*
 * Instantiate the STS Service.
 */
STSService_Service stsService = new STSService_Service();
/*
 * Instantiate the HeaderHandlerResolver.
 */
HeaderHandlerResolver headerResolver = new HeaderHandlerResolver();
/*
 * Add handlers to insert a timestamp and username token into the SOAP security header
 * and sign the message.
 *
 * -- Timestamp contains the creation and expiration time for the request
 * -- UsernameToken contains the username/password
 * -- Sign the SOAP message using the combination of private key and user certificate.
 *
 * Add the TimeStampHandler.
 */
headerResolver.addHandler(new TimeStampHandler());
/*
 * Add the UserCredentialHandler. args[1] is the username; args[2] is the password.
 */
UserCredentialHandler ucHandler = new UserCredentialHandler(args[1], args[2]);
headerResolver.addHandler(ucHandler);
/*
 * Add the message signature handler (WsSecurityUserCertificateSignatureHandler).
 * The client is responsible for supplying the private key and certificate.
 */
SSOHeaderHandler ssoHandler =
        new WsSecurityUserCertificateSignatureHandler(privateKey, userCert);
headerResolver.addHandler(ssoHandler);
/*
 * Add the token extraction handler (SamlTokenExtractionHandler).
 */
SamlTokenExtractionHandler sbHandler = new SamlTokenExtractionHandler();
headerResolver.addHandler(sbHandler);
/*
 * Set the handlerResolver for the STSService to the HeaderHandlerResolver created above.
 */
stsService.setHandlerResolver(headerResolver);
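The guide describes what the timestamp handler does but does not show its source (it ships in the soaphandlers directory). The following added example is not the SDK's TimeStampHandler; it is an independent JAX-WS SOAPHandler that does the same job: on every outbound request it adds a wsu:Timestamp with Created and Expires values, inside the wsse:Security header, reusing that header if another handler created it first. It uses only the JAX-WS and SAAJ APIs (javax.xml.ws, javax.xml.soap) that Java 8 bundles; on later JDKs the jaxws-api and saaj-api jars are needed. The wsu:Id value "_0", the class name and the validity window are assumptions of this example. The handler signs nothing; that remains the job of the certificate signature handler, which is why the timestamp is given an Id it can reference.

```java
import java.util.Collections;
import java.util.GregorianCalendar;
import java.util.Iterator;
import java.util.Set;
import java.util.TimeZone;
import javax.xml.datatype.DatatypeFactory;
import javax.xml.datatype.XMLGregorianCalendar;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPEnvelope;
import javax.xml.soap.SOAPHeader;
import javax.xml.soap.SOAPHeaderElement;
import javax.xml.soap.SOAPMessage;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;

/** Adds wsse:Security/wsu:Timestamp to outbound requests (illustrative; not the SDK's TimeStampHandler). */
public class WsuTimestampHandler implements SOAPHandler<SOAPMessageContext> {
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final QName SECURITY = new QName(WSSE, "Security", "wsse");

    private final long validityMillis;   // how long the server should accept this request (assumed value)

    public WsuTimestampHandler(long validityMillis) {
        if (validityMillis <= 0) {
            throw new IllegalArgumentException("validity must be positive");
        }
        this.validityMillis = validityMillis;
    }

    @Override
    public boolean handleMessage(SOAPMessageContext ctx) {
        // Only requests get a timestamp; responses are left to the extraction handler.
        if (!Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) {
            return true;
        }
        try {
            SOAPMessage msg = ctx.getMessage();
            SOAPEnvelope env = msg.getSOAPPart().getEnvelope();
            SOAPHeader header = env.getHeader() != null ? env.getHeader() : env.addHeader();
            SOAPElement security = findOrAddSecurity(header);

            // Created is the current system time; Expires bounds the replay window.
            DatatypeFactory dtf = DatatypeFactory.newInstance();
            XMLGregorianCalendar created =
                    dtf.newXMLGregorianCalendar(new GregorianCalendar(TimeZone.getTimeZone("GMT")));
            XMLGregorianCalendar expires = (XMLGregorianCalendar) created.clone();
            expires.add(dtf.newDuration(validityMillis));

            // The wsu:Id lets the signature handler reference the timestamp from its SignedInfo.
            SOAPElement ts = security.addChildElement("Timestamp", "wsu", WSU);
            ts.addAttribute(new QName(WSU, "Id", "wsu"), "_0");
            ts.addChildElement("Created", "wsu", WSU).addTextNode(created.toXMLFormat());
            ts.addChildElement("Expires", "wsu", WSU).addTextNode(expires.toXMLFormat());
            msg.saveChanges();
        } catch (Exception e) {
            throw new RuntimeException("could not add wsu:Timestamp", e);
        }
        return true;
    }

    /** Reuses an existing wsse:Security header (another handler may have added it) or creates one. */
    private static SOAPElement findOrAddSecurity(SOAPHeader header) throws Exception {
        Iterator<?> it = header.getChildElements(SECURITY);
        if (it.hasNext()) {
            return (SOAPElement) it.next();
        }
        SOAPHeaderElement security = header.addHeaderElement(SECURITY);
        security.setMustUnderstand(true);
        return security;
    }

    @Override public boolean handleFault(SOAPMessageContext ctx) { return true; }
    @Override public void close(MessageContext ctx) { }
    @Override public Set<QName> getHeaders() { return Collections.singleton(SECURITY); }
}
```

A handler like this is registered the same way as the SDK handlers in Example 3-1, assuming HeaderHandlerResolver.addHandler accepts any JAX-WS Handler (the guide does not show its parameter type). Handler order matters: the timestamp must be in the header before the signature handler runs, since the signature covers it.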

Sending a Request for a Security Token

After setting up the SOAP header handlers, the example creates a token request and calls the issue method. The following sequence shows the operations and corresponding Java elements.

5. Retrieve the STS service port (STSService). The service port provides access to the vCenter Single Sign On client API methods. The vCenter Single Sign On handler resolver must be associated with the STS service before you retrieve the service port. See Using Handler Methods for SOAP Headers on page 22.
   Java element: STSService_Service

6. Create a token request (RequestSecurityTokenType). Your vCenter Single Sign On client will pass the token request to the Issue method. The Issue method will send the token request in the body of the SOAP message. This example sets the token request fields as appropriate for a holder-of-key token request.
   Java element: RequestSecurityTokenType

7. Set the token request fields:
   - lifetime: creation and expiration times.
   - token type: urn:oasis:names:tc:SAML:2.0:assertion
   - request type: http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
   - key type: http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey (for the holder-of-key token type)
   - signature algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
   - renewable status
   Java elements: RequestSecurityTokenType.tokenType, requestType, lifetime, keyType, signatureAlgorithm, renewing

8. Set the endpoint address for the token request.
   Java elements: STSService, Request Context

9. Call the Issue method.
   Java element: STSService.Issue( RequestSecurityTokenType )

10. Handle the response from the vCenter Single Sign On Server.
   Java element: RequestSecurityTokenResponseType

The following example shows Java code that performs these operations.
Example 3-2. Acquiring a vCenter Single Sign On Token: Sending the Request
/*
 * Retrieve the STSServicePort from the STSService_Service object.
 */
STSService stsPort = stsService.getSTSServicePort();
/*
 * Create a token request object.
 */
RequestSecurityTokenType tokenType = new RequestSecurityTokenType();
/*
 * Create a LifetimeType object.
 */
LifetimeType lifetime = new LifetimeType();
/*
 * Derive the token creation date and time.
 * Use a GregorianCalendar to establish the current time,
 * then use a DatatypeFactory to map the time data to XML.
 */
DatatypeFactory dtFactory = DatatypeFactory.newInstance();
GregorianCalendar cal = new GregorianCalendar(TimeZone.getTimeZone("GMT"));
XMLGregorianCalendar xmlCalendar = dtFactory.newXMLGregorianCalendar(cal);
AttributedDateTime created = new AttributedDateTime();
created.setValue(xmlCalendar.toXMLFormat());
/*
 * Specify the expiration time: the creation time plus 30 minutes.
 * newDuration takes the interval in milliseconds.
 */
AttributedDateTime expires = new AttributedDateTime();
xmlCalendar.add(dtFactory.newDuration(30 * 60 * 1000));
expires.setValue(xmlCalendar.toXMLFormat());
/*
 * Set the created and expires fields in the lifetime object.
 */
lifetime.setCreated(created);
lifetime.setExpires(expires);
/*
 * Set the token request fields.
 */
tokenType.setTokenType("urn:oasis:names:tc:SAML:2.0:assertion");
tokenType.setRequestType("http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue");
tokenType.setLifetime(lifetime);
tokenType.setKeyType("http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey");
tokenType.setSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
/*
 * Specify a token that can be renewed.
 */
RenewingType renewing = new RenewingType();
renewing.setAllow(Boolean.TRUE);
renewing.setOK(Boolean.FALSE); // WS-Trust Profile: MUST be set to false
tokenType.setRenewing(renewing);
/*
 * Get the request context and set the endpoint address (args[0] is the STS URL).
 */
Map<String, Object> reqContext = ((BindingProvider) stsPort).getRequestContext();
reqContext.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, args[0]);
/*
 * Use the STS port to invoke the "issue" method to acquire the token
 * from the vCenter Single Sign On Server.
 */
RequestSecurityTokenResponseCollectionType issueResponse = stsPort.issue(tokenType);
/*
 * Handle the response - extract the SAML token from the response. The response type
 * contains the token type (SAML token type urn:oasis:names:tc:SAML:2.0:assertion).
 */
RequestSecurityTokenResponseType rstResponse = issueResponse.getRequestSecurityTokenResponse();
RequestedSecurityTokenType requestedSecurityToken = rstResponse.getRequestedSecurityToken();
/*
 * Extract the SAML token from the RequestedSecurityTokenType object.
 * The generic token type (Element) corresponds to the type required
 * for the SAML token handler that supports the call to LoginByToken.
 */
Element token = requestedSecurityToken.getAny();
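Example 3-2 ends with the raw assertion Element, and Chapter 4 hands it straight to the LoginByToken handlers. Before doing that, a client should confirm it actually received what it asked for: a SAML 2.0 assertion with an ID (Example 4-2 passes that ID to the signature handler), a holder-of-key subject confirmation (a bearer token would make the signature handler pointless), a validity window that covers the present time within a clock tolerance, and a signature element. The following added example is not part of the SDK or this guide; it implements those checks with the JDK's DOM API on a constructed sample assertion. The presence check on ds:Signature is structural only: cryptographic verification against the STS signing certificate is a separate step that this example does not perform. Class, method names, the five-minute tolerance and the sample values are assumptions.

```java
import java.io.StringReader;
import java.time.Duration;
import java.time.Instant;
import java.time.OffsetDateTime;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Structural checks on the Element returned by Issue, before it is used with LoginByToken (illustrative). */
public class IssuedTokenChecks {
    static final String SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String DSIG = "http://www.w3.org/2000/09/xmldsig#";
    static final String HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key";

    /** Returns the assertion ID if every check passes; throws with the failing condition otherwise. */
    public static String checkHolderOfKeyToken(Element token, Instant now, Duration clockTolerance) {
        if (!SAML2.equals(token.getNamespaceURI()) || !"Assertion".equals(token.getLocalName())) {
            throw new IllegalStateException("not a SAML 2.0 Assertion: " + token.getTagName());
        }
        String id = token.getAttribute("ID");
        if (id.isEmpty()) {
            throw new IllegalStateException("assertion has no ID attribute");
        }
        // Validity window, allowing for clock skew between the client and the STS.
        Element conditions = child(token, SAML2, "Conditions");
        Instant notBefore = OffsetDateTime.parse(conditions.getAttribute("NotBefore")).toInstant();
        Instant notOnOrAfter = OffsetDateTime.parse(conditions.getAttribute("NotOnOrAfter")).toInstant();
        if (now.plus(clockTolerance).isBefore(notBefore)) {
            throw new IllegalStateException("token not yet valid (NotBefore=" + notBefore + ")");
        }
        if (!now.minus(clockTolerance).isBefore(notOnOrAfter)) {
            throw new IllegalStateException("token expired (NotOnOrAfter=" + notOnOrAfter + ")");
        }
        // The request asked for PublicKey (holder-of-key); make sure that is what came back.
        Element confirmation = child(child(token, SAML2, "Subject"), SAML2, "SubjectConfirmation");
        if (!HOLDER_OF_KEY.equals(confirmation.getAttribute("Method"))) {
            throw new IllegalStateException("not a holder-of-key token: " + confirmation.getAttribute("Method"));
        }
        // Presence only: the signature must still be verified against the STS signing certificate.
        if (token.getElementsByTagNameNS(DSIG, "Signature").getLength() == 0) {
            throw new IllegalStateException("assertion is not signed");
        }
        return id;
    }

    private static Element child(Element parent, String ns, String localName) {
        NodeList kids = parent.getChildNodes();
        for (int i = 0; i < kids.getLength(); i++) {
            Node n = kids.item(i);
            if (n.getNodeType() == Node.ELEMENT_NODE && ns.equals(n.getNamespaceURI())
                    && localName.equals(n.getLocalName())) {
                return (Element) n;
            }
        }
        throw new IllegalStateException("missing " + localName + " element");
    }

    /** Parses with DTDs disabled so a hostile response cannot trigger entity expansion. */
    public static Element parseAssertion(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml))).getDocumentElement();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the shape of an STS response, not a real signed token.
        String sample =
              "<saml2:Assertion xmlns:saml2='urn:oasis:names:tc:SAML:2.0:assertion' ID='_sample'"
            + "  Version='2.0' IssueInstant='2012-09-10T12:00:00Z'>"
            + " <saml2:Issuer>https://sso.example.invalid/STS</saml2:Issuer>"
            + " <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>"
            + " <saml2:Subject><saml2:NameID>user@example.invalid</saml2:NameID>"
            + "  <saml2:SubjectConfirmation Method='urn:oasis:names:tc:SAML:2.0:cm:holder-of-key'/>"
            + " </saml2:Subject>"
            + " <saml2:Conditions NotBefore='2012-09-10T12:00:00Z' NotOnOrAfter='2012-09-10T12:30:00Z'/>"
            + "</saml2:Assertion>";
        Element token = parseAssertion(sample);
        Instant now = Instant.parse("2012-09-10T12:10:00Z");
        System.out.println("usable assertion ID: " + checkHolderOfKeyToken(token, now, Duration.ofMinutes(5)));
    }
}
```

In the flow of this guide, the Element from Example 3-2 is what you would pass as token, with Instant.now() and the clock tolerance your deployment accepts; a failure here is cheaper to diagnose than a rejected LoginByToken call.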

LoginByToken Example (JAX-WS)

This chapter describes a Java example of using the LoginByToken method.
- vCenter Server Single Sign On Session on page 27
- Saving the vCenter Server Session Cookie on page 29
- Using LoginByToken on page 30
- Restoring the vCenter Server Session Cookie on page 31

vCenter Server Single Sign On Session

After you obtain a SAML token from the vCenter Single Sign On Server, you can use the vSphere API method LoginByToken to establish a single sign on session with a vCenter Server. See vCenter Single Sign On Client Example (JAX-WS) on page 21 for an example of obtaining a vCenter Single Sign On token.

At the beginning of a vCenter Single Sign On session, your client is responsible for the following tasks:
- Maintain the vCenter session cookie. The vSphere architecture uses an HTTP cookie to support a persistent connection between a vSphere client and a vCenter Server. During the initial connection, the Server produces a session cookie. Operations during the login sequence will reset the request context, so your client must save this cookie and reintroduce it at the appropriate times.
- Insert the vCenter Single Sign On token and a timestamp into the SOAP header of the LoginByToken message.

The example program uses these general steps:
1. Call the RetrieveServiceContent method to establish an HTTP connection with the vCenter Server and save the HTTP session cookie. The client uses an HTTP header handler method to extract the cookie from the vCenter Server response.
2. Call the LoginByToken method to authenticate the vCenter session. To send the token to the vCenter Server, the client uses a handler to embed the token and a timestamp in the SOAP header for the message. To identify the session started with the RetrieveServiceContent method, the client uses a handler to embed the session cookie in the HTTP header.
3. Restore the session cookie.

HTTP and SOAP Header Handlers

To use a vCenter Single Sign On token to log in to a vCenter Server, the example uses header handlers to manipulate the HTTP and SOAP header elements of the login request. After establishing a handler, subsequent requests automatically invoke the handler.
- An extraction handler obtains the HTTP session cookie provided by the vCenter Server. After setting up the handler, a call to the RetrieveServiceContent method will invoke the handler to extract the cookie from the Server response.
- Insertion handlers put the vCenter Single Sign On token and a timestamp into the SOAP header, and the session cookie into the HTTP header, of the login request.

The following figure shows the use of handlers to manipulate header elements when establishing a vCenter Single Sign On session with a vCenter Server.

Figure 4-1. Starting a vCenter Session
[Figure: the vCenter client sends RetrieveServiceContent() to the vCenter Server; an extraction handler reads the session cookie from the HTTP header of the response. The client then sends LoginByToken(): an insertion handler puts the session cookie into the HTTP header, and insertion handlers put the timestamp and the vCenter Single Sign On token into the SOAP header.]

IMPORTANT Every call to the vCenter Server will invoke any message handlers that have been established. The overhead involved in using the SOAP and HTTP message handlers is not necessary after the session has been established. The example saves the default message handler before setting up the SOAP and HTTP handlers. After establishing the session, the example will reset the handler chain and restore the default handler.

The example code also uses multiple calls to the VimService.getVimPort method to manage the request context. The getVimPort method clears the HTTP request context. After each call to the getVimPort method, the client resets the request context endpoint address to the vCenter Server URL. After the client has obtained the session cookie, it will restore the cookie in subsequent requests.

Sample Code

The code examples in the following sections show how to use the LoginByToken method with a holder-of-key security token. The code examples are based on the sample code contained in the vCenter Single Sign On SDK. The files are located in the Java samples directory (SDK/ssoclient/java/JAXWS/samples):
- LoginByToken sample:
  samples/com/vmware/vsphere/samples/LoginByTokenSample.java
- Header cookie handlers:
  samples/com/vmware/vsphere/soaphandlers/HeaderCookieHandler.java
  samples/com/vmware/vsphere/soaphandlers/HeaderCookieExtractionHandler.java
- SOAP header handlers. These are the same handlers that are used in vCenter Single Sign On Client Example (JAX-WS) on page 21. The SOAP handler files are located in the vCenter Single Sign On client soaphandlers directory:
  samples/com/vmware/sso/client/soaphandlers

Saving the vCenter Server Session Cookie

The code fragment in this section establishes an HTTP session with the vCenter Server and saves the HTTP session cookie. The following sequence describes these steps and shows the corresponding objects and methods.

1. Use the getHandlerResolver method to save the default message handler. To use the HTTP and SOAP message handlers, you must first save the default message handler so that you can restore it after login. The HTTP and SOAP message handlers impose overhead that is unnecessary after login.
   Objects and methods: VimService.getHandlerResolver()

2. Set the cookie handler. The HeaderCookieExtractionHandler retrieves the HTTP cookie.
   Objects and methods: VimService, HeaderHandlerResolver, HeaderCookieExtractionHandler

3. Get the VIM port. The VIM port provides access to the vSphere API methods, including the LoginByToken method.
   Objects and methods: VimService, VimPortType

4. Set the request context endpoint address to the vCenter Server URL.
   Objects and methods: VimPortType, Request Context

5. Retrieve the ServiceContent. This method establishes the HTTP connection and sets the session cookie.
   Objects and methods: VimPortType, ServiceContent

6. Extract the cookie and save it for later use.
   Objects and methods: HeaderCookieExtractionHandler.getCookie()

The following example shows Java code that saves the session cookie.
Example 4-1. Saving the vCenter Server Session Cookie
/*
 * The example uses a SAML token (obtained from a vCenter Single Sign On Server)
 * and the vCenter Server URL.
 * The following declarations indicate the datatypes; the token datatype (Element) corresponds
 * to the token datatype returned by the vCenter Single Sign On Server.
 *
 * Element token;        -- from vCenter Single Sign On Server
 * String vcServerUrl;   -- identifies vCenter Server
 *
 * Create the VIM service object, then save its default message handler so that it
 * can be restored after login.
 */
vimService = new VimService();
HandlerResolver defaultHandler = vimService.getHandlerResolver();
/*
 * Construct a managed object reference for the ServiceInstance.
 */
ManagedObjectReference SVC_INST_REF = new ManagedObjectReference();
SVC_INST_REF.setType("ServiceInstance");
SVC_INST_REF.setValue("ServiceInstance");
/*
 * Create a handler resolver.
 * Create a cookie extraction handler and add it to the handler resolver.
 * Set the VIM service handler resolver.
 */
HeaderCookieExtractionHandler cookieExtractor = new HeaderCookieExtractionHandler();
HeaderHandlerResolver handlerResolver = new HeaderHandlerResolver();
handlerResolver.addHandler(cookieExtractor);
vimService.setHandlerResolver(handlerResolver);
/*
 * Get the VIM port for access to vSphere API methods. This call clears the request context.
 */
vimPort = vimService.getVimPort();
/*
 * Get the request context and set the connection endpoint.
 */
Map<String, Object> ctxt = ((BindingProvider) vimPort).getRequestContext();
ctxt.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, vcServerUrl);
ctxt.put(BindingProvider.SESSION_MAINTAIN_PROPERTY, true);
/*
 * Retrieve the ServiceContent. This call establishes the HTTP connection.
 */
serviceContent = vimPort.retrieveServiceContent(SVC_INST_REF);
/*
 * Save the HTTP cookie.
 */
String cookie = cookieExtractor.getCookie();

Using LoginByToken

The code fragment in this section sets up the message handlers and calls the LoginByToken method. The following sequence describes the steps and shows the corresponding objects and methods.

1. Create a new HeaderHandlerResolver. Then set the message security handlers for cookie insertion and for inserting the SAML token and credentials in the SOAP header.
   Objects and methods: HeaderHandlerResolver; HeaderCookieHandler (session cookie); TimeStampHandler; SamlTokenHandler (SAML token); WsSecuritySignatureAssertionHandler (key, certificate, assertion ID)

2. Get the VIM port.
   Objects and methods: VimService, VimPortType

3. Set the connection endpoint in the HTTP request context.
   Objects and methods: VimPortType, Request Context

4. Call the LoginByToken method. The method invocation executes the handlers to insert the elements into the message headers. The method authenticates the session referenced by the session cookie.
   Objects and methods: VimPortType.LoginByToken()

The following example shows Java code that calls the LoginByToken method.
Example 4-2. Using LoginByToken
/*
* Create a handler resolver and add the handlers.
*/
HeaderHandlerResolver handlerResolver = new HeaderHandlerResolver();
handlerResolver.addHandler(new TimeStampHandler());
handlerResolver.addHandler(new SamlTokenHandler(token));
handlerResolver.addHandler(new HeaderCookieHandler(cookie));
handlerResolver.addHandler(new WsSecuritySignatureAssertionHandler(
userCert.getPrivateKey(),
userCert.getUserCert(),
Utils.getNodeProperty(token, "ID")));
vimService.setHandlerResolver(handlerResolver);
/*
* Get the Vim port; this call clears the request context.
*/
vimPort = vimService.getVimPort();
/*
* Retrieve the request context and set the server URL.
*/
Map<String, Object> ctxt = ((BindingProvider) vimPort).getRequestContext();
ctxt.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, vcServerUrl);
ctxt.put(BindingProvider.SESSION_MAINTAIN_PROPERTY, true);
/*
* Call LoginByToken.
*/
UserSession us = vimPort.loginByToken(serviceContent.getSessionManager(), null);

Restoring the vCenter Server Session Cookie

After you log in, you must restore the standard vCenter session context. The code fragment in this section restores the default message handler and the session cookie. As the cookie handler has been replaced by the default handler, the client resets the session cookie by calling request context methods to access the context fields directly. The following sequence describes these steps and shows the corresponding objects and methods.

1. Restore the default message handler. The handlers used for LoginByToken are not used in subsequent calls to the vSphere API.
   Objects and methods: VimService.setHandlerResolver()

2. Get the VIM port.
   Objects and methods: VimService, VimPortType

3. Set the connection endpoint in the HTTP request context.
   Objects and methods: VimPortType, Request Context

4. Set the HTTP request header (vCenter session cookie).
   Objects and methods: RequestContext.get(), RequestContext.put()

The following example shows Java code that restores the vCenter session. This code requires the vCenter URL and the cookie and default handler that were retrieved before login. See Sample Code on page 28.
Example 4-3. Restoring the vCenter Server Session
/*
 * Reset the default handler. This overwrites the existing handlers, effectively removing them.
 */
vimService.setHandlerResolver(defaultHandler);
vimPort = vimService.getVimPort();
/*
 * Restore the connection endpoint in the request context.
 */
Map<String, Object> ctxt = ((BindingProvider) vimPort).getRequestContext();
ctxt.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, vcServerUrl);
ctxt.put(BindingProvider.SESSION_MAINTAIN_PROPERTY, true);
/*
 * Reset the cookie in the request context. Set the validated session cookie in the
 * header once; JAX-WS will maintain that cookie for all subsequent requests.
 */
Map<String, List<String>> headers = (Map<String, List<String>>)
        ctxt.get(MessageContext.HTTP_REQUEST_HEADERS);
if (headers == null) {
    headers = new HashMap<String, List<String>>();
}
headers.put("Cookie", Arrays.asList(cookie));
ctxt.put(MessageContext.HTTP_REQUEST_HEADERS, headers);
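The SDK's HeaderCookieExtractionHandler and HeaderCookieHandler are named in this chapter but their source is not shown. The following added example is not the SDK's code; it shows what such a pair of JAX-WS handlers has to do with the standard javax.xml.ws.handler API (bundled with Java 8; jaxws-api on later JDKs): read Set-Cookie from the HTTP response headers of the RetrieveServiceContent reply, keep only the name=value pair, and replay it as a Cookie request header on later calls. Class names and the null-safe treatment of the header map are assumptions of this example; the JAX-WS reference implementation is known to store the HTTP status line under a null key, which is why the lookup tolerates one. The session cookie is a bearer credential for the logged-in session: keep it in memory only, never log it, and send it only over TLS.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;

/** HTTP session cookie handlers in the style of the SDK's cookie handlers (illustrative, not SDK code). */
public class SessionCookieHandlers {

    /** Captures the session cookie from the Set-Cookie header of an inbound response. */
    public static class Extractor implements SOAPHandler<SOAPMessageContext> {
        private volatile String cookie;

        public String getCookie() { return cookie; }

        @Override
        public boolean handleMessage(SOAPMessageContext ctx) {
            if (Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) {
                return true;                                // nothing to read on the way out
            }
            @SuppressWarnings("unchecked")
            Map<String, List<String>> headers =
                    (Map<String, List<String>>) ctx.get(MessageContext.HTTP_RESPONSE_HEADERS);
            String found = sessionCookie(headers);
            if (found != null) {
                cookie = found;
            }
            return true;
        }

        @Override public boolean handleFault(SOAPMessageContext ctx) { return true; }
        @Override public void close(MessageContext ctx) { }
        @Override public Set<QName> getHeaders() { return Collections.emptySet(); }
    }

    /** Replays a previously captured cookie on every outbound request. */
    public static class Inserter implements SOAPHandler<SOAPMessageContext> {
        private final String cookie;

        public Inserter(String cookie) {
            if (cookie == null || cookie.isEmpty()) {
                throw new IllegalArgumentException("no session cookie to insert");
            }
            this.cookie = cookie;
        }

        @Override
        public boolean handleMessage(SOAPMessageContext ctx) {
            if (!Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) {
                return true;
            }
            @SuppressWarnings("unchecked")
            Map<String, List<String>> headers =
                    (Map<String, List<String>>) ctx.get(MessageContext.HTTP_REQUEST_HEADERS);
            if (headers == null) {
                headers = new HashMap<String, List<String>>();
            }
            headers.put("Cookie", Collections.singletonList(cookie));
            ctx.put(MessageContext.HTTP_REQUEST_HEADERS, headers);
            return true;
        }

        @Override public boolean handleFault(SOAPMessageContext ctx) { return true; }
        @Override public void close(MessageContext ctx) { }
        @Override public Set<QName> getHeaders() { return Collections.emptySet(); }
    }

    /**
     * Returns the first "name=value" pair found in a Set-Cookie header, or null. Header names are
     * matched case-insensitively, a null key (status line) is skipped, and attributes such as
     * Path or HttpOnly are dropped: a Cookie request header carries only name=value pairs.
     */
    static String sessionCookie(Map<String, List<String>> headers) {
        if (headers == null) {
            return null;
        }
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            if (e.getKey() == null || !e.getKey().equalsIgnoreCase("Set-Cookie") || e.getValue() == null) {
                continue;
            }
            for (String setCookie : e.getValue()) {
                String pair = setCookie.split(";", 2)[0].trim();
                if (pair.indexOf('=') > 0) {
                    return pair;
                }
            }
        }
        return null;
    }
}
```

Used in the sequence of this chapter, an Extractor would be registered before RetrieveServiceContent (Example 4-1) and an Inserter built from its getCookie() value would be registered alongside the SOAP handlers for LoginByToken (Example 4-2); after login, Example 4-3 removes both and sets the Cookie header directly.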

Index

A
acquiring a token 7
  example 21
API reference 13
authentication
  local user account 5
  OpenLDAP 5
  SSPI 10
  vCenter Single Sign On user account 5
  Windows Active Directory 5

B
bearer token 6

C
Challenge function
  SSPI authentication 10
Challenge method 15
client SDK 11
clock tolerance 10
connecting to a vCenter Single Sign On Server 9

D
data structures
  KeyTypeOpenEnum 18
  LifetimeType 18
  ParticipantsType 19
  RenewingType 18
  RequestSecurityTokenResponseCollectionType 17
  RequestSecurityTokenResponseType 17
  RequestSecurityTokenType 15
  UseKeyType 19
delegation, token 10
digital certificate 7
digital signature 7

E
endpoint specification 9
example
  calling LoginByToken 27
  obtaining a token 21

H
holder-of-key token 6
  example 21
HTTP header methods
  example 31
  LoginByToken 27

I
Issue function
  request-response 7
Issue method 13
  example 21

J
JAX-WS
  SDK contents 11
  SOAP header methods 7
    example 22
    SDK location

K
KeyTypeOpenEnum 18

L
LifetimeType 18
local user account 5
LoginByToken method 6, 10
  example 27

M
methods, vCenter Single Sign On
  Challenge 15
  Issue 13
  Renew 14
  Validate 14

O
OpenLDAP 5

P
ParticipantsType 19
policy, security 8
port number 9

R
Renew method 14
RenewingType 18
RequestSecurityTokenResponseCollectionType 17
RequestSecurityTokenResponseType 17
RequestSecurityTokenType 15

S
SAML token 5
SDK, vCenter Single Sign On 11
security policy 8
Security Token Service (STS) 5
server configuration 6
server connection 9
single sign on 5
SOAP header methods 7
  example 22
  LoginByToken 27
  SDK location 9
SOAP message structure 11
SSPI authentication 10

T
timestamp 7
token
  acquisition 7
  bearer 6
  delegation 10
  holder-of-key 6, 10
  holder-of-key example 21
  lifetime 10
  LoginByToken example 27
  SAML 5

U
UseKeyType 19
user accounts 5

V
Validate method 14
vCenter Server session 27
vCenter Single Sign On 5
  API reference 13
  client methods 7
  client SDK 11
  endpoint 9
  server configuration 6
  server connection 9
  user account 5

W
Windows Active Directory 5
WS-Policy 8
WS-SecurityPolicy 7, 8
WS-Trust 7
