vCenter Single Sign On API Data Structures

vCenter Single Sign On API Data Structures

Use the following objects for the vCenter Single Sign On methods.

RequestSecurityTokenType

ParticipantsType

RequestSecurityTokenResponseCollectionType

ParticipantType

RequestSecurityTokenResponseType

EndpointReference

LifetimeType

BinaryExchangeType

RenewingType

AdviceType

KeyTypeOpenEnum

AttributeType

UseKeyType

RequestSecurityTokenType

Defines a set of token characteristics requested by the vCenter Single Sign On client. The vCenter Single Sign On client specifies this data object in a call to the Issue, Renew, and Validate methods. The vCenter Single Sign On Server may satisfy a request for a particular characteristic or it may use a different value in the issued token. The response to the token request contains the actual token values. See RequestSecurityTokenResponseType.

The vCenter Single Sign On API supports a subset of the RequestSecurityTokenType elements defined in the WS-Trust specification. The following table shows the supported elements and attributes. An item in the table is defined as an element in the WSDL unless explicitly identified as an attribute.

RequestSecurityTokenType Elements (vCenter Single Sign On)

Element

Datatype

Description

Context

string

RequestSecurityToken attribute specifying a URI (Uniform Resource Identifier) that identifies the original request. If you include this in a request, the vCenter Single Sign On Server will include the context identifier in the response. This attribute is required when the request includes a BinaryExchange property.

TokenType

string

Identifies the requested token type, specified as a URI (Uniform Resource Identifier). The following list shows the valid token types:

■

urn:oasis:names:tc:SAML:2.0:assertion – for issue and renew requests.

■

http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Status – for validation requests.

RequestType

string

Identifies the request type, specified as a URI. The RequestType property is required.

The following list shows the valid request types:

■

http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue

■

http://docs.oasis-open.org/ws-sx/ws-trust/200512/Renew

■

http://docs.oasis-open.org/ws-sx/ws-trust/200512/Validate

Lifetime

LifetimeType

Time period during which a token is valid. The vCenter Single Sign On Server can ignore the requested lifetime and assign a different lifetime to the token. The lifetime specifies creation and expiration values. This property is optional – used with Issue and Renew requests.

ValidateTarget

Specifies the token to be validated. This property can contain either a reference to the token or it can contain the token itself. The property is required for and used only with the Validate method.

RenewTarget

Specifies the token to be renewed. This property can contain either a reference to the token or it can contain the token itself. This property is required for and used only with the Renew method.

Renewing

RenewingType

Specifies a request for a renewable token. This property is optional. If you do not specify the Renewing property, the vCenter Single Sign On Server will issue a renewable token. This property is optional.

DelegateTo

Specifies a security token or token reference for an identity to which the requested token will be delegated. The DelegateTo value must identify a solution.

Delegatable

xs:boolean

Indicates whether the requested token can be delegated to an identity. Use this property together with the DelegateTo property. The default value for the Delegatable property is false.

UseKey

UseKeyType

References a token for subject confirmation. Required for Issue, Renew, and Validate methods.

KeyType

string

String value corresponding to a KeyTypeOpenEnum value. The value is a URI (Uniform Resource Identifier) that specifies the requested key cryptography type. This property is optional.

SignatureAlgorithm

string

Specifies a URI (Uniform Resource Identifier) for an algorithm that produces a digital signature for the token. The following list shows the valid values:

■

http://www.w3.org/2000/09/xmldsig#rsa-sha1

■

http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

■

http://www.w3.org/2001/04/xmldsig-more#rsa-sha384

■

http://www.w3.org/2001/04/xmldsig-more#rsa-sha512

BinaryExchange

BinaryExchangeType

Contains data for challenge negotation between the vCenter Single Sign On client and vCenter Single Sign On Server.

Participants

ParticipantsType

Specifies the identities of participants that are authorized to use the token.

AdviceSet

AdviceSetType

List of AdviceType.

RequestSecurityTokenResponseCollectionType

Returned by the Issue method. This type contains a response to the request or the requested token. .

RequestSecurityTokenResponseCollectionType

Element

Datatype

Description

RequestSecurityTokenResponse

RequestSecurityTokenResponseType[ ]

List of token request response objects. The current architecture supports a single token response only

RequestSecurityTokenResponseType

Describes a single token.

RequestSecurityTokenResponseType Properties (vCenter Single Sign On)

Element

Datatype

Description

Context

string

RequestSecurityTokenResponse attribute specifying a URI (Uniform Resource Identifier) that identifies the original request. This attribute is included in the response if it was specified in the request.

TokenType

string

Identifies the type of token in the response. TokenType is specified as a URI (Uniform Resource Identifier), one of the following:

■

urn:oasis:names:tc:SAML:2.0:assertion – for issue and renew operations.

■

http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Status – for validation operations.

Lifetime

LifetimeType

Time period during which a token is valid. The lifetime in the token response is the actual lifetime assigned by the vCenter Single Sign On Server. The lifetime specifies creation and expiration values.

RequestedSecurityToken

RequestedSecurityTokenType

SAML token.

Renewing

RenewingType

Indicates whether or not the token can be renewed. By default, the vCenter Single Sign On Server will issue a renewable token.

BinaryExchange

BinaryExchangeType

Contains data for challenge negotiation between vCenter Single Sign On client and vCenter Single Sign On Server.

KeyType

string

Indicates whether or not key cryptography is used. The KeyType is a string value corresponding to an enumerated type value. See KeyTypeOpenEnum. The value is a URI (Uniform Resource Identifier) that specifies the key type.

SignatureAlgorithm

string

Indicates a URI (Uniform Resource Identifier) for an algorithm that produces a digital signature for the token. The following list shows the valid values:

■

http://www.w3.org/2000/09/xmldsig#rsa-sha1

■

http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

■

http://www.w3.org/2001/04/xmldsig-more#rsa-sha384

■

http://www.w3.org/2001/04/xmldsig-more#rsa-sha512

Delegatable

xs:boolean

Indicates whether the requested token can be delegated to an identity.

Status

StatusType

Indicates the status of the request. The property specifies Code and Reason values.

LifetimeType

Specifies the token lifetime. Used in RequestSecurityTokenType and RequestSecurityTokenResponseType.

LifetimeType Properties

Property

Datatype

Description

created

wsu:AttributedDateTime

Creation time of the token. XML date and time, expressed as a standard time value (Gregorian calendar).

expires

wsu:AttributedDateTime

Time interval during which the token is valid, starting at the created time. The time interval is an absolute value specified in seconds.

RenewingType

Specifies token renewal.

RenewingType Properties

Property

DataType

Description

Allow

xsd:boolean

Specifies a request for a token for which the lifetime can be extended. This property is optional. The default value is true.

OK

xsd:boolean

Indicates that the vCenter Single Sign On client will accept a token that can be renewed after it has expired. This property is optional. The default value is false. If you specify this property, you must specify a value of false. A token that can be renewed after expiration does not provide adequate security.

KeyTypeOpenEnum

Specifies a set of enumerated type values that identify the supported types of key cryptography used for security tokens. The values are URIs (Universal Resource Identifiers).

KeyType Properties

Enumerated type value

Description

http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey

Specifies asymmetric key cryptography using a combination of public and private keys. Use this key type for holder-of-key tokens.

http://docs.oasis-open.org/wssx/wstrust/200512/Bearer

Indicates a bearer token, which does not require a key to authenticate the token.

UseKeyType

Specifies the URI for an existing key.

UseKeyType Properties

Property

Datatype

Description

Sig

string

URI (Universal Resource Identifer) that refers to a security token which contains an existing key. If specified, the vCenter Single Sign On Server will use the associated certificate for subject confirmation.

ParticipantsType

Identifies users and services who are allowed to use the token.

ParticipantsType Properties

Property

Datatype

Description

Primary

ParticipantType

Primary user of the token.

Participant

ParticipantType

List of participants who are allowed to use the token.

ParticipantType

ParticipantType is an end point reference.

ParticipantType Property

Property

Datatype

Description

EndpointReference

Specifies a participant represented as a URI.

EndpointReference

Participant identification. The ReferenceParameters, Metadata, and any elements are not used.

EndpointReference Property

Property

Datatype

Description

name

tns:AttributedURIType

URI that identifies a participant allowed to use a token.

BinaryExchangeType

Specifies a blob (binary large object) that contains data for negotation between the vCenter Single Sign On client and server.

BinaryExchangeType Attributes

Attribute

Datatype

Description

ValueType

xsd:anyURI

Identifies the type of negotiation.

EncodingType

xsd:anyURI

Identifies the encoding format of the blob.

AdviceType

Specifies additional informational attributes to be included in the issued token. The vCenter Single Sign On client can ignore this data. Advice data will be copied to delegate tokens. This type is used in RequestSecurityTokenType.

AdviceType Properties

Element/Attribute

Datatype

Description

Advicesource

string

AdviceType attribute specifying a URI representing the identity that provides the advice Attribute elements. This attribute is required.

Attribute

AttributeType

Advice data.

AttributeType

Attribute providing advice data. Used in AdviceType.

AttributeType Properties

Element/Attribute

Datatype

Description

Name

string

AttributeType attribute specifying a URI that is the unique name of the attribute. This attribute is required.

FriendlyName

string

AttributeType attribute specifying a human-readable form of the name. This attribute is optional.

AttributeValue

string

List of values associated with the attribute.

The AttributeValue structure depends on the following criteria:

■

If the attribute has one or more values, the AttributeType contains one AttributeValue for each value. Empty attribute values are represented by empty AttributeValue elements.

■

If the attribute does not have a value, the AttributeType does not contain an AttributeValue.

RequestSecurityTokenType	ParticipantsType
RequestSecurityTokenResponseCollectionType	ParticipantType
RequestSecurityTokenResponseType	EndpointReference
LifetimeType	BinaryExchangeType
RenewingType	AdviceType
KeyTypeOpenEnum	AttributeType
UseKeyType

RequestSecurityTokenResponseCollectionType
Element	Datatype	Description
RequestSecurityTokenResponse	RequestSecurityTokenResponseType[ ]	List of token request response objects. The current architecture supports a single token response only

LifetimeType Properties
Property	Datatype	Description
created	wsu:AttributedDateTime	Creation time of the token. XML date and time, expressed as a standard time value (Gregorian calendar).
expires	wsu:AttributedDateTime	Time interval during which the token is valid, starting at the created time. The time interval is an absolute value specified in seconds.

RenewingType Properties
Property	DataType	Description
Allow	xsd:boolean	Specifies a request for a token for which the lifetime can be extended. This property is optional. The default value is true.
OK	xsd:boolean	Indicates that the vCenter Single Sign On client will accept a token that can be renewed after it has expired. This property is optional. The default value is false. If you specify this property, you must specify a value of false. A token that can be renewed after expiration does not provide adequate security.

KeyType Properties
Enumerated type value	Description
http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey	Specifies asymmetric key cryptography using a combination of public and private keys. Use this key type for holder-of-key tokens.
http://docs.oasis-open.org/wssx/wstrust/200512/Bearer	Indicates a bearer token, which does not require a key to authenticate the token.

UseKeyType Properties
Property	Datatype	Description
Sig	string	URI (Universal Resource Identifer) that refers to a security token which contains an existing key. If specified, the vCenter Single Sign On Server will use the associated certificate for subject confirmation.

ParticipantsType Properties
Property	Datatype	Description
Primary	ParticipantType	Primary user of the token.
Participant	ParticipantType	List of participants who are allowed to use the token.

ParticipantType Property
Property	Datatype	Description
	EndpointReference	Specifies a participant represented as a URI.

EndpointReference Property
Property	Datatype	Description
name	tns:AttributedURIType	URI that identifies a participant allowed to use a token.

BinaryExchangeType Attributes
Attribute	Datatype	Description
ValueType	xsd:anyURI	Identifies the type of negotiation.
EncodingType	xsd:anyURI	Identifies the encoding format of the blob.

AdviceType Properties
Element/Attribute	Datatype	Description
Advicesource	string	AdviceType attribute specifying a URI representing the identity that provides the advice Attribute elements. This attribute is required.
Attribute	AttributeType	Advice data.

Help us improve this information. Send feedback to docfeedback@vmware.com.