If your organization defines a SAML identity provider in its OrgFederationSettings, you must import users individually or as members of groups from the identity provider before they can log in to the organization.
Unlike imports from an LDAP service, imports from a SAML identity provider do not import information from an external database. Instead, the operation creates a mapping between a user or group name in your organization's database and a user or group name that your organization's SAML provider defines. The vCloud Director database stores these mappings, but does not store data retrieved from the SAML provider.
When you import a user from a SAML identity provider, you must include the domain name, such as user@domain.com. When you import a group from a SAML identity provider, you must use its fully distinguished name.
When a user login presents a SAML token to the organization, user and group names in the token are evaluated using the mappings established by the import operation. If you defined custom user and group attributes, the evaluation process uses the values of the UserNameAttributeName and GroupNameAttributeName elements from the SamlAttributeMapping element in the organization OrgFederationSettings. The evaluation process includes the following:
■
|
This operation requires the rights included in the predefined Organization Administrator role or an equivalent set of rights. |
■
|
Verify that your organization has defined a SAML identity provider in its OrgFederationSettings. See Configuring and Managing Federation with SAML. |
This example imports a user from the SAML identity provider that the organization defines. This example is identical to the one shown in Example: Import a User from an LDAP Database, but includes a ProviderType element that specifies the source as the organization's SAML identity provider. This example also omits the IsExternal element, which is required when importing from LDAP but is ignored when importing from SAML.
The response is a User element, most of which is not shown in the example. The response includes a link that an administrator can use to edit user metadata, and additional elements, such as IsDefaultCached and StoredVmQuota, inherited from organization defaults. It also includes a NameInSource element, which contains the user's name in the encoding that the identity provider uses.
POST https://vcloud.example.com/api/admin/org/26/users Content-Type: application/vnd.vmware.admin.user+xml ... <?xml version="1.0" encoding="UTF-8"?> <User xmlns="http://www.vmware.com/vcloud/v1.5" name="user@example.com" type="application/vnd.vmware.admin.user+xml"> <IsEnabled>true</IsEnabled> <ProviderType>SAML</ProviderType> <Role href="https://vcloud.example.com/api/admin/org/26/role/13a69c14-e64c-409f-800f-0ecc470ea42d" /> </User>
201 Created Content-Type: application/vnd.vmware.admin.user+xml ... <User xmlns="http://www.vmware.com/vcloud/v1.5" name="user@example.com" id="urn:vcloud:user:85" type="application/vnd.vmware.admin.user+xml" href="https://vcloud.example.com/api/admin/user/85"> <Link rel="edit" type="application/vnd.vmware.admin.user+xml" href="https://vcloud.example.com/api/admin/user/85" /> <FullName>Imported User Full Name</FullName> <EmailAddress>user@example.com</EmailAddress> <IsEnabled>true</IsEnabled> <ProviderType>SAML</ProviderType> <NameInSource>\F4\D3\42\8E\6A\BC\D3</NameInSource> <IsAlertEnabled>false</IsAlertEnabled> <IsDefaultCached>false</IsDefaultCached> <StoredVmQuota>0</StoredVmQuota> <DeployedVmQuota>0</DeployedVmQuota> <Role type="application/vnd.vmware.admin.role+xml" name="vApp Author" href="https://vcloud.example.com/api/admin/org/26/role/13a69c14-e64c-409f-800f-0ecc470ea42d" /> <GroupReferences /> </User>