If your organization defines an OAuth identity provider in its OrgOAuthSettings, users managed by that identity provider are created implicitly when they first log in to the organization. You can also import a user from an OAuth identity provider explicitly if you need the user to exist in the organization before first login, or to assign the user a specific role.

Unlike imports from an LDAP service, imports from an OAuth identity provider do not actually import information from an external database. Instead, the operation creates a mapping between a user defined in your organization and a user defined by your organization's OAuth provider. The vCloud Director database stores these mappings, but does not store any user properties retrieved from the OAuth provider.

This operation requires the rights included in the predefined Organization Administrator role or an equivalent set of rights.

Verify that your organization has defined an OAuth identity provider in its OrgOAuthSettings.

1. Create a User element that identifies a user defined by your organization's OAuth provider.

2. Include the following line in the User element.

   <ProviderType>OAUTH</ProviderType>

3. POST the element to the organization's users URL.

This example imports a user from an OAuth identity provider and assigns the user a specific role (the predefined role vApp Author).

Note

Any user managed by an OAuth identity provider is assigned the role Defer to Identity Provider when created implicitly at first login (see Predefined Roles and Their Rights). You can assign this role when you import a user explicitly, though in many cases there is no need to do an explicit import unless you want to assign the user another role or multiple roles.

Request:

POST https://vcloud.example.com/api/admin/org/26/users
Content-Type: application/vnd.vmware.admin.user+xml
...
<?xml version="1.0" encoding="UTF-8"?>
<User
   xmlns="http://www.vmware.com/vcloud/v1.5"
   name="user@example.com"
   type="application/vnd.vmware.admin.user+xml">
   <IsEnabled>true</IsEnabled>
   <ProviderType>OAUTH</ProviderType>
   <Role
      type="application/vnd.vmware.admin.role+xml"
      href="https://vcloud.example.com/api/admin/role/1bf4457f-a253-3cf1-b163-f319f1a31802" />
</User>

The response is a User element, most of which is not shown in the example. The response includes a link that an administrator can use to edit user metadata, and additional elements, such as IsDefaultCached and StoredVmQuota, inherited from organization defaults. It also includes a NameInSource element, which contains the user's name in the encoding used by the identity provider.

Response:

201 Created
Content-Type: application/vnd.vmware.admin.user+xml
...
<User
   xmlns="http://www.vmware.com/vcloud/v1.5"
   name="user@example.com"
   id="urn:vcloud:user:85"
   type="application/vnd.vmware.admin.user+xml"
   href="https://vcloud.example.com/api/admin/user/85">
   <Link
      rel="edit"
      type="application/vnd.vmware.admin.user+xml"
      href="https://vcloud.example.com/api/admin/user/85" />
   <FullName>Imported User Full Name</FullName>
   <EmailAddress>user@example.com</EmailAddress>
   <IsEnabled>true</IsEnabled>
   <ProviderType>OAUTH</ProviderType>
   <NameInSource>\F4\D3\42\8E\6A\BC\D3</NameInSource>
   <IsAlertEnabled>false</IsAlertEnabled>
   <IsDefaultCached>false</IsDefaultCached>
   <StoredVmQuota>0</StoredVmQuota>
   <DeployedVmQuota>0</DeployedVmQuota>
   <Role
      type="application/vnd.vmware.admin.role+xml"
      name="vApp Author"
      href="https://vcloud.example.com/api/admin/role/1bf4457f-a253-3cf1-b163-f319f1a31802" />
   <GroupReferences />
</User>
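The following Python script is an added example and is not part of the vCloud Director documentation. It builds the User element for an explicit OAuth import exactly as the request above shows it, POSTs it to the organization's users URL with the correct Content-Type, and then checks the returned User element: the mapping must come back with ProviderType OAUTH, the requested name, and the role you intended rather than some other role. The session header (x-vcloud-authorization), the Accept version string, and all function names are assumptions; the embedded response is the page's own response, trimmed to the elements the check reads.

```python
# Added example, not part of the vCloud Director documentation.
# Builds the User element for an explicit OAuth import, POSTs it to the
# organization's users URL, and verifies the User element that comes back.
# The x-vcloud-authorization session header and the Accept version string
# are assumptions; adjust them to the API version you are running against.
import urllib.request
import xml.etree.ElementTree as ET

NS = "http://www.vmware.com/vcloud/v1.5"
USER_TYPE = "application/vnd.vmware.admin.user+xml"
ROLE_TYPE = "application/vnd.vmware.admin.role+xml"


def q(tag):
    """Namespace-qualify a vCloud element name for ElementTree."""
    return "{%s}%s" % (NS, tag)


def build_user_xml(name, role_href, enabled=True):
    """Return the request body shown on the page: a User element with
    ProviderType OAUTH and an explicit Role reference."""
    ET.register_namespace("", NS)  # emit xmlns="..." as the default namespace
    user = ET.Element(q("User"), {"name": name, "type": USER_TYPE})
    ET.SubElement(user, q("IsEnabled")).text = "true" if enabled else "false"
    ET.SubElement(user, q("ProviderType")).text = "OAUTH"
    ET.SubElement(user, q("Role"), {"type": ROLE_TYPE, "href": role_href})
    return ET.tostring(user, encoding="UTF-8", xml_declaration=True)


def post_user(org_users_url, session_token, body, api_version="5.5"):
    """POST the element to <org href>/users. Not executed in this example;
    it assumes a vCloud API session token is already held."""
    req = urllib.request.Request(
        org_users_url, data=body, method="POST",
        headers={
            "Content-Type": USER_TYPE,
            "Accept": "application/*+xml;version=%s" % api_version,  # assumption
            "x-vcloud-authorization": session_token,                  # assumption
        })
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


def summarize_user(response_xml):
    """Pull the fields worth checking out of the returned User element."""
    root = ET.fromstring(response_xml)

    def text(tag):
        el = root.find(q(tag))
        return el.text if el is not None else None

    role = root.find(q("Role"))
    return {
        "id": root.get("id"),
        "name": root.get("name"),
        "enabled": text("IsEnabled") == "true",
        "provider_type": text("ProviderType"),
        "name_in_source": text("NameInSource"),
        "role_name": role.get("name") if role is not None else None,
        "role_href": role.get("href") if role is not None else None,
    }


def verify_import(response_xml, expected_name, expected_role_href):
    """Return a list of problems; an empty list means the mapping is what we
    asked for. Checking the role href matters because an explicit import is
    exactly how a user ends up with rights beyond Defer to Identity Provider."""
    s = summarize_user(response_xml)
    problems = []
    if s["provider_type"] != "OAUTH":
        problems.append("ProviderType is %r, not OAUTH" % s["provider_type"])
    if s["name"] != expected_name:
        problems.append("name %r does not match requested %r" % (s["name"], expected_name))
    if s["role_href"] != expected_role_href:
        problems.append("role %r (%s) is not the requested role" % (s["role_name"], s["role_href"]))
    if not s["enabled"]:
        problems.append("user was created disabled")
    return problems


# The page's own response, trimmed to the elements checked above.
SAMPLE_RESPONSE = rb"""<User xmlns="http://www.vmware.com/vcloud/v1.5"
   name="user@example.com" id="urn:vcloud:user:85"
   type="application/vnd.vmware.admin.user+xml"
   href="https://vcloud.example.com/api/admin/user/85">
   <IsEnabled>true</IsEnabled>
   <ProviderType>OAUTH</ProviderType>
   <NameInSource>\F4\D3\42\8E\6A\BC\D3</NameInSource>
   <Role type="application/vnd.vmware.admin.role+xml" name="vApp Author"
      href="https://vcloud.example.com/api/admin/role/1bf4457f-a253-3cf1-b163-f319f1a31802" />
</User>"""

VAPP_AUTHOR = "https://vcloud.example.com/api/admin/role/1bf4457f-a253-3cf1-b163-f319f1a31802"

if __name__ == "__main__":
    body = build_user_xml("user@example.com", VAPP_AUTHOR)
    print(body.decode())
    # Against a live system: post_user(org_href + "/users", token, body)
    print(verify_import(SAMPLE_RESPONSE, "user@example.com", VAPP_AUTHOR))
```

Run verify_import on the real response before relying on the mapping: a non-empty list means the user was created but not with the provider type or role you requested, and that is the moment to correct it, not after the user's first login.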