As a small introduction, what is the reason I’m writing this post?
For now, there is no mechanism for authentication without credentials in vCloud Director; only HTTP Basic authentication is supported. If you intend to add additional layers of security (two-factor authentication, for example), you might need what follows to integrate a more advanced authentication solution that meets your customer requirements. This can be a new portal, or just adding this additional layer of security to your vCloud Director infrastructure.
I’ll now explain how to authenticate to the vCloud Director Portal by generating a cookie using the vCloud API.
Here is the basic workflow of what happens when you log in to the vCloud Director Portal using your web browser.
- User logs into the vCloud Director portal (UI).
- User enters a username and password in the vCloud Director portal (UI) and gets back a session ID.
- The vCloud Director portal sets the vcloud_session_id cookie for its domain to that session ID.
NOTE: The vCloud Director portal (UI) itself does not use the REST API.
I have many customers that asked me the following question:
Is there any way to set up an intermediate security solution to avoid using the only current basic vCloud Director username/password authentication system?
With some automation, you can achieve this. Here is the process that illustrates the overall mechanism: connect using the vCloud API, then generate a cookie for the vCloud Director Portal:
- Client uses the vCloud REST API and issues a POST request to log in using your username/password.
- If the request is successful, vCloud Director returns an HTTP response code 200 (OK) and issues a vcloud-token, delivered in an authorization header of the form:
  x-vcloud-authorization: <vcloud_token>
  and in a cookie of the form:
  set-cookie: vcloud-token=<vcloud_token>; Secure; Path=/
- Client receives the vCloud answer, and retrieves the token.
- Client generates a cookie for the web browser to login without entering anything.
I’m using Mozilla Firefox in this example with the following extension to generate the cookie: Cookies Manager+
Now I’m generating the vcloud_session_id cookie, using the Cookies Manager+ extension, with my vcloud-token value. I’ve also highlighted the other options to generate the cookie.
I’ve demonstrated this with manual steps, but you can easily integrate this process into another orchestration workflow to enable, for example, other ways to log in/authenticate against vCloud Director, such as integrating a two-factor authentication solution.
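The automated version of the steps above, as an added example (not code from the original post or from VMware): it validates the login response, cross-checks the token carried in both headers, and builds the vcloud_session_id cookie that a gateway would hand to the browser after its own second-factor check. The sample response, the token value, the function names and the portal cookie's Path/Secure attributes are assumptions.

```python
from http.cookies import SimpleCookie

# Constructed sample of the login response described above; the token is made up.
TOKEN = "CONSTRUCTEDtoken0123456789abcdef"
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    f"x-vcloud-authorization: {TOKEN}\r\n"
    f"Set-Cookie: vcloud-token={TOKEN}; Secure; Path=/\r\n"
    "\r\n"
)

def parse_login_response(raw):
    """Split a raw HTTP response head into (status code, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers

def extract_token(status, headers):
    """Return the vcloud-token only if the response is internally consistent."""
    if status != 200:
        raise ValueError(f"login failed with HTTP {status}")
    token = headers.get("x-vcloud-authorization")
    if not token:
        raise ValueError("x-vcloud-authorization header missing")
    morsel = SimpleCookie(headers.get("set-cookie", "")).get("vcloud-token")
    if morsel is None or morsel.value != token:
        raise ValueError("vcloud-token cookie does not match the header")
    if not morsel["secure"]:
        raise ValueError("vcloud-token cookie lacks the Secure attribute")
    return token

def portal_cookie(token):
    """Build the Set-Cookie value for the portal's vcloud_session_id cookie."""
    jar = SimpleCookie()
    jar["vcloud_session_id"] = token
    # Assumption: host-only cookie (no Domain attribute), sent over HTTPS only.
    jar["vcloud_session_id"]["path"] = "/"
    jar["vcloud_session_id"]["secure"] = True
    return jar["vcloud_session_id"].OutputString()

if __name__ == "__main__":
    status, headers = parse_login_response(SAMPLE_RESPONSE)
    print("Set-Cookie:", portal_cookie(extract_token(status, headers)))
```

Because the cookie value is a live session, the gateway should issue it only after its additional authentication step succeeds and should keep the token out of its logs.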
PS: Don’t worry, we are evaluating a security framework that will include controlling identities enterprise-wide, supporting more secure authentication methods and providing interoperability for our next releases.
References: vCloud API Programming Guide v1.5
Hope this helps,
EDITED: 29 Nov 22:25 CET, Included feedback from Michael Haines