There are times during troubleshooting where you like to see a particular attribute in Workspace ONE Identity (VMware Identity Manager) and its not displayed in the web portal or times when you would like to update a particular attribute or delete a JIT user.
DISCLAIMER: Please use the API with caution as this can potentially cause issues if not used appropriately. Please do NOT use in Production. Please use at your own risk.
In this blog we'll walk through a few useful API calls to help in your troubleshooting. For a complete list of API calls and documentation:
VMware Identity Manager API - VMware API Explorer - VMware {code}
Please download and install the latest version of Postman.
In this blog we'll go use the following API's:
- Get Specific User Details
- Update SCIM User
- Delete SCIM User
- Create SCIM User
Step 1: Getting your OAuth Token
In order do use the SCIM based API you need an OAuth token. I'm going to walk through two different ways of getting a token to use in your environment.
If you are going to access a particular environment quite often using postman I would suggest you go with Option 1. If its unlikely you will access a particular environment that often then you should go with Option 2.
Option 1: Creating an OAuth Application
- Log into Workspace ONE Identity Admin Console
- Click on the Catalog (down arrow) and select Settings
- Click "Remote App Access"
- Click Create Client
- Select "Service Access Token" from the Drop down menu
- Provide a Client ID ie. Postman
- Expand Advanced
- Click Generate Shared Secret (or provide one)
- Click Add
- We will configure Postman in the next section.
Option 2: Using your browser cookies
- Make sure you have a way of accessing your browser cookies. I use a Chrome plugin called "Edit this cookie"
- Log into your Workspace ONE Identity Admin Console
- Click the Cookie Icon in the chrome address bar
- Search for the "HZN" cookie
- Copy the value for HZN.
- We will configure Postman in the next section.
Step 2: Configure Postman to use your OAuth Token
Depending which option you chose in the previous step, follow the instructions below to add your OAuth Token
Option 1: Creating an OAuth Application
- Open a new Tab in Postman
- In the authorization section, select "OAuth 2.0" as the type:
- Click Get New Access Token
- Provide a Token Name (ie. Workspace ONE)
- Under "Auth URL", enter https:[Tenant URL]/SAAS/auth/oauth2/authorize
ie. https://dsas.vmwareidentity.com/SAAS/auth/oauth2/authorize - "Under Access Token URL", enter https:[Tenant URL]/SAAS/auth/oauthtoken
ie. https://dsas.vmwareidentity.com/SAAS/auth/oauthtoken - Under Client ID, enter your Client ID from step 1.
- Under Secret, enter your secret from step 1.
- Under Scope, leave blank.
- Under Grant Type, select "Client Credentials"
- Click Request Token
- Click on WorkspaceONE under Existing Tokens
- Select Use Token
- If you click on the headers tab you will see the "Authorization" header has been added with the correct token.
Option 2: Using your browser cookies
- Open a new Tab in Postman
- Click on the Headers Section
- Add the Header Key "Authorization"
- In the Value, type "Bearer" then paste the value of the HZN cookie.
Getting User Details
Now that you have your OAuth token, we can use this token to query Workspace ONE Identity.
- For the HTTP Method, select "GET"
- Enter the following for the URL: https://[TENANT URL]/SAAS/jersey/manager/api/scim/Users?filter=username%20eq%20%22MyUserID%22
- Replace MyUserID with a username in your environment
ie. https://dsas.vmwareidentity.com/SAAS/jersey/manager/api/scim/Users?filter=username%20eq%20%22sdsa%22 - This will return a complete result set of attributes for the particular user.
Updating User Details
In order to update user details via the API, you will need to collect some information from the Get User Details.
In my example, I'm going to update the "userPrincipalName" in Workspace ONE Access for one of my users.
- Perform a "Get" on the particular user and retrieve the schema information. Please note, this will be different for each tenant as the tenant name is part of the schema.
- Copy this section to notepad.
- Retrieve the section which contains the attribute(s) you want to update
- Copy the ID of the User
- Open a new Tab in Postman
- Add the Authorization Header as per the previous section.
- For the HTTP Method, select "PATCH"
- For the URL, enter: https://[TENANT URL]/SAAS/jersey/manager/api/scim/Users/[ID]
Replace the Tenant URL with your URL
Replace the ID with the ID from the step 4 in this section.
ie. https://dsas.vmwareidentity.com//SAAS/jersey/manager/api/scim/Users/884b7e7d-6a7b-4985-b113-56235826e8a6 - Select Body
- Enter the JSON in raw text that we'll post to Workspace ONE
- Select "JSON (application/json)" as the Content-Type
- Click Send
- You should receive a "204 No Content" response
- If you perform a GET User again you should see the value has changed.
Delete Users
If you are using JIT to onboard users into Workspace ONE Identity you've probably noticed there is no way to delete users in the web portal. They only way to delete is with the API.
- Perform a "Get" on the particular user and retrieve the ID
- Open a new Tab in Postman
- Add the Authorization Header as per the previous section.
- For the HTTP Method, select "DELETE"
- For the URL, enter: https://[TENANT URL]/SAAS/jersey/manager/api/scim/Users/[ID]
Replace the Tenant URL with your URL
Replace the ID with the ID from the step 4 in this section.
ie. https://dsas.vmwareidentity.com//SAAS/jersey/manager/api/scim/Users/f6f89782-0a2a-4cc8-84a8-057f1da6ecde - Click Send
- You should receive a "204 No Content" response
- If you perform a GET User again you should see no results found.
Create Users
Creating Users in Workspace ONE Identity require a lot more steps. I reluctantly decided to document the steps as this should really be done by the out of the box connectors. The process is slightly different between System Directory, Local Directory, and Other. The "Other" directory is created automatically when setting up the UEM/WS1 Integration.
Creating Users in the System Directory
- Open a new Tab in Postman
- Add the Authorization Header as per the previous section.
- For the HTTP Method, select "POST"
- For the URL, enter: https://[TENANT URL]/SAAS/jersey/manager/api/scim/Users
Replace the Tenant URL with your URL
Replace the ID with the ID from the step 4 in this section.
ie. https://dsas.vmwareidentity.com//SAAS/jersey/manager/api/scim/Users - Set the Content-Type to "application/json"
- Use the following as a sample:
{ "schemas": [ "urn:scim:schemas:core:1.0", "urn:scim:schemas:extension:workspace:tenant:sva:1.0", "urn:scim:schemas:extension:workspace:1.0", "urn:scim:schemas:extension:enterprise:1.0" ], "userName": "testing4@mydomain.com", "name": { "givenName": "first4", "familyName": "last4" }, "emails": [ { "value": "testing4@mydomain.com" } ], "password": "Password$!" }
Creating Users in a Local Directory
- Open a new Tab in Postman
- Add the Authorization Header as per the previous section.
- For the HTTP Method, select "POST"
- For the URL, enter: https://[TENANT URL]/SAAS/jersey/manager/api/scim/Users
Replace the Tenant URL with your URL
Replace the ID with the ID from the step 4 in this section.
ie. https://dsas.vmwareidentity.com//SAAS/jersey/manager/api/scim/Users - Set the Content-Type to "application/json"
- Use the following as a sample:
{ "schemas": [ "urn:scim:schemas:core:1.0", "urn:scim:schemas:extension:workspace:tenant:sva:1.0", "urn:scim:schemas:extension:workspace:1.0", "urn:scim:schemas:extension:enterprise:1.0" ], "userName": "testing5@mydomain.com", "name": { "givenName": "first5", "familyName": "last5" }, "emails": [ { "value": "testing5@mydomain.com" } ], "password": "Password$!", "urn:scim:schemas:extension:workspace:1.0": { "internalUserType": "LOCAL", "userStatus": "1", "domain": "mydomain.com" } }
Creating Users in an Other Directory
The steps to create a user in an other directory is almost identity to the local directory except that we need to know the "userStoreUuid" of the directory and we need an ExternalID. The External ID should be a valid ObjectGUID. If you don't have a valid ObjectGUID you will have problems when enrolling devices from the Workspace ONE Intelligent Hub application. Ensure that you generate a proper guid. See Online UUID Generator Toolas a example of a proper guid.
- Open a new Tab in Postman
- Add the Authorization Header as per the previous section.
- For the HTTP Method, select "GET"
- For the URL, enter: https://[TENANT URL]/SAAS/jersey/manager/api/connectormanagement/directoryconfigs?includeJitDirectories=true
Replace the Tenant URL with your URL
Replace the ID with the ID from the step 4 in this section.
ie. https://dsas.vmwareidentity.com/SAAS/jersey/manager/api/connectormanagement/directoryconfigs?includeJitDirectories=true - Click Send
- In the response, search for your "Other Directory" and copy the userStoreID
- Open a new Tab in Postman
- Add the Authorization Header as per the previous section.
- For the HTTP Method, select "POST"
- For the URL, enter: https://[TENANT URL]/SAAS/jersey/manager/api/scim/Users
Replace the Tenant URL with your URL
Replace the ID with the ID from the step 4 in this section.
ie. https://dsas.vmwareidentity.com//SAAS/jersey/manager/api/scim/Users - Set the Content-Type to "application/json"
- Use the following as a sample and don't forget the External ID.
{ "schemas": [ "urn:scim:schemas:core:1.0", "urn:scim:schemas:extension:workspace:tenant:sva:1.0", "urn:scim:schemas:extension:workspace:1.0", "urn:scim:schemas:extension:enterprise:1.0" ], "externalId": "c58085e6-c97a-4df3-8e4a-e376913fab17", "userName": "testing6@oktatest.com", "name": { "givenName": "test6", "familyName": "last6" }, "emails": [ { "value": "testing2@oktatest.com" } ], "password": "Password$!", "urn:scim:schemas:extension:workspace:1.0": { "internalUserType": "PROVISIONED", "userStatus": "1", "domain": "1dsavm.com", "userStoreUuid": "987dca12-22e3-4ec6-8958-110cca481c3d", "externalUserDisabled": false, "userPrincipalName": "testing6@mydomain.com" } }
Troubleshooting
It would be impossible to discuss every combination of errors that can be returned using the API. Here are a few common ones:
- If you receive the error "User is not authorized to perform the task.".
This error typically means that your Oauth Token has expired. Regenerate your OAuth Token. If you have used the browser cookies method to get your token, ensure that your HZN cookie is from the administrative interface. - When doing an update user, you receive the error ""???UNSUPPORTED_MEDIA_TYPE???""
This error means that you are sending a blank or incorrect Content-Type. Check to make sure the content-type is set to "application/json"