vIDM based authentication in vRSLCM | deep-dive |
Jul 28, 2022
Updated: Jun 30, 2023
I added an AD group to vRSLCM and gave all available roles to that group:
Content Developer
Content Release Manager
LCM Cloud Admin
Certificate Administrator
From a logs perspective, here are the actions performed in the background when you add a group and map roles to it.
### vIDM Search group task is initiated ###
2022-07-27 22:50:12.085 INFO [pool-3-thread-13] c.v.v.l.v.c.t.s.VidmSearchUserGroupTask - -- Starting :: vIDM Search User Group task
2022-07-27 22:50:12.359 INFO [pool-3-thread-13] c.v.v.l.v.d.r.c.VidmRestClient - -- API Response Status : 200 Response Message : {"totalResults":0,"itemsPerPage":0,"startIndex":1,"schemas":[],"Resources":[]}
2022-07-27 22:50:12.359 INFO [pool-3-thread-48] c.v.v.l.v.d.r.c.VidmRestClient - -- API Response Status : 200 Response Message : {"totalResults":0,"itemsPerPage":0,"startIndex":1,"schemas":[],"Resources":[]}
2022-07-27 22:50:12.362 INFO [pool-3-thread-48] c.v.v.l.v.d.r.u.VidmUserGroupMgmtRestUtil - -- Get User response : VidmRestClientResponseDTO [statusCode=200, responseMessage={"totalResults":0,"itemsPerPage":0,"startIndex":1,"schemas":[],"Resources":[]}]
2022-07-27 22:50:12.364 INFO [pool-3-thread-13] c.v.v.l.v.d.r.u.VidmUserGroupMgmtRestUtil - -- Get User response : VidmRestClientResponseDTO [statusCode=200, responseMessage={"totalResults":0,"itemsPerPage":0,"startIndex":1,"schemas":[],"Resources":[]}]
2022-07-27 22:50:12.367 INFO [pool-3-thread-48] c.v.v.l.c.l.MaskingPrintStream - -- * SYSOUT/SYSERR CAPTURED: -- Get User response : VidmRestClientResponseDTO [statusCode=200, responseMessage={"totalResults":0,"itemsPerPage":0,"startIndex":1,"schemas":[],"Resources":[]}]
2022-07-27 22:50:12.369 INFO [pool-3-thread-13] c.v.v.l.c.l.MaskingPrintStream - -- * SYSOUT/SYSERR CAPTURED: -- Get User response : VidmRestClientResponseDTO [statusCode=200, responseMessage={"totalResults":0,"itemsPerPage":0,"startIndex":1,"schemas":[],"Resources":[]}]
### Group Search Task is successful ###
2022-07-27 22:50:12.429 INFO [pool-3-thread-13] c.v.v.l.v.d.r.c.VidmRestClient - -- API Response Status : 200 Response Message : {"totalResults":1,"itemsPerPage":1,"startIndex":1,"schemas":["urn:scim:schemas:core:1.0","urn:scim:schemas:extension:workspace:1.0"],"Resources":[{"id":"7e8dbd36-da3b-4277-a42a-f3a3c5893faa","meta":{"created":"2022-02-14T00:56:55.862Z","lastModified":"2022-02-14T00:56:55.862Z","location":"https://idm.cap.org/SAAS/jersey/manager/api/scim/Groups/7e8dbd36-da3b-4277-a42a-f3a3c5893faa","version":"W/\"1644800215862\""},"displayName":"capadmins@cap.org","externalId":"05da97d4-1269-48a2-94e9-1b7e4e4c9ea5","urn:scim:schemas:extension:workspace:1.0":{"distinguishedName":"CN=capadmins,CN=Users,DC=cap,DC=org","domain":"cap.org","internalGroupType":"EXTERNAL"}}]}
2022-07-27 22:50:12.429 INFO [pool-3-thread-48] c.v.v.l.v.d.r.c.VidmRestClient - -- API Response Status : 200 Response Message : {"totalResults":2,"itemsPerPage":2,"startIndex":1,"schemas":["urn:scim:schemas:core:1.0","urn:scim:schemas:extension:workspace:1.0"],"Resources":[{"id":"5fcb2bcd-4270-483e-9718-34d6b9139614","meta":{"created":"2022-02-14T00:56:55.863Z","lastModified":"2022-02-14T00:56:55.863Z","location":"https://idm.cap.org/SAAS/jersey/manager/api/scim/Groups/5fcb2bcd-4270-483e-9718-34d6b9139614","version":"W/\"1644800215863\""},"displayName":"premadmins@cap.org","externalId":"20acbbd4-07d3-46ff-922c-a6c6daaf1664","urn:scim:schemas:extension:workspace:1.0":{"distinguishedName":"CN=premadmins,CN=Users,DC=cap,DC=org","domain":"cap.org","internalGroupType":"EXTERNAL"}},{"id":"7e8dbd36-da3b-4277-a42a-f3a3c5893faa","meta":{"created":"2022-02-14T00:56:55.862Z","lastModified":"2022-02-14T00:56:55.862Z","location":"https://idm.cap.org/SAAS/jersey/manager/api/scim/Groups/7e8dbd36-da3b-4277-a42a-f3a3c5893faa","version":"W/\"1644800215862\""},"displayName":"capadmins@cap.org","externalId":"05da97d4-1269-48a2-94e9-1b7e4e4c9ea5","urn:scim:schemas:extension:workspace:1.0":{"distinguishedName":"CN=capadmins,CN=Users,DC=cap,DC=org","domain":"cap.org","internalGroupType":"EXTERNAL"}}]}
2022-07-27 22:50:12.431 INFO [pool-3-thread-13] c.v.v.l.v.d.r.u.VidmUserGroupMgmtRestUtil - -- Get Group response : VidmRestClientResponseDTO [statusCode=200, responseMessage={"totalResults":1,"itemsPerPage":1,"startIndex":1,"schemas":["urn:scim:schemas:core:1.0","urn:scim:schemas:extension:workspace:1.0"],"Resources":[{"id":"7e8dbd36-da3b-4277-a42a-f3a3c5893faa","meta":{"created":"2022-02-14T00:56:55.862Z","lastModified":"2022-02-14T00:56:55.862Z","location":"https://idm.cap.org/SAAS/jersey/manager/api/scim/Groups/7e8dbd36-da3b-4277-a42a-f3a3c5893faa","version":"W/\"1644800215862\""},"displayName":"capadmins@cap.org","externalId":"05da97d4-1269-48a2-94e9-1b7e4e4c9ea5","urn:scim:schemas:extension:workspace:1.0":{"distinguishedName":"CN=capadmins,CN=Users,DC=cap,DC=org","domain":"cap.org","internalGroupType":"EXTERNAL"}}]}]
2022-07-27 22:50:12.708 INFO [pool-3-thread-48] c.v.v.l.c.l.MaskingPrintStream - -- * SYSOUT/SYSERR CAPTURED: -- Task Result : {"status":"SUCCESS","statusCode":200,"responseType":"com.vmware.vrealize.lcm.vidm.request.common.dto.ad.VidmFormattedUserNGrpListDTO","response":{"vidmUsers":[],"vidmGroups":[{"displayName":"premadmins@cap.org","groupType":"EXTERNAL","providerIdentifier":"5fcb2bcd-4270-483e-9718-34d6b9139614","domain":"cap.org","isDisabled":false,"groupMetadata":{"distinguishedName":"CN=premadmins,CN=Users,DC=cap,DC=org","externalId":"20acbbd4-07d3-46ff-922c-a6c6daaf1664","additionalMeta":[]}},{"displayName":"capadmins@cap.org","groupType":"EXTERNAL","providerIdentifier":"7e8dbd36-da3b-4277-a42a-f3a3c5893faa","domain":"cap.org","isDisabled":false,"groupMetadata":{"distinguishedName":"CN=capadmins,CN=Users,DC=cap,DC=org","externalId":"05da97d4-1269-48a2-94e9-1b7e4e4c9ea5","additionalMeta":[]}}]},"message":null,"currentState":null,"currentTask":null}
2022-07-27 22:50:12.708 INFO [pool-3-thread-48] c.v.v.l.p.a.s.Task - -- Injecting Edge :: OnVidmSearchUserGrpSuccess
*
*
2022-07-27 22:50:13.164 INFO [scheduling-1] c.v.v.l.a.c.EventProcessor - -- INITIALIZING NEW EVENT :: {
"vmid" : "ab8c333e-5019-4df7-969f-8511af14dac8",
"transactionId" : null,
"tenant" : "default",
"createdBy" : "root",
"lastModifiedBy" : "root",
"createdOn" : 1658962212711,
"lastUpdatedOn" : 1658962213127,
"version" : "8.1.0.0",
"vrn" : null,
"eventName" : "OnVidmSearchUserGrpSuccess",
"currentState" : null,
"eventArgument" : "{\"componentSpec\":{\"name\":\"componentSpec\",\"type\":\"com.vmware.vrealize.lcm.domain.ComponentDeploymentSpecification\",\"value\":\"{\\\"component\\\":{\\\"symbolicName\\\":\\\"searchusergrp\\\",\\\"type\\\":null,\\\"componentVersion\\\":null,\\\"properties\\\":{\\\"vidmSearchUserRequestDTO\\\":\\\"{\\\\\\\"vidmHost\\\\\\\":\\\\\\\"idm.cap.org\\\\\\\",\\\\\\\"vidmTenant\\\\\\\":null,\\\\\\\"useServiceClient\\\\\\\":false,\\\\\\\"isTenantConfiguredByPath\\\\\\\":false,\\\\\\\"vidmAdminUser\\\\\\\":\\\\\\\"admin\\\\\\\",\\\\\\\"vidmAdminPassword\\\\\\\":\\\\\\\"JXJXJXJX\\\\\\\",\\\\\\\"vidmOAuthServiceClientId\\\\\\\":\\\\\\\"Service__OAuth2Client\\\\\\\",\\\\\\\"vidmOAuthServiceClientSecret\\\\\\\":\\\\\\\"JXJXJXJX\\\\\\\",\\\\\\\"vidmDomainName\\\\\\\":\\\\\\\"cap.org\\\\\\\",\\\\\\\"baseTenantHostname\\\\\\\":KXKXKXKX,\\\\\\\"requestId\\\\\\\":null,\\\\\\\"searchString\\\\\\\":\\\\\\\"cap\\\\\\\"}\\\",\\\"isVcfUser\\\":\\\"false\\\",\\\"hostName\\\":\\\"idm.cap.org\\\",\\\"vidmTenant\\\":null,\\\"useServiceClient\\\":\\\"true\\\",\\\"__isTenantByPath\\\":\\\"false\\\",\\\"vidmOAuthServiceClientId\\\":\\\"Service__OAuth2Client\\\",\\\"vidmOAuthServiceClientSecret\\\":\\\"JXJXJXJX\\\",\\\"vidmAdminUser\\\":\\\"admin\\\",\\\"vidmAdminPassword\\\":\\\"JXJXJXJX\\\",\\\"vidmDomainName\\\":\\\"cap.org\\\",\\\"vidmBaseTenantHostname\\\":KXKXKXKX,\\\"searchString\\\":\\\"cap\\\"}},\\\"priority\\\":0}\"}}",
"status" : "CREATED",
"stateMachineInstance" : "556b76d2-a8a0-4489-a382-c13f565d6d5c",
"errorCause" : null,
"sequence" : 563259,
"eventLock" : 1,
"engineNodeId" : "lcm.cap.org"
}
### Role Mapping being performed ###
2022-07-27 22:50:34.634 INFO [http-nio-8080-exec-7] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Group Entity : Group [displayName=capadmins@cap.org, groupType=EXTERNAL, providerIdentifier=7e8dbd36-da3b-4277-a42a-f3a3c5893faa, domain=cap.org, isDisabled=false, groupMetadata={"distinguishedName":"CN=capadmins,CN=Users,DC=cap,DC=org","externalId":"05da97d4-1269-48a2-94e9-1b7e4e4c9ea5","additionalMeta":[]}]
2022-07-27 22:50:35.223 INFO [http-nio-8080-exec-7] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Group Role Mapping Entity : GroupRoleMapping [groupvmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, rolevmid=65da899f-8483-426c-a2a6-1cb5eb53260a]
2022-07-27 22:50:35.321 INFO [http-nio-8080-exec-7] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Group Role Mapping Entity : GroupRoleMapping [groupvmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, rolevmid=d5fea331-6576-407f-82b3-fd115541e059]
2022-07-27 22:50:35.322 INFO [http-nio-8080-exec-7] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Group Role Mapping Entity : GroupRoleMapping [groupvmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, rolevmid=eed92b61-31d2-4024-b550-a008e10c4c8d]
2022-07-27 22:50:35.323 INFO [http-nio-8080-exec-7] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Group Role Mapping Entity : GroupRoleMapping [groupvmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, rolevmid=f09ef48e-42ef-4613-8646-c62c56730c41]
2022-07-27 22:50:35.369 INFO [http-nio-8080-exec-7] c.v.v.l.c.l.MaskingPrintStream - -- * SYSOUT/SYSERR CAPTURED: -- Created Group vmid : 0d35fb24-84d2-4f5a-8c38-81b32120f08f
2022-07-27 22:50:35.552 INFO [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Group Role Mapping DTO : GroupRoleMappingDTO [groupvmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, rolevmid=65da899f-8483-426c-a2a6-1cb5eb53260a]
2022-07-27 22:50:35.552 INFO [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Group Role Mapping DTO : GroupRoleMappingDTO [groupvmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, rolevmid=d5fea331-6576-407f-82b3-fd115541e059]
2022-07-27 22:50:35.553 INFO [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Group Role Mapping DTO : GroupRoleMappingDTO [groupvmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, rolevmid=eed92b61-31d2-4024-b550-a008e10c4c8d]
2022-07-27 22:50:35.553 INFO [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Group Role Mapping DTO : GroupRoleMappingDTO [groupvmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, rolevmid=f09ef48e-42ef-4613-8646-c62c56730c41]
2022-07-27 22:50:35.554 INFO [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Role DTO : RoleDTO [vmid=65da899f-8483-426c-a2a6-1cb5eb53260a, roleName=Content Developer, roleDescription=Content developer]
2022-07-27 22:50:35.561 INFO [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Role DTO : RoleDTO [vmid=d5fea331-6576-407f-82b3-fd115541e059, roleName=Content Release Manager, roleDescription=Content Release Manager]
2022-07-27 22:50:35.562 INFO [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Role DTO : RoleDTO [vmid=eed92b61-31d2-4024-b550-a008e10c4c8d, roleName=LCM Cloud Admin, roleDescription=vRealize Lifecycle Manager Cloud Admin]
2022-07-27 22:50:35.563 INFO [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Role DTO : RoleDTO [vmid=f09ef48e-42ef-4613-8646-c62c56730c41, roleName=Certificate Administrator, roleDescription=Administrator for Certificate operations]
2022-07-27 22:50:35.564 INFO [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Group DTO : GroupDTO [vmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, displayName=capadmins@cap.org, groupType=EXTERNAL, providerIdentifier=7e8dbd36-da3b-4277-a42a-f3a3c5893faa, domain=cap.org, isDisabled=false, groupMetadata=GroupMetadataDTO [distinguishedName=CN=capadmins,CN=Users,DC=cap,DC=org, externalId=05da97d4-1269-48a2-94e9-1b7e4e4c9ea5, additionalMeta=[]], roleMappings=[RoleDTO [vmid=65da899f-8483-426c-a2a6-1cb5eb53260a, roleName=Content Developer, roleDescription=Content developer], RoleDTO [vmid=d5fea331-6576-407f-82b3-fd115541e059, roleName=Content Release Manager, roleDescription=Content Release Manager], RoleDTO [vmid=eed92b61-31d2-4024-b550-a008e10c4c8d, roleName=LCM Cloud Admin, roleDescription=vRealize Lifecycle Manager Cloud Admin], RoleDTO [vmid=f09ef48e-42ef-4613-8646-c62c56730c41, roleName=Certificate Administrator, roleDescription=Administrator for Certificate operations]]]
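The role grant logged above can be reconstructed from vmware_vrlcm.log for a change audit. The following is an added example, not part of the original post or of vRSLCM: it resolves the `GroupRoleMapping` entity lines to group and role names, using sample lines shortened from the excerpt above; the function name `role_grants` is hypothetical.

```python
import re
from collections import defaultdict

# Sample lines shortened from the vmware_vrlcm.log excerpt on this page
# (the Group DTO line is cut after isDisabled; values as shown in the post).
SAMPLE_LOG = """\
2022-07-27 22:50:35.223 INFO [http-nio-8080-exec-7] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Group Role Mapping Entity : GroupRoleMapping [groupvmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, rolevmid=65da899f-8483-426c-a2a6-1cb5eb53260a]
2022-07-27 22:50:35.321 INFO [http-nio-8080-exec-7] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Group Role Mapping Entity : GroupRoleMapping [groupvmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, rolevmid=d5fea331-6576-407f-82b3-fd115541e059]
2022-07-27 22:50:35.322 INFO [http-nio-8080-exec-7] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Group Role Mapping Entity : GroupRoleMapping [groupvmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, rolevmid=eed92b61-31d2-4024-b550-a008e10c4c8d]
2022-07-27 22:50:35.323 INFO [http-nio-8080-exec-7] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Group Role Mapping Entity : GroupRoleMapping [groupvmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, rolevmid=f09ef48e-42ef-4613-8646-c62c56730c41]
2022-07-27 22:50:35.554 INFO [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Role DTO : RoleDTO [vmid=65da899f-8483-426c-a2a6-1cb5eb53260a, roleName=Content Developer, roleDescription=Content developer]
2022-07-27 22:50:35.561 INFO [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Role DTO : RoleDTO [vmid=d5fea331-6576-407f-82b3-fd115541e059, roleName=Content Release Manager, roleDescription=Content Release Manager]
2022-07-27 22:50:35.562 INFO [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Role DTO : RoleDTO [vmid=eed92b61-31d2-4024-b550-a008e10c4c8d, roleName=LCM Cloud Admin, roleDescription=vRealize Lifecycle Manager Cloud Admin]
2022-07-27 22:50:35.563 INFO [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Role DTO : RoleDTO [vmid=f09ef48e-42ef-4613-8646-c62c56730c41, roleName=Certificate Administrator, roleDescription=Administrator for Certificate operations]
2022-07-27 22:50:35.564 INFO [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Group DTO : GroupDTO [vmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, displayName=capadmins@cap.org, groupType=EXTERNAL, providerIdentifier=7e8dbd36-da3b-4277-a42a-f3a3c5893faa, domain=cap.org, isDisabled=false]
"""

# "Entity" lines appear in the excerpt when the mapping is created;
# "DTO" lines only supply the names used to resolve the identifiers.
MAPPING = re.compile(r"Group Role Mapping Entity : GroupRoleMapping "
                     r"\[groupvmid=([0-9a-f-]+), rolevmid=([0-9a-f-]+)\]")
ROLE = re.compile(r"Role DTO : RoleDTO \[vmid=([0-9a-f-]+), roleName=(.+?), roleDescription=")
GROUP = re.compile(r"Group DTO : GroupDTO \[vmid=([0-9a-f-]+), displayName=([^,]+),")


def role_grants(log_text):
    """Map each group to the roles granted to it, in the order they were logged.

    Identifiers that no Role DTO / Group DTO line resolves are kept as raw
    vmids, so a partial log still yields a usable result.
    """
    grants, role_names, group_names = [], {}, {}
    for line in log_text.splitlines():
        if m := MAPPING.search(line):
            grants.append(m.groups())
        elif m := ROLE.search(line):
            role_names[m.group(1)] = m.group(2)
        elif m := GROUP.search(line):
            group_names[m.group(1)] = m.group(2)

    result = defaultdict(list)
    for group_id, role_id in grants:
        group = group_names.get(group_id, group_id)
        role = role_names.get(role_id, role_id)
        if role not in result[group]:  # the same grant may be logged twice
            result[group].append(role)
    return dict(result)


if __name__ == "__main__":
    for group, roles in role_grants(SAMPLE_LOG).items():
        print(group, "->", ", ".join(roles))
```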
I will now log in as one of the members of the AD group. Since I am using vIDM as my authentication source, I’ll switch to it rather than the local user and then click on “LOGIN WITH IDENTITY MANAGER”.
I have 2 domains and I’ll be using the first one, CAP.ORG, as the group to which the permissions have been assigned belongs to this domain.
User logs in
So authentication and authorization are now complete.
Next, understanding the login sequence from a logs perspective.
### Password-based authentication is started by the connector as soon as you click Sign in after entering the username and password ###
### Reference: connector.log ( vidm ) ###
2022-07-27T23:09:13,502 INFO (Thread-10) [IDM;-;10.104.68.224;] com.vmware.horizon.adapters.passwordAdapter.PasswordIdpAdapter - attribute : email
2022-07-27T23:09:13,502 INFO (Thread-10) [IDM;-;10.104.68.224;] com.vmware.horizon.adapters.passwordAdapter.PasswordIdpAdapter - User Email attribute :
2022-07-27T23:09:13,502 INFO (Thread-10) [IDM;-;10.104.68.224;] com.vmware.horizon.adapters.passwordAdapter.PasswordIdpAdapter - outside if : email HIDDEN
2022-07-27T23:09:13,502 INFO (Thread-10) [IDM;-;10.104.68.224;] com.vmware.horizon.adapters.passwordAdapter.PasswordIdpAdapter - attribute : userInput
2022-07-27T23:09:13,502 INFO (Thread-10) [IDM;-;10.104.68.224;] com.vmware.horizon.adapters.passwordAdapter.PasswordIdpAdapter - outside if : userInput HIDDEN
2022-07-27T23:09:13,502 INFO (Thread-10) [IDM;-;10.104.68.224;] com.vmware.horizon.adapters.passwordAdapter.PasswordIdpAdapter - attribute : username
2022-07-27T23:09:13,502 INFO (Thread-10) [IDM;-;10.104.68.224;] com.vmware.horizon.adapters.passwordAdapter.PasswordIdpAdapter - attribute : password
2022-07-27T23:09:13,502 INFO (Thread-10) [IDM;-;10.104.68.224;] com.vmware.horizon.adapters.passwordAdapter.PasswordIdpAdapter - attribute : forgotPasswd
2022-07-27T23:09:13,502 INFO (Thread-10) [IDM;-;10.104.68.224;] com.vmware.horizon.adapters.passwordAdapter.PasswordIdpAdapter - attribute : signIn
2022-07-27T23:09:29,395 INFO (Thread-3) [IDM;-;10.104.68.224;] com.vmware.horizon.directory.ldap.LdapDirectoryService - Password-based authentication: arun@cap.org - BEGIN
2022-07-27T23:09:29,433 INFO (Thread-3) [IDM;-;10.104.68.224;] com.vmware.horizon.directory.ldap.dc.service.context.JNDIContextFetcher - LDAP Context env Json Values: {
"java.naming.factory.initial" : "com.sun.jndi.ldap.LdapCtxFactory",
"javax.security.sasl.server.authentication" : "true",
"com.sun.jndi.ldap.connect.timeout" : "5000",
"java.naming.ldap.attributes.binary" : "objectGUID pae-IconData objectSid securityIdentifier",
"javax.security.sasl.strength" : "high,medium,low",
"javax.security.sasl.qop" : "auth-conf,auth-int,auth",
"com.sun.jndi.ldap.read.timeout" : "600000",
"java.naming.provider.url" : "ldap://ad.cap.org:389",
"java.naming.security.authentication" : "GSSAPI"
}
### Password based authentication is now successful ###
2022-07-27T23:09:29,443 INFO (Thread-3) [IDM;-;10.104.68.224;] com.vmware.horizon.directory.ldap.LdapDirectoryService - Password-based authentication: arun@cap.org - SUCCESS
### States login is successful for user: arun ###
2022-07-27T23:09:29,443 INFO (Thread-3) [IDM;-;10.104.68.224;] com.vmware.horizon.adapters.passwordAdapter.PasswordIdpAdapter - Login: arun - SUCCESS
2022-07-27T23:09:29,443 INFO (Thread-3) [IDM;-;10.104.68.224;] com.vmware.horizon.connector.controller.AdapterLoginController - samlRequestInfo: SamlRequestInfo[acsUrl=https://idm.cap.org/SAAS/auth/saml/response,relayState=dfe41fd6-446a-4945-9a55-91534817100d,nameId=<null>,requestId=_35a6cdf1404211eefc1b8baed576d91b,authnContextClassRefList=[urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport]]
2022-07-27T23:09:29,444 INFO (Thread-3) [IDM;-;10.104.68.224;] com.vmware.horizon.connector.controller.IdPInitiatedSSOController - samlRequestInfo: SamlRequestInfo[acsUrl=https://idm.cap.org/SAAS/auth/saml/response,relayState=dfe41fd6-446a-4945-9a55-91534817100d,nameId=<null>,requestId=_35a6cdf1404211eefc1b8baed576d91b,authnContextClassRefList=[urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport]]
--------------------------------------------------------------------------
### horizon.log in vIDM states login succeeded after connector confirms it ###
### Reference: horizon.log ###
2022-07-27T23:09:30,131 INFO (Thread-3) [IDM;-;10.104.68.224;] com.vmware.horizon.components.authentication.monitoring.LoginMetricsPublisher - Login succeeded.
--------------------------------------------------------------------------
### Reference: vmware_vrlcm.log ( lcm ) ###
### Once horizon confirms that authentication for user arun is successful, vRSLCM detects that there is an incoming token ###
2022-07-27 23:09:30.583 INFO [http-nio-8080-exec-2] c.v.v.l.a.c.VMwareUserAuthenticationConverter - -- UserAuthenticationConverter Incoming token : {jti=2396d4fc-69d7-442e-845c-05e77eb3bc88, prn=arun@IDM, domain=cap.org, user_id=87, auth_time=1658963370, iss=https://idm.cap.org/SAAS/auth, aud=https://idm.cap.org/SAAS/auth/oauthtoken, ctx=[{"mtd":"urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","iat":KXKXKXKX,"id":15}], scp=admin user, idp=0, eml=arun@cap.org, cid=vRLCMOAuth2client3c59ac4aefcf4301931942bb58277d95, did=, wid=, rules={expiry=1658965170, rules=[{resources=[*], actions=[acs:readRuleSets, dm:read, ug:read, ent:read, ctg:read, tnts:read, rpt:*], conditions=null}], link=https://idm.cap.org:443/acs/rules/me}, exp=1659568170, iat=1658963370, sub=91fb23fd-6ce1-4f69-a556-ce2ceffbef4a, prn_type=USER}
### The API response is deciphered; it has all properties of the user, the group memberships he has and the properties of the user object in AD ###
2022-07-27 23:09:30.678 INFO [http-nio-8080-exec-2] c.v.v.l.u.RestHelper - -- RestHelper execute methode connection.getResponseCode : 200
2022-07-27 23:09:30.682 INFO [http-nio-8080-exec-2] c.v.v.l.a.c.VMwareUserAuthenticationConverter - -- Current Authenticated user info API Response status : 200 Response data : {"schemas":["urn:scim:schemas:core:1.0","urn:scim:schemas:extension:workspace:1.0","urn:scim:schemas:extension:enterprise:1.0","urn:scim:schemas:extension:workspace:mfa:1.0"],"externalId":"89df3116-462b-4794-94ea-a0fed01772b6","active":true,"userName":"arun","id":"91fb23fd-6ce1-4f69-a556-ce2ceffbef4a","meta":{"created":"2021-12-07T05:39:56.929Z","lastModified":"2022-03-02T00:56:29.730Z","location":"https://idm.cap.org/SAAS/jersey/manager/api/scim/Users/91fb23fd-6ce1-4f69-a556-ce2ceffbef4a","version":"W/\"1646182589730\""},"name":{"givenName":"Arun","familyName":"Nukula"},"emails":[{"value":"arun@cap.org"}],"phoneNumbers":[{"value":""}],"groups":[{"value":"237386ee-7f61-4d3a-93fa-1569d4bf673a","type":"direct","display":"ALL USERS"},{"value":"7e8dbd36-da3b-4277-a42a-f3a3c5893faa","type":"direct","display":"capadmins@cap.org"}],"roles":[{"value":"84a56b68-f8d5-4b9e-a365-92ef2adb3fb3","display":"User"},{"value":"55048dee-fe1b-404a-936d-3e0b86a7209e","display":"Administrator"}],"urn:scim:schemas:extension:workspace:1.0":{"internalUserType":"PROVISIONED","distinguishedName":"CN=Arun Nukula,CN=Users,DC=cap,DC=org","userStatus":"1","domain":"cap.org","userStoreUuid":"3d7e1efd-2589-4fed-b86d-105d076cdbda","externalUserDisabled":false,"userPrincipalName":"arun@cap.org"}}
### Group-to-role mapping is performed. What we've seen until now is authentication; now it's time for authorization ###
2022-07-27 23:09:30.691 INFO [http-nio-8080-exec-2] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Group Role Mapping DTO : GroupRoleMappingDTO [groupvmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, rolevmid=65da899f-8483-426c-a2a6-1cb5eb53260a]
2022-07-27 23:09:30.705 INFO [http-nio-8080-exec-2] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Group Role Mapping DTO : GroupRoleMappingDTO [groupvmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, rolevmid=d5fea331-6576-407f-82b3-fd115541e059]
2022-07-27 23:09:30.706 INFO [http-nio-8080-exec-2] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Group Role Mapping DTO : GroupRoleMappingDTO [groupvmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, rolevmid=eed92b61-31d2-4024-b550-a008e10c4c8d]
2022-07-27 23:09:30.706 INFO [http-nio-8080-exec-2] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Group Role Mapping DTO : GroupRoleMappingDTO [groupvmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, rolevmid=f09ef48e-42ef-4613-8646-c62c56730c41]
2022-07-27 23:09:30.707 INFO [http-nio-8080-exec-2] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Role Extended DTO : RoleExDTO [vmid=65da899f-8483-426c-a2a6-1cb5eb53260a, roleName=Content Developer, roleDescription=Content developer, authorities=CONTENT_DEVELOPER, isInternal=false]
2022-07-27 23:09:30.714 INFO [http-nio-8080-exec-2] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Role Extended DTO : RoleExDTO [vmid=d5fea331-6576-407f-82b3-fd115541e059, roleName=Content Release Manager, roleDescription=Content Release Manager, authorities=RELEASE_MANAGER, isInternal=false]
2022-07-27 23:09:30.715 INFO [http-nio-8080-exec-2] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Role Extended DTO : RoleExDTO [vmid=eed92b61-31d2-4024-b550-a008e10c4c8d, roleName=LCM Cloud Admin, roleDescription=vRealize Lifecycle Manager Cloud Admin, authorities=LCM_CLOUD_ADMIN, isInternal=false]
2022-07-27 23:09:30.715 INFO [http-nio-8080-exec-2] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Role Extended DTO : RoleExDTO [vmid=f09ef48e-42ef-4613-8646-c62c56730c41, roleName=Certificate Administrator, roleDescription=Administrator for Certificate operations, authorities=LOCKER_CERTIFICATE_ADMIN, isInternal=false]
### It identifies that the group has following roles given ###
2022-07-27 23:09:30.716 INFO [http-nio-8080-exec-2] c.v.v.l.a.c.AuthznCustomObjectMapper - -- Group Extended DTO : GroupExDTO [vmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, displayName=capadmins@cap.org, groupType=EXTERNAL, providerIdentifier=7e8dbd36-da3b-4277-a42a-f3a3c5893faa, domain=cap.org, isDisabled=false, groupMetadata=GroupMetadataDTO [distinguishedName=CN=capadmins,CN=Users,DC=cap,DC=org, externalId=05da97d4-1269-48a2-94e9-1b7e4e4c9ea5, additionalMeta=[]], roleMappings=[RoleExDTO [vmid=65da899f-8483-426c-a2a6-1cb5eb53260a, roleName=Content Developer, roleDescription=Content developer, authorities=CONTENT_DEVELOPER, isInternal=false], RoleExDTO [vmid=d5fea331-6576-407f-82b3-fd115541e059, roleName=Content Release Manager, roleDescription=Content Release Manager, authorities=RELEASE_MANAGER, isInternal=false], RoleExDTO [vmid=eed92b61-31d2-4024-b550-a008e10c4c8d, roleName=LCM Cloud Admin, roleDescription=vRealize Lifecycle Manager Cloud Admin, authorities=LCM_CLOUD_ADMIN, isInternal=false], RoleExDTO [vmid=f09ef48e-42ef-4613-8646-c62c56730c41, roleName=Certificate Administrator, roleDescription=Administrator for Certificate operations, authorities=LOCKER_CERTIFICATE_ADMIN, isInternal=false]]]
### All authorities or roles for the user are declared or shown below ###
2022-07-27 23:09:30.721 INFO [http-nio-8080-exec-2] c.v.v.l.a.c.VMwareUserAuthenticationConverter - -- All Authorities of Current Authenticated user : [CONTENT_DEVELOPER, RELEASE_MANAGER, LCM_CLOUD_ADMIN, LOCKER_CERTIFICATE_ADMIN]
2022-07-27 23:09:30.721 INFO [http-nio-8080-exec-2] c.v.v.l.a.c.VMwareUserAuthenticationConverter - -- Authenticated Principal : arun@IDM##cap.org##Arun Nukula Trimmed username : arun Domain : cap.org Display Name : Arun Nukula
2022-07-27 23:09:32.612 INFO [http-nio-8080-exec-3] c.v.v.l.r.s.RequestServiceImpl - -- Authentication object is not null org.springframework.security.oauth2.provider.OAuth2Authentication@5cd44a9d: Principal: arun@IDM##cap.org##Arun Nukula; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=10.104.68.224, sessionId=<SESSION>, tokenType=BearertokenValue=<TOKEN>; Granted Authorities: CONTENT_DEVELOPER, RELEASE_MANAGER, LCM_CLOUD_ADMIN, LOCKER_CERTIFICATE_ADMIN
2022-07-27 23:09:32.622 INFO [http-nio-8080-exec-3] c.v.v.l.l.u.RequestSubmissionUtil - -- Generic Request Response : {
"requestId" : "ca78956f-83e9-4d61-a52c-85b9f148e2b3"
}
2022-07-27 23:09:32.651 INFO [http-nio-8080-exec-9] c.v.v.l.r.s.RequestServiceImpl - -- Authentication object is not null org.springframework.security.oauth2.provider.OAuth2Authentication@5cd44a9d: Principal: arun@IDM##cap.org##Arun Nukula; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=10.104.68.224, sessionId=<SESSION>, tokenType=BearertokenValue=<TOKEN>; Granted Authorities: CONTENT_DEVELOPER, RELEASE_MANAGER, LCM_CLOUD_ADMIN, LOCKER_CERTIFICATE_ADMIN
2022-07-27 23:09:32.663 INFO [http-nio-8080-exec-4] c.v.v.l.a.c.AuthznCustomObjectMapper - -- User Extended DTO : UserDTO [vmid=caa4d554-2dbf-45a9-b070-15b09fd76c7d, username=serviceadmin@local, password=KXKXKXKX, userType=LCM_LOCAL_USER, displayName=LCM Service Admin, providerIdentifier=null, domain=LCM Local, isDisabled=false, userPrincipalName=null, userMetadata=null, roleMappings=[RoleExDTO [vmid=964b87a9-aae8-4f1c-bd77-2fabfb7c69a5, roleName=LCM Service Admin, roleDescription=vRealize Lifecycle Manager Service Admin, authorities=LCM_SERVICE_ADMIN, isInternal=true]]]
### Confirms authentication or login is completed ###
2022-07-27 23:10:33.082 INFO [http-nio-8080-exec-9] c.v.v.l.s.n.s.NotificationServiceImpl - -- Authentication object is not null org.springframework.security.oauth2.provider.OAuth2Authentication@5cd44a9d: Principal: arun@IDM##cap.org##Arun Nukula; Credentials: [PROTECTED]; Authenticated: true
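As an added example (not from the original post or from vRSLCM), the login lines above can be turned into one audit record per login: who logged in, which authorities were granted, and how long the token is valid (`exp` minus `iat`). The sample lines are shortened from the excerpts above; `audit_logins`, `token_lifetime` and the `WATCHED` set are assumptions chosen for illustration.

```python
import re

# Sample lines shortened from the vmware_vrlcm.log excerpts on this page
# (some token claims trimmed; remaining values as shown in the post).
SAMPLE_LOG = """\
2022-07-27 23:09:30.583 INFO [http-nio-8080-exec-2] c.v.v.l.a.c.VMwareUserAuthenticationConverter - -- UserAuthenticationConverter Incoming token : {jti=2396d4fc-69d7-442e-845c-05e77eb3bc88, prn=arun@IDM, domain=cap.org, user_id=87, auth_time=1658963370, iss=https://idm.cap.org/SAAS/auth, scp=admin user, eml=arun@cap.org, rules={expiry=1658965170, rules=[{resources=[*]}]}, exp=1659568170, iat=1658963370, prn_type=USER}
2022-07-27 23:09:30.721 INFO [http-nio-8080-exec-2] c.v.v.l.a.c.VMwareUserAuthenticationConverter - -- All Authorities of Current Authenticated user : [CONTENT_DEVELOPER, RELEASE_MANAGER, LCM_CLOUD_ADMIN, LOCKER_CERTIFICATE_ADMIN]
2022-07-27 23:09:30.721 INFO [http-nio-8080-exec-2] c.v.v.l.a.c.VMwareUserAuthenticationConverter - -- Authenticated Principal : arun@IDM##cap.org##Arun Nukula Trimmed username : arun Domain : cap.org Display Name : Arun Nukula
"""

# Assumption: which authorities deserve review is local policy, not from the post.
WATCHED = {"LCM_CLOUD_ADMIN", "LOCKER_CERTIFICATE_ADMIN"}

LINE = re.compile(r"^(\S+ \S+) \w+ +\[([^\]]+)\] \S+ - -- (.*)$")
# \b plus "=" keeps "exp" from matching "expiry" and "prn" from matching "prn_type".
CLAIM = re.compile(r"\b(prn|domain|iat|exp)=([^,}]+)")
AUTHZ = re.compile(r"All Authorities of Current Authenticated user : \[(.*)\]")
PRINCIPAL = re.compile(
    r"Authenticated Principal : .+? Trimmed username : (\S+) Domain : (\S+)")


def token_lifetime(claims):
    """Seconds between iat and exp, or None if either claim is missing or masked."""
    iat, exp = claims.get("iat", ""), claims.get("exp", "")
    return int(exp) - int(iat) if iat.isdigit() and exp.isdigit() else None


def audit_logins(log_text, watched=WATCHED):
    """Return one record per login, correlating lines by request thread."""
    pending, done = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines of multi-line JSON, separators, etc.
        ts, thread, msg = m.groups()
        if "Incoming token" in msg:
            claims = dict(CLAIM.findall(msg))
            pending[thread] = {"time": ts, "prn": claims.get("prn"),
                               "token_lifetime_s": token_lifetime(claims),
                               "authorities": []}
        elif (a := AUTHZ.search(msg)) and thread in pending:
            pending[thread]["authorities"] = [
                x.strip() for x in a.group(1).split(",") if x.strip()]
        elif (p := PRINCIPAL.search(msg)) and thread in pending:
            rec = pending.pop(thread)
            rec["username"], rec["domain"] = p.groups()
            rec["watched"] = [x for x in rec["authorities"] if x in watched]
            done.append(rec)
    return done


if __name__ == "__main__":
    for rec in audit_logins(SAMPLE_LOG):
        print(rec)
```

For the token shown in the post, `exp` is 604800 seconds (7 days) after `iat`, while the `rules` block carries its own `expiry` 1800 seconds after `iat`.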
Next, understanding the logout sequence from a logs perspective.
### vmware_vrlcm.log ###
### Invalidates the access token when a user logs out. That's it ###
2022-07-27 23:29:36.197 INFO [http-nio-8080-exec-5] c.v.v.l.a.c.CustomLogoutSuccessHandler - -- Invaldiating vIDM access token. vIDM Logout url : https://idm.cap.org/SAAS/auth/logout?dest=https://lcm.cap.org/login