VMware Aria Automation Orchestrator

  • 1.  HoK token for accessing vRO via REST call [powershell]

    Posted Apr 24, 2020 04:11 PM

    Hello,

    I am having difficulties sending a REST query to vRO (8.1). On the

    /vco/api/docs/index.html#!/workflow45controller/getAllWorkflowsUsingGET

    it is written that:

    Single Sign-On Authentication

    If Orchestrator is configured with the vCenter Single Sign-On (SSO) server, you need a principal holder-of-key (HoK) token to access system objects in Orchestrator through the REST API.

    The HoK token is passed as a request Authorization header element. The value must be gzip, base64
    encoded string.

    So in my understanding I should add the Authorization header:

        $header = @{'Content-Type'= 'application/json';'Authorization' = $encodedANDgzippedtoken }
        Invoke-WebRequest -Uri 'https://vro816.greg.labs:443/vco/api/org/{id}/workflows?maxResult=3&queryCount=false' -Headers $header

    So I have obtained the HoK token, for the moment utilizing the SDK examples:

    Function ConvertTo-GZipString {
        [CmdletBinding()]
        Param(
            [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelinebyPropertyName=$True)]
            $String
        )
        Process {
            $String | ForEach-Object {
                # gzip the string (UTF-8, no BOM) into a memory buffer, then base64 the buffer
                $ms = New-Object System.IO.MemoryStream
                $cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
                $sw = New-Object System.IO.StreamWriter($cs)
                $sw.Write($_)
                $sw.Close()   # closing the writer flushes and finalizes the gzip stream
                [System.Convert]::ToBase64String($ms.ToArray())
            }
        }
    }

      

    Add-Type -Path 'd:\sdk67\VMware-vSphere-SDK-6.7.0-14379537\SDK\ssoclient\dotnet\cs\samples\VMware.Binding.WsTrust\bin\Debug\VMware.Binding.WsTrust.dll'
    Add-Type -Path 'd:\sdk67\VMware-vSphere-SDK-6.7.0-14379537\SDK\ssoclient\dotnet\cs\samples\VMware.Binding.WsTrust\bin\Debug\STSService.dll'

    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls11 -bor [System.Net.SecurityProtocolType]::Tls12
    [VMware.Binding.WsTrust.SamlTokenHelper]::SetupServerCertificateValidation()

    # Certificate whose key the STS binds into the token (holder-of-key)
    $signingCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $signingCertificate.Import('c:\vro\greg\greg3.pfx','greg3',[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet)

    # Request a HoK token from the vCenter STS
    $service = [VMware.Binding.WsTrust.SamlTokenHelper]::GetSTSService('https://vc001.greg.labs:7444/sts/STSService','administrator@vsphere.local','VMware1!',$signingCertificate)
    $token = [VMware.Binding.WsTrust.SamlTokenHelper]::GetHokRequestSecurityTokenType()
    $token.SignatureAlgorithm = [vmware.sso.SignatureAlgorithmEnum]::httpwwww3org200104xmldsigmorersasha256
    $response = $service.Issue($token)
    $responsetoken = $response.RequestSecurityTokenResponse.RequestedSecurityToken

    # This part has to be gzipped and base64 encoded
    $responsetokenInsideXML = $responsetoken.InnerXml -replace "\r?\n"
    $encodedANDgzippedtoken = ConvertTo-GZipString -String $responsetokenInsideXML
    $header = @{'Content-Type'= 'application/json';'Authorization' = $encodedANDgzippedtoken }
    Invoke-WebRequest -Uri 'https://vro816.greg.labs:443/vco/api/org/{id}/workflows?maxResult=3&queryCount=false' -Headers $header

      

    and I end up with a bad request:

    PS C:\Users\Grzesiek>     Invoke-WebRequest -Uri 'https://vro816.greg.labs:443/vco/api/org/{id}/workflows?maxResult=3&queryCount=false' -Headers $header
    Invoke-WebRequest : Created with Sketch.
    401
    Unauthorized
    At line:1 char:5
    +     Invoke-WebRequest -Uri 'https://vro816.greg.labs:443/vco/api/org/ ...

    It's the same if I use curl, same 500 response.

    My response token is:

    PS C:\Users\Grzesiek> $responsetoken
    saml2              : urn:oasis:names:tc:SAML:2.0:assertion
    xsd                : http://www.w3.org/2001/XMLSchema
    xsi                : http://www.w3.org/2001/XMLSchema-instance
    ID                 : _1e9be9d7-4373-42e8-aedd-06ec641ab139
    IssueInstant       : 2020-04-24T15:43:04.350Z
    Version            : 2.0
    Issuer             : Issuer
    Signature          : Signature
    Subject            : Subject
    Conditions         : Conditions
    AuthnStatement     : AuthnStatement
    AttributeStatement : AttributeStatement

    I am doing InnerXml on it to get only its content, so it will lose the <assertion/>:

    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_1e9be9d7-4373-42e8-aedd-06ec641ab139" IssueInstant="2020-04-24T15:43:04.350Z" Version="2.0">

    This is how one person wrote in 2015 on communities:

    vco REST API Holder of key Authorization

    ---


    In that post he wrote:

    "
    Here's a snippet of perl code I use. I take everything between <saml2:Assertion> and </saml2:Assertion>, not including those tags and call that $token.
    Then I:

    gzip \$token => \$gzipped;
    $encoded = encode_base64($gzipped);
    $encoded =~ s/\n//g;
    $restClient->addHeader('Authorization',   'SIGN token="' . $encoded . '", nonce="' . $nonce . '", signature_alg="RSA-SHA256",' . ' signature="' . $sig . '"');
    "

    So that's why I have removed this assertion tag as well.

    I did tests with and without. Still the same result. Also the same result whether I remove the new lines or not.

    Can anybody point me in the right direction?

    I also did a version like the person mentioned in his post; not sure if that's how it's supposed to be, or if it is outdated, as the person wrote this in 2015.

    $response = $service.Issue($token)
    $responsetoken = $response.RequestSecurityTokenResponse.RequestedSecurityToken

    # This part has to be gzipped and base64 encoded
    #$responsetokenInsideXML = $responsetoken.InnerXml
    $responsetokenInsideXML = $responsetoken.InnerXml -replace "\r?\n"
    # Note: this takes the assertion's own XML-DSig SignatureValue as the "signature" field
    $sig = $responsetoken.Signature.SignatureValue.Replace("`n","")
    $encodedANDgzipped = ConvertTo-GZipString -String $responsetokenInsideXML
    $nonce = '143210500:asdfsd'

    # Perl original: $restClient->addHeader('Authorization',   'SIGN token="' . $encoded . '", nonce="' . $nonce . '", signature_alg="RSA-SHA256",' . ' signature="' . $sig . '"');
    $headervalue = 'SIGN token="{0}", nonce="{1}", signature_alg="RSA-SHA256", signature="{2}"' -f $encodedANDgzipped,$nonce,$sig
    $header = @{'Authorization' = $headervalue}
    Invoke-WebRequest -Uri 'https://vro816.greg.labs:443/vco/api/org/{id}/workflows?maxResult=3&queryCount=false' -Headers $header

    But this is also failing. As you can see, I have used his format for the Authorization header: SIGN token, nonce, sig alg, sig.

    I am really out of ideas.

    When I read the documentation on the vRO page literally, it does not mention doing any sign token, sig, etc.

    It says to paste the gzipped/base64 HoK. So if I am on the same page, if the HoK is just the XML that I pasted, I have to gzip/base64 it and then put this into the Authorization header, then what am I doing wrong?

    Any ideas ?

    Thank you all in advance for any hints.



  • 2.  RE: HoK token for accessing vRO via REST call [powershell]
    Best Answer

    Posted May 18, 2020 11:31 AM

    Tiny update,

    I have received this description from support; the correct form for the Authorization header is:

    Description:
    -------
    token              REQUIRED. The SAML2 token identifying the caller. The value is calculated as BASE64(GZIP(SAML2)).

    nonce              REQUIRED. A unique string generated by the client allowing the server to identify replay attacks and reject such requests.
      The strings must be unique across all requests of a single client. The definition is as specified in Section 3.1
      of draft-ietf-oauth-v2-http-mac (http://tools.ietf.org/id/draft-ietf-oauth-v2-http-mac-00.txt) with one difference - the first component should be the current time expressed in
      the number of milliseconds since January 1, 1970 00:00:00 GMT with no leading zeros.

    bodyhash           OPTIONAL. A hash value computed as described in Section 3.2 of draft-ietf-oauth-v2-http-mac (http://tools.ietf.org/id/draft-ietf-oauth-v2-http-mac-00.txt) over the entire HTTP request
      entity body (as defined in Section 7.2 of RFC 2616(http://www.ietf.org/rfc/rfc2616.txt)). Note that the body hash may be missing only if there is no
      request body, i.e. empty body. Otherwise it is required.

    signature_alg      REQUIRED. The signature algorithm used by the client to sign the request - "RSA-SHA256", "RSA-SHA384" and "RSA-SHA512"

    signature          REQUIRED. A message signature calculated over the normalized request as
      BASE64(signature-algorithm(private key, request)). The request normalization is done
      as defined in Section 3.3.1 of draft-ietf-oauth-v2-http-mac (http://tools.ietf.org/id/draft-ietf-oauth-v2-http-mac-00.txt) with two exceptions - (a) the body hash is included without
      BASE64 applied and (b) no "ext" field is appended. All text based fields in the normalized request
      are encoded in UTF-8.

    There shouldn't be any modification done to the new lines (in regards to the initial post, where I was wondering if we have to get rid of \n). The token has to be passed entirely, including the <saml2:Assertion> tag. (This is what I was told by VMware support, so it's a bit different than in the post from 2015 on communities.)

    Will be working now on getting the signature bits.
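    As an added example (not the poster's code, nor VMware's), here is a PowerShell function that assembles the SIGN header the way support describes it: token = BASE64(GZIP(SAML2)) over the whole <saml2:Assertion> element, a millisecond-timestamp nonce, and an RSA-SHA256 signature over the draft-ietf-oauth-v2-http-mac-00 normalized request (nonce, method, request-URI, lowercase host, port, bodyhash, each followed by a newline, with no "ext" line per exception (b)). It assumes the signing key is the one in greg3.pfx that the token was requested with, that $responsetoken.OuterXml yields the full assertion element, and it covers only body-less requests such as the GET in this thread (the bodyhash line is left empty, so exception (a) does not come into play).

```powershell
# Added example, not from the thread or the SDK: build the "SIGN" Authorization header for vRO.
function New-VroSignHeader {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SamlAssertionXml,   # full <saml2:Assertion> element, as issued
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$HokCertificate,
        [Parameter(Mandatory)][uri]$Uri,
        [string]$Method = 'GET'                            # body-less requests only in this example
    )

    # token = BASE64(GZIP(SAML2)); the assertion is compressed as-is, newlines untouched
    $raw = [System.Text.Encoding]::UTF8.GetBytes($SamlAssertionXml)
    $ms  = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
    $gz.Write($raw, 0, $raw.Length)
    $gz.Dispose()                      # finalizes the gzip member before the buffer is read
    $token = [Convert]::ToBase64String($ms.ToArray())

    # nonce = "<ms since 1970-01-01 UTC>:<random>", unique per request so the server can reject replays
    $rand  = [guid]::NewGuid().ToString('N').Substring(0, 12)
    $nonce = '{0}:{1}' -f [DateTimeOffset]::UtcNow.ToUnixTimeMilliseconds(), $rand

    # Normalized request (draft-ietf-oauth-v2-http-mac-00 section 3.3.1, as read for this example):
    # nonce, METHOD, request-URI, lowercase host, port, bodyhash, each followed by LF; no "ext" line.
    # bodyhash is empty because the request carries no body.
    $normalized = ($nonce, $Method.ToUpperInvariant(), $Uri.PathAndQuery,
                   $Uri.Host.ToLowerInvariant(), $Uri.Port, '') -join "`n"
    $normalized += "`n"
    $toSign = [System.Text.Encoding]::UTF8.GetBytes($normalized)

    # signature = BASE64(RSA-SHA256(private key, normalized request)), signed with the HoK key:
    # this is what proves possession of the key named in the assertion's SubjectConfirmation
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($HokCertificate)
    if (-not $rsa) { throw 'Certificate has no RSA private key' }
    $sigBytes = $rsa.SignData($toSign,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $signature = [Convert]::ToBase64String($sigBytes)

    return 'SIGN token="{0}", nonce="{1}", signature_alg="RSA-SHA256", signature="{2}"' -f $token, $nonce, $signature
}

# Usage with the values from the thread ({id} is the thread's org-id placeholder; substitute yours).
# $responsetoken is the RequestedSecurityToken element obtained from the STS in the first post.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    'c:\vro\greg\greg3.pfx', 'greg3',
    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet)
$uri   = 'https://vro816.greg.labs:443/vco/api/org/{id}/workflows?maxResult=3&queryCount=false'
$authz = New-VroSignHeader -SamlAssertionXml $responsetoken.OuterXml -HokCertificate $cert -Uri $uri
Invoke-RestMethod -Uri $uri -Headers @{ Authorization = $authz }
```

    Because the nonce carries the current time and the signature covers it, a captured header cannot be replayed later; a new header has to be computed for every request.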



  • 3.  RE: HoK token for accessing vRO via REST call [powershell]

    Posted May 18, 2020 06:20 PM

    Update, I have completed the call, it works 100%. I will rewrite the code to make it prettier and share it later on.



  • 4.  RE: HoK token for accessing vRO via REST call [powershell]



  • 5.  RE: HoK token for accessing vRO via REST call [powershell]

    Posted Jun 16, 2020 05:28 AM

    Hi,

    I am new to vRO, and trying to acquire the HoK token to access vRO via a REST API call. I checked your code on GitHub, but still could not figure out how to use it. Could you please tell me where I can find related info? And do I need to download both the vSphere SDK and the vRO SDK? Thank you so much!



  • 6.  RE: HoK token for accessing vRO via REST call [powershell]

    Posted Jan 20, 2021 01:03 AM

    Thank you for sharing this post. Excellent work! I couldn't find any other documentation or forum posts on this topic. I was able to get this working after some struggle.