yavijava-sso
Bearer-token SSO against vCenter's built-in STS, from your Java app.
The problem
vCenter’s built-in SSO uses WS-Trust to issue bearer/HOK tokens. The protocol is documented but writing a compliant WS-Trust client from scratch is several weeks of work — XML signing, canonicalization, namespace bookkeeping, and a lot of small ways to fail silently and end up with the wrong audience.
Most Java teams that hit this end up either copying older sample code that fell out of maintenance, or wiring in CXF + a code generator and ending up with a build their next engineer can’t compile.
The solution
yavijava-sso ships a hand-written WS-Trust bearer-token client and a thin wrapper that returns a ServiceInstance from a username/password pair:
import com.vmware.vim25.mo.ServiceInstance;
import com.vmware.vsphere.sso.SsoClient;
ServiceInstance si = new SsoClient(new URL("https://vc.example.com/sdk"))
.connect("administrator@vsphere.local", "password");
System.out.println(si.getAboutInfo().getFullName());
si.getServerConnection().logout();
No wsimport. No CXF. No external IdP wiring. Builds clean on Java 11+ with no new runtime dependencies on top of yavijava.
What’s included
Today (v1):
- Bearer-token SSO against vCenter’s STS
- Hand-written WS-Trust client (no code generation)
- Compatible with yavijava 9.0+
- Email support
Roadmap:
- Holder-of-Key (HOK) tokens for headless service auth
- Token caching and refresh
- SAML-token-authenticated guest-OS operations
FAQ
Does this work with ADFS / Okta / Keycloak? Only if vCenter has been federated to them at the deployment level. yavijava-sso talks to vCenter’s STS; whatever vCenter is federated to is what authenticates.
Air-gapped vCenter? Yes. The library never phones home. Your license is a JWT file you place locally.
Renewal? Annual. Stripe-managed. We’ll email you a fresh license file at renewal.
Refunds? 30 days, no questions. See refund policy.