You use the Workspace ONE Access APIs to create the magic login link and prepare it to be sent as a link in an email to the pre-hire user.

Create and Return Magic Login Link to Add to Emails

This API produces the login link that can be added to the email.

  1. Set "domain" to the domain that the pre-hire user belongs to. Enter as domain.mycompany.com.
  2. Set "userName" to the user name of the pre-hire user. This name is synced in through the Active Directory attribute "userName".

The response is the loginLink, which is the magic link containing the token. You add this loginLink to the email that you send to the pre-hire user.

HTTP Method: POST

Authorization: <AuthHeader>

ReST Endpoint URL: /token/auth/state

Example: https://test.vmwareidentity.com/SAAS/jersey/manager/api/token/auth/state

Content-Type: application/vnd.vmware.horizon.manager.tokenauth.generation.request+json
Accept: application/vnd.vmware.horizon.manager.tokenauth.link.response+json

Body ("domain" is the domain the user belongs to; "userName" is the user name of the pre-hire user, synced in via the AD attribute "userName"):

{
  "domain": "hs.vidmlabs.com",
  "userName": "cuser2"
}

Sample Response:

{
  "loginLink": "https://hostname.vdim.com/SAAS/auth/login?token=<ALongToken>&userstore=Userstore_7ecdf96d-31ae-4fa7-a810-1873dda9615b",
  "_links": {}
}

loginLink is the magic link containing the token.

Errors - HTTP Status Code Summary

The response codes to indicate the success or failure of the API request are as follows.

Status Code | Description | Remediation
200 - OK | Request served successfully. |
400 - user.not.found | A user could not be identified using the parameters passed in the body. | Ensure that the user name and domain are correctly passed.
400 - token.auth.invalid.group | The user does not belong to the AD group that was configured for this token. | Ensure that the user is in the correct group.
409 - token.auth.token.already.exists | A token was already generated for the user, cannot generate a fresh one. | Delete the existing token and try again. See Delete the Generated Magic Link Token in Workspace ONE Access.
500 - multiple causes | Something went wrong on the server while generating the token. | Contact VMware Workspace ONE Access support team.
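
The request and the status codes above, as an added Python example that is not part of the Workspace ONE Access documentation: it builds the POST, validates the response, and replaces the token value before the link is written to logs. The helper names, the constructed sample token, and the assumption that the error code string appears in the error response body are not from this page.

```python
import json
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

BASE = "https://test.vmwareidentity.com/SAAS/jersey/manager/api"  # example host from this page
REQ_TYPE = "application/vnd.vmware.horizon.manager.tokenauth.generation.request+json"
RESP_TYPE = "application/vnd.vmware.horizon.manager.tokenauth.link.response+json"

# Error codes and remediation taken from the status code table on this page.
REMEDIATION = {
    "user.not.found": "check that the user name and domain are passed correctly",
    "token.auth.invalid.group": "put the user in the AD group configured for this token",
    "token.auth.token.already.exists": "delete the existing token, then retry",
}

def build_request(auth_header, domain, user_name):
    """Prepare the POST to /token/auth/state; the caller sends it with urlopen()."""
    body = json.dumps({"domain": domain, "userName": user_name}).encode()
    return urllib.request.Request(
        BASE + "/token/auth/state", data=body, method="POST",
        headers={"Authorization": auth_header, "Content-Type": REQ_TYPE, "Accept": RESP_TYPE})

def redact(link):
    """Replace the token value so the link can be logged without the credential."""
    parts = urlsplit(link)
    query = [(k, "REDACTED" if k == "token" else v) for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def handle_response(status, body_text):
    """Return the loginLink on 200; otherwise raise with the remediation from the table."""
    if status == 200:
        link = json.loads(body_text).get("loginLink", "")
        parts = urlsplit(link)
        if parts.scheme != "https" or "token" not in dict(parse_qsl(parts.query)):
            raise ValueError("200 response without a usable https loginLink")
        return link
    # Assumption: the error code string from the table appears in the error body.
    for code, fix in REMEDIATION.items():
        if code in body_text:
            raise RuntimeError(f"{status} {code}: {fix}")
    raise RuntimeError(f"{status}: contact Workspace ONE Access support")

if __name__ == "__main__":
    req = build_request("<AuthHeader>", "hs.vidmlabs.com", "cuser2")
    print(req.get_method(), req.full_url)
    sample = '{"loginLink": "https://hostname.vdim.com/SAAS/auth/login?token=CONSTRUCTED&userstore=Userstore_x", "_links": {}}'
    print(redact(handle_response(200, sample)))  # constructed response, not real output
```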

Sample Magic Link Email

Because pre-hires do not have a company email address in Active Directory before their start date, the magic link email should be sent through an external system.

Here is an example of an email that includes the magic link.

Workspace ONE Intelligent Hub Welcome Example