Configure the Workspace ONE Access API to create Token Auth authentication. You enable the authentication method, set the length of time that the generated magic link is valid, and add the pre-hire group UUID. If the pre-hire user email addresses can be used, you also configure the Active Directory user email attribute.

Prerequisite

The pre-hire Active Directory group must be created. This pre-hire group must be synced to the Workspace ONE Access directory.

Procedure

In the API, you set the following.

  1. Set "enabled" to true. Later you enable Token Auth as an authentication method in the Workspace ONE Access admin console.
  2. Set "userAttributeForEmail" to the Active Directory user email attribute. This value is used to send an email to the pre-hire users.
  3. Set "loginLinkValidityMillis" to the time that the generated magic link is valid. The time is set in milliseconds. The recommended value is 2592000000 milliseconds. The magic link does not work if the value is 0.
  4. Set "groupUuid" to the Active Directory pre-hire group UUID. This is the externalId (objectGUID) of the group or the UUID of the group in the database.

The following is the API.

HTTP Method: POST

Authorization: <AuthHeader>

ReST Endpoint URL: /token/auth/configuration

Example: https://test.vmwareidentity.com/SAAS/jersey/manager/api/token/auth/configuration

Content-Type: application/vnd.vmware.horizon.manager.token.auth.configuration+json

Accept: application/vnd.vmware.horizon.manager.token.auth.configuration+json

Body

Values within angle brackets (< >) are example values. When replacing the example value, remove the angle brackets.

{
  "enabled": true,
  "userAttributeForEmail": "<emails>", // User attribute in AD that holds the email address used to send mail to the "prehire" user.
  "loginLinkValidityMillis": <2592000000>, // Required value. Time in milliseconds that the generated magic link is valid. The default value is 0 milliseconds, in which case a generated token is invalid.
  "groupUuid": "<1027a30f-498e-467c-9bf1-50d45ed7bb4a>" // externalId (objectGUID) of the group or UUID of the group in the database.
}

Sample Response

{
  "enabled": true,
  "userAttributeForEmail": "emails",
  "loginLinkValidityMillis": 2592000000,
  "groupUuid": "1027a30f-498e-467c-9bf1-50d45ed7bb4a"
}

Errors - HTTP Status Code Summary

The following response codes indicate the success or failure of the API request.

| Status Code | Description | Remediation |
|---|---|---|
| 200 - Request served successfully. | Token Auth configuration created with pre-hire group. | |
| 400 - token.auth.config.invalid.group.uuid | Group UUID is not given in the request. | Ensure that the group UUID is correctly passed. |
| 400 - token.auth.config.group.not.found | The group externalId or group UUID is not found in the synced groups in the organization. | Ensure that the correct group UUID or externalId is passed. |
| 400 - token.auth.config.invalid.group.type | The group is not a synced group from Active Directory. | Ensure that the group which is passed in the request is synced from Active Directory. The group must not be a local group, dynamic group, or the All Users group. |
| 500 - token.auth.configuration.failed | 1. Could not save the token configuration. 2. The input request structure is incorrect. 3. Unexpected cause. | 1. Delete the previous token configuration and retry the save operation. 2. Validate the Body section of the input request. 3. Contact VMware Workspace ONE Access support team. |
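
The following Python is an added example, not part of the original page or VMware's own code. It checks the four body fields locally against the constraints described above, builds the POST request without sending it, and maps the documented error codes to their remediation. The function names, the `auth_header` parameter, the hyphenated UUID form, and the assumption that the error code string appears in the response body are illustrative.

```python
import json
import urllib.request
import uuid

# Media type and path are taken from the request description on this page.
MEDIA_TYPE = "application/vnd.vmware.horizon.manager.token.auth.configuration+json"
API_PATH = "/SAAS/jersey/manager/api/token/auth/configuration"

# Error codes and remediation, paraphrased from the status code table on this page.
REMEDIATION = {
    "token.auth.config.invalid.group.uuid": "Ensure that the group UUID is correctly passed.",
    "token.auth.config.group.not.found": "Ensure that the correct group UUID or externalId is passed.",
    "token.auth.config.invalid.group.type": "Pass a group synced from Active Directory, not a local, dynamic, or All Users group.",
    "token.auth.configuration.failed": "Delete the previous token configuration and retry, validate the request body, or contact support.",
}

def build_config(email_attr, validity_ms, group_uuid):
    """Return the request body, rejecting values the page says cannot work."""
    if not isinstance(email_attr, str) or not email_attr.strip():
        raise ValueError("userAttributeForEmail must name the AD email attribute")
    # bool is a subclass of int, so exclude it explicitly.
    if isinstance(validity_ms, bool) or not isinstance(validity_ms, int) or validity_ms <= 0:
        raise ValueError("loginLinkValidityMillis must be a positive integer; 0 makes the magic link unusable")
    try:
        # Assumption: the hyphenated 8-4-4-4-12 form used in the page's sample.
        well_formed = str(uuid.UUID(group_uuid)) == group_uuid.lower()
    except (ValueError, AttributeError, TypeError):
        well_formed = False
    if not well_formed:
        raise ValueError("groupUuid is not a well-formed UUID")
    return {"enabled": True, "userAttributeForEmail": email_attr,
            "loginLinkValidityMillis": validity_ms, "groupUuid": group_uuid}

def build_request(host, auth_header, config):
    """Build (but do not send) the POST; auth_header is the caller's <AuthHeader> value."""
    headers = {"Authorization": auth_header, "Content-Type": MEDIA_TYPE, "Accept": MEDIA_TYPE}
    return urllib.request.Request(f"https://{host}{API_PATH}", method="POST",
                                  data=json.dumps(config).encode("utf-8"), headers=headers)

def remediation_for(response_text):
    """Map an error response to remediation. Assumes the code string appears in the body."""
    for code, fix in REMEDIATION.items():
        if code in response_text:
            return fix
    return None
```

Pass the returned request to `urllib.request.urlopen` to send it. Rejecting a zero or non-integer validity before the call avoids saving a configuration whose magic links never work.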