SSO for Employees

As an integrator, you can use your Partner secret to call the Swipeclock authentication service to get the JSON Web Token (JWT) for an employee.

The process for calling the JWT service is the same as described in Calling the Authentication Service except that the API product is “twpemp”, and in addition to specifying a siteInfo object, the integrator must also provide a user object that identifies the user for whom the JWT token will be generated. The API Secret provided will still be the Partner’s API secret.

Using the Employee SSO Token for Portal Access

The Employee SSO JWT token can be used to create a link to the WFH Employee Portal that gives the employee access to the portal without having to log in. The link should use this URL:

https://www.myfileguardian.com/login.aspx?jwt=<employee JWT token>

We suggest that this link open a new browser tab, as the ESS Portal is not designed to be embedded in an iframe.

Example Employee SSO Endpoint

POST https://clock.payrollservers.us/AuthenticationService/oauth2/userToken
Authorization: Bearer 
Content-Type: application/json
Content Body:
{
  "iss": 9823812,
  "exp": 1557779976,
  "sub": "partner",
  "siteInfo": {
    "type": "id",
    "id": 79701
  },
  "user": {
    "type": "empcode",
    "id": "EMP042"
  },
  "product": "twpemp"
}

Note that in the above endpoint call, siteInfo.id is the TWP siteId for the company. This can be obtained from the Get Companies endpoint.

Employee SSO JWT Response:

{
	"token": "eyJ0eXAiO.....eH74"
}

Employee SSO Link URL:

https://www.myfileguardian.com/login.aspx?jwt=eyJ0eXAiO.....eH74

Using the Employee SSO Token to Embed Employee Components

If desired, rather than sending employees to a new page, integrators can create their own portals with WFH components embedded in iframes, using the same Employee SSO token as shown above.

If the employee identified in the JWT user field does not exist, or if your Partner account does not have permission to administer that user or site, you will get a 401 Unauthorized response. If the request is valid, you will get the token back in the response.
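The request body, the 401 case and the portal link described above, as an added Python example that is not Swipeclock's own code. The function names, the 300-second lifetime, the treatment of any 2xx status as success and the log-redaction helper are assumptions; sending the request, including the Authorization header covered in Calling the Authentication Service, is left to the caller.

```python
import json
import time
from urllib.parse import urlencode

# Portal login URL as given on this page.
PORTAL_LOGIN_URL = "https://www.myfileguardian.com/login.aspx"


def build_user_token_body(partner_id, site_id, emp_code, ttl_seconds=300, now=None):
    """Body for the userToken endpoint, scoped to a single employee."""
    if not isinstance(emp_code, str) or not emp_code.strip():
        raise ValueError("emp_code must be a non-empty string")
    now = int(time.time()) if now is None else int(now)
    return {
        "iss": partner_id,
        "exp": now + ttl_seconds,  # assumption: keep the lifetime short
        "sub": "partner",
        "siteInfo": {"type": "id", "id": site_id},
        "user": {"type": "empcode", "id": emp_code},
        "product": "twpemp",
    }


def portal_link_from_response(status, body_text):
    """Turn the service's reply into a portal link, or raise on refusal."""
    if status == 401:
        # Unknown employee, or the partner may not administer that user or site.
        raise PermissionError("userToken request rejected (401 Unauthorized)")
    if not 200 <= status < 300:  # assumption: any 2xx is success
        raise RuntimeError(f"unexpected status {status}")
    data = json.loads(body_text)
    token = data.get("token") if isinstance(data, dict) else None
    # A compact JWT has exactly three dot-separated segments.
    if not isinstance(token, str) or token.count(".") != 2:
        raise ValueError("response did not contain a JWT in 'token'")
    return PORTAL_LOGIN_URL + "?" + urlencode({"jwt": token})


def redact(token):
    """Form suitable for logs: the token logs the employee in, so never log it whole."""
    return token[:6] + "...[redacted]"
```
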