SamlJitHandler Interface
Namespace
Auth
Usage
To use custom logic for user provisioning during SAML single sign-on, create a class that implements Auth.SamlJitHandler. This lets you incorporate organization-specific logic (such as populating custom fields) when users log in to Salesforce with single sign-on. Keep in mind that your class must perform the logic of creating and updating user data as appropriate, including any associated account and contact records.
In Salesforce, you specify the class that implements this interface in the SAML JIT Handler field in SAML Single Sign-On Settings. Make sure that the user you specify to run the class has the “Manage Users” permission.
SamlJitHandler Methods
The following are methods for SamlJitHandler.
createUser(samlSsoProviderId, communityId, portalId, federationId, attributes, assertion)
Signature
public User createUser(Id samlSsoProviderId, Id communityId, Id portalId, String federationId, Map<String,String> attributes, String assertion)
Parameters
- samlSsoProviderId
- Type: Id
- The ID of the SamlSsoConfig standard object.
- communityId
- Type: Id
- The ID of the community. This parameter can be null if you’re not creating a community user.
- portalId
- Type: Id
- The ID of the portal. This parameter can be null if you’re not creating a portal user.
- federationId
- Type: String
- The ID Salesforce expects to be used for this user.
- attributes
- Type: Map<String,String>
- All of the attributes in the SAML assertion that were added to the default assertion; for example, custom attributes. Attributes are case-sensitive.
- assertion
- Type: String
- The default SAML assertion, base-64 encoded.
Return Value
Type: User
A User sObject.
Usage
The communityId and portalId parameter values may be null or an empty key if no community or portal is configured for this organization.
updateUser(userId, samlSsoProviderId, communityId, portalId, federationId, attributes, assertion)
Signature
public void updateUser(Id userId, Id samlSsoProviderId, Id communityId, Id portalId, String federationId, Map<String,String> attributes, String assertion)
Parameters
- userId
- Type: Id
- The ID of the Salesforce user.
- samlSsoProviderId
- Type: Id
- The ID of the SamlSsoConfig object.
- communityId
- Type: Id
- The ID of the community. This can be null if you’re not updating a community user.
- portalId
- Type: Id
- The ID of the portal. This can be null if you’re not updating a portal user.
- federationId
- Type: String
- The ID Salesforce expects to be used for this user.
- attributes
- Type: Map<String,String>
- All of the attributes in the SAML assertion that were added to the default assertion; for example, custom attributes. Attributes are case-sensitive.
- assertion
- Type: String
- The default SAML assertion, base-64 encoded.
Return Value
Type: void
SamlJitHandler Example Implementation
This is an example implementation of the Auth.SamlJitHandler interface. The code calls private methods that handle accounts and contacts (handleAccount() and handleContact()); those methods aren’t included in this example.
```apex
global class StandardUserHandler implements Auth.SamlJitHandler {
    private class JitException extends Exception{}

    // Copies SAML attributes onto the User. On create, the caller returns u and
    // Salesforce inserts it; on update, this method issues the DML itself.
    private void handleUser(boolean create, User u, Map<String, String> attributes,
        String federationIdentifier, boolean isStandard) {
        if(create && attributes.containsKey('User.Username')) {
            u.Username = attributes.get('User.Username');
        }
        if(create) {
            if(attributes.containsKey('User.FederationIdentifier')) {
                u.FederationIdentifier = attributes.get('User.FederationIdentifier');
            } else {
                u.FederationIdentifier = federationIdentifier;
            }
        }
        // These lookups throw a QueryException if the assertion carries an ID
        // that doesn't exist, so the login fails instead of provisioning a user.
        if(attributes.containsKey('User.ProfileId')) {
            String profileId = attributes.get('User.ProfileId');
            Profile p = [SELECT Id FROM Profile WHERE Id=:profileId];
            u.ProfileId = p.Id;
        }
        if(attributes.containsKey('User.UserRoleId')) {
            String userRole = attributes.get('User.UserRoleId');
            UserRole r = [SELECT Id FROM UserRole WHERE Id=:userRole];
            u.UserRoleId = r.Id;
        }
        if(attributes.containsKey('User.Phone')) {
            u.Phone = attributes.get('User.Phone');
        }
        if(attributes.containsKey('User.Email')) {
            u.Email = attributes.get('User.Email');
        }

        //More attributes here - removed for length

        //Handle custom fields here

        if(!create) {
            update(u);
        }
    }

    // Community and portal users need an account and contact first;
    // internal users only need the User record.
    private void handleJit(boolean create, User u, Id samlSsoProviderId, Id communityId, Id portalId,
        String federationIdentifier, Map<String, String> attributes, String assertion) {
        if(communityId != null || portalId != null) {
            String account = handleAccount(create, u, attributes);
            handleContact(create, account, u, attributes);
            handleUser(create, u, attributes, federationIdentifier, false);
        } else {
            handleUser(create, u, attributes, federationIdentifier, true);
        }
    }

    global User createUser(Id samlSsoProviderId, Id communityId, Id portalId,
        String federationIdentifier, Map<String, String> attributes, String assertion) {
        User u = new User();
        handleJit(true, u, samlSsoProviderId, communityId, portalId,
            federationIdentifier, attributes, assertion);
        return u;
    }

    global void updateUser(Id userId, Id samlSsoProviderId, Id communityId, Id portalId,
        String federationIdentifier, Map<String, String> attributes, String assertion) {
        User u = [SELECT Id FROM User WHERE Id=:userId];
        handleJit(false, u, samlSsoProviderId, communityId, portalId,
            federationIdentifier, attributes, assertion);
    }
}
```
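A second handler for the same interface, added here as an example and not taken from the Salesforce documentation: it treats the attribute map as untrusted input, requires the fields an insert needs, restricts the profile to an allowlist so the assertion cannot request an arbitrary profile, binds the user to the federationId Salesforce passed in, and refuses community and portal provisioning outright. The class name, attribute names, profile names and locale defaults are assumptions for this example.

```apex
global class AllowlistedJitHandler implements Auth.SamlJitHandler {
    private class JitException extends Exception {}
    // Profiles the IdP may request; the names are assumptions for this example.
    private static final Set<String> ALLOWED_PROFILES = new Set<String>{'Standard User', 'Read Only'};

    // Attribute names are constructed for this example and are case-sensitive on the IdP side.
    private void applyAttributes(Boolean create, User u, String federationId, Map<String, String> attributes) {
        if (create) {
            for (String key : new List<String>{'User.Email', 'User.LastName', 'User.ProfileName'}) {
                if (String.isBlank(attributes.get(key))) throw new JitException('Missing SAML attribute: ' + key);
            }
            // Bind the user to the federation ID Salesforce passed in, not one taken from the assertion.
            u.FederationIdentifier = federationId;
            u.Email = attributes.get('User.Email');
            u.Username = u.Email; // assumes the email address is unique across Salesforce usernames
            u.LastName = attributes.get('User.LastName');
            u.Alias = u.Email.substringBefore('@').left(8);
            // Locale fields are required on insert; the values are assumed org defaults.
            u.TimeZoneSidKey = 'America/Los_Angeles';
            u.LocaleSidKey = 'en_US';
            u.EmailEncodingKey = 'UTF-8';
            u.LanguageLocaleKey = 'en_US';
        }
        if (attributes.containsKey('User.ProfileName')) {
            String profileName = attributes.get('User.ProfileName');
            if (!ALLOWED_PROFILES.contains(profileName)) {
                throw new JitException('Profile not permitted for JIT provisioning: ' + profileName);
            }
            List<Profile> profiles = [SELECT Id FROM Profile WHERE Name = :profileName LIMIT 1];
            if (profiles.isEmpty()) throw new JitException('No profile named ' + profileName);
            u.ProfileId = profiles[0].Id;
        }
        if (!create) update u;
    }
    global User createUser(Id samlSsoProviderId, Id communityId, Id portalId,
            String federationId, Map<String, String> attributes, String assertion) {
        // communityId and portalId are null for internal users; this handler provisions only those.
        if (communityId != null || portalId != null) {
            throw new JitException('This handler does not provision community or portal users');
        }
        User u = new User();
        applyAttributes(true, u, federationId, attributes);
        return u;
    }
    global void updateUser(Id userId, Id samlSsoProviderId, Id communityId, Id portalId,
            String federationId, Map<String, String> attributes, String assertion) {
        User u = [SELECT Id, ProfileId FROM User WHERE Id = :userId];
        applyAttributes(false, u, federationId, attributes);
    }
}
```

Any JitException thrown here fails the single sign-on attempt, which is the intended outcome when the assertion asks for something the allowlist does not cover.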