This content describes an older version of this product.

ConfirmUserRegistrationHandler Interface

Manages single sign-on (SSO) user mappings between Salesforce and a third-party identity provider. Use this interface to confirm user mappings before updating them.

Namespace

Auth

Usage

When you set up SSO with a third-party identity provider, you create a class that implements a registration handler using the Auth.RegistrationHandler interface. This class manages the process of creating and updating users. For advanced use cases that require you to confirm user information during the update process, implement the Auth.ConfirmUserRegistrationHandler interface in your class. This interface must be implemented in addition to Auth.RegistrationHandler.

You can use the Auth.ConfirmUserRegistrationHandler interface to ensure that users are mapped correctly between Salesforce and the third party. When a user who has previously logged in with an authentication provider logs in again, you can confirm that the incoming user data is consistent with the user's third-party identifier. If not, you can identify which user is supposed to be logged in.

You can also use the Auth.ConfirmUserRegistrationHandler interface to switch context for users with multiple records. For example, a user has two records—an admin user and a standard user. When the user logs in, the third-party identity provider confirms the account used to log in and sends the response to Salesforce via the UserInfo endpoint. You can then use this information to determine whether to log in the user as an admin or standard user.

ConfirmUserRegistrationHandler Methods

The following are methods for ConfirmUserRegistrationHandler.

confirmUser(userId, tpalId, portalId, userdata)

Returns the ID of the user to be logged in based on their mapping to a third-party identifier. This method is called before calling the updateUser() method. It's called only if the incoming user has previously logged in and has a third-party account link to a Salesforce user.

Signature

public Id confirmUser(Id userId, Id tpalId, Id portalId, Auth.UserData userdata)

Parameters

userId
Type: Id
The ID of the user who is mapped to the third-party identifier via a third-party account link.
tpalId
Type: Id
The third-party account link corresponding to the third-party identifier.
portalId
Type: Id
The portal ID the user is logging in to. If there's no portal configured, this value can be null.
userdata
Type: Auth.UserData
Contains user information from the third-party identity provider.

Return Value

Type: Id

The Id of the user to be logged in. If null, login fails.

ConfirmUserRegistrationHandler Example Implementation

This example implements the Auth.ConfirmUserRegistrationHandler interface during the user update process to confirm that the correct user is logging in based on their email address and last name.

global class StandardUserRegistrationHandler implements Auth.RegistrationHandler, Auth.ConfirmUserRegistrationHandler {
    // Called the first time a third-party identity logs in: build the new user.
    global User createUser(Id portalId, Auth.UserData data){
        User u = new User();
        Profile p = [SELECT Id FROM profile WHERE name='Standard User'];
        u.username = data.username + '@salesforce.com';
        u.email = data.email;
        u.lastName = data.lastName;
        u.firstName = data.firstName;
        String alias = data.username;
        if(alias.length() > 8) {
            alias = alias.substring(0, 8);
        }
        u.alias = alias;
        u.languagelocalekey = data.attributeMap.get('language');
        u.localesidkey = data.locale;
        u.emailEncodingKey = 'UTF-8';
        u.timeZoneSidKey = 'America/Los_Angeles';
        u.profileId = p.Id;
        return u;
    }
    
    // Called on later logins, after confirmUser(): refresh the user's details.
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        User u = new User(id=userId);
        u.username = data.username + '@salesforce.com';
        u.email = data.email;
        u.lastName = data.lastName;
        u.firstName = data.firstName;
        String alias = data.username;
        if(alias.length() > 8) {
            alias = alias.substring(0, 8);
        }
        u.alias = alias;
        u.languagelocalekey = data.attributeMap.get('language');
        u.localesidkey = data.locale;
        update(u);
    }
    
    // Called before updateUser() for a returning user: return the Id of the
    // user to log in, or null to fail the login.
    global Id confirmUser(Id userId, Id tpalId, Id portalId, Auth.UserData data) {
        if (data.email != null && data.lastName != null
                && data.email.contains(data.lastName)) { // looks genuine
            return userId;
        } else { // find the right user
            // Query into a list: assigning the result to a single User throws
            // a QueryException when zero or several rows match.
            List<User> matches = [SELECT id FROM user WHERE email=:data.email LIMIT 2];
            return matches.size() == 1 ? matches[0].Id : null; // null fails the login
        }
    }
}

The following example tests the implementation:

@isTest
public class StandardUserRegistrationHandlerTest {
    static testMethod void testConfirmUser() {
        StandardUserRegistrationHandler handler = new StandardUserRegistrationHandler();
        Auth.UserData sampleData = new Auth.UserData('idA', 'firstName', 'A',
            'firstName A', 'userA@example.org', null, 'usernameA', 'en_US', 'facebook',
            null, new Map<String, String>{'language' => 'en_US'});
        User u = handler.createUser(null, sampleData);
        insert(u);
        String uid = u.id;
        
        sampleData = new Auth.UserData('idB', 'firstName', 'B',
            'firstName B', 'userA@example.org', null, 'usernameB', 'en_US', 'facebook',
            null, new Map<String, String>{}); // note that user B is using userA's email
        Id confirmedUserId = handler.confirmUser(uid, '060xx0000004Eh6', null, sampleData);
        System.assertEquals(uid, confirmedUserId); // we should see userA's id
    }
}
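
The consistency check and the context switch described under Usage can also key on the identity provider's stable identifier instead of the email address, which the third party may let a person change. The following is an added example, not Salesforce's code. It assumes the StandardUserRegistrationHandler class above is deployed, that FederationIdentifier is free to hold a provider:identifier key, and it invents the class name, the 'account_type' attribute and the ':admin' suffix convention for illustration.

```apex
global class StrictConfirmHandler
        implements Auth.RegistrationHandler, Auth.ConfirmUserRegistrationHandler {
    // Creation and updates are delegated to the handler shown on this page.
    private StandardUserRegistrationHandler pageHandler = new StandardUserRegistrationHandler();

    // Stable per-provider key: the third-party identifier, not the email.
    private static String keyFor(Auth.UserData data) {
        return data.provider + ':' + data.identifier;
    }

    global User createUser(Id portalId, Auth.UserData data) {
        User u = pageHandler.createUser(portalId, data);
        u.FederationIdentifier = keyFor(data); // recorded once, checked on every later login
        return u;
    }

    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        pageHandler.updateUser(userId, portalId, data);
    }

    global Id confirmUser(Id userId, Id tpalId, Id portalId, Auth.UserData data) {
        if (String.isBlank(data.identifier) || String.isBlank(data.provider)) {
            return null; // nothing stable to match on: fail the login
        }
        String key = keyFor(data);
        String adminKey = key + ':admin'; // assumed convention for the person's admin record
        List<User> linked = [SELECT FederationIdentifier FROM User
                             WHERE Id = :userId AND IsActive = true LIMIT 1];
        // The linked record must carry this identifier; a matching email is not enough.
        if (linked.isEmpty() || !(key.equals(linked[0].FederationIdentifier)
                || adminKey.equals(linked[0].FederationIdentifier))) {
            return null;
        }
        // Context switch: 'account_type' is an assumed attribute from the UserInfo response.
        Boolean wantsAdmin = data.attributeMap != null
            && data.attributeMap.get('account_type') == 'admin';
        String wanted = wantsAdmin ? adminKey : key;
        List<User> target = [SELECT Id FROM User
                             WHERE FederationIdentifier = :wanted AND IsActive = true LIMIT 1];
        return target.isEmpty() ? null : target[0].Id; // null fails the login
    }
}
```

With this handler, a returning login whose user data carries another person's email but a different third-party identifier gets null from confirmUser, so the login fails instead of being mapped to the email's owner.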