When you create a connected app, you specify general information about the app and settings for OAuth, web apps, mobile apps, and canvas apps. To customize how the app is invoked, create a connected app handler with this ConnectedAppPlugin Apex class. For example, use this class to support new authentication protocols or respond to user attributes in a way that benefits a business process.
The class runs on behalf of the current user of the connected app. But the user must have permission to use the connected app for the plug-in to work. If the user isn’t authorized for the connected app, use the authorize method.
This example gives the user permission to use the connected app if the context is SAML and the user has reached the quota tracked in a custom field. It returns the user’s permission set assignments. The example uses Auth.InvocationContext to modify a SAML assertion before it’s sent to the service provider.
```apex
global class ConnectedAppPluginExample extends Auth.ConnectedAppPlugin {

    // Authorize the app if the user has achieved the quota tracked in a custom field
    global override Boolean authorize(Id userId, Id connectedAppId, Boolean isAdminApproved,
            Auth.InvocationContext context) {
        // Create a custom Boolean field HasAchievedQuota__c on the User object
        // and then uncomment the block below
        // User u = [SELECT Id, HasAchievedQuota__c FROM User WHERE Id = :userId].get(0);
        // return u.HasAchievedQuota__c;
        return isAdminApproved;
    }

    // Call a flow during refresh
    global override void refresh(Id userId, Id connectedAppId, Auth.InvocationContext context) {
        try {
            Map<String, Object> inputVariables = new Map<String, Object>();
            inputVariables.put('userId', userId);
            inputVariables.put('connectedAppId', connectedAppId);
            // Create a custom trigger-ready flow and uncomment the block below
            // Flow.Interview.MyCustomFlow interview = new Flow.Interview.MyCustomFlow(inputVariables);
            // interview.start();
        } catch (Exception e) {
            System.debug('FLOW Exception:' + e);
        }
    }

    // Return a user's permission set assignments as a custom attribute
    global override Map<String,String> customAttributes(Id userId, Id connectedAppId,
            Map<String,String> formulaDefinedAttributes, Auth.InvocationContext context) {
        List<PermissionSetAssignment> psas = [SELECT Id, PermissionSet.Name
                                              FROM PermissionSetAssignment
                                              WHERE PermissionSet.IsOwnedByProfile = false
                                              AND AssigneeId = :userId];
        String permsets = '[';
        for (PermissionSetAssignment psa : psas) {
            permsets += psa.PermissionSet.Name + ';';
        }
        permsets += ']';
        formulaDefinedAttributes.put('PermissionSets', permsets);
        return formulaDefinedAttributes;
    }
}
```
The following are methods for ConnectedAppPlugin.
public Boolean authorize(Id userId, Id connectedAppId, Boolean isAdminApproved)
Type: Boolean
If the connected app requires admin approval, a returned value of true indicates that the current user is approved.
public Boolean authorize(Id userId, Id connectedAppId, Boolean isAdminApproved, Auth.InvocationContext context)
Type: Boolean
If the connected app requires admin approval, a returned value of true indicates that the user is approved.
ConnectedAppPlugin runs on behalf of the current user. But the user must have permission to use the connected app for the plug-in to work. Use this method to authorize the user.
public Map<String,String> customAttributes(Id userId, Id connectedAppId, Map<String,String> formulaDefinedAttributes)
public Map<String,String> customAttributes(Id userId, Id connectedAppId, Map<String,String> formulaDefinedAttributes, Auth.InvocationContext context)
public dom.XmlNode modifySAMLResponse(Map<String,String> authSession, Id connectedAppId, dom.XmlNode samlResponse)
Type: Dom.XmlNode
Returns an instance of Dom.XmlNode containing the modified SAML XML response.
Use this method to modify the XML SAML response to perform an action based on the context of the SAML request before it’s verified, signed, and sent to the target service provider. This method enables developers to extend the connected app plug-in to meet their specific needs.
The developer assumes full responsibility for changes made within the connected app plug-in. The plug-in must include validation and error handling. If the plug-in throws an exception, catch it, log it, and stop the process. Don’t send anything to the target service provider.
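As an added example (not code from this page or from Salesforce), the following plug-in overrides modifySAMLResponse to release only an allow-listed set of attributes to the service provider and to fail closed, applying the validation and error-handling guidance above. The class name, the allow-list contents, the SamlModificationException type and the choice to throw after logging (the page says to stop the process but names no platform call for it) are assumptions, as is that samlResponse is the samlp:Response root element.

```apex
// Added example, not from the page. Releases only allow-listed SAML attributes
// and fails closed. Class name, allow-list, exception type and the choice to
// throw after logging are assumptions.
global class AttributeMinimizingPlugin extends Auth.ConnectedAppPlugin {
    // Hypothetical exception type used to abort the SAML flow after logging.
    global class SamlModificationException extends Exception {}
    private static final String SAML_NS = 'urn:oasis:names:tc:SAML:2.0:assertion';
    // Attribute names this service provider may receive (assumed list).
    private static final Set<String> ALLOWED = new Set<String>{ 'email', 'department' };

    global override Dom.XmlNode modifySAMLResponse(Map<String,String> authSession,
            Id connectedAppId, Dom.XmlNode samlResponse) {
        try {
            // Validate: exactly one Assertion in the SAML 2.0 assertion namespace.
            Dom.XmlNode assertion = null;
            for (Dom.XmlNode child : samlResponse.getChildElements()) {
                if (child.getName() == 'Assertion' && child.getNamespace() == SAML_NS) {
                    if (assertion != null) {
                        throw new SamlModificationException('More than one Assertion');
                    }
                    assertion = child;
                }
            }
            if (assertion == null) {
                throw new SamlModificationException('No Assertion found');
            }
            Dom.XmlNode stmt = assertion.getChildElement('AttributeStatement', SAML_NS);
            if (stmt == null) {
                return samlResponse; // no attributes to minimize
            }
            // Collect first, then remove, so the child list is not mutated mid-loop.
            List<Dom.XmlNode> toRemove = new List<Dom.XmlNode>();
            for (Dom.XmlNode attr : stmt.getChildElements()) {
                if (attr.getName() == 'Attribute' && !ALLOWED.contains(attr.getAttribute('Name', null))) {
                    toRemove.add(attr);
                }
            }
            for (Dom.XmlNode attr : toRemove) {
                stmt.removeChild(attr);
            }
            return samlResponse;
        } catch (Exception e) {
            // Log and stop; nothing is returned to the service provider.
            System.debug(LoggingLevel.ERROR, 'SAML plug-in failure: ' + e.getMessage());
            throw new SamlModificationException('SAML response rejected', e);
        }
    }
}
```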
public void refresh(Id userId, Id connectedAppId, Auth.InvocationContext context)
Type: void