The following are methods for SessionManagement. All methods are static. Use these methods to customize your user identity verification flows, manage the use of time-based one-time password (TOTP) apps like Google Authenticator, or create custom login flows. Other methods validate a user’s incoming IP address against trusted IP range settings for an organization or profile.
public static System.PageReference finishLoginDiscovery(Auth.LoginDiscoveryMethod method, Id userId)
Type: System.PageReference
Include this method when implementing the MyDomainLoginDiscoveryHandler interface to direct users to an authentication mechanism and then log them in. If users enter a username on the login page, they are sent to the password page for authentication. If users are enrolled in Lightning Login, they are directed to Salesforce Authenticator to authenticate. If users are SSO-enabled, they are sent to the appropriate identity provider (IdP) to authenticate.
The calling user requires the Manage Users permission. If the user passed in is frozen or inactive, the method throws an exception.
After implementing the MyDomainLoginDiscoveryHandler interface, register the Login Discovery handler from the My Domain Setup page. Under Authentication Configuration, select this handler from the list of Apex classes.
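A handler that resolves the identifier typed on the login page and hands off to finishLoginDiscovery(), as an added example (not code from the page or from Salesforce). It assumes the interface method signature login(identifier, startUrl, requestAttributes), the enum values Auth.LoginDiscoveryMethod.PASSWORD and SSO, and that returning null redisplays the login page; none of these are stated on this page.

```apex
// Added example: Login Discovery handler. Assumed (not on the page): the
// login(...) signature, the PASSWORD/SSO enum values, and that a null
// return redisplays the login page.
global class MyLoginDiscoveryHandler implements Auth.MyDomainLoginDiscoveryHandler {

    global PageReference login(String identifier, String startUrl,
                               Map<String, String> requestAttributes) {
        if (String.isBlank(identifier)) {
            return null;  // nothing to look up; show the login page again
        }
        // Accept a username or an email. The bind variable keeps the
        // user-typed value out of the query text.
        List<User> users = [
            SELECT Id, FederationIdentifier
            FROM User
            WHERE (Username = :identifier OR Email = :identifier)
              AND IsActive = true
            LIMIT 2
        ];
        // Zero and ambiguous matches get the same outcome, so the response
        // does not reveal whether an account with that identifier exists.
        if (users.size() != 1) {
            return null;
        }
        User u = users[0];
        // Federated users go to their IdP; everyone else to the password page.
        Auth.LoginDiscoveryMethod method = String.isNotBlank(u.FederationIdentifier)
            ? Auth.LoginDiscoveryMethod.SSO
            : Auth.LoginDiscoveryMethod.PASSWORD;
        // Per the page: the caller needs Manage Users, and a frozen or
        // inactive user makes this call throw.
        return Auth.SessionManagement.finishLoginDiscovery(method, u.Id);
    }
}
```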
public static System.PageReference finishLoginFlow()
Type: System.PageReference
public static System.PageReference finishLoginFlow(String startUrl)
Type: System.PageReference
public static String generateVerificationUrl(Auth.VerificationPolicy policy, String description, String destinationUrl)
public static Map<String, String> getCurrentSession()
If you create an Apex test method that calls this method, the test fails with an error such as “Unexpected Exception: Current session unavailable.” The error occurs because there is no session in the context in which the test runs.
When a session is reused, Salesforce updates the LoginHistoryId with the value from the most recent login.
The following example shows the name-value pairs in a map returned by getCurrentSession(). Note that UsersId includes an “s” in the name to match the name of the corresponding field in the AuthSession object.
```
{
  SessionId=0Ak###############,
  UserType=Standard,
  ParentId=0Ak###############,
  NumSecondsValid=7200,
  LoginType=SAML Idp Initiated SSO,
  LoginDomain=null,
  LoginHistoryId=0Ya###############,
  Username=user@domain.com,
  CreatedDate=Wed Jul 30 19:09:29 GMT 2014,
  SessionType=Visualforce,
  LastModifiedDate=Wed Jul 30 19:09:16 GMT 2014,
  LogoutUrl=https://google.com,
  SessionSecurityLevel=STANDARD,
  UsersId=005###############,
  SourceIp=1.1.1.1
}
```
public static Auth.LightningLoginEligibility getLightningLoginEligibility(Id userId)
```apex
// Check whether the running user may use Lightning Login.
Id userId = UserInfo.getUserId();
Auth.LightningLoginEligibility eligibility =
    Auth.SessionManagement.getLightningLoginEligibility(userId);
if (eligibility == Auth.LightningLoginEligibility.ELIGIBLE) {
    // success: the user is eligible for Lightning Login
}
```
public static Map<String, String> getQrCode()
The secret is a base32-encoded string of a 20-byte shared key.
The following is an example of how to request the QR code.
```apex
// Visualforce getter naming: getGetQRCode() exposes {!getQRCode} on the page.
public String getGetQRCode() {
    return getQRCode();
}

// Requests a new QR code and secret and returns both as one string.
public String getQRCode() {
    Map<String, String> codeResult = Auth.SessionManagement.getQrCode();
    String result = 'URL: ' + codeResult.get('qrCodeUrl')
                  + ' SECRET: ' + codeResult.get('secret');
    return result;
}
```
The following is an example of a returned map.
```
{qrCodeUrl=https://www.salesforce.com/secur/qrCode?w=200&h=200&t=tf&u=user%0000000000.com&s=AAAAA7B5BBBB5AAAAAAA66BBBB,
 secret=AAAAA7B5AAAAAA5BBBBBBBBB66AAA}
```
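A two-step enrollment controller that requests the QR code and then verifies the first code the app produces against the returned secret before registering it, as an added example (not code from the page or from Salesforce). It assumes the getQrCode() and validateTotpTokenForKey() signatures on this page, and that inserting a TwoFactorInfo record with Type 'TOTP' is the registration step and that the running user is permitted to do so; the TwoFactorInfo object is not mentioned on this page.

```apex
// Added example: TOTP app enrollment. Assumed (not on the page): registering
// the key by inserting TwoFactorInfo(Type='TOTP', SharedKey=...).
public with sharing class TotpEnrollmentController {
    public String qrCodeUrl { get; private set; }
    public String enteredCode { get; set; }
    public String status { get; private set; }
    // Held in controller state between the two requests and never rendered,
    // so the shared key reaches the browser only inside the QR image.
    private String pendingSecret;

    // Step 1: request the QR code and keep the base32 secret server-side.
    public PageReference startEnrollment() {
        Map<String, String> result = Auth.SessionManagement.getQrCode();
        qrCodeUrl = result.get('qrCodeUrl');
        pendingSecret = result.get('secret');  // base32 of a 20-byte key
        status = 'Scan the code with your authenticator app, then enter the code it shows.';
        return null;
    }

    // Step 2: a code that validates against the pending secret proves the
    // app really holds that key; only then is it registered for the user.
    public PageReference confirmEnrollment() {
        if (pendingSecret == null || String.isBlank(enteredCode)) {
            status = 'Start enrollment first, then enter the code from the app.';
            return null;
        }
        Boolean ok;
        try {
            ok = Auth.SessionManagement.validateTotpTokenForKey(
                pendingSecret, enteredCode.trim(), 'TOTP app enrollment');
        } catch (Exception e) {
            ok = false;  // treat a validation exception as a failed check
        }
        if (!ok) {
            status = 'The code did not match. Check the device clock and try again.';
            return null;
        }
        // Assumed registration step (standard TwoFactorInfo object).
        insert new TwoFactorInfo(UserId = UserInfo.getUserId(),
                                 Type = 'TOTP', SharedKey = pendingSecret);
        pendingSecret = null;  // single use: discard once registered
        status = 'Authenticator app enrolled.';
        return null;
    }
}
```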
public static Auth.SessionLevel getRequiredSessionLevelForProfile(String profileId)
profileId: The 15-character profile ID.
Type: Auth.SessionLevel
The session security level required at login for the profile with the ID profileId. You can customize the assignment of each level in Session Settings. For example, you can set the High Assurance level to apply only to users who authenticated with two-factor authentication or through a specific identity provider.
public static Boolean inOrgNetworkRange(String ipAddress)
Type: Boolean
| Trusted IP range exists? | User is in the trusted IP range? | Return value |
|---|---|---|
| Yes | Yes | true |
| Yes | No | false |
| No | N/A | false |
public static Boolean isIpAllowedForProfile(String profileId, String ipAddress)
Type: Boolean
| Trusted IP range exists? | User is in the trusted IP range? | Return value |
|---|---|---|
| Yes | Yes | true |
| Yes | No | false |
| No | N/A | true |
public static Void setSessionLevel(Auth.SessionLevel level)
Type: Void
The following is an example class for setting the session level.
```apex
public class RaiseSessionLevel {
    // Raise the current session to High Assurance.
    public void setLevelHigh() {
        Auth.SessionManagement.setSessionLevel(Auth.SessionLevel.HIGH_ASSURANCE);
    }

    // Drop the current session back to Standard.
    public void setLevelStandard() {
        Auth.SessionManagement.setSessionLevel(Auth.SessionLevel.STANDARD);
    }
}
```
public static Boolean validateTotpTokenForKey(String sharedKey, String totpCode)
Type: Boolean
public static Boolean validateTotpTokenForKey(String totpSharedKey, String totpCode, String description)
Type: Boolean
public static Boolean validateTotpTokenForUser(String totpCode)
Type: Boolean
public static Boolean validateTotpTokenForUser(String totpCode, String description)
Type: Boolean
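A Visualforce login-flow controller that combines the methods above, as an added example (not code from the page or from Salesforce): it reads SourceIp from getCurrentSession(), applies isIpAllowedForProfile() and inOrgNetworkRange() with their differing no-range defaults, and for untrusted networks requires a TOTP code via validateTotpTokenForUser() before raising the session level and calling finishLoginFlow(). It assumes the controller runs inside a login flow so that a session exists, that UserInfo.getProfileId() is available, and a constructed startUrl; the 15-character profile ID form follows the parameter description given for getRequiredSessionLevelForProfile.

```apex
// Added example: step-up login flow. Assumed: runs inside a login flow
// (so getCurrentSession() has a session); startUrl is a constructed value.
public with sharing class StepUpLoginFlowController {
    public String totpCode { get; set; }
    public String message { get; private set; }
    private final String startUrl = '/home/home.jsp';  // constructed

    // First step: decide whether login can finish now or needs a second factor.
    public PageReference checkAccess() {
        Map<String, String> session = Auth.SessionManagement.getCurrentSession();
        String ip = session.get('SourceIp');
        String profileId = UserInfo.getProfileId().left(15);  // 15-char form

        // Profile restriction. With no range defined this returns true, so a
        // profile without a range is never locked out by this check.
        if (!Auth.SessionManagement.isIpAllowedForProfile(profileId, ip)) {
            message = 'Login from this network is not permitted for your profile.';
            return null;  // stay on the flow page; login does not complete
        }
        // Org trusted range. With no range defined this returns false, so the
        // default is to require the extra factor rather than skip it.
        if (Auth.SessionManagement.inOrgNetworkRange(ip)) {
            return Auth.SessionManagement.finishLoginFlow(startUrl);
        }
        message = 'Enter the code from your authenticator app.';
        return null;
    }

    // Second step: verify the TOTP code, raise the session level, finish login.
    public PageReference verifyCode() {
        if (String.isBlank(totpCode)) {
            message = 'A code is required.';
            return null;
        }
        Boolean ok;
        try {
            ok = Auth.SessionManagement.validateTotpTokenForUser(
                totpCode.trim(), 'Login flow step-up');
        } catch (Exception e) {
            ok = false;  // e.g. no registered TOTP app: treat as a failed check
        }
        if (!ok) {
            message = 'Invalid code.';
            return null;
        }
        Auth.SessionManagement.setSessionLevel(Auth.SessionLevel.HIGH_ASSURANCE);
        return Auth.SessionManagement.finishLoginFlow(startUrl);
    }
}
```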
public static System.PageReference verifyDeviceFlow(String userCode, String startUrl)
userCode: Human-readable user code provided to the user by Salesforce. The user must enter this code at the verification URL to approve device access to Salesforce data.
startUrl: The URL of the page that the user is redirected to after successful login and approval of the device to access Salesforce data. If you don’t specify a start URL, the user is redirected to the Home page.
Type: System.PageReference