ConnectedAppPlugin Class

Extend the behavior of a connected app. This class gives you more control over the interaction between Salesforce and your connected app. You can customize how a connected app is invoked depending on the protocol used. You can intercept SAML XML generated by the Salesforce identity provider and add custom code before passing it to the target service provider.

Namespace

Auth

Usage

The class runs on behalf of the current user of the connected app. This user must have permission to use the connected app for the plug-in to work.

Example

This example gives the user permission to use the connected app if the context is SAML and the user has reached the quota tracked in a custom field. It returns the user’s permission set assignments. The example uses InvocationContext to modify a SAML assertion before it’s sent to the service provider.

        global class ConnectedAppPluginExample extends Auth.ConnectedAppPlugin{
        
        //Authorize the app if the user has achieved quota tracked in a custom field
        global override boolean authorize(Id userId, Id connectedAppId, boolean isAdminApproved) {
        /* Create a custom boolean field HasAchievedQuota__c on the user record 
        and then uncomment the block below */
        /*
        User u = [select id, HasAchievedQuota__c from User where id =: userId].get(0);
        return u.HasAchievedQuota__c; */
        
        return isAdminApproved;
        }
        
        //Call a flow during refresh
        global override void refresh(Id userId, Id connectedAppId) {
        try
        {
            Map<String, Object> inputVariables = new Map<String, Object>();
            inputVariables.put('userId', userId);
            inputVariables.put('connectedAppId', connectedAppId);
            /* Create a custom trigger ready flow and uncomment the block below */
            /*
            Flow.Interview.MyCustomFlow interview = new Flow.Interview.MyCustomFlow(inputVariables);
            interview.start(); */
        } catch ( Exception e ) {
            System.debug('FLOW Exception:' + e);
        }
        
        }
        
        //Return a user’s permission set assignments
        global override Map<String,String> customAttributes(Id userId, Map<String,String> formulaDefinedAttributes) 
        {  
            List<PermissionSetAssignment> psas = [SELECT id, PermissionSet.Name FROM PermissionSetAssignment 
            WHERE PermissionSet.IsOwnedByProfile = false AND (AssigneeId = :userId)];
            String permsets = '[';
            for (PermissionSetAssignment psa :psas)
            {
                permsets += psa.PermissionSet.Name + ';';
            }
            permsets += ']';
            formulaDefinedAttributes.put('PermissionSets', permsets);
            return formulaDefinedAttributes;
        
        }
        
        }

ConnectedAppPlugin Methods

The following are methods for ConnectedAppPlugin.

authorize(userId, connectedAppId, isAdminApproved)

Deprecated. Use authorize(userId, connectedAppId, isAdminApproved, context) instead.

Signature

public Boolean authorize(Id userId, Id connectedAppId, Boolean isAdminApproved)

Parameters

userId
Type: Id
The 15-character ID of the user to whom you want to give access.
connectedAppId
Type: String
The 15-character ID of the connected app.
isAdminApproved
Type: Boolean
The approval state of the specified user when the connected app requires approval.

Return Value

Type: Boolean

If the connected app requires admin approval, a returned value of true indicates that the current user is approved.

authorize(userId, connectedAppId, isAdminApproved, context)

Authorizes the specified user for the connected app. If the connected app is set for users to self-authorize, this call isn’t necessary.

Signature

public Boolean authorize(Id userId, Id connectedAppId, Boolean isAdminApproved, Auth.InvocationContext context)

Parameters

userId
Type: Id
The 15-character ID of the user to whom you want to give access.
connectedAppId
Type: Id
The 15-character ID of the connected app.
isAdminApproved
Type: Boolean
The approval state of the specified user when the connected app requires approval.
context
Type: InvocationContext
The context in which the connected app is invoked.

Return Value

Type: Boolean

If the connected app requires admin approval, a returned value of true indicates that the user is approved.

customAttributes(userId, connectedAppId, formulaDefinedAttributes)

Deprecated. Use customAttributes(userId, connectedAppId, formulaDefinedAttributes, context) instead.

Signature

public Map<String,String> customAttributes(Id userId, Id connectedAppId, Map<String,String> formulaDefinedAttributes,)

Parameters

userId
Type: Id
The 15-character ID of the user associated with the attributes.
connectedAppId
Type: Id
The 15-character ID of the connected app.
formulaDefinedAttributes
Type: Map<String,String>
A map of the new set of attributes from the UserInfo endpoint (OAuth) or from a SAML assertion. For more information, see The UserInfo Endpoint in the online help.

Return Value

Type: Map<String,String>

A map of the updated set of attributes.

customAttributes(userId, connectedAppId, formulaDefinedAttributes, context)

Sets new attributes for the specified user. When the connected app gets the user’s attributes from the UserInfo endpoint or through a SAML assertion, use this method to update those attribute values.

Signature

public Map<String,String> customAttributes(Id userId, Id connectedAppId, Map<String,String> formulaDefinedAttributes, Auth.InvocationContext context)

Parameters

userId
Type: Id
The 15-character ID for the user associated with the attributes.
connectedAppId
Type: Id
The 15-character ID for the connected app.
formulaDefinedAttributes
Type: Map<String,String>
A map of the current set of attributes from the UserInfo endpoint (OAuth) or from a SAML assertion. For more information, see The UserInfo Endpoint in the online help.
Type: InvocationContext
The context in which the connected app is invoked.

Return Value

Type: Map<String,String>

A map of the updated set of attributes.

modifySAMLResponse(authSession, connectedAppId, samlResponse)

Modifies the XML generated by the Salesforce SAML Identity Provider (IDP) before it’s sent to the service provider.

Signature

public dom.XmlNode modifySAMLResponse(Map<String,String> authSession, Id connectedAppId, dom.XmlNode samlResponse)

Parameters

authSession
Type: Map<String,String>
The attributes for the authorized user’s session. The map includes the 15-character ID of the authorized user who’s accessing the connected app.
connectedAppId
Type: Id
The 15-character ID of the connected app.
samlResponse
Type: Dom.XmlNode
Contains the SAML XML response generated by the IDP.

Return Value

Type: Dom.XmlNode

Returns an instance of Dom.XmlNode containing the modified SAML XML response.

Usage

Use this method to modify the XML SAML response to perform an action based on the context of the SAML request before it’s verified, signed, and sent to the target service provider. This method enables developers to extend the connected app plug-in to meet their specific needs.

The developer assumes full responsibility for changes made within the connected app plug-in. The plug-in must include validation and error handling. If the plug-in throws an exception, catch it, log it, and stop the process. Don’t send anything to the target service provider.

refresh(userId, connectedAppId)

Deprecated. Use refresh(userId, connectedAppId, context) instead.

Signature

public void refresh(Id userId, Id connectedAppId)

Parameters

userId
Type: Id
The 15-character ID of the user getting the refresh token.
connectedAppId
Type: Id
The 15-character ID of the connected app.

Return Value

Type: void

refresh(userId, connectedAppId, context)

Salesforce calls this method during a refresh token exchange.

Signature

public void refresh(Id userId, Id connectedAppId, Auth.InvocationContext context)

Parameters

userId
Type: Id
The 15-character ID of the user getting the refresh token.
connectedAppId
Type: Id
The 15-character ID of the connected app.
context
Type: InvocationContext
The context in which the connected app is invoked.

Return Value

Type: void