Newer Version Available
LoginDiscoveryHandler Interface
Namespace
Usage
Implement a Auth.LoginDiscoveryHandler for an interview-based log in. The handler looks up a user from the identifier entered, and can call Site.passwordlessLogin to determine which credential to use, such as email or SMS. Or the handler can redirect a user to a third-party identity provider for login. With this handler, the login page doesn't show a password field. However, you can use Site.passwordlessLogin to then prompt for a password.
From the user perspective, the user enters an identifier at the log in prompt. Then the user completes the login by entering a PIN or password. Or, if SSO-enabled, the user bypasses login.
For an example, see LoginDiscoveryHandler Example Implementation. For more details, see Customer 360 Identity in Salesforce Help.
LoginDiscoveryHandler Method
Here’s the method for LoginDiscoveryHandler.
login(identifier, startUrl, requestAttributes)
Signature
public System.PageReference login(String identifier, String startUrl, Map<String,String>requestAttributes)
Parameters
- identifier
- Type: String
- Identifier the customer or partner entered at the login prompt, for example, an email address or phone number.
- startUrl
- Type: String
- Path to the Experience Cloud site page requested by the customer or partner. The user is redirected to this location after successful login.
- requestAttributes
- Type: Map<String,String>
- Information about the login request based on the user’s browser state when accessing the login page. requestAttributes passes in the CommunityUrl, IpAddress, UserAgent, Platform, Application, City, Country, and Subdivision values. The City, Country, and Subdivision values come from IP geolocation.
Example
Here’s a sample requestAttributes response.
LoginDiscoveryHandler Example Implementation
This Apex code example implements the Auth.LoginDiscoveryHandler interface. It checks whether the user who is logging in has a verified email or phone number, depending on which identifier was supplied on the login page. If verified, with Auth.VerificationMethod.EMAIL or Auth.VerificationMethod.SMS, we send a challenge to the identifier, either the user’s email address or mobile device. If the user enters the code correctly on the verify page, the user is redirected to the Experience Cloud site’s page specified by the start URL. If the user isn’t verified, the user must enter a password to log in. The handler also checks that the email and phone number are unique with this code: users.size()==1.
The discoveryResult function calls the Site.passwordlessLogin method to log the user in with the specified verification method. The getSsoRedirect function looks up whether the user logs in with SAML or an Auth Provider. Add the implementation-specific logic to handle the lookup.
Code Example: Filter Login Discovery Users by Profile
Your production org can have multiple users with the same verified email address and mobile number. But your customers must have unique ones. To address this problem, you can add a few lines of code that filters users by profile to ensure uniqueness. This code example handles users with the External Identity User profile, but can be adapted to support other use cases. For example, you can modify the first line of code to address users with other user licenses or criteria.
Login Discovery is available with the following user licenses: Customer Community, Customer Community Plus, External Identity, Partner Community, and Partner Community Plus. It depends on which profiles have access to your Experience Cloud site.