These are my notes on registration handlers, gathered together while working towards the Identity and Access Management certification.
What is a Registration Handler
The registration handler is required when setting up single sign-on for Salesforce or Experience Cloud with authentication providers such as OpenID Connect, Google, Janrain, Facebook or other third party services. If a registration handler class does not exist, the SSO initialisation URL for the authentication provider will not be available.
A registration handler is an Apex class that implements the Auth.RegistrationHandler interface. An interface is a collection of methods with empty bodies that are ready for implementing.
Using information and definitions from the chosen authentication provider, the registration handler must be configured to perform the following logic:
- Creating Salesforce Users:
This uses the createUser method to create user records and related data using the Auth.UserData class. The third party authentication provider can send back a collection of data about the user, which can include values such as username, email and locale. If the registration handler requires more information, the Auth.UserData class has a map of all raw values from the third party as Map<String, String>. An example would be:
    Auth.UserData(String identifier,
                  String firstName,
                  String lastName,
                  String email,
                  String locale,
                  Map<String, String> attributeMap)
This attribute map can be queried for values, such as data.attributeMap.get('language');
This data should only be used in the registration handler to assist with the authentication process.
- Updating Salesforce Users:
This uses the updateUser() method to update a specified user's information. It is called when a user who has previously logged in with the authentication provider logs in again.
- Confirming Salesforce Users:
This uses the confirmUser() method from the Auth.ConfirmUserRegistrationHandler interface so that users are correctly mapped between the third party and Salesforce.
- Additionally, linking to existing users, accounts and/or contacts.
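As an added example (not from the original notes or from Salesforce's generated template), here is a minimal Auth.RegistrationHandler that implements createUser and updateUser, reads one value from attributeMap, and only copies provider-supplied data into fields it has validated. The profile name 'Standard User', the '.sso' username suffix and the allowed-locale list are assumptions for illustration.

```apex
// Added example: a defensive registration handler for an authentication provider.
// Assumptions: the 'Standard User' profile exists, and usernames are derived from the
// provider email plus a '.sso' suffix (usernames must be globally unique and email-shaped).
global class ExampleRegistrationHandler implements Auth.RegistrationHandler {

    global class RegistrationException extends Exception {}

    // Only locales we are prepared to accept from the third party; everything else
    // falls back to a fixed default, so the raw attributeMap never drives settings directly.
    private static final Set<String> ALLOWED_LOCALES = new Set<String>{'en_US', 'en_GB', 'de'};

    // First login via the provider: build (but do not insert) the new User record.
    global User createUser(Id portalId, Auth.UserData data) {
        // Refuse to provision an account when the provider supplied no email address.
        if (String.isBlank(data.email)) {
            throw new RegistrationException('Authentication provider returned no email');
        }
        Profile p = [SELECT Id FROM Profile WHERE Name = 'Standard User' LIMIT 1]; // assumed profile
        User u = new User();
        u.ProfileId = p.Id;                    // fixed, never taken from provider claims
        u.Username = data.email + '.sso';      // assumed suffix keeps the username unique
        u.Email = data.email;
        u.FirstName = data.firstName;
        u.LastName = String.isBlank(data.lastName) ? 'Unknown' : data.lastName;
        u.Alias = ('sso' + data.identifier).left(8);   // Alias is limited to 8 characters
        u.LanguageLocaleKey = pickLocale(data);
        u.LocaleSidKey = u.LanguageLocaleKey;
        u.EmailEncodingKey = 'UTF-8';
        u.TimeZoneSidKey = 'GMT';
        return u;
    }

    // Later logins: refresh only the display fields, never profile or permissions.
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        User u = new User(Id = userId);
        u.FirstName = data.firstName;
        if (!String.isBlank(data.lastName)) {
            u.LastName = data.lastName;
        }
        update u;
    }

    // Read the raw 'language' attribute (as in the notes) but validate it against an allow-list.
    private static String pickLocale(Auth.UserData data) {
        String raw = data.attributeMap == null ? null : data.attributeMap.get('language');
        return ALLOWED_LOCALES.contains(raw) ? raw : 'en_US';
    }
}
```

The handler never inserts the user itself: Salesforce inserts the record returned by createUser once the provider flow completes, so validation failures should be raised as exceptions before returning.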
Once a user is authenticated by the authentication provider, an access token is created and can be retrieved. If more than one third party provider can authenticate a single user, a map of access tokens is created instead. Janrain behaves differently in relation to tokens.
“When using Janrain as an authentication provider, you must use the Janrain accessCredentials dictionary values to retrieve the access token or its equivalent.”
From Developer.salesforce.com
It is not necessary to know how to code to create a registration handler class. It is possible to select “Automatically create a registration handler template”. This can then be edited later.