Login Flow Examples
- Create the variables. The variables secret and qr_url are Text, while IsTokenValid is a Boolean.
  - secret—Stores the secret key for all two-factor operations.
  - qr_url—Stores the URL for the QR code encoding of the secret key.
  - IsTokenValid—Stores the verification result.
- Set up the TOTPPlugin to generate a new secret for users that are not already registered with a TOTP. A plug-in is an Apex class that extends the standard functionality of a flow. You can use a plug-in to do a complex calculation, make API calls to external services, and more. TOTPPlugin accesses the Salesforce TOTP methods, generates a time-based secret key with a QR code, and validates the TOTP. The Apex class for TOTPPlugin is available in the login flow sample package. The plug-in takes these input parameters.
  - OTP_INPUT—The TOTP token that the user provides.
  - OTP_REGISTRATION_INPUT—The TOTP token that the user provides when first registering.
  - SECRET_INPUT—The secret key used to generate the TOTP.
  It returns these output parameters.
  - SECRET_OUTPUT—A secret key generated by the plug-in.
  - QR_URL_OUTPUT—A QR encoding of the secret key.
  - IsValid_OUTPUT—If the validation succeeded, it returns true. Otherwise, it returns false.
  Configure a TOTPPlugin instance to generate a new secret key and QR code if the user is not already registered. In this case, no input is passed. The generated secret key and the URL for its QR code are stored in the secret and qr_url variables, respectively.
- Configure a decision element to register a user. The decision element Registration checks whether secret is null. If it is not null, the plug-in generated a new key, which means the user is not yet registered and must register; define Register as that outcome. Otherwise, the user is already registered and must provide only the TOTP token. In this case, the outcome is Get TOTP, which is also the default outcome.
- Configure the Get TOTP screen. Users that are already registered are redirected to this screen and asked to provide the TOTP token. The input TOTP token is saved in OTP_input.
- Configure the Registration screen. This screen presents the QR code and asks the user to scan it, initialize the TOTP client application, and provide the TOTP token.
- Validate the TOTP token. Define another instance of the TOTPPlugin to validate the TOTP token that the user provides. The plug-in supports these use cases.
  - The user comes from the Registration screen. The user has to scan the QR code and provide the TOTP token. Both the TOTP token and the secret are passed to the TOTPPlugin (OTP_REGISTRATION_INPUT and SECRET_INPUT) for validation. The TOTPPlugin validates the TOTP token against the secret. If valid, the secret is registered on the user record and used for future logins.
  - The user comes from the Get TOTP screen. The user is already registered, so provides only the TOTP token. The token is passed to the TOTPPlugin's token input (OTP_INPUT) for validation.
  The IsValid_OUTPUT parameter returns the validation status, which is then saved in IsTokenValid. The decision element has two possible outcomes.
  - The token is valid if IsTokenValid is true.
  - The token is invalid, which is the default.
- Configure a decision element to log in the user. If the validation succeeds, the user proceeds to the end of the flow, clicks to the next step, and logs in to the application. If the validation fails, the flow redirects the user back to Step 2. There, a registered user is asked to provide a new TOTP token. If the user isn't yet registered, the user is asked to register and provide a new TOTP token.
- Save the login flow, activate it, and connect it with a user profile.