          Complete Prerequisites to Connect to a Custom One-Time Password Provider

          To send a one-time password (OTP) via a custom provider, Salesforce calls an API that's hosted on your provider. To access this API, Salesforce must be able to make authenticated calls to your provider. Get started by retrieving authentication credentials from your provider and registering the provider's callout endpoint with Salesforce. To simplify and secure development, consider creating a named credential that stores the provider's credentials and callout endpoint in a single definition.

          Required Editions

          Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
          Available in: Professional, Enterprise, Unlimited, and Developer Editions
          User Permissions Needed
          To configure remote site settings: Customize Application or Modify All Data
          To view external credentials: View Setup and Configuration
          To create, edit, or delete external credentials: Manage Named Credentials or Customize Application

          Get Authentication Credentials from Your Provider

          To send a one-time password (OTP) via a custom provider, such as Telesign or Twilio, Salesforce uses your custom OTP delivery Apex handler to call an API that's hosted on your provider. To access this API, you must authenticate using credentials from the provider.

          1. If you don't already have an account with the provider you want to use, create one.
          2. From your provider, retrieve the credentials required to make an authenticated call to their messaging API. How you do this step depends on your provider.
            Here's the documentation about how to authenticate for a couple of common OTP providers.

          Add the Provider's Messaging API Endpoint to Your Remote Site Settings

          To allow your custom OTP delivery handler to send an HTTP POST request to your provider's messaging API, register the provider's messaging endpoint in your remote site settings.

          1. Get the URL for your provider's messaging API, including the correct base URL and the endpoint for the resource you want to access. Use an endpoint that can send one-time passwords (OTPs). How you do this step depends on your provider.
            Here's the documentation for a few common OTP providers.
          2. Add the provider's URL to your remote site settings.

          (Optional) Create a Named Credential

          To simplify and secure your Apex development, create a named credential. The named credential stores your provider's messaging endpoint along with its authentication credentials in a single definition. How you create the named credential depends on the authentication protocol that your provider uses.

          1. To create a named credential, first create an external credential and then link it to a named credential. See Create Named Credentials and External Credentials and find the steps for the authentication protocol that your provider uses.
            For example, if your provider uses the Basic authentication protocol, first create a Basic authentication external credential. Then, create a named credential that connects to your external credential.
          2. To make Apex callouts using the named credential, use the Automated Process User, which is a user account that comes with all Salesforce orgs. Make sure that this user can make callouts.
            1. Create a permission set.
            2. Enable external credential principals for the permission set.
            3. Enable user external credentials for the permission set.
            4. To assign the permission set to the Automated Process User, run this code in the Apex developer console.
              // Assigns your permission set to the Automated Process User (alias 'autoproc').
              insert new PermissionSetAssignment(
                  AssigneeId = [SELECT Id FROM User WHERE Alias = 'autoproc'].Id,
                  PermissionSetId = '<your permission set ID>');
            The Automated Process User can now make callouts by using your named credential.
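
The named-credential approach described above, as an added Apex example (not Salesforce's code and not part of the original page): it contrasts a callout that carries hardcoded credentials with one that goes through a named credential. The named credential `OTP_Provider`, the `/messages` path, the `to` and `body` form fields, and the placeholder host are assumptions; substitute your provider's values.

```apex
// Added example. OTP_Provider, /messages, and the to/body form fields are
// hypothetical; use the names and parameters your provider documents.
public with sharing class OtpCalloutExample {

    public class OtpDeliveryException extends Exception {}

    // Before: endpoint and secret live in source code. The callout relies on
    // the remote site setting for this host, and the secret is readable by
    // anyone who can view the class or its deployment history.
    public static HttpRequest buildHardcodedRequest(String phone, String otp) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://api.provider.example/messages'); // placeholder host
        req.setHeader('Authorization', 'Basic ' +
            EncodingUtil.base64Encode(Blob.valueOf('<account id>:<api secret>')));
        return finish(req, phone, otp);
    }

    // After: the callout: prefix resolves the URL from the named credential,
    // and Salesforce adds the Authorization header from the linked external
    // credential when the request is sent. No secret appears in Apex.
    public static HttpRequest buildNamedCredentialRequest(String phone, String otp) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:OTP_Provider/messages');
        return finish(req, phone, otp);
    }

    private static HttpRequest finish(HttpRequest req, String phone, String otp) {
        req.setMethod('POST');
        req.setTimeout(10000); // milliseconds
        req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
        req.setBody('to=' + EncodingUtil.urlEncode(phone, 'UTF-8') +
            '&body=' + EncodingUtil.urlEncode('Your verification code is ' + otp, 'UTF-8'));
        return req;
    }

    public static void send(String phone, String otp) {
        HttpResponse res = new Http().send(buildNamedCredentialRequest(phone, otp));
        Integer status = res.getStatusCode();
        if (status < 200 || status >= 300) {
            // Report only the status; never log the OTP or the request body.
            throw new OtpDeliveryException('OTP provider returned HTTP ' + status);
        }
    }
}
```

If the callout fails with an authorization error for the named credential, check that the permission set assigned to the Automated Process User grants access to the external credential principal.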
           