Using Frontdoor.jsp to Bridge an Existing Session Into Salesforce
You can use frontdoor.jsp to give users access to Salesforce from a custom web interface, such as a Salesforce site, using their existing session ID and the server URL.
Required Editions
| Available in: both Salesforce Classic and Lightning Experience |
| Available in: All Editions |
To authenticate users with frontdoor.jsp, you must parse the session ID (not just the 15-character or 18-character ID) and the instance or domain from the serverUrl of the LoginResult returned from a SOAP API login() call. We recommend passing these values to frontdoor.jsp through a form that uses a POST request.
For example, this form posts the current session ID to frontdoor.jsp.

<form method="POST" action="https://domain_name/secur/frontdoor.jsp">
  <input type="hidden" name="sid" value="full_sessionID_value" />
  <input type="hidden" name="retURL" value="optional_relative_url_to_open" />
  <input type="submit" name="login" value="Log In" />
</form>

In this example, domain_name is the domain of the server URL (for example, myDomainName.my.salesforce.com).
OAuth 2.0 Hybrid App Token Flows
For OAuth 2.0 hybrid app token flows, the hybrid app sets the domains’ associated SIDs in the session cookies to directly bridge a web session without using frontdoor.jsp.
There’s one scenario that requires you to use frontdoor.jsp with hybrid app token flows: when the web session resets user division on objects via the Reset to Default Division on Login setting. To bypass session interruptions during this flow, include a directBridge2 parameter with the value set to true in the request to frontdoor.jsp. The directBridge2 parameter directly passes the access token to the session ID cookie of the requested domain. With this flow, the hybrid app uses the same access token for API calls and UI requests, so remembering when your access and refresh tokens expire is unnecessary.
If you require multi-factor authentication (MFA) for your entire org, users are prompted for MFA to access their web session during OAuth hybrid app flows. For implementations that authenticate users with single sign-on (SSO), if users complete MFA using the identity provider’s service, the Salesforce MFA challenge is redundant. You can bypass the Salesforce MFA challenge by setting the directBridge2 parameter to true while bridging the OAuth session via frontdoor.jsp. To bypass MFA with the directBridge2 parameter, the Use Salesforce MFA for this SSO Provider setting must be disabled for your authentication provider or SAML single sign-on settings, depending on what type of SSO flow you're using. For more information, see SAML SSO with Salesforce as the Service Provider and Authentication Provider SSO with Salesforce as the Relying Party.
To use the directBridge2 parameter, make sure that the session ID value is an OAuth 2.0 access token with the web scope and that it’s passed in the POST body, not a query string. The mobile app must use the OAuth 2.0 hybrid app token flows and be able to manage session cookies in web view. The directBridge2 parameter isn't supported in standard web browsers.
Here’s an example form that posts the SID to frontdoor.jsp and includes the directBridge2 parameter.

<form method="POST" action="https://domain_name/secur/frontdoor.jsp">
  <input type="hidden" name="directBridge2" value="true" />
  <input type="hidden" name="sid" value="full_sessionID_value" />
  <input type="submit" name="Submit" />
</form>

To learn more about hybrid app token flows, see OAuth 2.0 Authorization and Session Management for Hybrid Apps.
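The following is an added example, not Salesforce's own code, that builds the frontdoor.jsp POST described in both form examples above (the plain sid/retURL form and the directBridge2 variant). It assumes a LoginResult-style serverUrl from the SOAP login() call and an OAuth token response dictionary with access_token and scope fields; every host name, token and path in it is a constructed placeholder. It also adds two checks that are assumptions rather than documented frontdoor.jsp behaviour: the token's scope is required to include web or full before it is used as a session ID, and retURL is required to be a relative path starting with a single slash so the redirect cannot be pointed at another host.

```python
"""Build a frontdoor.jsp POST from an existing Salesforce session.

Added example (not Salesforce code). Sample values are constructed.
"""
from html import escape
from typing import Dict, Optional
from urllib.parse import urlencode, urlsplit

FRONTDOOR_PATH = "/secur/frontdoor.jsp"


def frontdoor_url(server_url: str) -> str:
    """Derive https://<domain>/secur/frontdoor.jsp from a LoginResult serverUrl.

    Only the host of serverUrl is reused; the SOAP endpoint path is dropped.
    """
    parts = urlsplit(server_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("serverUrl must be an absolute https URL")
    return f"https://{parts.hostname}{FRONTDOOR_PATH}"


def check_ret_url(ret_url: str) -> str:
    """Accept only a relative path such as /apex/MyVisualforcePage.

    Added check (assumption, not documented frontdoor.jsp behaviour): reject
    absolute URLs and protocol-relative paths (//host) so retURL can only
    point back into the same Salesforce domain.
    """
    if not ret_url.startswith("/") or ret_url.startswith("//") or "\\" in ret_url:
        raise ValueError("retURL must be a relative path beginning with a single '/'")
    return ret_url


def session_id_from_token_response(token_response: Dict[str, str]) -> str:
    """Return the OAuth access_token to use as the full session ID.

    The page states the app's scope must include web or full (and web for
    directBridge2); this check enforces that before the token is reused.
    """
    scopes = set(token_response.get("scope", "").split())
    if not scopes & {"web", "full"}:
        raise ValueError("access_token lacks the web or full scope")
    return token_response["access_token"]


def frontdoor_fields(sid: str, ret_url: Optional[str] = None,
                     direct_bridge2: bool = False) -> Dict[str, str]:
    """Assemble the POST fields in the order used by the page's forms."""
    fields: Dict[str, str] = {}
    if direct_bridge2:
        fields["directBridge2"] = "true"
    fields["sid"] = sid
    if ret_url is not None:
        fields["retURL"] = check_ret_url(ret_url)
    return fields


def frontdoor_post_body(sid: str, ret_url: Optional[str] = None,
                        direct_bridge2: bool = False) -> str:
    """URL-encoded POST body; the sid goes in the body, never the query string."""
    return urlencode(frontdoor_fields(sid, ret_url, direct_bridge2))


def frontdoor_form_html(server_url: str, sid: str, ret_url: Optional[str] = None,
                        direct_bridge2: bool = False) -> str:
    """Render the hidden-field form from the page with every value HTML-escaped."""
    action = frontdoor_url(server_url)
    lines = [f'<form method="POST" action="{escape(action, quote=True)}">']
    for name, value in frontdoor_fields(sid, ret_url, direct_bridge2).items():
        lines.append(f'  <input type="hidden" name="{name}" value="{escape(value, quote=True)}" />')
    lines.append('  <input type="submit" name="login" value="Log In" />')
    lines.append("</form>")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample inputs: a LoginResult serverUrl and an OAuth token response.
    SERVER_URL = "https://mydomainname.my.salesforce.com/services/Soap/c/EXAMPLE"
    TOKEN_RESPONSE = {"access_token": "CONSTRUCTED_SESSION_TOKEN", "scope": "web api refresh_token"}
    sid = session_id_from_token_response(TOKEN_RESPONSE)
    print(frontdoor_form_html(SERVER_URL, sid, "/apex/MyVisualforcePage"))
    print(frontdoor_post_body(sid, direct_bridge2=True))
```

The form renderer escapes the action and every value, so a session ID or retURL containing a quote cannot break out of the attribute; the body builder is what a server-side or mobile component would send directly when no HTML form is involved.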
Full Session ID
An example of a full session ID is the access_token obtained from OAuth authentication. One of the scopes specified when you create an external client app must be web or full.
You have several ways to get a Session ID, such as from UserInfo.getSessionId() in Apex, $Api.SessionID and other sources. Sometimes the ID values from these sources vary depending on context, don't work with frontdoor.jsp, and can pose security risks as you use them. Use the access_token from an OAuth authentication for a secure, reliable value.
Relative URL to Open
You can optionally include a URL-encoded relative path to redirect users to the Salesforce user interface or a particular record, object, report, or Visualforce page, for example, /apex/MyVisualforcePage.