Edit the SAML Just-in-Time Handler
Finish the custom SAML Just-in-Time (JIT) configuration process by editing the Apex provisioning handler class. You can customize the way Salesforce provisions users when they log in to Salesforce with SAML single sign-on (SSO) for the first time.
Required Editions
| Available in: both Salesforce Classic and Lightning Experience |
|---|
| Federated Authentication is available in: All Editions |
| Delegated Authentication is available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions |
| Authentication Providers are available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions |

| User Permissions Needed | |
|---|---|
| To view the settings: | View Setup and Configuration |
| To edit the settings: | Customize Application AND Modify All Data |
Before you can edit the custom SAML JIT Apex handler, configure SAML SSO with Salesforce as a service provider and enable JIT provisioning with the Custom SAML JIT with Apex handler User Provisioning Type.
If you set up Standard JIT provisioning, editing an Apex handler class isn’t necessary, and you test the SSO connection directly.
Edit the Apex handler class in Salesforce Setup.
- In Setup, in the Quick Find box, enter Apex Classes, and then select Apex Classes.
- To map fields between SAML and Salesforce, edit the generated Apex SAML JIT handler. In addition, you can modify the generated code to support these options.
  - Custom fields
  - Fuzzy profile matching
  - Fuzzy role matching
  - Contact lookup by email
  - Account lookup by account number
  - Standard user provisioning into an Experience Cloud site
  - Standard user login into an Experience Cloud site
  - Default profile ID usage for portal Just-in-Time provisioning
  - Default portal role usage for portal Just-in-Time provisioning
  - Username generation for portal Just-in-Time provisioning

  For example, to support custom fields in the generated handler code, find the “Handle custom fields here” comment in the generated code. After that code comment, insert your custom field code.

  You can also customize the way your JIT handler processes encrypted SAML assertions. If the assertion is encrypted, Salesforce decrypts it and sends it to the JIT handler in the attribute map. With access to the decrypted assertion, you can write custom code to extract the user information you need.

  For more information and examples, see the SamlJitHandler Interface documentation in the Apex Reference Guide.

  Note: If your identity provider sends JIT attributes for the Contact or Account object in the same assertion as the User object, the generated handler usually can’t make updates. For a list of User fields that can’t be updated simultaneously with Contact or Account fields, see Objects That Cannot Be Used Together in DML Operations in the Apex Developer Guide.
- Save your changes.
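The following is an added example of a hand-edited handler, not the code Salesforce generates and not taken from the Apex Reference Guide. It shows the custom-field hook and a fuzzy profile match that is bounded by an allowlist, so the assertion can never select a profile the administrator did not list; it assumes a custom User field Department__c and identity provider attributes named User.ProfileName and User.Department__c.

```apex
// Added example, not the Salesforce-generated handler; assumes a custom field User.Department__c
// and IdP attributes named User.ProfileName and User.Department__c.
global class ExampleSamlJitHandler implements Auth.SamlJitHandler {
    private class JitException extends Exception {}
    // Fuzzy profile matching restricted to an allowlist: case-insensitive, but an unlisted
    // value (such as an administrator profile name) falls back to the default profile.
    private static final Map<String, String> PROFILE_ALLOWLIST =
        new Map<String, String>{ 'employee' => 'Standard User', 'support' => 'Standard Platform User' };
    private Id resolveProfileId(Map<String, String> attributes) {
        String requested = attributes.get('User.ProfileName');
        String key = requested == null ? '' : requested.trim().toLowerCase();
        String name = PROFILE_ALLOWLIST.containsKey(key) ? PROFILE_ALLOWLIST.get(key) : 'Standard User';
        List<Profile> found = [SELECT Id FROM Profile WHERE Name = :name LIMIT 1];
        if (found.isEmpty()) throw new JitException('Profile not found: ' + name);
        return found[0].Id;
    }
    private void handleUser(Boolean create, User u, Map<String, String> attributes, String fedId) {
        if (create) {
            // Fail closed: a new User record cannot be built without these attributes.
            if (String.isBlank(attributes.get('User.Email')) || String.isBlank(attributes.get('User.LastName')))
                throw new JitException('Assertion is missing User.Email or User.LastName');
            u.Email = attributes.get('User.Email');
            u.Username = u.Email;
            u.LastName = attributes.get('User.LastName');
            u.Alias = u.LastName.left(8);
            u.FederationIdentifier = fedId;
            u.ProfileId = resolveProfileId(attributes);
            u.TimeZoneSidKey = 'America/Los_Angeles';
            u.LocaleSidKey = 'en_US';
            u.EmailEncodingKey = 'UTF-8';
            u.LanguageLocaleKey = 'en_US';
        }
        // "Handle custom fields here": copied on create and refreshed on every later login.
        if (attributes.containsKey('User.Department__c')) {
            u.Department__c = attributes.get('User.Department__c');
        }
    }
    global User createUser(Id samlSsoProviderId, Id communityId, Id portalId,
            String federationIdentifier, Map<String, String> attributes, String assertion) {
        User u = new User();
        handleUser(true, u, attributes, federationIdentifier);
        insert u;
        return u;
    }
    global void updateUser(Id userId, Id samlSsoProviderId, Id communityId, Id portalId,
            String federationIdentifier, Map<String, String> attributes, String assertion) {
        User u = [SELECT Id FROM User WHERE Id = :userId];
        handleUser(false, u, attributes, federationIdentifier);
        update u;
    }
}
```

Because the decrypted assertion arrives through the attribute map, every value read from it is attacker-influenced from the handler's point of view; resolving privileged fields such as ProfileId only through a fixed mapping, as above, keeps a misconfigured or compromised identity provider from provisioning elevated users.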
After editing your custom SAML JIT Apex handler class, test your SSO connection by trying to access the identity provider’s application. Your identity provider directs the user’s browser to POST a form containing SAML assertions to the Salesforce login page. Each assertion is verified, and if successful, users can log in with SSO.
If you have difficulty using SSO, use the SAML Assertion Validator.
If your users have problems using SSO, review the SAML login history to determine the problem, and share what you find with your identity provider.
If you’re using SAML version 2.0, the OAuth 2.0 Token Endpoint field is populated after you configure SAML. Use the token with the OAuth 2.0 Web Server Flow.

