
How To Optimize Automated Tests and Securely Log in to Salesforce Without Verification Code or MFA?

As with any software testing, automation testing of Salesforce solutions is a reliable approach to verify the functionality and integrity of the platform. Automated tests are designed to run automatically, reducing manual effort and ensuring a fast-to-market approach.

According to the Katalon research, 63% of surveyed QA teams reported positive returns on investment (ROIs) from their testing efforts, demonstrating the time and cost efficiency achieved through automation. Moreover, based on the Kobiton report, approximately 33% of companies seek to automate between 50% and 75% of their testing process, while around 20% aim to automate more than 75% of the testing process.

However, during the execution of automated tests in Salesforce, QA engineers (and I personally) are facing a challenge with Salesforce authentication that often requires extra steps, like MFA. When users log in to Salesforce from an unfamiliar browser or device, they are required to verify their identity as a security precaution. Typically, this occurs during the initial login, and a cookie is saved. But it looks like, when running automation scripts, browser cookies are cleared for security reasons.

Why Authentication Questions Are Important for QA Teams?

Starting from Spring ’23, Salesforce is automatically enabling MFA for direct logins to production orgs. Also, from Summer ’24, Salesforce scheduled the enforcement to make MFA a permanent part of the direct login process.

Apparently, when your org reaches the MFA enforcement milestone in the future, Salesforce will remove the option to disable MFA.

When I was looking for a solution and navigating through forums, I found only tips to use IP Trusted Range (if we need to verify identity) or disable MFA for profiles/org level. Unfortunately, these solutions demand manual management and have some security issues. For example, you will need to add new IP addresses constantly, and every person can reach your instance knowing the right address and credentials.

So, I’ve created my own solution for how to securely log in to Salesforce without passing identity verification and MFA.

Log in to Salesforce via Salesforce CLI

My solution involves using frontdoor.jsp to open the necessary org without providing a username and password. The “frontdoor” is a technical webpage managed by Salesforce to access a Salesforce org or Communities (Experience Cloud) in the browser.

To generate the link to that page, we will use Salesforce’s own tool, Salesforce CLI. Now I will guide you step by step through the whole process. The only requirement is to have Salesforce CLI installed.

First of all, we need to log in to our Salesforce org via the CLI. One of the advantages of my solution is that you need to do it only once. When you log in for the first time, you will be taken to the Salesforce login screen to key in your credentials. To do so, type the command below in your local terminal. To make it easier to manage your Salesforce orgs, set an alias that you will refer to later:

sf org login web --alias myOrgForAutotests

If everything is correct, you will see a message about successful login:

Successful login via CLI

Now you can easily open the needed org without entering a username and password by running the following command:

sf org open --target-org myOrgForAutotests

How does it work? In Salesforce, the access token and refresh token are stored upon initial authentication. You can navigate to the $HOME directory on your computer and cd into the .sfdx folder to see that for each org there will be a .json file with some information.

How Can We Use This Feature for Autotest’s Execution?

The autotest should authorize to the org, generate the frontdoor URL, and ask a browser to follow it. A simple way to authorize in Salesforce during the autotest’s execution is to use the sfdxAuthUrl value. The SFDX URL can be used to authenticate to the Salesforce CLI without needing any JWT Token or using the browser to key in credentials.

To get the sfdxAuthUrl value, just type this command (the --json flag formats the output as JSON):

sf org display --target-org myOrgForAutotests --verbose --json

The resulting JSON contains the URL in the “sfdxAuthUrl” property of the “result” object:

Authorize in Salesforce via CLI

If you want to keep this value for later rather than copy it from the terminal, you can save it locally by redirecting the output to a file. To do that, add > ./authFile.json at the end of the command:

sf org display --target-org myOrgForAutotests --verbose --json > ./authFile.json

To authorize to the org using the SFDX authorization URL in the ./authFile.json file, use this command:

sf org login sfdx-url --sfdx-url-file ./authFile.json --alias myOrgForAutotests

To generate the frontdoor URL, use the command you already know, but with the special flag --url-only. It returns the navigation URL but does not open the browser automatically. So the command will look like this:

sf org open --target-org myOrgForAutotests --url-only --json

The resulting JSON contains the URL in the “url” property of the “result” object.

Successful Login via Salesforce CLI

Great job! It’s precisely what we were looking for!

Security Considerations

Salesforce has robust security measures to safeguard user accounts and confidential information. We share these values. So, I strongly recommend using my solution wisely to ensure the Client_ID and Client_Secret values are not exposed. Make security your priority and store the SFDX auth URL in an environment variable that only authorized personnel can reach. As an example, you can keep it in the GitLab variables.

Store SFDX auth URL in the GitLab variables
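
The SFDX auth URL has the form force://<clientId>:<clientSecret>:<refreshToken>@<instanceUrl>, and the frontdoor URL carries session material in its query string, so neither should appear in CI logs or test reports. The following is an added example, not the author's code: it validates the auth URL, checks the frontdoor URL before the browser follows it, and produces redacted forms for logging. The variable name SFDX_AUTH_URL, the helper names, the check that the frontdoor host equals the auth URL's instance host, and all sample values are assumptions made for illustration.

```javascript
// Added example. Sample values below are constructed, not real credentials.
const SAMPLE_AUTH_URL = 'force://CONSTRUCTED_CLIENT_ID::CONSTRUCTED_REFRESH_TOKEN@example.my.salesforce.com';
const SAMPLE_STDOUT = '\x1B[32m{"result":{"url":"https://example.my.salesforce.com/secur/frontdoor.jsp?sid=CONSTRUCTED_SID"}}\x1B[39m';

const ANSI_SGR = /\x1B\[[0-9;]*m/g; // any colour/style escape sequence

// Accepts force://<clientId>:<clientSecret>:<refreshToken>@<instanceUrl>
// and the short form force://<refreshToken>@<instanceUrl>.
function parseSfdxAuthUrl(authUrl) {
  const m = /^force:\/\/(?:([^:@]*):([^:@]*):)?([^:@]+)@([A-Za-z0-9.-]+)$/.exec(authUrl || '');
  if (!m) throw new Error('SFDX auth URL is missing or malformed');
  return { clientId: m[1] || null, clientSecret: m[2] || null, refreshToken: m[3], host: m[4].toLowerCase() };
}

// Safe-to-log form: only the instance host survives.
function redactAuthUrl(authUrl) {
  return `force://***@${parseSfdxAuthUrl(authUrl).host}`;
}

// Parses the `sf org open --url-only --json` output and vets result.url
// before it is handed to the browser.
function extractFrontdoorUrl(stdout, expectedHost) {
  const parsed = JSON.parse(stdout.replace(ANSI_SGR, ''));
  if (!parsed.result || typeof parsed.result.url !== 'string') {
    throw new Error('CLI output has no result.url');
  }
  const url = new URL(parsed.result.url);
  if (url.protocol !== 'https:') throw new Error('frontdoor URL is not HTTPS');
  if (url.hostname !== expectedHost) throw new Error('frontdoor URL points at an unexpected host');
  return url;
}

// Masks every query value, since the frontdoor URL carries session material.
function redactUrl(url) {
  const copy = new URL(url.href);
  for (const key of [...copy.searchParams.keys()]) copy.searchParams.set(key, '***');
  return copy.href;
}

// In CI the auth URL would come from process.env.SFDX_AUTH_URL (hypothetical name).
const { host } = parseSfdxAuthUrl(SAMPLE_AUTH_URL);
const frontdoor = extractFrontdoorUrl(SAMPLE_STDOUT, host);
console.log('authorized as', redactAuthUrl(SAMPLE_AUTH_URL));
console.log('opening', redactUrl(frontdoor));
```

Log only the redacted forms; pass the unredacted URL object's href to the browser call and nowhere else.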

The Result

Here is a small hands-on example of an autotest based on Node.js that shows my solution. In this test, you may also note the clearLogs function. It is a utility function that strips color escape codes from the terminal output so that the remaining text can be parsed as JSON.

import exec from 'executive'

// `browser` is the global supplied by the test runner.
describe('Open an org only with sfdx url', () => {
    it('open org', async () => {
        // Authorize the CLI from the stored SFDX auth URL (no login screen involved)
        await exec.quiet(`sf org login sfdx-url --sfdx-url-file ./authFile.json --alias myOrgForAutotests`)
        // Ask the CLI for the frontdoor URL without opening a browser
        const frontdoor = await exec.quiet(`sf org open --target-org myOrgForAutotests --url-only --json`)
        // Strip color codes, parse the JSON and read result.url
        const url = (await clearLogs(frontdoor.stdout)).result.url
        await browser.url(url)
        await browser.pause(3000)
    })
})

// Removes the ANSI color escape sequences listed below, then parses the JSON.
export async function clearLogs(str) {
    const result = str
        .replace(/\x1B\[97m/g, '')
        .replace(/\x1B\[94m/g, '')
        .replace(/\x1B\[93m/g, '')
        .replace(/\x1B\[92m/g, '')
        .replace(/\x1B\[91m/g, '')
        .replace(/\x1B\[90m/g, '')
        .replace(/\x1B\[39m/g, '')
        .replace(/\x1B\[34m/g, '')
        .replace(/\x1B\[32m/g, '')
    return JSON.parse(result)
}

Log in to Salesforce without MFA