Log in to Salesforce with MFA
Salesforce requires Multi-Factor Authentication (MFA) for all user interface logins, including your automated tests. Tosca Cloud handles the MFA step automatically, using a one-time password (OTP) secret key that you store in a key vault.
Before you start
Make sure you have the following ready:
-
A supported key vault installed and running on the machine where you run your tests.
-
A Personal Agent or Team Agent to run your tests.
-
A Salesforce test user with TOTP-based MFA and no System Administrator profile. Salesforce applies phishing-resistant MFA to system admins, which Tosca Cloud doesn't support.
Get the OTP secret key from Salesforce
To generate time-based one-time password (TOTP) codes during your test run, Tosca Cloud needs the Base32-encoded OTP secret key for your test user. To get it, open Salesforce and follow these steps:
-
Log in to Salesforce with the test user account.
-
From Settings, search for Advanced User Details in the Quick Find box and select it. If it doesn't appear, search for Personal Information instead.
-
Under App Registration: One-Time Password Authenticator, select Connect. If an authenticator app is already connected, select Disconnect first, then Connect. For more details on this step, check Register a Third-Party Authenticator App (opens in new tab).
-
Enter the email verification code when prompted.
-
On the Connect an Authenticator App screen, select I Can't Scan the QR Code. Salesforce displays the Base32 OTP secret key. Copy the key and keep the registration window open.
Store the credentials in your key vault
Store the following values together in your key vault:
-
The Salesforce username.
-
The Salesforce password.
-
The OTP secret key from the previous section.
The steps for storing secrets depend on which key vault you use. For the exact steps, check your provider's documentation.
Once you've stored the credentials, go back to Salesforce and use an authenticator app (e.g., Google Authenticator) to generate a TOTP code from the secret key. Enter the code into the open registration window to complete the MFA setup.
Build the login test case
Now that your credentials are in the key vault, set up test steps for both the credential fields and the MFA prompt:
-
Open the Salesforce login page in a browser and use XScan to scan the login form. Create modules for the username field, password field, and Log In button.
-
Log in manually to trigger the MFA prompt, then scan that screen separately. Create modules for the verification code field and the Verify button.
-
Create a new test case with test steps for the full login sequence: open the Salesforce login page, enter the username and password, click Log In, enter the MFA code, and click Verify. Use the following values for each test step, both fetched from your key vault at runtime:
Test step
Value
DataType
Username, password
{SECRET}
Secret
MFA code
{OTP}
Secret
Keep in mind that TOTP codes expire after about 30 seconds, so don't add wait steps between Log In and Verify.
Run the test
Before you run your test case, make sure the following conditions are met:
-
The key vault is running and you're signed in to it.
-
The key vault CLI is on the system PATH. If Tosca Cloud can't find the key vault CLI, specify the path using the KeyVaultPath TCP.
-
The key vault responds within 20 seconds. If it takes longer, specify a longer timeout using the KeyVaultCommandTimeout TCP.
-
Your machine clock is synchronized. TOTP codes are valid for approximately 30 seconds, so clock drift can cause authentication to fail.
Once all conditions are met, run your test case. Tosca Cloud fetches the credentials from your key vault, generates a TOTP code, and enters it into the MFA prompt automatically.
What's next
Your login test is ready. Next, automate the rest of your Salesforce workflow with the Salesforce controls.