This content describes an older version of this product.

AuthProvider

Represents an Authentication Provider (or Auth Provider) in your organization. An Auth Provider enables users to log into your Salesforce organization using their login credentials from an external service provider such as Facebook© or Janrain©. It extends the Metadata metadata type and inherits its fullName field.

File Suffix and Directory Location

Authentication Providers are stored in the authproviders directory. The file name matches the URL suffix and the extension is .authprovider. For example, an Auth Provider with URL suffix FacebookProvider is stored in authproviders/FacebookProvider.authprovider.

Version

Authentication Providers are available in API version 27.0 and later.

Special Access Rules

Only users with the “Customize Application” and “Manage AuthProviders” permissions can access this object.

Fields

Each entry gives the field name, its type in parentheses, and its description.

authorizeUrl (string)
    Required, but only if providerType is OpenIdConnect. The OAuth authorization endpoint URL. Used only with OpenID Connect authentication providers. Available in API version 29.0 and later.

consumerKey (string)
    Required. The app’s key that is registered at the third-party Single Sign-On provider.

consumerSecret (string)
    Required. The consumer secret of the app that is registered at the third-party Single Sign-On provider. This field cannot be updated. When using create() this field must be encrypted. To create an encrypted form of the consumer secret from plain text:
      1. Create an Auth Provider with the consumerSecret plain text value.
      2. Save the Auth Provider.
      3. Create an outbound change set that includes the Auth Provider component.
    The new change set .xml file will have an entry in the form <consumerSecret>++XYZ++</consumerSecret>, where ++XYZ++ is the encrypted secret.

defaultScopes (string)
    Required, but only if providerType is OpenIdConnect. The scopes to be sent with the authorization request, if not specified when a flow is started. Used only with OpenID Connect authentication providers. Available in API version 29.0 and later.

DeveloperName (string)
    Required. Used when referring to the Auth Provider from a program.

errorUrl (string)
    A custom error URL for the provider to use to report any errors.

executionUserId (string)
    The user that runs the Apex handler class. The user must have the “Manage Users” permission. A user is required if you specify a registration handler class.

friendlyName (string)
    Required. A user-friendly name for the provider.

iconUrl (string)
    The path to an icon to use as a button on the login page for a community. Users click the button to log in to a community with the associated authentication provider, such as Twitter© or LinkedIn©. Available in API version 32.0 and later.

idTokenIssuer (string)
    Only available if providerType is OpenIdConnect. This value identifies the source of the authentication token in the form of an https: URI. Used only with OpenID Connect authentication providers. If provided, Salesforce validates the returned id_token value. The OpenID Connect specification requires an id_token value to be returned with the access_token value. Available in API version 30.0 and later.

providerType (AuthProviderType; enumeration of type string)
    Required. The third-party Single Sign-On provider to use. Valid values are:
      • Facebook
      • Salesforce
      • Janrain
      • LinkedIn (Available in API version 32.0 and later.)
      • Twitter (Available in API version 32.0 and later.)
      • OpenIdConnect (Available in API version 29.0 and later.) This type requires values for the following fields:
          • authorizeUrl
          • defaultScopes
          • tokenUrl
          • userInfoUrl
      • MicrosoftACS (Available in API version 31.0 and later.) Microsoft Access Control Service typically provides authentication for a Microsoft Office 365 service like SharePoint® Online.

registrationHandler (string)
    An existing Apex class that implements the Auth.RegistrationHandler interface.

sendAccessTokenInHeader (boolean)
    Required only if providerType is OpenIdConnect. When true, the access token is sent to the userInfoUrl in a header instead of a query string. Used only with OpenID Connect authentication providers. Available in API version 30.0 and later.

sendClientCredentialsInHeader (boolean)
    Required only if providerType is OpenIdConnect. When true, the client credentials are sent in a header, instead of a query string, to the tokenUrl. The credentials are in the standard OpenID Connect Basic Credentials header form, which is Basic <token>, where <token> is the base64-encoded string "clientkey:clientsecret". Used only with OpenID Connect authentication providers. Available in API version 30.0 and later.

tokenUrl (string)
    Required, but only if providerType is OpenIdConnect. The OAuth token endpoint URL. Used only with OpenID Connect authentication providers. Available in API version 29.0 and later.

userInfoUrl (string)
    Required, but only if providerType is OpenIdConnect. The OpenID Connect endpoint URL. Used only with OpenID Connect authentication providers. Available in API version 29.0 and later.
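As an added example (not Salesforce's own code), the following pre-deployment lint applies the field rules above to one .authprovider file, so that a provider missing its OpenID Connect endpoints, or carrying a plain-text consumerSecret instead of the encrypted change-set export, is caught before deployment. The base64 test for consumerSecret is a heuristic assumption, and the sample provider definition at the end is constructed.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = "{http://soap.sforce.com/2006/04/metadata}"
VALID_TYPES = {"Facebook", "Salesforce", "Janrain", "LinkedIn", "Twitter", "OpenIdConnect", "MicrosoftACS"}
OIDC_REQUIRED = ("authorizeUrl", "defaultScopes", "tokenUrl", "userInfoUrl")  # per the providerType row

def looks_base64(value: str) -> bool:
    """Heuristic (assumption): the change-set export writes the encrypted secret as base64."""
    if len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except ValueError:
        return False

def lint_auth_provider(xml_text: str) -> list[str]:
    """Return the rule violations found in one .authprovider file ([] means clean)."""
    root = ET.fromstring(xml_text)
    fields = {child.tag.replace(NS, ""): (child.text or "").strip() for child in root}
    problems = []
    for name in ("consumerKey", "consumerSecret", "friendlyName", "providerType"):
        if not fields.get(name):
            problems.append(f"missing required field {name}")
    ptype = fields.get("providerType")
    if ptype and ptype not in VALID_TYPES:
        problems.append(f"unknown providerType {ptype}")
    if ptype == "OpenIdConnect":
        problems += [f"OpenIdConnect requires {n}" for n in OIDC_REQUIRED if not fields.get(n)]
        issuer = fields.get("idTokenIssuer", "")
        if issuer and not issuer.startswith("https://"):
            problems.append("idTokenIssuer must be an https: URI")
    # A secret that is not base64 is most likely plain text checked into source control.
    secret = fields.get("consumerSecret", "")
    if secret and not looks_base64(secret):
        problems.append("consumerSecret does not look like the encrypted export form")
    # The field table names this executionUserId; the sample definition on this page uses executionUser.
    if fields.get("registrationHandler") and not (fields.get("executionUser") or fields.get("executionUserId")):
        problems.append("registrationHandler set but no execution user given")
    return problems

# Constructed sample: OpenIdConnect provider missing tokenUrl, with a plain-text secret and an http issuer.
BAD_OIDC = """<AuthProvider xmlns="http://soap.sforce.com/2006/04/metadata">
  <consumerKey>client-id</consumerKey><consumerSecret>plaintext secret</consumerSecret>
  <friendlyName>CorpOIDC</friendlyName><providerType>OpenIdConnect</providerType>
  <authorizeUrl>https://idp.example.com/authorize</authorizeUrl><defaultScopes>openid email</defaultScopes>
  <userInfoUrl>https://idp.example.com/userinfo</userInfoUrl><idTokenIssuer>http://idp.example.com</idTokenIssuer>
</AuthProvider>"""
```

Running lint_auth_provider(BAD_OIDC) reports the missing tokenUrl, the non-https issuer and the suspicious secret; a clean file returns an empty list.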

Declarative Metadata Sample Definition

<?xml version="1.0" encoding="UTF-8"?>
<AuthProvider xmlns="http://soap.sforce.com/2006/04/metadata">
    <consumerKey>yourappkey</consumerKey>
    <consumerSecret>PwdVxXjzu3NCZ3MD4He+wA==</consumerSecret>
    <executionUser>admin@your.org</executionUser>
    <friendlyName>FacebookAuthProvider</friendlyName>
    <providerType>Facebook</providerType>
    <registrationHandler>RegistrationHandler</registrationHandler>
</AuthProvider>
The following is an example package manifest that references the previous AuthProvider definition. In a package manifest, <name> holds the metadata type (AuthProvider) and <members> holds the component name (FacebookProvider, matching the authproviders/FacebookProvider.authprovider file).

<?xml version="1.0" encoding="UTF-8"?>
<Package xmlns="http://soap.sforce.com/2006/04/metadata">
    <types>
        <members>FacebookProvider</members>
        <name>AuthProvider</name>
    </types>
    <version>28.0</version>
</Package>