Metadata API Developer’s Guide

Getting Started
Using Metadata API
Reference
File-Based Calls
CRUD-Based Calls
Utility Calls
Result Objects
Metadata Types
Metadata Components and Types
Unsupported Metadata Types
Special Behavior in Metadata API Deployments
ActionLinkGroupTemplate
AnalyticSnapshot
ArticleType
ApexClass
ApexComponent
ApexPage
ApexTrigger
AppMenu
ApprovalProcess
AssignmentRules
AuraDefinitionBundle
AuthProvider
AutoResponseRules
CallCenter
Community (Zone)
ConnectedApp
CorsWhitelistOrigin
CustomApplication
CustomApplicationComponent
CustomLabels
Custom Metadata Types (CustomObject)
CustomObject
CustomObjectTranslation
CustomPageWebLink
CustomPermission
CustomSite
CustomTab
Dashboard
DataCategoryGroup
Document
EmailTemplate
EntitlementProcess
EntitlementTemplate
EscalationRules
ExternalDataSource
FlexiPage
Flow
FlowDefinition
Folder
Group
HomePageComponent
HomePageLayout
InstalledPackage
Layout
Letterhead
LiveChatAgentConfig
LiveChatButton
LiveChatDeployment
ManagedTopics
MatchingRule
Metadata
MetadataWithContent
MilestoneType
NamedCredential
Network
Package
PathAssistant
PermissionSet
Portal
PostTemplate
Profile
Queue
QuickAction
RemoteSiteSetting
Report
ReportType
Role
RoleOrTerritory
SamlSsoConfig
Scontrol
Settings
SharedTo
SharingBaseRule
SharingRules
SharingSet
SiteDotCom
Skill
StaticResource
SynonymDictionary
Territory
Territory2
Territory2Model
Territory2Rule
Territory2Type
Translations
Workflow
Headers
Appendices
Glossary
PDF

Newer Version Available

This content describes an older version of this product. View Latest

AuthProvider

Represents an Authentication Provider (or Auth Provider) in your organization. An Auth Provider enables users to log into your Salesforce organization using their login credentials from an external service provider such as Facebook© or Janrain©. This type extends the Metadata metadata type and inherits its fullName field.

File Suffix and Directory Location

Authentication Providers are stored in the authproviders directory. The file name matches the URL suffix and the extension is .authprovider. For example, an Auth Provider with URL suffix FacebookProvider is stored in authproviders/FacebookProvider.authprovider.

Version

Authentication Providers are available in API version 27.0 and later.

Special Access Rules

Only users with the “Customize Application” and “Manage AuthProviders” permissions can access this object.

Fields

Field Name Field Type Description
authorizeUrl string Required, but only if providerType is OpenIdConnect. The OAuth authorization endpoint URL. Used only with OpenID Connect authentication providers. Available in API version 29.0 and later.

In API version 33.0 and later, the behavior of this field changed to support the Salesforce-managed Auth. Provider configuration, which allows Salesforce to manage the value for Facebook, Salesforce , LinkedIn, Twitter or Google authentication. For more information, see the Usage section.
consumerKey string Required. The app’s key that is registered at the third-party Single Sign-On provider.

In API version 33.0 and later, the behavior of this field changed to support the Salesforce-managed Auth. Provider configuration, which allows Salesforce to manage the value for Facebook, Salesforce , LinkedIn, Twitter or Google authentication. For more information, see the Usage section.
consumerSecret string Required. The consumer secret of the app that is registered at the third-party Single Sign-On provider. This field cannot be updated. When using create() this field must be encrypted. To create an encrypted form of the consumer secret from plain text:
  1. Create an Auth Provider with the consumerSecret plain text value.
  2. Save the Auth Provider.
  3. Create an outbound change set that includes the Auth Provider component.
The new change set .xml file will have an entry in the form <consumerSecret>++XYZ++</consumerSecret> where ++XYZ++ is the encrypted secret.

In API version 33.0 and later, the behavior of this field changed to support the Salesforce-managed Auth. Provider configuration, which allows Salesforce to manage the value for Facebook, Salesforce , LinkedIn, Twitter or Google authentication. For more information, see the Usage section.
defaultScopes string Required, but only if providerType is OpenIdConnect The scopes to be sent with the authorization request, if not specified when a flow is started. Used only with OpenID Connect authentication providers. Available in API version 29.0 and later.

In API version 33.0 and later, the behavior of this field changed to support the Salesforce-managed Auth. Provider configuration, which allows Salesforce to manage the value for Facebook, Salesforce , LinkedIn, Twitter or Google authentication. For more information, see the Usage section.
DeveloperName string Required. Used when referring to the Auth Provider from a program.
errorUrl string A custom error URL for the provider to use to report any errors.
executionUserId string The user that runs the Apex handler class. The user must have the “Manage Users” permission. A user is required if you specify a registration handler class.
friendlyName string Required. A user-friendly name for the provider.
iconUrl string The path to an icon to use as a button on the login page for a community. Users click the button to log in to a community with the associated authentication provider, such as Twitter© or LinkedIn©. Available in API version 32.0 and later.
idTokenIssuer string Only available if providerType is OpenIdConnect. This value identifies the source of the authentication token in the form https: URI . Used only with OpenID Connect authentication providers. If provided, Salesforce validates the returned id_token value. The OpenID Connect specification requires an id_token value to be returned with the access_token value. Available in API version 30.0 and later.
logoutUrl string Provides a specific destination for users after they log out if they authenticated using the single sign-on flow. The URL must be fully qualified with an http or https prefix, such as https://acme.my.salesforce.com. Available in API version 33.0 and later.
providerType AuthProviderType (enumeration of type string) Required. The third-party Single Sign-On provider to use. Valid values are:
  • Facebook
  • Google
  • Salesforce
  • Janrain
  • LinkedIn (Available in API version 32.0 and later.)
  • Twitter (Available in API version 32.0 and later.)
  • OpenIdConnect (Available in API version 29.0 and later.)

    This type requires values for the following fields:

    • authorizeUrl
    • defaultScopes
    • tokenUrl
    • userInfoUrl

    Note

  • MicrosoftACS Microsoft Access Control Service typically provides authentication for a Microsoft Office 365 service like SharePoint® Online. (Available in API version 31.0 and later.)
registrationHandler string An existing Apex class that implements the Auth.RegistrationHandler interface.
sendAccessTokenInHeader boolean Required only if providerType is OpenIdConnect. When true, the access token is sent to the userInfoUrl in a header instead of a query string. Used only with OpenID Connect authentication providers. Available in API version 30.0 and later.
sendClientCredentialsInHeader boolean Required only if providerType is OpenIdConnect. When true, the client credentials are sent in a header, instead of a query string, to the tokenUrl. The credentials are in the standard OpenID Connect Basic Credentials header form, which is Basic <token>, where <token> is the base64-encoded string "clientkey:clientsecret". Used only with OpenID Connect authentication providers. Available in API version 30.0 and later.
tokenUrl string Required, but only if providerType is OpenIdConnect. The OAuth token endpoint URL. Used only with OpenID Connect authentication providers. Available in API version 29.0 and later.

In API version 33.0 and later, the behavior of this field changed to support the Salesforce-managed Auth. Provider configuration, which allows Salesforce to manage the value for Facebook, Salesforce , LinkedIn, Twitter or Google authentication. For more information, see the Usage section.
userInfoUrl string Required, but only if providerType is OpenIdConnect. The OpenID Connect endpoint URL. Used only with OpenID Connect authentication providers. Available in API version 29.0 and later.

In API version 33.0 and later, the behavior of this field changed to support the Salesforce-managed Auth. Provider configuration, which allows Salesforce to manage the value for Facebook, Salesforce , LinkedIn, Twitter or Google authentication. For more information, see the Usage section.

Declarative Metadata Sample Definition

1swfobject.registerObject("clippy.codeblock-0", "9");
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17<?xml version="1.0" encoding="UTF-8"?>
18<AuthProvider xmlns="http://soap.sforce.com/2006/04/metadata">
19    <consumerKey>yourappkey</consumerKey>
20    <consumerSecret>PwdVxXjzu3NCZ3MD4He+wA==</consumerSecret>
21    <executionUser>admin@your.org</executionUser>
22    <friendlyName>FacebookAuthProvider</friendlyName>
23    <providerType>Facebook</providerType>
24    <registrationHandler>RegistrationHandler</registrationHandler>
25</AuthProvider>
The following is an example package manifest that references the previous AuthProvider definition.
1swfobject.registerObject("clippy.codeblock-1", "9");
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17<?xml version="1.0" encoding="UTF-8"?>
18<Package xmlns="http://soap.sforce.com/2006/04/metadata">
19    <types>
20        <members>AuthProvider</members>
21        <name>FacebookProvider</name>
22    </types>
23    <version>28.0</version>
24</Package>
25

Usage

For API version 33.0 and later. when implementing the Salesforce-managed authentication provider configuration, you can have Salesforce create and manage the following fields for you:

  • authorizeUrl
  • consumerKey
  • consumerSecret
  • defaultScopes
  • tokenURL
  • userInfoUrl

To configure a Salesforce-managed authentication provider, set up a Facebook, Salesforce, LinkedIn, Twitter or Google Auth. Provider and leave all of the listed fields blank. Salesforce automatically creates values for you. However, if you provide a value for any of these fields, then consumerKey and consumerSecret must be also be specified.