Metadata API Developer’s Guide

Getting Started
Using Metadata API
Reference
File-Based Calls
CRUD-Based Calls
Utility Calls
Result Objects
Metadata Types
Metadata Components and Types
Unsupported Metadata Types
Special Behavior in Metadata API Deployments
ActionLinkGroupTemplate
AnalyticSnapshot
ArticleType
ApexClass
ApexComponent
ApexPage
ApexTrigger
AppMenu
ApprovalProcess
AssignmentRules
AuraDefinitionBundle
AuthProvider
AutoResponseRules
CallCenter
Community (Zone)
ConnectedApp
CorsWhitelistOrigin
CustomApplication
CustomApplicationComponent
CustomFeedFilter
CustomLabels
Custom Metadata Types (CustomObject)
CustomObject
CustomObjectTranslation
CustomPageWebLink
CustomPermission
CustomSite
CustomTab
Dashboard
DataCategoryGroup
Document
EmailTemplate
EntitlementProcess
EntitlementTemplate
EscalationRules
ExternalDataSource
FlexiPage
Flow
FlowDefinition
Folder
Group
HomePageComponent
HomePageLayout
InstalledPackage
Layout
Letterhead
LiveChatAgentConfig
LiveChatButton
LiveChatDeployment
LiveChatSensitiveDataRule
ManagedTopics
MatchingRule
Metadata
MetadataWithContent
MilestoneType
NamedCredential
Network
Package
PathAssistant
PermissionSet
PlatformCachePartition
Portal
PostTemplate
Profile
Queue
QuickAction
RemoteSiteSetting
Report
ReportType
Role
RoleOrTerritory
SamlSsoConfig
Scontrol
Settings
SharedTo
SharingBaseRule
SharingRules
SharingSet
SiteDotCom
Skill
StaticResource
SynonymDictionary
Territory
Territory2
Territory2Model
Territory2Rule
Territory2Type
TransactionSecurityPolicy
Translations
WaveTemplateBundle
Workflow
Headers
Appendices
Glossary
PDF

Newer Version Available

This content describes an older version of this product. View Latest

SamlSsoConfig

Represents a SAML Single Sign-On configuration. This type extends the Metadata metadata type and inherits its fullName field. Single sign-on is a process that allows network users to access all authorized network resources without having to log in separately to each resource. Single sign-on allows you to validate usernames and passwords against your corporate user database or other client application rather than having separate user passwords managed by Salesforce.

File Suffix and Directory Location

SamlSsoConfig components have the suffix .samlssoconfig and are stored in the samlssoconfigs folder.

Version

SamlSsoConfig components are available in API version 28.0 and later.

Fields

Field Name Field Type Description
attributeName string The name of the identity provider’s application. Get this from your identity provider.
attributeNameIdFormat string For SAML 2.0 only and when identityLocation is set to Attribute. Possible values include unspecified, emailAddress or persistent. All legal values can be found in the “Name Identifier Format Identifiers” section of the Assertions and Protocols SAML 2.0 specification.
decryptionCertificate string The name of the certificate to use for decrypting incoming SAML assertions. This certificate is saved in the organization’s Certificate and Key Management list. Available in API version 30.0 and later.
errorUrl string The URL of the page users should be directed to if there’s an error during SAML login. It must be a publicly accessible page, such as a public site Visualforce page. The URL can be absolute or relative.
executionUserId string The user that runs the Apex handler class. The user must have the “Manage Users” permission. A user is required if you specify a SAML JIT handler class.
identityLocation SamlIdentityLocationType (enumeration of type string) The location in the assertion where a user should be identified. Valid values are:
  • SubjectNameId — The identity is in the <Subject> statement of the assertion.
  • Attribute — The identity is specified in an <AttributeValue>, located in the <Attribute> of the assertion.
identityMapping SamlIdentityType (enumeration of type string) The identifier the service provider uses for the user during Just-in-Time user provisioning. Valid values are:
  • Username — The user’s Salesforce username.
  • FederationId — The federation ID from the user object; the identifier used by the service provider for the user.
  • UserId — The user ID from the user’s Salesforce organization.
issuer string The identification string for the Identity Provider.
loginUrl string For SAML 2.0 only: The URL where Salesforce sends a SAML request to start the login sequence.
logoutUrl string For SAML 2.0 only: The URL to direct the user to when they click the Logout link. The default is http://www.salesforce.com.
name string The unique name used by the API and managed packages. The name must begin with a letter and use only alphanumeric characters and underscores. The name cannot end with an underscore or have two consecutive underscores.
oauthTokenEndpoint string For SAML 2.0 only: The ACS URL used with enabling Salesforce as an identity provider in the Web single sign-on OAuth assertion flow.
redirectBinding boolean If you’re using My Domain, chose the binding mechanism your identity provider requests for your SAML messages. Values are:
  • HTTP POST — HTTP POST binding sends SAML messages using base64-encoded HTML forms.
  • HTTP Redirect — HTTP Redirect binding sends base64-encoded and URL-encoded SAML messages within URL parameters.
requestSignatureMethod string The method that’s used to sign the SAML request. Valid values are RSA-SHA1 and RSA-SHA256.
salesforceLoginUrl string The URL associated with login for the Web single sign-on flow.
samlEntityId string The issuer in SAML requests generated by Salesforce, and is also the expected audience of any inbound SAML Responses. If you don’t have domains deployed, this value is always https://saml.salesforce.com. If you have domains deployed, Salesforce recommends that you use your custom domain name.
samlJitHandlerId string The name of an existing Apex class that implements the Auth.SamlJitHandler interface.
samlVersion SamlType (enumeration of type string) The SAML version in use. Valid values are:
  • SAML1_1 — SAML 1.1
  • SAML2_0 — SAML 2.0
userProvisioning boolean If true, Just-in-Time user provisioning is enabled, which creates users on the fly the first time they try to log in. Specify Federation ID for the identityMapping value to use this feature.
validationCert string The certificate used to validate the request. Get this from your identity provider.

Declarative Metadata Sample Definition

The following is an example of a SamlSsoConfig component. The validation certificate string has been truncated for readability.

1<?xml version="1.0" encoding="UTF-8"?>
2<SamlSsoConfig xmlns="http://soap.sforce.com/2006/04/metadata">
3  <identityLocation>SubjectNameId</identityLocation>
4  <identityMapping>FederationId</identityMapping>
5  <issuer>https://my-idp.my.salesforce.com</issuer>
6  <loginUrl>
7    https://my-idp.my.salesforce.com/idp/endpoint/HttpRedirect
8  </loginUrl>
9  <logoutUrl>https://www.salesforce.com</logoutUrl>
10  <name>SomeCompany</name>
11  <oauthTokenEndpoint>
12    https://login.salesforce.com/services/oauth2/token?so=00DD0000000JxeI
13  </oauthTokenEndpoint>
14  <redirectBinding>true</redirectBinding>
15  <requestSignatureMethod>RSA-SHA1</requestSignatureMethod>
16  <salesforceLoginUrl>
17    https://login.salesforce.com?so=00DD0000000JxeI
18  </salesforceLoginUrl>
19  <samlEntityId>
20    https://saml.salesforce.com/customPath
21  </samlEntityId>
22  <samlVersion>SAML2_0</samlVersion>
23  <userProvisioning>false</userProvisioning>
24  <validationCert>
25    MIIEojCCA4qgAwIBAgIOATtxsoBFAAAAAD4...
26  </validationCert>
27</SamlSsoConfig>