AuthProvider

Represents an authentication provider (or auth provider) in your organization. An auth provider enables users to log in to your Salesforce organization using their login credentials from an external service provider such as Facebook© or Janrain©. This type extends the Metadata metadata type and inherits its fullName field.

File Suffix and Directory Location

Authentication providers are stored in the authproviders directory. The file name matches the URL suffix and the extension is .authprovider. For example, an auth provider with URL suffix FacebookProvider is stored in authproviders/FacebookProvider.authprovider.

Version

Authentication providers are available in API version 27.0 and later.

Special Access Rules

Only users with the “Customize Application” and “Manage AuthProviders” permissions can access this object.

Fields

Each field is listed below as Field Name (Field Type), followed by its description.

authorizeUrl (string)
    Required, but only if providerType is OpenIdConnect. The OAuth authorization endpoint URL. Used only with OpenID Connect authentication providers. Available in API version 29.0 and later.

    In API version 33.0 and later, the behavior of this field changed to support the Salesforce-managed auth provider configuration, which allows Salesforce to manage the value for Facebook, Salesforce, LinkedIn, Twitter or Google authentication. For more information, see the Usage section.

consumerKey (string)
    Required. The app’s key that is registered at the third-party single sign-on provider.

    In API version 33.0 and later, the behavior of this field changed to support the Salesforce-managed auth provider configuration, which allows Salesforce to manage the value for Facebook, Salesforce, LinkedIn, Twitter or Google authentication. For more information, see the Usage section.

consumerSecret (string)
    Required. The consumer secret of the app that is registered at the third-party single sign-on provider. This field cannot be updated. When using create(), this field must be encrypted. To create an encrypted form of the consumer secret from plain text:
      1. Create an auth provider with the consumerSecret plain text value.
      2. Save the auth provider.
      3. Create an outbound change set that includes the auth provider component.
    The new change set .xml file will have an entry in the form <consumerSecret>++XYZ++</consumerSecret>, where ++XYZ++ is the encrypted secret.

    In API version 33.0 and later, the behavior of this field changed to support the Salesforce-managed auth provider configuration, which allows Salesforce to manage the value for Facebook, Salesforce, LinkedIn, Twitter or Google authentication. For more information, see the Usage section.

customMetadataTypeRecord (string)
    Required, but only with custom authentication provider plug-ins, when providerType is Custom. The API name of the authentication provider. Available in API version 36.0 and later.

defaultScopes (string)
    Required, but only if providerType is OpenIdConnect. The scopes to be sent with the authorization request, if not specified when a flow is started. Used only with OpenID Connect authentication providers. Available in API version 29.0 and later.

    In API version 33.0 and later, the behavior of this field changed to support the Salesforce-managed auth provider configuration, which allows Salesforce to manage the value for Facebook, Salesforce, LinkedIn, Twitter or Google authentication. For more information, see the Usage section.

DeveloperName (string)
    Required. Used when referring to the auth provider from a program.

errorUrl (string)
    A custom error URL for the provider to use to report any errors.

executionUserId (string)
    The user that runs the Apex handler class. The user must have the “Manage Users” permission. A user is required if you specify a registration handler class.

friendlyName (string)
    Required. A user-friendly name for the provider.

iconUrl (string)
    The path to an icon to use as a button on the login page for a community. Users click the button to log in to a community with the associated authentication provider, such as Twitter© or LinkedIn©. Available in API version 32.0 and later.

idTokenIssuer (string)
    Only available if providerType is OpenIdConnect. This value identifies the source of the authentication token in the form of an https: URI. Used only with OpenID Connect authentication providers. If provided, Salesforce validates the returned id_token value. The OpenID Connect specification requires an id_token value to be returned with the access_token value. Available in API version 30.0 and later.

logoutUrl (string)
    Provides a specific destination for users after they log out if they authenticated using the single sign-on flow. The URL must be fully qualified with an http or https prefix, such as https://acme.my.salesforce.com. Available in API version 33.0 and later.

plugin (string)
    An existing Apex class that extends the Auth.AuthProviderPluginClass abstract class. Available in API version 36.0 and later.

providerType (AuthProviderType, an enumeration of type string)
    Required. The third-party single sign-on provider to use. Valid values are:
      • Facebook
      • Google
      • Salesforce
      • Janrain
      • LinkedIn (Available in API version 32.0 and later.)
      • Twitter (Available in API version 32.0 and later.)
      • OpenIdConnect (Available in API version 29.0 and later.) This type requires values for the following fields:
          • authorizeUrl
          • defaultScopes
          • tokenUrl
          • userInfoUrl
      • MicrosoftACS: Microsoft Access Control Service typically provides authentication for a Microsoft Office 365 service like SharePoint® Online. (Available in API version 31.0 and later.)
      • GitHub: Use the GitHub provider to log in users of your Force.com app to GitHub using OAuth. When logged in to GitHub, your app can make calls to GitHub APIs. The GitHub provider isn’t available as a single sign-on provider, so users can’t log in to your Salesforce org using their GitHub login credentials. (Available in API version 35.0 and later.)
      • Custom: A provider configured with a custom authentication provider plug-in. (Available in API version 36.0 and later.)

registrationHandler (string)
    An existing Apex class that implements the Auth.RegistrationHandler interface.

sendAccessTokenInHeader (boolean)
    Required only if providerType is OpenIdConnect. When true, the access token is sent to the userInfoUrl in a header instead of a query string. Used only with OpenID Connect authentication providers. Available in API version 30.0 and later.

sendClientCredentialsInHeader (boolean)
    Required only if providerType is OpenIdConnect. When true, the client credentials are sent in a header, instead of a query string, to the tokenUrl. The credentials are in the standard OpenID Connect Basic Credentials header form, which is Basic <token>, where <token> is the base64-encoded string "clientkey:clientsecret". Used only with OpenID Connect authentication providers. Available in API version 30.0 and later.

tokenUrl (string)
    Required, but only if providerType is OpenIdConnect. The OAuth token endpoint URL. Used only with OpenID Connect authentication providers. Available in API version 29.0 and later.

    In API version 33.0 and later, the behavior of this field changed to support the Salesforce-managed auth provider configuration, which allows Salesforce to manage the value for Facebook, Salesforce, LinkedIn, Twitter or Google authentication. For more information, see the Usage section.

userInfoUrl (string)
    Required, but only if providerType is OpenIdConnect. The OpenID Connect endpoint URL. Used only with OpenID Connect authentication providers. Available in API version 29.0 and later.

    In API version 33.0 and later, the behavior of this field changed to support the Salesforce-managed auth provider configuration, which allows Salesforce to manage the value for Facebook, Salesforce, LinkedIn, Twitter or Google authentication. For more information, see the Usage section.
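The sendClientCredentialsInHeader setting above decides where the client key and secret travel on the call to tokenUrl. The following Python script is an added example, not Salesforce code: it builds the token request both ways and shows why the header form is preferable from a logging standpoint. The "Basic <token>" value is computed exactly as the field description states (base64 of "clientkey:clientsecret"); the grant_type/code/redirect_uri body is the standard OAuth authorization-code exchange and is an assumption, since the page does not describe the body. All URLs and credentials are constructed placeholders.

```python
import base64
from urllib.parse import parse_qs, urlencode, urlparse


def basic_credentials_header(client_key: str, client_secret: str) -> str:
    """Return the 'Basic <token>' header value described for sendClientCredentialsInHeader:
    <token> is the base64 encoding of 'clientkey:clientsecret'."""
    raw = f"{client_key}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(token_url: str, client_key: str, client_secret: str,
                        code: str, redirect_uri: str,
                        send_client_credentials_in_header: bool):
    """Return (url, headers, body) for the code exchange at tokenUrl.

    The body shape (authorization-code grant) is an assumption; the page only
    specifies where the client credentials go, which is what this function varies."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if send_client_credentials_in_header:
        # true: credentials ride in the Authorization header, URL stays clean.
        headers["Authorization"] = basic_credentials_header(client_key, client_secret)
        url = token_url
    else:
        # false: credentials are appended to the token URL as a query string.
        url = token_url + "?" + urlencode({"client_id": client_key,
                                           "client_secret": client_secret})
    return url, headers, urlencode(body)


def secret_in_url(url: str, client_secret: str) -> bool:
    """True when the client secret is part of the request URL, which is the part
    that proxies, load balancers and web-server access logs typically record."""
    query = parse_qs(urlparse(url).query)
    return client_secret in query.get("client_secret", [])


if __name__ == "__main__":
    # Constructed sample values (placeholders, not real credentials).
    args = ("https://idp.example.com/token", "clientkey", "clientsecret",
            "authcode123", "https://acme.my.salesforce.com/services/authcallback/Example")
    for in_header in (True, False):
        url, headers, _ = build_token_request(*args, in_header)
        print(f"sendClientCredentialsInHeader={in_header}: secret in URL ->",
              secret_in_url(url, "clientsecret"))
```

Running it prints that the secret appears in the URL only for the false setting, which is the practical reason to leave sendClientCredentialsInHeader set to true for providers that accept the Basic header.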

Declarative Metadata Sample Definition

<?xml version="1.0" encoding="UTF-8"?>
<AuthProvider xmlns="http://soap.sforce.com/2006/04/metadata">
    <consumerKey>yourappkey</consumerKey>
    <consumerSecret>PwdVxXjzu3NCZ3MD4He+wA==</consumerSecret>
    <executionUser>admin@your.org</executionUser>
    <friendlyName>FacebookAuthProvider</friendlyName>
    <providerType>Facebook</providerType>
    <registrationHandler>RegistrationHandler</registrationHandler>
</AuthProvider>

The following is an example package manifest that references the previous AuthProvider definition.

<?xml version="1.0" encoding="UTF-8"?>
<Package xmlns="http://soap.sforce.com/2006/04/metadata">
    <types>
        <members>FacebookAuthProvider</members>
        <name>AuthProvider</name>
    </types>
    <version>28.0</version>
</Package>

Usage

For API version 33.0 and later when implementing the Salesforce-managed authentication provider configuration, you can have Salesforce create and manage the following fields for you:

  • authorizeUrl
  • consumerKey
  • consumerSecret
  • defaultScopes
  • tokenUrl
  • userInfoUrl

To configure a Salesforce-managed authentication provider, set up a Facebook, Salesforce, LinkedIn, Twitter or Google auth provider and leave all of the listed fields blank. Salesforce automatically creates values for you. However, if you provide a value for any of these fields, then consumerKey and consumerSecret must also be specified.
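The requirements scattered through the Fields section (OpenIdConnect needs authorizeUrl, defaultScopes, tokenUrl and userInfoUrl; a registration handler needs an execution user; logoutUrl must carry an http or https prefix) and the Salesforce-managed rule just stated are easy to get wrong in a hand-edited .authprovider file before it reaches a deployment. The following Python script is an added example, not Salesforce tooling: it parses an AuthProvider definition with the standard library and reports which of those stated rules it violates. Assumptions: the sample XML is constructed for the demonstration; the execution-user element is accepted under either spelling, executionUser (as in the sample definition above) or executionUserId (as in the field table); api_version is the caller's target API version.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = "http://soap.sforce.com/2006/04/metadata"

# Values of the AuthProviderType enumeration listed in the Fields section.
VALID_TYPES = {"Facebook", "Google", "Salesforce", "Janrain", "LinkedIn", "Twitter",
               "OpenIdConnect", "MicrosoftACS", "GitHub", "Custom"}
# Fields an OpenIdConnect provider must supply.
OIDC_REQUIRED = ("authorizeUrl", "defaultScopes", "tokenUrl", "userInfoUrl")
# Fields Salesforce can manage for these provider types in API version 33.0+ (Usage section).
MANAGED_FIELDS = ("authorizeUrl", "consumerKey", "consumerSecret",
                  "defaultScopes", "tokenUrl", "userInfoUrl")
MANAGED_PROVIDERS = {"Facebook", "Salesforce", "LinkedIn", "Twitter", "Google"}

# Constructed sample (not from the page): an OpenIdConnect provider with three defects.
SAMPLE_OIDC = """<?xml version="1.0" encoding="UTF-8"?>
<AuthProvider xmlns="http://soap.sforce.com/2006/04/metadata">
    <authorizeUrl>https://idp.example.com/authorize</authorizeUrl>
    <consumerKey>exampleclientid</consumerKey>
    <consumerSecret>PLACEHOLDER_ENCRYPTED_SECRET</consumerSecret>
    <defaultScopes>openid email</defaultScopes>
    <friendlyName>ExampleOidc</friendlyName>
    <logoutUrl>acme.my.salesforce.com</logoutUrl>
    <providerType>OpenIdConnect</providerType>
    <registrationHandler>RegistrationHandler</registrationHandler>
    <userInfoUrl>https://idp.example.com/userinfo</userInfoUrl>
</AuthProvider>
"""


def parse_auth_provider(xml_text: str) -> dict:
    """Return the child elements of <AuthProvider> as a {localName: text} dict."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS}}}AuthProvider":
        raise ValueError(f"not an AuthProvider document: {root.tag}")
    return {child.tag.split("}", 1)[-1]: (child.text or "").strip() for child in root}


def validate_auth_provider(fields: dict, api_version: float = 36.0) -> list:
    """Check the rules stated in the reference; return a list of findings (empty means ok)."""
    findings = []
    ptype = fields.get("providerType")
    if ptype not in VALID_TYPES:
        findings.append(f"providerType {ptype!r} is not a valid AuthProviderType")
    if not fields.get("friendlyName"):
        findings.append("friendlyName is required")

    if api_version >= 33.0 and ptype in MANAGED_PROVIDERS:
        # Salesforce-managed configuration: leaving every managed field blank is fine,
        # but once any of them is set, consumerKey and consumerSecret become mandatory.
        if any(fields.get(f) for f in MANAGED_FIELDS):
            for f in ("consumerKey", "consumerSecret"):
                if not fields.get(f):
                    findings.append(f"{f} is required when any Salesforce-managed field is set")
    else:
        for f in ("consumerKey", "consumerSecret"):
            if not fields.get(f):
                findings.append(f"{f} is required")

    if ptype == "OpenIdConnect":
        for f in OIDC_REQUIRED:
            if not fields.get(f):
                findings.append(f"{f} is required for OpenIdConnect")
        issuer = fields.get("idTokenIssuer")
        if issuer and not issuer.startswith("https:"):
            findings.append("idTokenIssuer must be an https: URI")
    if ptype == "Custom" and not fields.get("customMetadataTypeRecord"):
        findings.append("customMetadataTypeRecord is required for Custom providers")

    # Assumption: accept the execution user under either element name
    # (executionUser as in the sample definition, executionUserId as in the field table).
    if fields.get("registrationHandler") and not (
            fields.get("executionUser") or fields.get("executionUserId")):
        findings.append("executionUser is required when registrationHandler is set")

    logout = fields.get("logoutUrl")
    if logout and urlparse(logout).scheme not in ("http", "https"):
        findings.append("logoutUrl must be fully qualified with http or https")
    return findings


if __name__ == "__main__":
    for finding in validate_auth_provider(parse_auth_provider(SAMPLE_OIDC)):
        print("FINDING:", finding)
```

On the constructed sample the script reports the missing tokenUrl, the handler without an execution user, and the logoutUrl without a scheme; the Facebook definition from the sample above passes because consumerKey and consumerSecret are both present while the other managed fields are blank.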