Metadata API Developer Guide

Getting Started
Using Metadata API
Reference
File-Based Calls
CRUD-Based Calls
Utility Calls
Result Objects
Metadata Types
Metadata Components and Types
Metadata Coverage Report
Unsupported Metadata Types
Special Behavior in Metadata API Deployments
AccountRelationshipShareRule
ActionLinkGroupTemplate
AnalyticSnapshot
AnimationRule
ArticleType
ApexClass
ApexComponent
ApexPage
ApexTestSuite
ApexTrigger
AppMenu
AppointmentSchedulingPolicy
ApprovalProcess
AssignmentRules
Audience
AuraDefinitionBundle
AuthProvider
AutoResponseRules
Bot
BotVersion
BrandingSet
CallCenter
CampaignInfluenceModel
CaseSubjectParticle
Certificate
ChatterExtension
CleanDataService
CMSConnectSource
Community (Zone)
CommunityTemplateDefinition
CommunityThemeDefinition
ConnectedApp
ContentAsset
CorsWhitelistOrigin
CspTrustedSite
CustomApplication
CustomApplicationComponent
CustomFeedFilter
CustomHelpMenuSection
CustomLabels
Custom Metadata Types (CustomObject)
CustomNotificationType
CustomObject
CustomObjectTranslation
CustomPageWebLink
CustomPermission
CustomSite
CustomTab
CustomValue
Dashboard
DataCategoryGroup
DelegateGroup
Document
DuplicateRule
EclairGeoData
EmailServicesFunction
EmailTemplate
EmbeddedServiceBranding
EmbeddedServiceConfig
EmbeddedServiceFieldService
EmbeddedServiceFlowConfig
EmbeddedServiceLiveAgent
EntitlementProcess
EntitlementTemplate
EscalationRules
EventDelivery
EventSubscription
ExperienceBundle (Pilot)
ExternalDataSource
ExternalServiceRegistration
FeatureParameterBoolean
FeatureParameterDate
FeatureParameterInteger
FlexiPage
Flow
FlowCategory
FlowDefinition
Folder
GlobalPicklist
GlobalPicklistValue
GlobalValueSet
GlobalValueSetTranslation
Group
HomePageComponent
HomePageLayout
InstalledPackage
KeywordList
Layout
Letterhead
LightningBolt
LightningComponentBundle
LightningExperienceTheme
LightningMessageChannel (Developer Preview)
LiveChatAgentConfig
LiveChatButton
LiveChatDeployment
LiveChatSensitiveDataRule
ManagedContentType
ManagedTopics
MatchingRule
Metadata
MetadataWithContent
MilestoneType
MlDomain (Beta)
MobileApplicationDetail
ModerationRule
NamedCredential
NavigationMenu
Network
NetworkBranding
OauthCustomScope
Package
PathAssistant
PermissionSet
PermissionSetGroup (Beta)
PlatformCachePartition
PlatformEventChannel
PlatformEventChannelMember
Portal
PostTemplate
PresenceDeclineReason
PresenceUserConfig
Profile
ProfileActionOverride
ProfilePasswordPolicy
ProfileSessionSetting
Prompt
Queue
QueueRoutingConfig
QuickAction
RecommendationStrategy
RecordActionDeployment
RemoteSiteSetting
Report
ReportType
Role
RoleOrTerritory
SamlSsoConfig
Scontrol
ServiceChannel
ServicePresenceStatus
Settings
SharedTo
SharingBaseRule
SharingRules
SharingSet
SiteDotCom
Skill
StandardValueSet
StandardValueSetTranslation
StaticResource
SynonymDictionary
Territory
Territory2
Territory2Model
Territory2Rule
Territory2Type
TimeSheetTemplate
TopicsForObjects
TransactionSecurityPolicy
Translations
UserCriteria
WaveApplication
WaveDataflow
WaveDashboard
WaveDataset
WaveLens
WaveTemplateBundle
WaveXmd
Workflow
WorkSkillRouting
WorkSkillRoutingAttribute
Headers
Appendices
Glossary
PDF

Newer Version Available

This content describes an older version of this product. View Latest

SamlSsoConfig

Represents a SAML Single Sign-On configuration. This type extends the Metadata metadata type and inherits its fullName field. Single sign-on (SSO) lets users access authorized network resources with one login. You validate usernames and passwords against your corporate user database or other client app rather than Salesforce managing separate passwords for each resource.

File Suffix and Directory Location

SamlSsoConfig components have the suffix .samlssoconfig and are stored in the samlssoconfigs folder.

Version

SamlSsoConfig components are available in API version 28.0 and later.

Fields

Field Name Field Type Description
attributeNameIdFormat string For SAML 2.0, only and when identityLocation is set to Attribute. Possible values include unspecified, emailAddress or persistent. All legal values can be found in the “Name Identifier Format Identifiers” section of the Assertions and Protocols SAML 2.0 specification.
attributeName string The name of the identity provider’s application. Get this name from your identity provider.
decryptionCertificate string The name of the certificate to use for decrypting incoming SAML assertions. This certificate is saved in the organization’s Certificate and Key Management list. Available in API version 30.0 and later.
errorUrl string The URL of the page to direct users if there’s an error during SAML login. It must be a publicly accessible page, such as a public site Visualforce page. The URL can be absolute or relative.
executionUserId string The user that runs the Apex handler class. The user must have the Manage Users permission. If you specify a SAML JIT handler class, a user is required.
identityLocation SamlIdentityLocationType (enumeration of type string) The location in the assertion where a user is identified. Valid values are:
  • SubjectNameId — The identity is in the <Subject> statement of the assertion.
  • Attribute — The identity is specified in an <AttributeValue>, located in the <Attribute> of the assertion.
identityMapping SamlIdentityType (enumeration of type string) The identifier the service provider uses for the user during Just-in-Time user provisioning. Valid values are:
  • Username — The user’s Salesforce username.
  • FederationId — The federation ID from the user object; the identifier used by the service provider for the user.
  • UserId — The user ID from the user’s Salesforce organization.
issuer string The identification string for the Identity Provider.
loginUrl string For SAML 2.0 only: The URL where Salesforce sends a SAML request to start the login sequence.
logoutUrl string For SAML 2.0 only: The URL to direct the user to when they click the Logout link. The default is http://www.salesforce.com.
name string The unique name used by the API and managed packages. The name must begin with a letter and use only alphanumeric characters and underscores. The name cannot end with an underscore or have two consecutive underscores.
oauthTokenEndpoint string For SAML 2.0 only: The ACS URL used with enabling Salesforce as an identity provider in the web single sign-on OAuth assertion flow.
redirectBinding boolean If you’re using My Domain, choose the binding mechanism your identity provider requests for your SAML messages. Values are:
  • HTTP POST — HTTP POST binding sends SAML messages using base64-encoded HTML forms.
  • HTTP Redirect — HTTP Redirect binding sends base64-encoded and URL-encoded SAML messages within URL parameters.
requestSignatureMethod string The method that’s used to sign the SAML request. Valid values are RSA-SHA1 and RSA-SHA256.
requestSigningCertId string The 18-digit ID for the certificate used to generate the signature on a SAML request to the identity provider. The certificate is saved in the Certificate and Key Management page in Setup.
salesforceLoginUrl string The URL associated with login for the web single sign-on flow.

When encryption is enabled, the URL has a parameter containing the ID of the SAML configuration, sc=samlSsoConfigId. For example, https://mycompany.my.salesforce.com?sc=0LEB0000000CCC. This change applies to API Version 47.0 and later.

Note
samlEntityId string The issuer in SAML requests generated by Salesforce, and is also the expected audience of any inbound SAML Responses. If you don’t have domains deployed, this value is always https://saml.salesforce.com. If you have domains deployed, Salesforce recommends that you use your custom domain name.
samlJitHandlerId string The name of an existing Apex class that implements the Auth.SamlJitHandler interface.
samlVersion SamlType (enumeration of type string) The SAML version in use. Valid values are:
  • SAML1_1 — SAML 1.1
  • SAML2_0 — SAML 2.0
singleLogoutBinding SamlSpSLOBinding (enumeration of type string) The HTTP binding type. This value determines where to put the LogoutRequest or LogoutResponse in the SAML request during single logout (SLO). The value is base64 encoded. Valid values are:
  • RedirectBinding — Sent in the query string, deflated.
  • PostBinding — Sent in the POST body, not deflated.
singleLogoutUrl string The SAML single logout endpoint. This URL is the endpoint where Salesforce sends LogoutRequests (when Salesforce initiates a logout), or LogoutResponses (when the identity provider initiates a logout).
userProvisioning boolean If true, Just-in-Time user provisioning is enabled, which creates users on the fly the first time they try to log in. Specify Federation ID for the identityMapping value to use this feature.
validationCert string The certificate used to validate the request. Get this certificate from your identity provider.

Declarative Metadata Sample Definition

The following is an example of a SamlSsoConfig component. The validation certificate string has been truncated for readability.

1<?xml version="1.0" encoding="UTF-8"?>
2<SamlSsoConfig xmlns="http://soap.sforce.com/2006/04/metadata">
3  <identityLocation>SubjectNameId</identityLocation>
4  <identityMapping>FederationId</identityMapping>
5  <issuer>https://my-idp.my.salesforce.com</issuer>
6  <loginUrl>
7    https://my-idp.my.salesforce.com/idp/endpoint/HttpRedirect
8  </loginUrl>
9  <logoutUrl>https://www.salesforce.com</logoutUrl>
10  <name>SomeCompany</name>
11  <oauthTokenEndpoint>
12    https://login.salesforce.com/services/oauth2/token?so=00DD0000000
13  </oauthTokenEndpoint>
14  <redirectBinding>true</redirectBinding>
15  <requestSignatureMethod>RSA-SHA1</requestSignatureMethod>
16  <salesforceLoginUrl>
17    https://login.salesforce.com?so=00DD0000000JxeI
18  </salesforceLoginUrl>
19  <samlEntityId>
20    https://saml.salesforce.com/customPath
21  </samlEntityId>
22  <samlVersion>SAML2_0</samlVersion>
23  <userProvisioning>false</userProvisioning>
24  <validationCert>
25    MIIEojCCA4qgAwIBAgIOATtxsoBFAAAAAD4...
26  </validationCert>
27</SamlSsoConfig>

Wildcard Support in the Manifest File

This metadata type supports the wildcard character * (asterisk) in the package.xml manifest file. For information about using the manifest file, see Deploying and Retrieving Metadata with the Zip File.