Metadata API Developer Guide

Introduction to Metadata API
Using Metadata API
Reference
File-Based Calls
CRUD-Based Calls
Utility Calls
Result Objects
Metadata Types
Metadata Components and Types
Metadata Coverage Report
Unsupported Metadata Types
Special Behavior in Metadata API Deployments
AccountRelationshipShareRule
ActionLinkGroupTemplate
ActionPlanTemplate
ActivationPlatform
ActivationPlatformField
ActvPfrmDataConnectorS3
ActvPlatformAdncIdentifier
ActvPlatformFieldValue
AIApplication
AIApplicationConfig
AnalyticSnapshot
AnimationRule
ArticleType
ApexClass
ApexComponent
ApexEmailNotifications
ApexPage
ApexTestSuite
ApexTrigger
AppMenu
AppointmentAssignmentPolicy
AppointmentSchedulingPolicy
ApprovalProcess
AssignmentRules
Audience
AuraDefinitionBundle
AuthProvider
AutoResponseRules
BatchCalcJobDefinition
BatchProcessJobDefinition
BlacklistedConsumer
Bot
BotVersion
BrandingSet
BriefcaseDefinition
BusinessProcessGroup
CallCenter
CallCoachingMediaProvider
CampaignInfluenceModel
CaseSubjectParticle
CareSystemFieldMapping
CareProviderSearchConfig
Certificate
ChatterExtension
CleanDataService
CMSConnectSource
Community (Zone)
CommunityTemplateDefinition
CommunityThemeDefinition
ConnectedApp
ContentAsset
ContractType
CorsWhitelistOrigin
CspTrustedSite
CustomApplication
CustomApplicationComponent
CustomFeedFilter
CustomHelpMenuSection
CustomLabels
Custom Metadata Types (CustomObject)
CustomNotificationType
CustomObject
CustomObjectTranslation
CustomPageWebLink
CustomPermission
CustomSite
CustomTab
CustomValue
Dashboard
DataCategoryGroup
DataPackageKitObject
DataPackageKitDefinition
DataConnectorS3
DataSource
DataSourceBundleDefinition
DataSourceObject
DataSourceField
DataSrcDataModelFieldMap
DataStreamDefinition
DecisionTable
DecisionTableDatasetLink
DelegateGroup
DiscoveryAIModel
DiscoveryGoal
Document
DuplicateRule
EclairGeoData
EmailServicesFunction
EmailTemplate
EmbeddedServiceBranding
EmbeddedServiceConfig
EmbeddedServiceFieldService
EmbeddedServiceFlowConfig
EmbeddedServiceLiveAgent
EmbeddedServiceMenuSettings
EntitlementProcess
EntitlementTemplate
EscalationRules
ESignatureConfig
ESignatureEnvelopeConfig
EventDelivery
EventSubscription
ExperienceBundle
ExternalDataConnector
ExternalDataSource
ExternalAIModel
ExternalServiceRegistration
FeatureParameterBoolean
FeatureParameterDate
FeatureParameterInteger
FieldRestrictionRule
FieldSrcTrgtRelationship
FlexiPage
Flow
FlowCategory
FlowDefinition
Folder
ForecastingSourceDefinition
ForecastingType
ForecastingTypeSource
FunctionReference
GatewayProviderPaymentMethodType
GlobalPicklist
GlobalPicklistValue
GlobalValueSet
GlobalValueSetTranslation
Group
HomePageComponent
HomePageLayout
InboundCertificate
InboundNetworkConnection
IdentityVerificationProcDef
IdentityVerificationProcDtl
IdentityVerificationProcFld
InstalledPackage
IPAddressRange
KeywordList
Layout
Letterhead
LightningBolt
LightningComponentBundle
LightningExperienceTheme
LightningMessageChannel
LightningOnboardingConfig
LiveChatAgentConfig
LiveChatButton
LiveChatDeployment
LiveChatSensitiveDataRule
LoyaltyProgramSetup
ManagedContentType
ManagedTopics
MarketingAppExtension
MatchingRule
Metadata
MetadataWithContent
MilestoneType
MlDomain
MktCalcInsightObjectDef
MktDataTranObject
MLDataDefinition
MLPredictionDefinition
MobileApplicationDetail
ModerationRule
MutingPermissionSet
MyDomainDiscoverableLogin
NamedCredential
NavigationMenu
Network
NetworkBranding
NotificationTypeConfig
OauthCustomScope
ObjectSourceTargetMap
OcrSampleDocument
OcrTemplate
OutboundNetworkConnection
Package
PathAssistant
PaymentGatewayProvider
PermissionSet
PermissionSetGroup
PermissionSetLicenseDefinition (Developer Preview)
PlatformCachePartition
PlatformEventChannel
PlatformEventChannelMember
PlatformEventSubscriberConfig
Portal
PostTemplate
PresenceDeclineReason
PresenceUserConfig
Profile
ProfileActionOverride
ProfilePasswordPolicy
ProfileSessionSetting
Prompt
Queue
QueueRoutingConfig
QuickAction
RecordAlertCategory
RedirectWhitelistUrl
RecommendationStrategy
RecordActionDeployment
RemoteSiteSetting
Report
ReportType
RestrictionRule
Role
RoleOrTerritory
SalesWorkQueueSettings
SamlSsoConfig
SchedulingRule
Scontrol
ServiceAISetupDefinition
ServiceAISetupField
ServiceChannel
ServicePresenceStatus
Settings
SharedTo
SharingBaseRule
SharingRules
SharingSet
SiteDotCom
Skill
StandardValueSet
StandardValueSetTranslation
StaticResource
SvcCatalogCategory
SvcCatalogFulfillmentFlow
SvcCatalogItemDef
SynonymDictionary
Territory
Territory2
Territory2Model
Territory2Rule
Territory2Type
TimeSheetTemplate
TopicsForObjects
TransactionSecurityPolicy
Translations
UserAuthCertificate
UserCriteria
UserProvisioningConfig
WaveApplication
WaveDataflow
WaveDashboard
WaveDataset
WaveLens
WaveRecipe
WaveTemplateBundle
WaveXmd
WebStoreTemplate
Workflow
WorkSkillRouting
Headers
Appendices
Glossary
PDF

Newer Version Available

This content describes an older version of this product. View Latest

AuthProvider

Represents an authentication provider (auth provider). An auth provider lets users log in to your Salesforce org from an external service provider, such as Facebook, Google, or GitHub. This type extends the Metadata metadata type and inherits its fullName field.

File Suffix and Directory Location

Authentication providers are stored in the authproviders directory. The file name matches the URL suffix, and the extension is .authprovider. For example, an auth provider with URL suffix FacebookProvider is stored in authproviders/FacebookProvider.authprovider.

Version

Authentication providers are available in API version 27.0 and later.

Special Access Rules

Only users with the Customize Application and Manage AuthProviders permissions can access this object.

Fields

Field Name Field Type Description
authorizeUrl string Required when creating an OpenID Connect authentication provider. The OAuth authorization endpoint URL. Available in API version 29.0 and later.

In API version 33.0 and later, for Salesforce-managed auth providers, leave the field blank to let Salesforce supply and manage the value. For details, see Usage.
consumerKey string The app’s key that is registered at the third-party (external) authentication provider.

In API version 33.0 and later, for Salesforce-managed auth providers, leave the field blank to let Salesforce supply and manage the value. For details, see Usage.
consumerSecret string The consumer secret of the app that is registered at the third-party provider. After it’s set, you can’t change the value. When using create(), this field must be encrypted. To create an encrypted form of the consumer secret from plaintext:
  1. Create an authentication provider with the consumerSecret plaintext value.
  2. Save the authentication provider.
  3. Create an outbound change set that includes the authentication provider component.
The new change set .xml file has an entry in the form <consumerSecret>++XYZ++</consumerSecret> where ++XYZ++ is the encrypted secret.

In API version 33.0 and later, for Salesforce-managed auth providers, leave the field blank to let Salesforce supply and manage the value. For details, see Usage.
customMetadataTypeRecord string Required when creating a custom authentication provider plug-in. The API name of the custom authentication provider. Available in API version 36.0 and later.
defaultScopes string For OpenID Connect authentication providers, the scopes to send with the authorization request, if not specified when a flow starts. Available in API version 29.0 and later.

In API version 33.0 and later, for Salesforce-managed auth providers, leave the field blank to let Salesforce supply and manage the value. See Usage.
errorUrl string A custom error URL for the authentication provider to use to report errors.
executionUser string

Required when specifying a registration handler class. The username of the Salesforce admin or system user who runs the Apex handler, which provides the context in which the Apex handler runs. For example, if the Apex handler creates a contact, the creation can be easily traced back to the registration process. In production, use a system user. The user must have the Manage Users permission. Available in API version 27.0 and later.
friendlyName string Required. A user-friendly name for the authentication provider.
iconUrl string The path to an icon to use as a button on the login page. Users click the button to log in with the associated authentication provider, such as Twitter or Facebook. Available in API version 32.0 and later.
idTokenIssuer string Available when configuring an OpenID Connect authentication provider, the source of the authentication token in https: URI format. If provided, Salesforce validates the returned id_token value. OpenID Connect requires returning an id_token value with the access_token value. Available in API version 30.0 and later.
includeOrgIdInIdentifier Boolean Used to differentiate between users with the same user ID from two sources (such as two sandboxes). If enabled (true), Salesforce stores the org ID of the third-party identity in addition to the user ID. After you enable this setting, you can’t disable it. Applies only to a Salesforce-managed auth provider. Available in API version 32.0 and later.
LinkKickoffUrl string The URL for linking existing Salesforce users to a third-party account. This field is read-only. Available in API version 43.0 and later.
logoutUrl string The destination for users after they log out if they authenticated using single sign-on. The URL must be fully qualified with an http or https prefix, such as https://acme.my.salesforce.com. Available in API version 33.0 and later.
oauthKickoffUrl string The URL for obtaining OAuth access tokens for a third party. This field is read-only. Available in API version 43.0 and later.
plugin string An existing Apex class that extends the Auth.AuthProviderPluginClass abstract class. Available in API version 36.0 and later.
portal string This field is used only with portals, which are deprecated. Salesforce doesn’t support creating portals, but existing portals are supported.
providerType AuthProviderType (enumeration of type string) Required. The third-party authentication provider to use. Valid values include:
  • Apple
  • Custom—A provider configured with a custom authentication provider plug-in. Available in API version 36.0 and later.
  • Facebook.
  • GitHub—Provides authentication for a GitHub provider. Used to log in users of your Lightning Platform app to GitHub using OAuth. When logged in to GitHub, your app can make calls to GitHub APIs. The GitHub provider isn’t available as an SSO provider, so users can’t log in to your Salesforce org using their GitHub login credentials. Available in API version 35.0 and later.
  • Google.
  • Janrain.
  • LinkedIn. Available in API version 32.0 and later.
  • MicrosoftACS—Microsoft Access Control Service typically provides authentication for a Microsoft Office 365 service, like SharePoint Online. Available in API version 31.0 and later.
  • OpenIdConnect. Available in API version 29.0 and later.
  • Salesforce.
  • Slack. Available in API version 54.0 and later.
  • Twitter. Available in API version 32.0 and later.
registrationHandler string An existing Apex class that implements the Auth.RegistrationHandler interface.
sendAccessTokenInHeader boolean If enabled (true), the access token is sent to the UserInfoUrl in a header instead of a query string. Available in API version 30.0 and later.
sendClientCredentialsInHeader boolean Required when creating an OpenID Connect authentication provider. If enabled (true), the client credentials are sent in a header to the tokenUrl instead of a query string. The credentials are in the standard OpenID Connect Basic Credentials header format, which is Basic <token>, where <token> is the base64-encoded string "clientkey:clientsecret". Available in API version 30.0 and later.
sendSecretInApis boolean
Determines whether the encrypted consumer secret appears in API responses. If enabled (default), the secret appears in the response. If disabled (false), responses don’t include the consumer secret. For security, you can disable the setting. However, keep in mind that:
  • By disabling this setting, the consumer secret is excluded from API responses in all API versions.
  • Change sets and other metadata deployments break because both the consumer key and secret are expected. To fix this problem, insert the consumer key manually during deployment.
Available in API version 47.0 and later.
SsoKickoffUrl string The URL for performing single sign-on into Salesforce from a third party by using its third-party credentials. This field is read-only. Available in API version 43 and later.
tokenUrl string The OAuth token endpoint URL of an OpenID Connect authentication provider.Available in API version 29.0 and later.

In API version 33.0 and later, for Salesforce-managed auth providers, leave the field blank to let Salesforce supply and manage the value. For details, see Usage.
userInfoUrl string The OpenID Connect endpoint URL of the OpenID Connect authentication provider. Available in API version 29.0 and later.

In API version 33.0 and later, for Salesforce-managed auth providers, leave the field blank to let Salesforce supply and manage the value. For details, see Usage.

Declarative Metadata Sample Definition

1<?xml version="1.0" encoding="UTF-8"?>
2<AuthProvider xmlns="http://soap.sforce.com/2006/04/metadata">
3    <consumerKey>yourappkey</consumerKey>
4    <consumerSecret>PwdVxXjzu3NCZ3MD4He+wA==</consumerSecret>
5    <executionUser>admin@your.org</executionUser>
6    <friendlyName>FacebookAuthProvider</friendlyName>
7    <providerType>Facebook</providerType>
8    <registrationHandler>RegistrationHandler</registrationHandler>
9    <sendSecretInApis>true</sendSecretInApis>     
10</AuthProvider>
This example package manifest references the previous AuthProvider definition.
1<?xml version="1.0" encoding="UTF-8"?>
2<Package xmlns="http://soap.sforce.com/2006/04/metadata">
3    <types>
4        <members>FacebookAuthProvider</members>
5        <name>AuthProvider</name>
6    </types>
7    <version>28.0</version>
8</Package>

Usage

Salesforce provides default authentication providers, called Salesforce-managed auth providers, to simplify setting up these service providers for authentication.

  • Apple
  • Facebook
  • GitHub
  • Google
  • Janrain
  • LinkedIn
  • Salesforce
  • Slack
  • Twitter

To use a Salesforce-managed auth provider, leave these fields blank when creating your auth provider from the Auth. Provider Setup page.

  • authorizeUrl
  • consumerKey
  • consumerSecret
  • defaultScopes
  • tokenURL
  • userInfoUrl

If you provide a value for one of these fields, you must also provide a value for consumerKey and consumerSecret.

Note

Wildcard Support in the Manifest File

This metadata type supports the wildcard character * (asterisk) in the package.xml manifest file. For information about using the manifest file, see Deploying and Retrieving Metadata with the Zip File.