Metadata API Developer Guide

Introduction to Metadata API
Using Metadata API
Reference
File-Based Calls
CRUD-Based Calls
Utility Calls
Result Objects
Metadata Types
Metadata Components and Types
Metadata Coverage Report
Unsupported Metadata Types
Special Behavior in Metadata API Deployments
AccountRelationshipShareRule
ActionLinkGroupTemplate
ActionPlanTemplate
ActivationPlatform
ActivationPlatformField
ActvPfrmDataConnectorS3
ActvPlatformAdncIdentifier
ActvPlatformFieldValue
AdvAccountForecastSet
AIApplication
AIApplicationConfig
AIUsecaseDefinition
AnalyticSnapshot
AnimationRule
ArticleType
ApexClass
ApexComponent
ApexEmailNotifications
ApexPage
ApexTestSuite
ApexTrigger
AppMenu
AppointmentAssignmentPolicy
AppointmentSchedulingPolicy
ApprovalProcess
AssignmentRules
AssessmentQuestion
AssessmentQuestionSet
Audience
AuraDefinitionBundle
AuthProvider
AutoResponseRules
BatchCalcJobDefinition
BatchProcessJobDefinition
BlacklistedConsumer
Bot
BotTemplate
BotVersion
BrandingSet
BriefcaseDefinition
BusinessProcessGroup
CallCenter
CallCoachingMediaProvider
CampaignInfluenceModel
CaseSubjectParticle
CareSystemFieldMapping
CareProviderSearchConfig
Certificate
ChatterExtension
CleanDataService
CMSConnectSource
Community (Zone)
CommunityTemplateDefinition
CommunityThemeDefinition
ConnectedApp
ContentAsset
CorsWhitelistOrigin
CspTrustedSite
CustomApplication
CustomApplicationComponent
CustomFeedFilter
CustomHelpMenuSection
CustomLabels
Custom Metadata Types (CustomObject)
CustomNotificationType
CustomObject
CustomObjectTranslation
CustomPageWebLink
CustomPermission
CustomSite
CustomTab
CustomValue
Dashboard
DataCategoryGroup
DataConnectorIngestApi
DataPackageKitObject
DataPackageKitDefinition
DataConnectorS3
DataSource
DataSourceBundleDefinition
DataSourceObject
DataSourceField
DataSrcDataModelFieldMap
DataStreamDefinition
DataStreamTemplate
DecisionTable
DecisionTableDatasetLink
DecisionMatrixDefinition
DelegateGroup
DigitalExperienceBundle (Beta)
DigitalExperienceConfig (Beta)
DiscoveryAIModel
DiscoveryGoal
DiscoveryStory
Document
DocumentChecklistSettings
DuplicateRule
EclairGeoData
EmailServicesFunction
EmailTemplate
EmbeddedServiceBranding
EmbeddedServiceConfig
EmbeddedServiceFieldService
EmbeddedServiceFlowConfig
EmbeddedServiceLiveAgent
EmbeddedServiceMenuSettings
EntitlementProcess
EntitlementTemplate
EscalationRules
EventDelivery
EventRelayConfig
EventSubscription
ExperienceBundle
ExplainabilityMsgTemplate
ExpressionSetDefinition
ExpressionSetObjectAlias
ExternalCredential
ExternalDataConnector
ExternalDataSource
ExternalDataTranObject
ExternalAIModel
ExternalServiceRegistration
FeatureParameterBoolean
FeatureParameterDate
FeatureParameterInteger
FieldRestrictionRule
FieldSrcTrgtRelationship
FlexiPage
Flow
FlowCategory
FlowDefinition
FlowTest
Folder
ForecastingFilter
ForecastingFilterCondition
ForecastingSourceDefinition
ForecastingType
ForecastingTypeSource
FunctionReference
GatewayProviderPaymentMethodType
GlobalPicklist
GlobalPicklistValue
GlobalValueSet
GlobalValueSetTranslation
Group
HomePageComponent
HomePageLayout
InboundCertificate
InboundNetworkConnection
IdentityVerificationProcDef
IdentityVerificationProcDtl
IdentityVerificationProcFld
InstalledPackage
IPAddressRange
KeywordList
Layout
Letterhead
LightningBolt
LightningComponentBundle
LightningExperienceTheme
LightningMessageChannel
LightningOnboardingConfig
LiveChatAgentConfig
LiveChatButton
LiveChatDeployment
LiveChatSensitiveDataRule
LoyaltyProgramSetup
ManagedContentType
ManagedTopics
MarketingAppExtension
MatchingRule
MessagingChannel
Metadata
MetadataWithContent
MfgProgramTemplate
MilestoneType
MlDomain
MktCalcInsightObjectDef
MktDataTranObject
MLDataDefinition
MLPredictionDefinition
MobileApplicationDetail
ModerationRule
MutingPermissionSet
MyDomainDiscoverableLogin
NamedCredential
NavigationMenu
Network
NetworkBranding
NotificationTypeConfig
OauthCustomScope
ObjectSourceTargetMap
OcrSampleDocument
OcrTemplate
OmniScript
OutboundNetworkConnection
Package
PathAssistant
PaymentGatewayProvider
PermissionSet
PermissionSetGroup
PermissionSetLicenseDefinition (Developer Preview)
PlatformCachePartition
PlatformEventChannel
PlatformEventChannelMember
PlatformEventSubscriberConfig
Portal
PortalDelegablePermissionSet
PostTemplate
ProductAttributeSet
PresenceDeclineReason
PresenceUserConfig
Profile
ProfileActionOverride
ProfilePasswordPolicy
ProfileSessionSetting
Prompt
Queue
QueueRoutingConfig
QuickAction
RecordAlertCategory
RedirectWhitelistUrl
RecommendationStrategy
RecordActionDeployment
RelationshipGraphDefinition
RemoteSiteSetting
Report
ReportType
RestrictionRule
Role
RoleOrTerritory
SalesWorkQueueSettings
SamlSsoConfig
SchedulingObjective
SchedulingRule
Scontrol
ServiceAISetupDefinition
ServiceAISetupField
ServiceChannel
ServicePresenceStatus
Settings
SharedTo
SharingBaseRule
SharingRules
SharingSet
SiteDotCom
Skill
StandardValueSet
StandardValueSetTranslation
StaticResource
StreamingAppDataConnector
SustainabilityUom
SvcCatalogCategory
SvcCatalogFulfillmentFlow
SvcCatalogItemDef
SynonymDictionary
Territory
Territory2
Territory2Model
Territory2Rule
Territory2Type
TimelineObjectDefinition
TimeSheetTemplate
TopicsForObjects
TransactionSecurityPolicy
Translations
UserAuthCertificate
UserCriteria
UserProvisioningConfig
WaveApplication
WaveComponent
WaveDataflow
WaveDashboard
WaveDataset
WaveLens
WaveRecipe
WaveTemplateBundle
WaveXmd
WebStoreTemplate
Workflow
WorkSkillRouting
Headers
Appendices
Glossary
PDF

Newer Version Available

This content describes an older version of this product. View Latest

AuthProvider

Represents an authentication provider (auth provider). An auth provider lets users log in to Salesforce from an external service provider such as Facebook, Google, or GitHub. This type extends the Metadata metadata type and inherits its fullName field.

File Suffix and Directory Location

Authentication providers are stored in the authproviders directory. The file name matches the URL suffix, and the extension is .authprovider. For example, an auth provider with URL suffix FacebookProvider is stored in authproviders/FacebookProvider.authprovider.

Version

Authentication providers are available in API version 27.0 and later.

Special Access Rules

Only users with the Customize Application and Manage AuthProviders permissions can access this object.

Fields

Field Name Field Type Description
appleTeam string Required when using Apple as a third-party authentication provider. A 10-character team ID, obtained from an Apple developer account. Available in API version 48.0 and later.
authorizeUrl string Required when creating an OpenID Connect authentication provider. The OAuth authorization endpoint URL. Available in API version 29.0 and later.

In API version 33.0 and later, for Salesforce-managed auth providers, leave the field blank to let Salesforce supply and manage the value. For details, see Usage.
consumerKey string The app’s key that is registered at the third-party (external) authentication provider.

In API version 33.0 and later, for Salesforce-managed auth providers, leave the field blank to let Salesforce supply and manage the value. For details, see Usage.
consumerSecret string The consumer secret of the app that is registered at the third-party provider. After it’s set, you can’t change the value. When using create(), this field must be encrypted. To create an encrypted form of the consumer secret from plaintext:
  1. Create an authentication provider with the consumerSecret plaintext value.
  2. Save the authentication provider.
  3. Create an outbound change set that includes the authentication provider component.
The new change set .xml file has an entry in the form <consumerSecret>++XYZ++</consumerSecret> where ++XYZ++ is the encrypted secret.

In API version 33.0 and later, for Salesforce-managed auth providers, leave the field blank to let Salesforce supply and manage the value. For details, see Usage.

Starting in November 2022, in API version 30.0 and later, if a consumer secret is defined on an authentication provider, the consumer secret is always exported as a placeholder value, not as an encrypted secret.

customMetadataTypeRecord string Required when creating a custom authentication provider plug-in. The API name of the custom authentication provider. Available in API version 36.0 and later.
defaultScopes string For OpenID Connect authentication providers, the scopes to send with the authorization request, if not specified when a flow starts. Available in API version 29.0 and later.

In API version 33.0 and later, for Salesforce-managed auth providers, leave the field blank to let Salesforce supply and manage the value. See Usage.
ecKey string Required when using Apple as a third-party authentication provider. A private key generated by Apple. Available in API version 48.0 and later.
errorUrl string A custom error URL for the authentication provider to use to report errors.
executionUser string

Required when specifying a registration handler class. The username of the Salesforce admin or system user who runs the Apex handler, which provides the context in which the Apex handler runs. For example, if the Apex handler creates a contact, the creation can be easily traced back to the registration process. In production, use a system user. The user must have the Manage Users permission. Available in API version 27.0 and later.
friendlyName string Required. A user-friendly name for the authentication provider.
iconUrl string The path to an icon to use as a button on the login page. Users click the button to log in with the associated authentication provider, such as Twitter or Facebook. Available in API version 32.0 and later.
idTokenIssuer string The source of the authentication token in https: URI format. This field is available when configuring an OpenID Connect or Microsoft authentication provider. If provided, Salesforce validates the returned id_token value. OpenID Connect requires returning an id_token value with the access_token value. Available in API version 30.0 and later.
includeOrgIdInIdentifier Boolean Used to differentiate between users with the same user ID from two sources (such as two sandboxes). If enabled (true), Salesforce stores the org ID of the third-party identity in addition to the user ID. After you enable this setting, you can’t disable it. Applies only to a Salesforce-managed auth provider. Available in API version 32.0 and later.
linkKickoffUrl string The URL for linking existing Salesforce users to a third-party account. This field is read-only. Available in API version 43.0 and later.
logoutUrl string The destination for users after they log out if they authenticated using single sign-on. The URL must be fully qualified with an http or https prefix, such as https://acme.my.salesforce.com. Available in API version 33.0 and later.
oauthKickoffUrl string The URL for obtaining OAuth access tokens for a third party. This field is read-only. Available in API version 43.0 and later.
plugin string An existing Apex class that extends the Auth.AuthProviderPluginClass abstract class. Available in API version 36.0 and later.
portal string This field is used only with portals, which are deprecated. Salesforce doesn’t support creating portals, but existing portals are supported.
providerType AuthProviderType (enumeration of type string) Required. The third-party authentication provider to use. Valid values include:
  • Apple
  • Custom—A provider configured with a custom authentication provider plug-in. Available in API version 36.0 and later.
  • Facebook.
  • GitHub—Provides authentication for a GitHub provider. Used to log in users of your Lightning Platform app to GitHub using OAuth. When logged in to GitHub, your app can make calls to GitHub APIs. The GitHub provider isn’t available as an SSO provider, so users can’t log in to your Salesforce org using their GitHub login credentials. Available in API version 35.0 and later.
  • Google.
  • Janrain.
  • LinkedIn. Available in API version 32.0 and later.
  • Microsoft—Provides authentication for all services that can be accessed via Microsoft Azure Active Directory. Available in API version 55.0 and later.
  • MicrosoftACS—Microsoft Access Control Service typically provides authentication for a Microsoft Office 365 service, like SharePoint Online. The MicrosoftACS provider doesn't support SSO. Available in API version 31.0 and later.
  • OpenIdConnect. Available in API version 29.0 and later.
  • Salesforce.
  • Slack. Available in API version 54.0 and later.
  • Twitter. Available in API version 32.0 and later.
registrationHandler string An existing Apex class that implements the Auth.RegistrationHandler interface.
sendAccessTokenInHeader boolean If enabled (true), the access token is sent to the UserInfoUrl in a header instead of a query string. Available in API version 30.0 and later.
sendClientCredentialsInHeader boolean Required when creating an OpenID Connect authentication provider. If enabled (true), the client credentials are sent in a header to the tokenUrl instead of a query string. The credentials are in the standard OpenID Connect Basic Credentials header format, which is Basic <token>, where <token> is the base64-encoded string "clientkey:clientsecret". Available in API version 30.0 and later.
sendSecretInApis boolean
Determines whether the encrypted consumer secret appears in API responses. If enabled (default), the secret appears in the response. If disabled (false), responses don’t include the consumer secret. For security, you can disable the setting. However, keep in mind that:
  • By disabling this setting, the consumer secret is excluded from API responses in all API versions.
  • Change sets and other metadata deployments break because both the consumer key and secret are expected. To fix this problem, insert the consumer key manually during deployment.
Available in API version 47.0 and later.

Starting in November 2022, in API version 30.0 and later, the consumer secret is always included in the response as a placeholder value, regardless of the value provided for sendSecretInApis.

ssoKickoffUrl string The URL for performing single sign-on into Salesforce from a third party by using its third-party credentials. This field is read-only. Available in API version 43 and later.
tokenUrl string The OAuth token endpoint URL of an OpenID Connect authentication provider. Available in API version 29.0 and later.

In API version 33.0 and later, for Salesforce-managed auth providers, leave the field blank to let Salesforce supply and manage the value. For details, see Usage.
userInfoUrl string The OpenID Connect endpoint URL of the OpenID Connect authentication provider. Available in API version 29.0 and later.

In API version 33.0 and later, for Salesforce-managed auth providers, leave the field blank to let Salesforce supply and manage the value. For details, see Usage.

Declarative Metadata Sample Definition

Starting in November 2022, enter the consumerSecret value as plaintext, for example, <consumerSecret>yourplaintextconsumersecret</consumerSecret>. Existing consumer secrets that were entered as encrypted values can be deployed throughout the Winter ‘23 release.

Note

1<?xml version="1.0" encoding="UTF-8"?>
2<AuthProvider xmlns="http://soap.sforce.com/2006/04/metadata">
3    <consumerKey>yourappkey</consumerKey>
4    <consumerSecret>PwdVxXjzu3NCZ3MD4He+wA==</consumerSecret>
5    <executionUser>admin@your.org</executionUser>
6    <friendlyName>FacebookAuthProvider</friendlyName>
7    <providerType>Facebook</providerType>
8    <registrationHandler>RegistrationHandler</registrationHandler>
9    <sendSecretInApis>true</sendSecretInApis>     
10</AuthProvider>
This example package manifest references the previous AuthProvider definition.
1<?xml version="1.0" encoding="UTF-8"?>
2<Package xmlns="http://soap.sforce.com/2006/04/metadata">
3    <types>
4        <members>FacebookAuthProvider</members>
5        <name>AuthProvider</name>
6    </types>
7    <version>28.0</version>
8</Package>

Usage

Salesforce provides default authentication providers, called Salesforce-managed auth providers, to simplify setting up these service providers for authentication.

  • Apple
  • Facebook
  • GitHub
  • Google
  • Janrain
  • LinkedIn
  • Microsoft
  • Microsoft Access Control Service
  • Salesforce
  • Slack
  • Twitter

To use a Salesforce-managed auth provider, leave these fields blank when creating your auth provider from the Auth. Provider Setup page.

  • authorizeUrl
  • consumerKey
  • consumerSecret
  • defaultScopes
  • tokenURL
  • userInfoUrl

If you provide a value for one of these fields, you must also provide a value for consumerKey and consumerSecret.

Note

Wildcard Support in the Manifest File

This metadata type supports the wildcard character * (asterisk) in the package.xml manifest file. For information about using the manifest file, see Deploying and Retrieving Metadata with the Zip File.