Metadata API Developer Guide

Introduction to Metadata API
Using Metadata API
Metadata API Context MCP Tool (Beta)
Reference
File-Based Calls
CRUD-Based Calls
Utility Calls
Result Objects
Metadata Types
Metadata Components and Types
Metadata Coverage Report
Unsupported Metadata Types
Special Behavior in Metadata API Deployments
Metadata Type Limits
Data 360 Metadata Types
AccountPlanObjMeasCalcDef
AccountRelationshipShareRule
AccountingFieldMapping
AccountingModelConfig
ActionLinkGroupTemplate
ActionPlanTemplate
ActionableListDefinition
AdvAccountForecastSet
AffinityScoreDefinition
AIApplication
AIApplicationConfig
AiAuthoringBundle
AiEvaluationDefinition
AIScoringModelDefinition
AIUsecaseDefinition
AnalyticsDashboard
AnalyticSnapshot
AnalyticsVisualization
AnalyticsWorkspace
AnimationRule
AppFrameworkTemplateBundle
ArticleType
ApexClass
ApexComponent
ApexEmailNotifications
ApexPage
ApexTestSuite
ApexTrigger
AppMenu
AppointmentAssignmentPolicy
AppointmentSchedulingPolicy
ApprovalProcess
AssignmentRules
AssessmentQuestion
AssessmentQuestionSet
Audience
AuraDefinitionBundle
AuthProvider
AutoResponseRules
BatchCalcJobDefinition
BatchProcessJobDefinition
BillingSettings
BlacklistedConsumer
Bot
BotBlock
BotTemplate
BotVersion
BrandingSet
BriefcaseDefinition
BusinessProcessGroup
CallCenter
CallCenterRoutingMap
CallCoachingMediaProvider
CampaignInfluenceModel
CaseSubjectParticle
CareBenefitVerifySettings
CareLimitType
CareSystemFieldMapping
CareProviderSearchConfig
CareRequestConfiguration
CatalogedApi
CatalogedApiArtifactVersionInfo
CatalogedApiVersion
Certificate
ChatterExtension
ChoiceList
ClaimFinancialSettings
ClauseCatgConfiguration
CleanDataService
CMSConnectSource
Community (Zone)
CommerceSettings
CommunityTemplateDefinition
CommunityThemeDefinition
ConnectedApp
ContentAsset
ContentTypeBundle
ContextDefinition
ConversationMessageDefinition
ConversationMessageDefinitionTranslation
ConversationVendorInfo
ConvIntelligenceSignalRule
CorsWhitelistOrigin
CspTrustedSite
CustomApplication
CustomApplicationComponent
CustomFeedFilter
CustomFieldDisplay
CustomHelpMenuSection
CustomIndex
CustomLabels
Custom Metadata Types (CustomObject)
CustomNotificationType
CustomObject
CustomObjectTranslation
CustomPageWebLink
CustomPermission
CustomSite
CustomTab
CustomValue
Dashboard
DataCategoryGroup
DataObjectSearchIndexConf
DataWeaveResource
DecisionTable
DecisionTableDatasetLink
DecisionMatrixDefinition
DelegateGroup
DgtAssetMgmtProvider
DgtAssetMgmtPrvdLghtCpnt
DigitalExperienceBundle
DigitalExperienceConfig
DisclosureDefinition
DisclosureDefinitionVersion
DisclosureType
DiscoveryAIModel
DiscoveryGoal
DiscoveryStory
Document
DocumentCategory
DocumentCategoryDocumentType
DocumentChecklistSettings
DocumentType
DuplicateRule
EclairGeoData
EmailServicesFunction
EmailTemplate
EmbeddedServiceBranding
EmbeddedServiceConfig
EmbeddedServiceFieldService
EmbeddedServiceFlowConfig
EmbeddedServiceLiveAgent
EmbeddedServiceMenuSettings
EnablementMeasureDefinition
EnablementProgramDefinition
EnblProgramTaskSubCategory
EntitlementProcess
EntitlementTemplate
EscalationRules
EventDelivery
EventRelayConfig
EventSubscription
ExperienceBundle
ExperiencePropertyTypeBundle (Beta)
ExplainabilityMsgTemplate
ExpressionSetDefinition
ExpressionSetMessageToken
ExpressionSetObjectAlias
ExternalAuthIdentityProvider
ExternalClientApplication
ExternalCredential
ExternalAIModel
ExternalServiceRegistration
ExtlClntAppCanvasSettings
ExtlClntAppConfigurablePolicies
ExtlClntAppGlobalOauthSettings
ExtlClntAppMobileConfigurablePolicies
ExtlClntAppMobileSettings
ExtlClntAppNotificationSettings
ExtlClntAppOauthConfigurablePolicies
ExtlClntAppOauthSettings
ExtlClntAppPushConfigurablePolicies
ExtlClntAppPushSettings
ExtlClntAppSamlConfigurablePolicies
FeatureParameterBoolean
FeatureParameterDate
FeatureParameterInteger
FieldMappingConfig
FieldRestrictionRule
FlexiPage
Flow
FlowCategory
FlowDefinition
FlowTest
FlowValueMap
Folder
ForecastingFilter
ForecastingFilterCondition
ForecastingSourceDefinition
ForecastingType
ForecastingTypeSource
FuelType
FuelTypeSustnUom
FunctionReference
FundraisingConfig
GatewayProviderPaymentMethodType
GenAiFunction
GenAiPlanner
GenAiPlannerBundle
GenAiPlugin
GenAiPluginInstructionDef
GenAiPromptTemplate
GenAiPromptTemplateActv
GiftEntryGridTemplate
GlobalPicklist
GlobalPicklistValue
GlobalValueSet
GlobalValueSetTranslation
GoogleAppsSettings
Group
HomePageComponent
HomePageLayout
IdentityVerificationProcDef
IdentityVerificationProcDtl
IdentityVerificationProcFld
InboundCertificate
InboundNetworkConnection
IndustriesPricingSettings
IndustriesRatingSettings
IndustriesUnifiedInventorySettings
InstalledPackage
IntegArtifactDef
IntegrationProviderDef
IPAddressRange
InvocableActionExtension
KeywordList
Layout
LearningItemType
Letterhead
LightningBolt
LightningComponentBundle
LightningExperienceTheme
LightningMessageChannel
LightningOnboardingConfig
LightningTypeBundle
LiveChatAgentConfig
LiveChatButton
LiveChatDeployment
LiveChatSensitiveDataRule
LoyaltyProgramSetup
ManagedContentType
ManagedEventSubscription (Beta)
ManagedTopics
MarketingAppExtension
MatchingRule
MessagingChannel
Metadata
MetadataWithContent
MfgProgramTemplate
MilestoneType
MlDomain
MLDataDefinition
MLPredictionDefinition
MobileApplicationDetail
MobileSecurityAssignment
MobileSecurityPolicy
MobSecurityCertPinConfig
ModerationRule
MutingPermissionSet
MyDomainDiscoverableLogin
NamedCredential
NavigationMenu
Network
NetworkBranding
NotificationTypeConfig
OauthCustomScope
OauthTokenExchangeHandler
OcrSampleDocument
OcrTemplate
OmniSupervisorConfig
OutboundNetworkConnection
OnboardingDataObjectGroup
Package
ParticipantRole
PathAssistant
PaymentGatewayProvider
PermissionSet
PermissionSetGroup
PermissionSetLicenseDefinition (Developer Preview)
PersonAccountOwnerPowerUser
PipelineInspMetricConfig
PlatformCachePartition
PlatformEventChannel
PlatformEventChannelMember
PlatformEventSubscriberConfig
Portal
PortalDelegablePermissionSet
PostTemplate
ProductAttributeSet
PresenceDeclineReason
PresenceUserConfig
PricingActionParameters
PricingRecipe
Profile
ProfileActionOverride
ProfilePasswordPolicy
ProfileSessionSetting
Prompt
PublicKeyCertificate
PublicKeyCertificateSet
Queue
QueueRoutingConfig
QuickAction
RedirectWhitelistUrl
RecommendationStrategy
RecordActionDeployment
RecordAggregationDefinition
RecordAlertCategory
RegisteredExternalService
ReferencedDashboard
RelatedRecordAssocCriteria
RelationshipGraphDefinition
RemoteSiteSetting
Report
ReportType
RestrictionRule
RetrievalSummaryDefinition
Role
RoleOrTerritory
RpaRobotPoolMetadata
SalesWorkQueueSettings
SamlSsoConfig
SchedulingObjective
SchedulingRule
Scontrol
SearchCustomization
SearchOrgWideObjectConfig
ServiceAISetupDefinition
ServiceAISetupField
ServiceChannel
ServicePresenceStatus
ServiceProcess
Settings
SharedTo
SharingBaseRule
SharingRules
SharingSet
SiteDotCom
Skill
StandardValueSet
StandardValueSetTranslation
StaticResource
StageAssignment
StageDefinition
SustainabilityUom
SustnUomConversion
SvcCatalogCategory
SvcCatalogFulfillmentFlow
SvcCatalogItemDef
SynonymDictionary
Territory
Territory2
Territory2Model
Territory2Rule
Territory2Type
TimelineObjectDefinition
TimeSheetTemplate
TopicsForObjects
TransactionSecurityPolicy
Translations
UIBundle (Beta)
UiFormatSpecificationSet
UIObjectRelationConfig
UiPreviewMessageTabDef
UserAccessPolicy
UserAuthCertificate
UserCriteria
UserProfileSearchScope
UserProvisioningConfig
VirtualVisitConfig
WaveAnalyticAssetCollection
WaveApplication
WaveComponent
WaveDataflow
WaveDashboard
WaveDataset
WaveLens
WaveRecipe
WaveTemplateBundle
WaveXmd
WebStoreBundle
WebStoreTemplate
Workflow
WorkSkillRouting
Headers
Appendices
PDF

Newer Version Available

This content describes an older version of this product. View Latest

SamlSsoConfig

Represents a SAML Single Sign-On configuration. This type extends the Metadata metadata type and inherits its fullName field. Single sign-on (SSO) is an authentication method that enables users to access multiple applications with one login and one set of credentials. For example, after users log in to your org, they can automatically access all apps from the App Launcher. You can set up your Salesforce org to trust a third-party identity provider to authenticate users. Or you can configure a third-party app to rely on your org for authentication.

File Suffix and Directory Location

SamlSsoConfig components have the suffix .samlssoconfig and are stored in the samlssoconfigs folder.

Version

SamlSsoConfig components are available in API version 28.0 and later.

Special Access Rules

As of Summer ’20 and later, only users with the View Setup and Configuration permission or both the Customize Application and Modify All Data permissions can access this type.

Fields

Field Name Field Type Description
attributeNameIdFormat string For SAML 2.0, only and when identityLocation is set to Attribute. Possible values include unspecified, emailAddress, or persistent. All legal values can be found in the “Name Identifier Format Identifiers” section of the Assertions and Protocols SAML 2.0 specification.
attributeName string The name of the identity provider’s application. Get this name from your identity provider.
decryptionCertificate string The name of the certificate to use for decrypting incoming SAML assertions. This certificate is saved in the organization’s Certificate and Key Management list. Available in API version 30.0 and later.
errorUrl string When there's an error during login, specify the URL of the page where users are directed. It must be publicly accessible, such as a public site Visualforce page. The URL can be absolute or relative.
executionUserId string The user that runs the Apex handler class. The user must have the Manage Users permission. If you specify a SAML JIT handler class, a user is required.
identityLocation SamlIdentityLocationType (enumeration of type string) The location in the assertion where a user is identified. Valid values are:
  • SubjectNameId — The identity is in the <Subject> statement of the assertion.
  • Attribute — The identity is specified in an <AttributeValue>, located in the <Attribute> of the assertion.
identityMapping SamlIdentityType (enumeration of type string) The identifier the service provider uses for the user during Just-in-Time user provisioning. Valid values are:
  • Username — The user’s Salesforce username.
  • FederationId — The federation ID from the user object; the identifier used by the service provider for the user.
  • UserId — The user ID from the user’s Salesforce organization.
issuer string The identification string for the Identity Provider.
loginUrl string For SAML 2.0 only: The URL where Salesforce sends a SAML request to start the login sequence.
logoutUrl string For SAML 2.0 only: The URL to direct the user to when they click the Logout link. The default is https://salesforce.com.
name string The unique name used by the API and managed packages. The name must begin with a letter and use only alphanumeric characters and underscores. The name cannot end with an underscore or have two consecutive underscores.
oauthTokenEndpoint string For SAML 2.0 only: The ACS URL used with enabling Salesforce as an identity provider in the web single sign-on OAuth assertion flow.
redirectBinding boolean Choose the binding mechanism your identity provider requests for your SAML messages. Values are:
  • HTTP POST — HTTP POST binding sends SAML messages using base64-encoded HTML forms.
  • HTTP Redirect — HTTP Redirect binding sends base64-encoded and URL-encoded SAML messages within URL parameters.
requestSignatureMethod string The method that’s used to sign the SAML request. Valid values are RSA-SHA1 and RSA-SHA256.
requestSigningCertId string The 18-digit ID for the certificate used to generate the signature on a SAML request to the identity provider. The certificate is saved in the Certificate and Key Management page in Setup.
salesforceLoginUrl string The URL associated with login for the web single sign-on flow.

When encryption is enabled, the URL has a parameter containing the ID of the SAML configuration, sc=samlSsoConfigId. For example, https://mycompany.my.salesforce.com?sc=0LEB0000000CCC. This change applies to API Version 47.0 and later.

Note
samlEntityId string The issuer in SAML requests generated by Salesforce, and is also the expected audience of any inbound SAML Responses. Salesforce recommends that you use your My Domain login URL.
samlJitHandlerId string The name of an existing Apex class that implements the Auth.SamlJitHandler interface.
samlVersion SamlType (enumeration of type string) The SAML version in use. Valid values are:
  • SAML1_1 — SAML 1.1
  • SAML2_0 — SAML 2.0
singleLogoutBinding SamlSpSLOBinding (enumeration of type string) The HTTP binding type. This value determines where to put the LogoutRequest or LogoutResponse in the SAML request during single logout (SLO). The value is base64 encoded. Valid values are:
  • RedirectBinding — Sent in the query string, deflated.
  • PostBinding — Sent in the POST body, not deflated.
singleLogoutUrl string The SAML single logout endpoint. This URL is the endpoint where Salesforce sends LogoutRequests (when Salesforce initiates a logout), or LogoutResponses (when the identity provider initiates a logout).
useConfigRequestMethod boolean If true, applies the selected Request Signature Method (RSM) during single logout. If false, the default RSM (RSA-SHA1) is applied.
useSameDigestAlgoForSigning boolean If true, uses a digest algorithm based on the selected Request Signature Method (RSM). For example, if the selected RSM is RSA-SHA256, the digest algorithm is set to SHA-256.

If false, uses the default digest algorithm (SHA-1), regardless of the selected RSM.

This field is available in API version 55.0 and later. You can edit this field only for legacy SAML configurations created before Spring ’22. For configurations created after Spring ’22, this field is true by default.
userProvisioning boolean If true, Just-in-Time user provisioning is enabled, which creates users the first time they log in. Specify Federation ID for the identityMapping value to use this feature.
validationCert string The certificate used to validate the request. Get this certificate from your identity provider.

Declarative Metadata Sample Definition

The following is an example of a SamlSsoConfig component. The validation certificate string has been truncated for readability.

1<?xml version="1.0" encoding="UTF-8"?>
2<SamlSsoConfig xmlns="http://soap.sforce.com/2006/04/metadata">
3  <identityLocation>SubjectNameId</identityLocation>
4  <identityMapping>FederationId</identityMapping>
5  <issuer>https://my-idp.my.salesforce.com</issuer>
6  <loginUrl>
7    https://my-idp.my.salesforce.com/idp/endpoint/HttpRedirect
8  </loginUrl>
9  <logoutUrl>https://www.salesforce.com</logoutUrl>
10  <name>SomeCompany</name>
11  <oauthTokenEndpoint>
12    https://login.salesforce.com/services/oauth2/token?so=00DD0000000
13  </oauthTokenEndpoint>
14  <redirectBinding>true</redirectBinding>
15  <requestSignatureMethod>RSA-SHA1</requestSignatureMethod>
16  <salesforceLoginUrl>
17    https://login.salesforce.com?so=00DD0000000JxeI
18  </salesforceLoginUrl>
19  <samlEntityId>
20    https://saml.salesforce.com/customPath
21  </samlEntityId>
22  <samlVersion>SAML2_0</samlVersion>
23  <useConfigRequestMethod>true</useConfigRequestMethod>
24  <userProvisioning>false</userProvisioning>
25  <validationCert>
26    MIIEojCCA4qgAwIBAgIOATtxsoBFAAAAAD4...
27  </validationCert>
28</SamlSsoConfig>

Wildcard Support in the Manifest File

This metadata type supports the wildcard character * (asterisk) in the package.xml manifest file. For information about using the manifest file, see Deploying and Retrieving Metadata with the Zip File.