AuthorizeUrl |
- Type
- url
- Properties
- Create, Filter, Nillable, Sort, Update
- Description
- Required, but only if ProviderType is OpenIdConnect. The OAuth authorization endpoint URL. Used only with OpenID Connect authentication providers. Available in API version 29.0 and later.
|
ConsumerKey |
- Type
- string
- Properties
- Create, Filter, Nillable, Sort, Update
- Description
- Required. The app’s key that is registered at the third-party Single Sign-On provider.
|
ConsumerSecret |
- Type
- string
- Properties
- Create, Nillable
- Description
- Required. The consumer secret of the app that is registered at the third-party Single Sign-On provider. This field cannot be updated. When using create(), this field must be encrypted. To create an encrypted form of the consumer secret from plain text:
- Create an authentication provider with the ConsumerSecret plain text value.
- Save the authentication provider.
- Create an outbound change set that includes the authentication provider component.
The new change set .xml file has an entry in the form <consumerSecret>++XYZ++</consumerSecret>, where ++XYZ++ is the encrypted secret.
|
CustomMetadataTypeRecord |
- Type
- string
- Properties
- Create, Filter, Group, Nillable, Sort, Update
- Description
- Required, but only with custom authentication provider plug-ins, when ProviderType is Custom. The API name of the authentication provider. Available in API version 36.0 and later.
|
DefaultScopes |
- Type
- string
- Properties
- Create, Filter, Nillable, Sort, Update
- Description
- Required, but only if ProviderType is OpenIdConnect. The scopes to be sent with the authorization request, if not specified when a flow is started. Used only with OpenID Connect authentication providers. Available in API version 29.0 and later.
|
DeveloperName |
- Type
- string
- Properties
- Create, Filter, Group, Sort, Update
- Description
- Required. Used when referring to the authentication provider from a program.
|
ErrorUrl |
- Type
- string
- Properties
- Create, Filter, Nillable, Sort, Update
- Description
- A custom error URL for the authentication provider to use to report any errors.
|
ExecutionUserId |
- Type
- reference
- Properties
- Create, Filter, Group, Nillable, Sort, Update
- Description
- The user that runs the Apex handler class. The user must have the “Manage Users” permission. A user is required when you specify a registration handler class.
|
FriendlyName |
- Type
- string
- Properties
- Create, Filter, Group, Sort, Update
- Description
- Required. A user-friendly name for the provider.
|
IconUrl |
- Type
- url
- Properties
- Create, Filter, Nillable, Sort, Update
- Description
- The path to an icon to use as a button on the login page. Users click the button to log in with the associated authentication provider.
|
IdTokenIssuer |
- Type
- string
- Properties
- Create, Filter, Nillable, Sort, Update
- Description
- Only available if ProviderType is OpenIdConnect. This value identifies the source of the authentication token in the form of an https: URI. Used only with OpenID Connect authentication providers. If provided, Salesforce validates the returned id_token value. The OpenID Connect specification requires an id_token value to be returned with the access_token value. Available in API version 30.0 and later.
|
LinkKickoffUrl |
- Type
- url
- Properties
- Nillable
- Description
- Provides the URL for linking existing Salesforce users to a third-party account. This field is read-only. Available in API version 43.0 and later.
|
LogoutUrl |
- Type
- url
- Properties
- Create, Filter, Nillable, Sort, Update
- Description
- Provides a specific destination for users after they log out if they authenticated using social sign-on. The URL must be fully qualified with an http or https prefix, such as https://acme.my.salesforce.com. Available in API version 33.0 and later.
|
OauthKickoffUrl |
- Type
- url
- Properties
- Nillable
- Description
- Provides the URL for obtaining OAuth access tokens for a third party. This field is read-only. Available in API version 43.0 and later.
|
OptionsIncludeOrgIdInId |
- Type
- boolean
- Properties
- Create, Filter, Update
- Description
- Includes the organization ID to differentiate between users with the same user ID from two sources (such as two sandboxes). Only available for Salesforce authentication providers. Once set to true, it can’t be set to false. Available in API version 32.0 and later.
|
OptionsSendAccessTokenInHeader |
- Type
- boolean
- Properties
- Create, Filter, Update
- Description
- Required only if ProviderType is OpenIdConnect. When true, the access token is sent to the UserInfoUrl in a header instead of a query string. Used only with OpenID Connect authentication providers. Available in API version 30.0 and later.
|
OptionsSendClientCredentialsInHeader |
- Type
- boolean
- Properties
- Create, Filter, Update
- Description
- Required only if ProviderType is OpenIdConnect. When true, the client credentials are sent in a header, instead of a query string, to the TokenUrl. The credentials are in the standard OpenID Connect Basic Credentials header form, which is Basic <token>, where <token> is the base64-encoded string "clientkey:clientsecret". Used only with OpenID Connect authentication providers. Available in API version 30.0 and later.
|
ProviderType |
- Type
- picklist
- Properties
- Create, Filter, Group, Restricted picklist, Sort, Update
- Description
- Required. The third-party Single Sign-On provider to use. Valid values are:
- Facebook
- Salesforce
- Janrain
- LinkedIn (Available in API version 32.0 and later.)
- Twitter (Available in API version 32.0 and later.)
- OpenIdConnect (Available in API version 29.0 and later.) Note: This type requires values for the following fields: AuthorizeUrl, DefaultScopes, TokenUrl, UserInfoUrl.
- MicrosoftACS: Microsoft Access Control Service typically provides authentication for a Microsoft Office 365 service like SharePoint® Online. (Available in API version 31.0 and later.)
- GitHub: Use the GitHub provider to log in users of your Lightning Platform app to GitHub using OAuth. When logged in to GitHub, your app can make calls to GitHub APIs. The GitHub provider isn’t available as a single sign-on provider, so users can’t log in to your Salesforce org using their GitHub login credentials. (Available in API version 35.0 and later.)
- Custom (Available in API version 36.0 and later.)
|
PluginId |
- Type
- reference
- Properties
- Create, Filter, Group, Nillable, Sort, Update
- Description
- An existing Apex class that extends the Auth.AuthProviderPluginClass abstract class. Available in API version 39.0 and later.
|
RegistrationHandlerId |
- Type
- reference
- Properties
- Create, Filter, Group, Nillable, Sort, Update
- Description
- An existing Apex class that implements the Auth.RegistrationHandler interface.
|
SsoKickoffUrl |
- Type
- url
- Properties
- Nillable
- Description
- Provides the URL for performing single sign-on into Salesforce from a third party by using its third-party credentials. This field is read-only. Available in API version 43.0 and later.
|
TokenUrl |
- Type
- url
- Properties
- Create, Filter, Nillable, Sort, Update
- Description
- Required, but only if ProviderType is OpenIdConnect. The OAuth token endpoint URL. Used only with OpenID Connect authentication providers. Available in API version 29.0 and later.
|
UserInfoUrl |
- Type
- url
- Properties
- Create, Filter, Nillable, Sort, Update
- Description
- Required, but only if ProviderType is OpenIdConnect. The OpenID Connect endpoint URL. Used only with OpenID Connect authentication providers. Available in API version 29.0 and later.
|
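
The conditional requirements and header options in the table above can be checked against an exported AuthProvider record before deployment. The following is an added example, not Salesforce code: the function names, the `SAMPLE` record and the "flag anything that is not https" rule are assumptions of this example, and the record is represented as a plain dict of the field names listed on this page.

```python
import base64
from urllib.parse import urlparse

# Fields this page lists as required when ProviderType is OpenIdConnect.
OIDC_REQUIRED = ("AuthorizeUrl", "DefaultScopes", "TokenUrl", "UserInfoUrl")
# Assumption of this example (not a rule from the page): configured URLs should be https.
URL_FIELDS = ("AuthorizeUrl", "TokenUrl", "UserInfoUrl", "LogoutUrl", "ErrorUrl")

SAMPLE = {  # constructed record for illustration, not real data
    "ProviderType": "OpenIdConnect",
    "AuthorizeUrl": "https://idp.example.com/authorize",
    "TokenUrl": "https://idp.example.com/token",
    "UserInfoUrl": "http://idp.example.com/userinfo",
    "DefaultScopes": "",
    "OptionsSendAccessTokenInHeader": False,
    "OptionsSendClientCredentialsInHeader": True,
    "RegistrationHandlerId": "PLACEHOLDER_APEX_CLASS_ID",
}


def basic_credentials_header(client_key, client_secret):
    """Header value in the 'Basic <token>' form described for TokenUrl requests."""
    token = base64.b64encode(f"{client_key}:{client_secret}".encode()).decode()
    return f"Basic {token}"


def audit_auth_provider(rec):
    """Return findings for one AuthProvider record given as a dict of field values."""
    findings = []
    ptype = rec.get("ProviderType")
    if ptype == "OpenIdConnect":
        findings += [f"{n}: required for OpenIdConnect" for n in OIDC_REQUIRED if not rec.get(n)]
        if not rec.get("OptionsSendAccessTokenInHeader"):
            findings.append("OptionsSendAccessTokenInHeader: access token sent in a query string")
        if not rec.get("OptionsSendClientCredentialsInHeader"):
            findings.append("OptionsSendClientCredentialsInHeader: client credentials sent in a query string")
        if not rec.get("IdTokenIssuer"):
            # The page describes id_token validation only when this value is provided.
            findings.append("IdTokenIssuer: not set")
    if ptype == "Custom" and not rec.get("CustomMetadataTypeRecord"):
        findings.append("CustomMetadataTypeRecord: required for Custom")
    if rec.get("RegistrationHandlerId") and not rec.get("ExecutionUserId"):
        findings.append("ExecutionUserId: required with a registration handler class")
    for name in URL_FIELDS:
        value = rec.get(name)
        if value and urlparse(value).scheme != "https":
            findings.append(f"{name}: not an https URL")
    return findings
```

Tokens and credentials carried in a query string tend to end up in proxy and server access logs, which is why the two header options are reported when they are false.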