          Understand the Authentication Status for External Credentials

          The Authentication Status field tells you when you’ve completed all of the required steps to configure an external credential. If your external credential shows a Not Configured status, there’s more work to do before you can use your external credential to make authenticated callouts with a named credential. Learn how to reach a Configured status for each authentication protocol.

          Required Editions

          Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
          Available in: all editions
          Note: The Authentication Status field indicates when the external credential is fully configured, but it doesn’t verify that your connection with the external system works correctly.

          These fields represent external credentials in metadata and are required for all external credentials, but they’re not included in the runtime callout to the external system.

          | Object | Field |
          | --- | --- |
          | External Credential | Label, Name, Authentication Protocol |
          | External Credential Principal | Parameter Name, Sequence Number |

          Use these tables to understand the additional fields to populate and the actions to take to configure external credentials fully.

          AWS Signature Version 4

          The AWS Signature Version 4 authentication protocol supports only the Named Principal identity type. A named principal applies the same credential or authentication configuration for an entire org.

          | AWS Signature Version 4 Variant | External Credential Fields | External Credential Principal Fields | Additional Steps |
          | --- | --- | --- | --- |
          | Access Key and Secret | Service, Region | Access Key, Secret | |
          | STS | Service, Region, Obtain Temporary IAM Credentials via STS, STS Access Key, STS Secret | IAM Role ARN | |
          | IAM Roles Anywhere | Service, Region, Obtain Temporary IAM Credentials via STS, Trust Anchor ARN, Profile ARN, Signing Certificate | IAM Role ARN | |

          Basic Authentication

          | Identity Type | External Credential Fields | External Credential Principal Fields | Additional Steps |
          | --- | --- | --- | --- |
          | Named Principal | | Identity Type, Username, Password | |
          | Per User Principal | | Identity Type | Enable the external credential principal on a permission set or user profile. Then, at least one user must authenticate to the external system from the External Credentials page in their personal settings. |

          Custom Authentication

          The Custom authentication protocol supports only the Named Principal identity type. A named principal applies the same credential or authentication configuration for an entire org.

          When you create a principal on an external credential that uses the Custom authentication protocol, the authentication status is always Unknown. Because an admin defines the Custom authentication protocol, Salesforce can’t verify when external credentials that use this protocol are configured fully.

          JWT

          | Identity Type | External Credential Fields | External Credential Principal Fields | Additional Steps |
          | --- | --- | --- | --- |
          | Named Principal | Signing Certificate, Signing Algorithm | Identity Type | Review the JWT body claims that Salesforce created when you saved the external credential. You can modify some default claims or create your own custom claims. |
          | Per User Principal | Signing Certificate, Signing Algorithm | Identity Type | Review the JWT body claims that Salesforce created when you saved the external credential. You can modify some default claims or create your own custom claims. Then, enable the external credential principal on a permission set or user profile. Assign that permission set or profile to at least one user. |

          No Authentication

          The No Authentication protocol supports only the Named Principal identity type. A named principal applies the same credential or authentication configuration for an entire org.

          If your external credential uses the No Authentication protocol, no additional fields are required on the external credential or its principal. External credentials have a Configured authentication status as soon as you create and save the principal.
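
          The status rules described above for the Basic Authentication, JWT, No Authentication, and Custom protocols, modeled as a pre-deployment check. This is an added example, not Salesforce code: the dictionary layout, step names, and sample values are hypothetical, and only the required fields and resulting statuses come from this page.

```python
# Added example: models the status rules on this page. The dict layout and the
# step names are hypothetical, not a Salesforce API or metadata format.
COMMON_EC = {"Label", "Name", "Authentication Protocol"}
COMMON_PRINCIPAL = {"Parameter Name", "Sequence Number"}
JWT_EC = {"Signing Certificate", "Signing Algorithm"}
ENABLE = "principal enabled on a permission set or profile"
CLAIMS = "JWT body claims reviewed"
ASSIGN = "permission set or profile assigned to at least one user"
# protocol -> identity type -> (extra credential fields, extra principal fields, steps)
RULES = {
    "Basic Authentication": {
        "Named Principal": (set(), {"Identity Type", "Username", "Password"}, []),
        "Per User Principal": (set(), {"Identity Type"}, [ENABLE, "at least one user authenticated"]),
    },
    "JWT": {
        "Named Principal": (JWT_EC, {"Identity Type"}, [CLAIMS]),
        "Per User Principal": (JWT_EC, {"Identity Type"}, [CLAIMS, ENABLE, ASSIGN]),
    },
    "No Authentication": {"Named Principal": (set(), set(), [])},
    "Custom": {"Named Principal": (set(), set(), [])},
}

def _absent(kind, required, values):
    """List required names whose value is missing or blank (0 counts as a value)."""
    return [f"{kind}: {n}" for n in sorted(required) if values.get(n) in (None, "")]

def authentication_status(cred):
    """Return (status, outstanding items) for one external credential principal."""
    protocol, identity = cred["protocol"], cred["identity_type"]
    try:
        ec_extra, pr_extra, steps = RULES[protocol][identity]
    except KeyError:
        raise ValueError(f"{protocol!r} does not support {identity!r}") from None
    if protocol == "Custom":
        return "Unknown", []  # admin-defined protocol: completeness can't be judged
    todo = _absent("external credential field", COMMON_EC | ec_extra, cred["ec_fields"])
    todo += _absent("principal field", COMMON_PRINCIPAL | pr_extra, cred["principal_fields"])
    todo += [f"step: {s}" for s in steps if s not in cred.get("steps_done", ())]
    return ("Not Configured" if todo else "Configured"), todo

# Constructed sample: a per-user JWT credential whose permission set has no users yet.
SAMPLE = {
    "protocol": "JWT", "identity_type": "Per User Principal",
    "ec_fields": {"Label": "Billing API", "Name": "Billing_API", "Authentication Protocol": "JWT",
                  "Signing Certificate": "billing_cert", "Signing Algorithm": "RS256"},
    "principal_fields": {"Parameter Name": "PerUser", "Sequence Number": 1,
                         "Identity Type": "Per User Principal"},
    "steps_done": {CLAIMS, ENABLE},
}
```

          A Configured result from this model means the same as the Authentication Status field: every required field and step is present, not that the external system accepts the credential.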

          OAuth 2.0

          In addition to the fields required for all external credentials, external credentials that use an OAuth 2.0 authentication protocol also require the Authentication Flow Type field. The other fields that are required to fully configure an OAuth 2.0 external credential depend on the OAuth variant and the identity type of the external credential’s principal.

          | OAuth 2.0 Variant | Identity Type | External Credential Fields | External Credential Principal Fields | Additional Steps |
          | --- | --- | --- | --- | --- |
          | Browser Flow | Named Principal | Authentication Provider | Identity Type | Authenticate to the external system on behalf of all users in your Salesforce organization. On the External Credential page, select Authenticate from the principal’s Actions menu. Then, authenticate to the system. |
          | Browser Flow | Per User Principal | Authentication Provider | Identity Type | Enable the external credential principal on a permission set or user profile. Then, at least one user must authenticate to the external system from the External Credentials page in their personal settings. |
          | Client Credentials with Client Secret Flow | Named Principal | Identity Provider URL | Client ID, Client Secret | |
          | Client Credentials with JWT Assertion Flow | Named Principal | Identity Provider URL, Signing Certificate, Signing Algorithm | Client ID | Review the JWT body claims that Salesforce created when you saved the external credential. You can modify some default claims or create your own custom claims. |
          | JWT Bearer Flow | Named Principal | Identity Provider URL, Signing Certificate, Signing Algorithm | Identity Type | Review the JWT body claims that Salesforce created when you saved the external credential. You can modify some default claims or create your own custom claims. |
          | JWT Bearer Flow | Per User Principal | Identity Provider URL, Signing Certificate, Signing Algorithm | Identity Type | Review the JWT body claims that Salesforce created when you saved the external credential. You can modify some default claims or create your own custom claims. Then, enable the external credential principal on a permission set or user profile. Assign that permission set or profile to at least one user. |

           