          Create or Edit an External Auth Identity Provider

          If you plan to create named and external credentials that use OAuth 2.0 authentication, first create an external auth identity provider. External auth identity providers obtain OAuth tokens for outbound callouts to external systems.

          Required Editions

          Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
          Available in: all editions
          User Permissions Needed
          To view external credentials: View Setup and Configuration
          To create, edit, or delete external credentials: Manage Named Credentials or Customize Applications

          External systems often require additional parameters to specify which tenant to access. External auth identity providers support additional request parameters to customize and extend requests to the identity provider’s token endpoint. When you create an external auth identity provider, you can attach account IDs or tenant IDs as header or query parameters for seamless integration with multi-tenant services like NetSuite, Zendesk, or Dropbox.

          1. From Setup, in the Quick Find box, enter Named Credentials, and then select Named Credentials.
          2. Click the External Auth Identity Providers tab.
          3. To create an external auth identity provider, click New. Or open an existing external auth identity provider in the list, and then click Edit.
          4. Complete the fields.
            Field: Description

            Label: A user-friendly name for the external auth identity provider that’s shown in the Salesforce user interface, such as in list views.
            Name: A unique identifier that’s used to refer to this external auth identity provider from callout definitions and through the API. The name can contain only underscores and alphanumeric characters. It must be unique, begin with a letter, not include spaces, not end with an underscore, and not contain two consecutive underscores.
            Description: A description for the external auth identity provider.

            Authentication

            Authentication Protocol: Select the same authentication protocol that you plan to use for the external credential. Currently, only OAuth 2.0 is supported.
            Authentication Flow Type: Select the authentication flow that authenticates users and gets authorization to access protected resources. Currently, authorization code flow and client credentials flow auth types are supported.

            Client Identification

            Client ID: Enter the unique identifier that’s used to authenticate the client.
            Client Secret: Enter the secret for your client.
            Pass client credentials in request body: Optional. Sends the client ID and client secret in the callout’s request body instead of its header.

            By default, client credentials are sent in the callout’s authorization header. With this format, the client_id and client_secret are joined in the format client_id:client_secret, and the resulting value is Base64-encoded.

            Sending client credentials in the authorization header aligns with section 2.3.1 Client Password in The OAuth 2.0 Authorization Framework from the Internet Engineering Task Force. If the external system requires that you pass client credentials in the request body instead, use this option.

            Identity Provider URLs

            Authorize Endpoint URL: Specify the OAuth authorization URL from the external system. For example, https://accounts.google.com/o/oauth2/authorize.
            Token Endpoint URL: Specify the OAuth token URL from the external system. For example, https://accounts.google.com/o/oauth2/accessToken.
            User Info Endpoint URL: Specify the OAuth user info URL from the external system. For example, https://www.googleapis.com/oauth2/v3/userinfo.
            Use Proof Key for Code Exchange (PKCE) Extension: Select this option to automatically enable the OAuth 2.0 PKCE extension, which improves security.
          5. Save your changes.
          6. On the external auth identity provider detail page, scroll to Custom Request Parameters and click New.
            Use custom request parameters to customize the interaction and OAuth handshake with external systems. To understand the parameters needed and where to place them, consult the external system’s documentation.
          7. Enter the parameter details.
            Field: Description

            Name: Enter a name for the parameter. For example, Tenant ID. Enter audience if your identity provider requires this request parameter.
            Value: Enter the parameter’s value. For example, enter the tenant ID value for the external system.
            Request Type: Select whether this is a parameter for the token request, authorize request, or refresh request.
            Parameter Location: Select whether the parameter is located in the query, HTTP header, or request body. Select Body Parameter if your identity provider requires the audience request parameter.
            Sequence Number: Assign an optional sequence number to specify the order of parameters to apply. Priority is from lower to higher numbers.
          8. Save the parameter.

          Now that you created the external auth identity provider and custom request parameters, it’s time to create the external credential to link it to. For an overview of all of the steps required to configure a named credential, see Create Named Credentials and External Credentials.
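
To show what the client credential option and the custom request parameters change on the wire, the following added example builds a client credentials token request in both modes. It is illustration code written for this page, not Salesforce code or a description of Salesforce's implementation; the endpoint, client values, parameter names, and the rule that parameters without a sequence number sort last are assumptions.

```python
import base64
from urllib.parse import quote_plus, urlencode

def build_token_request(token_url, client_id, client_secret,
                        creds_in_body=False, custom_params=()):
    """Return (url, headers, body) for a client credentials token request.

    custom_params: dicts with name, value, location ("query" | "header" |
    "body") and an optional sequence number; lower numbers apply first.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = [("grant_type", "client_credentials")]
    query = []
    if creds_in_body:
        # "Pass client credentials in request body" selected.
        body += [("client_id", client_id), ("client_secret", client_secret)]
    else:
        # Default: HTTP Basic per RFC 6749 section 2.3.1. Each value is
        # form-encoded, joined as client_id:client_secret, then Base64-encoded.
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    # Assumption: parameters without a sequence number are applied last.
    ordered = sorted(custom_params, key=lambda p: p.get("sequence", float("inf")))
    for p in ordered:
        if p["location"] == "query":
            query.append((p["name"], p["value"]))
        elif p["location"] == "header":
            headers[p["name"]] = p["value"]
        elif p["location"] == "body":
            body.append((p["name"], p["value"]))
        else:
            raise ValueError(f"unknown parameter location: {p['location']}")
    url = token_url + ("?" + urlencode(query) if query else "")
    return url, headers, urlencode(body)

# Constructed sample values; none of them come from a real system.
PARAMS = [
    {"name": "audience", "value": "https://api.example.test", "location": "body", "sequence": 2},
    {"name": "tenant_id", "value": "T-0001", "location": "query", "sequence": 1},
]
TOKEN_URL = "https://idp.example.test/oauth2/token"

if __name__ == "__main__":
    for in_body in (False, True):
        url, headers, body = build_token_request(
            TOKEN_URL, "my-client", "s3cr3t", in_body, PARAMS)
        print(url, headers, body, sep="\n", end="\n\n")
```

Query-string parameters commonly appear in proxy and server access logs, so keep secret values out of the query location and reserve it for identifiers such as a tenant ID.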

           