Named Credentials
Named credentials are created when you want to integrate Salesforce with a third-party application from Salesforce.
A named credential specifies the URL of a callout endpoint and its required authentication parameters in one definition. To simplify the setup of authenticated callouts, specify a named credential as the callout endpoint.
Named credentials are supported in these types of callout definitions.
Apex callouts
External data sources
External Services
What Difference the Named Credentials Make:
By using named credentials you can avoid hardcoding sensitive details like the Consumer Key, Consumer Secret, usernames and passwords in the code.
Salesforce manages all authentication for callouts that specify a named credential as the callout endpoint. You can also skip remote site settings, which are otherwise required for callouts to external sites, for the site defined in the named credential.
All credentials stored by this feature set are encrypted under a framework that’s consistent with other encryption frameworks on the platform. Salesforce encrypts your credentials by auto-creating org-specific keys.
By separating the endpoint URL and authentication from the callout definition, named credentials make callouts easy to maintain. For example, if an endpoint URL changes, you update only the named credential. All callouts that reference the named credential continue to work.
If you have multiple orgs, you can create a named credential with the same name but with a different endpoint URL in each org. You can then package and deploy one callout definition on all the orgs that references the shared name of those named credentials. For example, the named credential in each org can have a different endpoint URL to accommodate differences in development and production environments. If an Apex callout specifies the shared name of those named credentials, the Apex class that defines the callout can be packaged and deployed on all those orgs without programmatically checking the environment.
A named credential supports various authentication protocols. You can set up each named credential to use an org-wide named principal or per-user authentication. A named principal applies the same credential or authentication configuration for the entire org, while per-user authentication provides access control at the individual user level.
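The difference described above, shown as an added Apex example (not code from the original post): the same callout written with a hardcoded endpoint and secret, and then against a named credential. The named credential name Vendor_API, the host api.example.com and the /v1/orders path are hypothetical placeholders.

```apex
// Added example. "Vendor_API", api.example.com and /v1/orders are
// hypothetical names used only for illustration.
public with sharing class VendorOrderClient {

    public class VendorCalloutException extends Exception {}

    // BEFORE: the endpoint and the secret live in source control, the host
    // needs its own Remote Site Setting, and rotating the secret or moving
    // the endpoint means changing and redeploying the class.
    public static String getOrdersHardcoded() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://api.example.com/v1/orders');
        req.setMethod('GET');
        req.setHeader('Authorization', 'Bearer <HARDCODED_TOKEN_PLACEHOLDER>');
        return send(req);
    }

    // AFTER: "callout:" plus the named credential's name stands in for the
    // base URL. Salesforce resolves the URL and handles authentication, so
    // the class holds no secret and deploys unchanged to every org that
    // defines a named credential with this name. The running user needs the
    // permission set that grants External Credential Principal Access.
    public static String getOrders() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Vendor_API/v1/orders');
        req.setMethod('GET');
        req.setTimeout(10000); // milliseconds
        return send(req);
    }

    private static String send(HttpRequest req) {
        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() < 200 || res.getStatusCode() >= 300) {
            // Report the status only; never echo request headers into logs.
            throw new VendorCalloutException(
                'Vendor callout failed with HTTP ' + res.getStatusCode());
        }
        return res.getBody();
    }
}
```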
Let’s Configure the Named Credential
Step 1: “Set up Permission Sets”
Setup - in the Quick Find box type “Permission Sets” - click Permission Sets - New - give the permission set a name in Label - the API name is auto-populated - check Activate - Save.
Step 2: “Assign Users to the Permission Sets”
Click Manage Assignments - Add Assignments - choose the users you would like to give the permissions - Next.
If you would like to provide access for a limited period of time, you can specify the time frame here, or choose “No Expiration Date” - Assign.
Step 3: “Set up Auth Providers”
Setup - in the Quick Find box type “Auth Providers” - New - choose the Provider Type: select the third-party app you are integrating with from the drop-down, choose “Salesforce” if you want to integrate two Salesforce orgs, or choose “Open ID Connect” if you are connecting to an app that is not listed in the drop-down.
When you choose one of the apps available in the list, you get a screen where the Authorization, Token and Endpoint URLs are auto-populated.
You need to provide the Name for this Auth Provider configuration. Fill in the Consumer Key and Consumer Secret - Save.
Note: To get the Consumer key and Consumer Secret you have to log in to the 3rd Party app and follow the instructions to get these details.
If you choose Open ID Connect, you get a screen where you need to provide the Name for this configuration and fill in details like the Consumer Key, Consumer Secret, Authorization Endpoint URL and Token Endpoint URL - Save.
Note: To get all these details you have to log in to the third-party app and follow the API documentation they provide.
Once you save the details, you are taken to the page that gives the Salesforce Configuration.
Copy the endpoint URL given here and enter it in the third-party application where you need to give the endpoint URL.
Step 4: “Create External Credentials”
Setup - Named Credentials - External Credentials - New
Provide details like the Name for the External Credential and choose the “Authentication Protocol” depending upon the API documentation given by the third-party application.
Choose OAuth for OAuth authentication, AWS for AWS Signature, and “Custom” for any other kind of authentication. If you choose “Custom” - Save.
For OAuth:
You get to choose either “Browser Flow” or “JWT Bearer Flow” for the “Authentication Flow Type” depending upon the API documentation. Normally we choose “Browser Flow” - choose the “Authorization Provider” which you configured in the previous step - Save.
For AWS Authentication:
Provide the Name for the External Credentials in Label - Fill in Service and Region Fields - SAVE.
Step 5: “Create Principal in External Credentials”
After you create the External Credential - New (next to Principals)
Provide the Name for this Principal and, if desired, a Sequence Number (useful when you have more Principals added) - in “Identity Type” choose “Named Principal” if you want to keep the same login for the whole org, or choose “Per User Principal” if you want the login to be separate for each user in the org - Save.
Step 6: “Add External Principal Access to the Permission Sets”
Setup - Permission Sets - choose the permission set you created before - under Apps click “External Credential Principal Access”
Edit (External Credential Principal Access) - move the Principal Access you created before from “Available” to “Enabled External Principal Access” - Save.
Step 7: “Create Named Credentials”
Setup - Named Credentials - New - provide the Name for this named credential - for URL, provide the endpoint URL of the third-party application (it doesn’t need to be the exact path, just the base URL) - Enable for Callouts - choose the External Credential you created in the step above - Client Certificate for extra security (recommended by Salesforce).
Choose the “Callout Options” as per the API documentation: “Generate Authorization Header”, “Allow Formulas in HTTP Header” or “Allow Formulas in HTTP Body” - Save.
Hurray!!!! You have created your Named Credentials which can be used in HTTP Callouts through FLOWS or APEX.
It's very informative and well explained !!