Metadata Type: NamedCredential
NamedCredential is a crucial metadata type in Salesforce that simplifies and secures the process of integrating with external services. This research paper explores the NamedCredential metadata type, its deployment challenges, and best practices for Salesforce administrators.
Introduction to NamedCredential
NamedCredential is Salesforce's mechanism for declaring an external callout endpoint together with the authentication Salesforce performs against it. It lets administrators and developers keep authentication details such as usernames, passwords, and tokens out of the code that makes the callout: Apex, flows, External Services and similar features refer to the credential by its API name, and Salesforce injects the endpoint URL and the Authorization header at callout time. Since the External Credentials framework was introduced, the Named Credential holds the endpoint while the External Credential holds the authentication protocol and its principals; the older Named Credential type carries both. Either way, the secret stays in the org's credential store and is never handed to the calling code unless merge fields are deliberately enabled, which is what makes this separation a security control rather than a mere convenience.
Key Components of NamedCredential
A NamedCredential typically consists of the following elements:
- Label and Name: The Label is the display name; the Name is the API name that code references as callout:Name
- URL: The base endpoint of the external service; callouts append only a path to it
- Identity Type: Anonymous (no credential sent), Named Principal (one shared credential used for every user), or Per User (each user authenticates individually)
- Authentication Protocol: Defines how Salesforce authenticates with the external service (e.g., Password Authentication, OAuth 2.0 through an Auth. Provider, JWT Bearer Token Flow, AWS Signature Version 4); with External Credentials, the identity type and protocol are defined on the External Credential rather than on the Named Credential
- Custom Headers: Optional additional headers required by the external API, stored as non-secret parameters of an External-Credential-backed Named Credential (the legacy type has no header list)
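As an added illustration (not from the original page), the following is what the components above look like in a retrieved metadata file for a Named Credential of the External-Credential-backed type. Element names follow the Metadata API's NamedCredential type; the API name Example_API, the endpoint, the header value and the External Credential name Example_Ext_Cred are placeholders chosen for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example_API.namedCredential-meta.xml (constructed example) -->
<NamedCredential xmlns="http://soap.sforce.com/2006/04/metadata">
    <!-- Keep both merge-field switches off unless the API truly needs
         the credential somewhere other than the Authorization header. -->
    <allowMergeFieldsInBody>false</allowMergeFieldsInBody>
    <allowMergeFieldsInHeader>false</allowMergeFieldsInHeader>
    <calloutStatus>Enabled</calloutStatus>
    <generateAuthorizationHeader>true</generateAuthorizationHeader>
    <label>Example API</label>
    <!-- URL: the base endpoint; Apex refers to it as callout:Example_API -->
    <namedCredentialParameters>
        <parameterName>Url</parameterName>
        <parameterType>Url</parameterType>
        <parameterValue>https://api.example.com</parameterValue>
    </namedCredentialParameters>
    <!-- Authentication: identity type, protocol and the secret itself live
         on the referenced External Credential, not in this file. -->
    <namedCredentialParameters>
        <externalCredential>Example_Ext_Cred</externalCredential>
        <parameterName>ExternalCredential</parameterName>
        <parameterType>Authentication</parameterType>
    </namedCredentialParameters>
    <!-- Custom header: non-secret, so it is retrieved and deployed as-is -->
    <namedCredentialParameters>
        <parameterName>X-Api-Version</parameterName>
        <parameterType>HttpHeader</parameterType>
        <parameterValue>2024-01</parameterValue>
    </namedCredentialParameters>
    <namedCredentialType>SecuredEndpoint</namedCredentialType>
</NamedCredential>
```

Note that nothing in this file is secret: whoever can retrieve it learns the host and a header value but no password, token or client secret. For the legacy type the identity type and protocol appear instead as principalType and protocol elements directly under NamedCredential, and the password element is simply absent from what the Metadata API returns.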
Deployment Challenges
While NamedCredentials offer numerous benefits, deploying them can present some challenges:
1. Sensitive Data Handling
The Metadata API, which most deployment tooling relies on, never retrieves secret values: a retrieved NamedCredential contains the username but no password element, and the client secrets, API keys and OAuth tokens held by External Credential principals are not retrieved either. This is deliberate, since retrieving them would put secrets in clear text in files, version control and build logs. The consequence is that deploying the metadata creates or updates the credential with its secret blank or unchanged, so after every deployment into a new environment someone with the right permission must enter the secret in that org by hand (or complete the OAuth authentication there). Plan for this step in the release runbook; callouts that start failing with 401 right after a deployment are the usual symptom of a missed secret.
2. Certificate Management
When a certificate is required for authentication (a client certificate for mutual TLS, or the signing certificate for the JWT Bearer Token Flow), it cannot be packaged or deployed between orgs: the private key never leaves the org that generated or imported it, so only the public half could be moved in any case. Administrators must create or upload the certificate separately in each environment and give it the same unique name in every org, so that Named Credential metadata that references the certificate by name deploys unchanged.
3. Permission Set Mappings
Permission set mappings, that is, the permission set entries that grant users access to an External Credential principal, may not deploy correctly. This shows up when using custom authentication protocols or when working with the newer External Credential format, and it matters because a user whose permission sets do not include the principal cannot make the callout at all. After deploying, verify in the target org that the intended permission sets still list the principal under External Credential Principal Access, and re-create the mapping by hand where it is missing.
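For the check above, this is the entry to look for in the retrieved permission set. It is an added example, not from the original page; the permission set name, the External Credential name Example_Ext_Cred and the principal name Service_Account are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example_API_Users.permissionset-meta.xml (constructed example) -->
<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
    <!-- The mapping that must survive deployment. Without this entry,
         users assigned this permission set cannot use the Named
         Credential that references Example_Ext_Cred. The value is
         <External Credential API name>-<principal name>. -->
    <externalCredentialPrincipalAccesses>
        <enabled>true</enabled>
        <externalCredentialPrincipal>Example_Ext_Cred-Service_Account</externalCredentialPrincipal>
    </externalCredentialPrincipalAccesses>
    <hasActivationRequired>false</hasActivationRequired>
    <label>Example API Users</label>
</PermissionSet>
```

If the externalCredentialPrincipalAccesses block is absent from the permission set in the target org after deployment, add the principal access in Setup (or deploy the permission set again with the block present) before declaring the integration working.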
4. OAuth Token Refresh
A less obvious issue arises when a Named Credential is used to call Salesforce's own Metadata API (an org-to-org integration). Even when the connected app is granted the refresh_token (offline_access) scope, the automatic refresh may not happen. Named Credentials refresh an OAuth access token only when a callout returns HTTP 401; the Metadata API is a SOAP service and reports an expired session as a SOAP fault carried on an HTTP 500 response, so the 401 that the refresh logic waits for never arrives and the integration keeps failing until the token is renewed another way.
Best Practices for Salesforce Administrators
To effectively manage and utilize NamedCredentials, Salesforce administrators should follow these best practices:
1. Secure Credential Storage
Always reference a Named Credential (callout:Name in Apex, or the declarative equivalent) instead of hardcoding usernames, passwords or tokens in Apex classes, custom settings or custom metadata. Anything hardcoded is readable by everyone who can retrieve the class, ends up in version control and tends to leak into debug logs. Leave Allow Merge Fields in HTTP Header and Allow Merge Fields in HTTP Body disabled unless the API really requires the credential somewhere other than the Authorization header; once they are enabled, Apex can paste {!$Credential.Password} or {!$Credential.OAuthToken} into any header or request body, which defeats the separation the Named Credential provides.
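The following is an added example, not code from the original page, showing the same GET request written the way this practice warns against and the way it recommends. Example_API is an assumed Named Credential name (with Generate Authorization Header enabled), https://api.example.com is a placeholder host, and the class and exception names are chosen for this example.

```apex
// ExampleApiClient.cls (constructed example, not part of the original page)
public with sharing class ExampleApiClient {

    public class ApiException extends Exception {}

    // BEFORE: credentials hardcoded in Apex. Anyone who can retrieve this class
    // (Metadata API, version control, a managed package) reads the password,
    // and rotating it means a code deployment.
    public static HttpResponse fetchOrdersInsecure() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://api.example.com/v1/orders');
        req.setMethod('GET');
        String creds = 'svc_user:S3cretP@ss';   // placeholder secret, deliberately bad
        req.setHeader('Authorization',
            'Basic ' + EncodingUtil.base64Encode(Blob.valueOf(creds)));
        return new Http().send(req);
    }

    // AFTER: the callout: prefix resolves the Named Credential "Example_API".
    // Salesforce substitutes the base URL and, because Generate Authorization
    // Header is enabled on the credential, adds the Authorization header itself.
    // No secret exists in this class or in the retrieved metadata, and rotating
    // the password is an admin change in each org rather than a deployment.
    public static HttpResponse fetchOrders() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Example_API/v1/orders');
        req.setMethod('GET');
        req.setTimeout(10000);
        HttpResponse res = new Http().send(req);
        // For OAuth protocols a 401 is retried once after an automatic token
        // refresh before it reaches this line; a 401 that still arrives here
        // usually means the secret or principal grant is missing in this org.
        if (res.getStatusCode() >= 400) {
            throw new ApiException('Example_API returned HTTP ' + res.getStatusCode());
        }
        return res;
    }
}
```

The secure version works only if the running user has access to the External Credential principal behind Example_API (for the legacy Named Credential type no such grant is needed), so a 401 or 403 from fetchOrders in a freshly deployed org is the cue to check the secret and the permission set mapping rather than the code.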
2. Implement Proper Access Controls
Named Credentials have no field-level security of their own; access is governed by profiles and permission sets. Creating or editing them requires the Customize Application permission, so keep that permission to administrators. With External Credentials, grant each principal only to the permission sets whose users actually need the callout: a user who lacks the principal cannot make the callout at all, which is the intended least-privilege behavior. Note that the legacy Named Credential type performs no such check, so any Apex that can execute can use it.
3. Regular Credential Rotation
Rotate the secrets held by Named Credentials and External Credential principals on a schedule and immediately after any suspected exposure. Because the secret lives in the org's credential store rather than in code, rotation is an administrative change made in each org, not a deployment; record who rotated which credential and when, since the Metadata API cannot be used to audit the value itself.
4. Thorough Testing in Sandboxes
Always validate NamedCredential configurations and the integrations that use them in a sandbox before deploying to production. Since secrets, certificates and principal grants must be put in place per org, check those first when a sandbox callout fails; most post-deployment failures are a missing secret or mapping rather than a code defect, and finding that out in a sandbox is far cheaper than in production.
5. Documentation and Change Management
Maintain documentation of each NamedCredential: its purpose, the integrations that depend on it, the identity type and protocol, which permission sets grant access to its principal, and the per-org manual steps (secret entry, certificate upload) a deployment requires. Track modifications through a change management process so that a broken callout can be traced to the configuration change that caused it.
6. Leverage External Credentials
For anything beyond a single fixed endpoint with a shared password, use the External Credentials framework introduced in the Winter '23 release. One External Credential holds the authentication protocol and its principals and can back several Named Credentials, custom headers become declarative parameters, and access is granted per principal through permission sets instead of being open to any code in the org.
7. Monitor Usage and Performance
Regularly review the callouts made through each NamedCredential, using debug logs, Apex exception reporting or a logging framework. Watch 401 and 403 responses in particular: a burst of them right after a deployment, a sandbox refresh or a credential rotation points at a missing secret, certificate or principal grant rather than at the external service, while timeouts and 5xx responses indicate problems on the remote side.
Conclusion
The NamedCredential metadata type is a powerful tool for managing external integrations in Salesforce. While it presents some deployment challenges, particularly around sensitive data and permission mappings, the benefits of enhanced security and simplified management make it an essential component of Salesforce development best practices. By following the outlined best practices and staying aware of potential deployment issues, Salesforce administrators can effectively leverage NamedCredentials to build robust, secure, and maintainable integrations with external services.