Identity and Access Management

Identity and Access Management provides you with an upgraded version of the Multi-Factor Authentication Assistant, which includes a step that helps you preview multi-factor authentication (MFA) during your evaluation period. Other improvements include updates to OAuth 2.0 flows and connected app access to Customer Data Platform (CDP) ingest API services. And you can secure email address updates by requiring password resets. Customer 360 Identity provides extra customer protection with secure Embedded Login redirects and verification of email address updates. We’re deprecating Identity Connect 2.1 and Identity Connect 3.0.1.2. You can upgrade to Identity Connect 7 when it’s released later this spring. In the Winter ’22 release, Salesforce is increasing the length of one-time passwords to improve security.

  • Manage Your Customer Identities in a Central Location with Salesforce Customer Identity Plus
    Salesforce Customer Identity Plus brings together the power of Salesforce and Auth0’s identity-as-a-service SaaS to deliver our latest consumer identity and access management (CIAM) solution. With Customer Identity Plus, connect to all of your customers, apps, and products by managing customer identities centrally for Commerce Cloud, Sales Cloud, and third-party applications. Customer Identity Plus makes identity configuration easy through simple clicks and SDKs that can seamlessly integrate an identity layer into existing applications. And if you want customization capabilities, Customer Identity Plus gives you full control over design and authentication flows.
  • Get More Guidance from the Multi-Factor Authentication Assistant
    The Multi-Factor Authentication Assistant now includes a step that helps you preview multi-factor authentication (MFA) during your evaluation period. While you’re getting ready to roll out MFA for Salesforce, we recommend turning it on for a few of your Salesforce champions. Conducting a preview or pilot with some trusted users lets you test the rollout process and collect early feedback on the MFA user experience. Use these insights to ensure there are no gaps in your rollout or change management plans. You can also determine the kinds of onboarding materials your users need when you’re ready to launch MFA more broadly.
  • Get Assigned Scopes with Access Tokens in the OAuth 2.0 JWT Bearer Flow
    With the OAuth 2.0 JWT bearer flow, for connected apps that are preauthorized, standard and custom scopes are automatically returned with an access token. Previously, only standard scopes or scopes issued with former access tokens were returned.
  • Improve Performance Times of the OAuth 2.0 Hybrid App Flows
    Improve performance times of the OAuth 2.0 hybrid app flows by directly bridging an access token into a web session without using frontdoor.jsp. With the hybrid app token flow, a hybrid app sets the domains’ associated SIDs in the session cookies. It then directly bridges its own web session. During the hybrid refresh token flow, when a new access token is granted, the hybrid app receives updated domain SIDs. It can directly reset the session cookies and avoid interruptions.
  • Give Authorized Access to Salesforce CDP Ingestion API Data
    To authorize a connected app to access Salesforce CDP Ingestion API data, assign it the new OAuth scope: Access and manage your Salesforce CDP Ingestion API data. Customers can use the associated external app to upload and maintain external data sets in the Salesforce CDP platform.
  • Redirect Expired Tabs to a Custom Logout URL
    For Salesforce sessions, you can now redirect all expired tabs in your browser to a custom logout URL. Previously, the redirect URL wasn’t applied to all expired tabs. Instead, only one tab was being redirected correctly, and the other tabs were redirected to Salesforce.com.
  • Require Password Changes for Email Address Updates
    You can now require a user to change their password before an admin-initiated email address update is approved. To quickly update your users’ email addresses, you can change email addresses without requiring a password reset. But for better security, you can require users to change their passwords before email address updates are approved.
  • Require Verification When Experience Cloud Users, Partners, and Customers Change Their Email Address (Update, Enforced)
    To protect user accounts against security threats, Salesforce now requires Experience Cloud users, partners, and customers to verify their email address changes. This update, first available in Winter ’21, was scheduled for auto-enforcement in Spring ’21, but was postponed to and is enforced in Summer ’21.
  • Block Customer Redirects to Unknown URLs
    Protect your customers with a new Embedded Login setting that blocks redirects to unknown URLs. After customers successfully log in to your Experience Cloud site with Embedded Login, they’re redirected to URLs that are located in the same host or domain as the site or that are allow-listed.
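    The rule above (redirect only to the site's own host or domain, or to an allow-listed host) is the standard mitigation for open redirects after login. The following is an added illustration of that check, not Salesforce code or the Embedded Login implementation; the site host, the allow-list and the two-label "registrable domain" shortcut are constructed assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed example values: in practice the site host and allow-list come
# from your own configuration, not from these constants.
SITE_HOST = "login.example.com"
ALLOWED_HOSTS = {"shop.example.com", "partner.example.org"}


def is_safe_redirect(target: str, site_host: str = SITE_HOST,
                     allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` is a site-relative path, or an http(s) URL
    whose host is the site host, a subdomain of the site's domain, or an
    explicitly allow-listed host. Everything else is treated as unknown."""
    if not target:
        return False
    # Protocol-relative ("//evil.example") and backslash forms ("/\evil.example")
    # are normalised by some browsers into an external redirect; reject them.
    if target.startswith("//") or "\\" in target:
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Site-relative path such as "/account"; must be absolute within the site.
        return target.startswith("/")
    if parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, custom schemes
    # .hostname drops userinfo and port, so "https://login.example.com@evil.example/"
    # yields "evil.example" rather than the lookalike prefix.
    host = (parts.hostname or "").lower()
    if not host:
        return False
    # Simplification for the example: treat the last two labels as the
    # registrable domain (does not handle multi-label suffixes such as co.uk).
    site_domain = ".".join(site_host.lower().split(".")[-2:])
    if host == site_host.lower() or host.endswith("." + site_domain):
        return True
    return host in {h.lower() for h in allowed_hosts}
```

    The comparison is done on the parsed host, never on a string prefix of the raw URL, which is what defeats the `https://site@attacker/` and `https://site.attacker/` lookalikes; anything that does not match is rejected rather than rewritten.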
  • Identity Connect 2.1 and Identity Connect 3.0.1.2 Are Being Deprecated
    As of the Winter ’22 release, we’re deprecating Identity Connect 2.1 and Identity Connect 3.0.1.2, and you can no longer download these versions of the product. We recommend that you upgrade to Identity Connect 7 when it becomes available.
  • One-Time Passwords Are Getting Longer in Winter ’22
    In Winter ’22, to improve security, Salesforce is increasing the length of one-time passwords (OTPs) used for identity verification from five digits to six digits. If you have customizations that rely on six-digit OTPs, such as custom Apex implementations for multi-factor authentication (MFA) or passwordless login, change them before the Winter ’22 release.
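    A customization that hard-codes the OTP length (for example, a `\d{5}` pattern in a custom verification handler) will reject every code once the length changes. The following added example, written in Python rather than Apex and not Salesforce code, shows the brittle fixed-length check beside a version that takes the length as a setting and compares the submitted code in constant time; `OTP_LENGTH`, `generate_otp` and `verify_otp` are names made up for the example.

```python
import hmac
import re
import secrets

# Example setting: the length is configuration, not a literal buried in the code.
OTP_LENGTH = 6


def generate_otp(length: int = OTP_LENGTH) -> str:
    """Zero-padded numeric OTP of the configured length, from a CSPRNG."""
    return f"{secrets.randbelow(10 ** length):0{length}d}"


def legacy_is_well_formed(code: str) -> bool:
    """Brittle check: accepts only the old five-digit format."""
    return re.fullmatch(r"\d{5}", code) is not None


def is_well_formed(code: str, length: int = OTP_LENGTH) -> bool:
    """Length-aware check: exactly `length` ASCII digits, nothing else."""
    return re.fullmatch(rf"[0-9]{{{length}}}", code) is not None


def verify_otp(submitted: str, expected: str, length: int = OTP_LENGTH) -> bool:
    """Validate the format first, then compare without an early exit on the
    first differing digit so timing does not leak the expected code."""
    if not is_well_formed(submitted, length) or not is_well_formed(expected, length):
        return False
    return hmac.compare_digest(submitted.encode(), expected.encode())
```

    Switching the length is then a one-line configuration change, and the same verifier serves both the five-digit and six-digit codes by passing `length` explicitly.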

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_auth_and_identity.htm&release=232&type=5