Use the External Client App Manager in Setup to create and manage external client apps, and check out the new flows for external client apps. Also in Setup, define and enable OAuth 2.0 token exchange handlers for the OAuth 2.0 token exchange flow. Create uninterrupted user experiences across Salesforce and custom interfaces with the new Single-Access UI Bridge API.
- Customize SMS One-Time Password Delivery for Experience Cloud Sites (Beta)
To provide branded, personalized identity verification experiences for external users, create an Apex handler to send one-time passwords (OTPs) via an SMS messaging provider of your choice. Customize the content of the message and the short code that tells users who sent it. Use the handler to send OTPs for any Experience Cloud identity verification use case, such as multi-factor authentication (MFA) and passwordless login.
- Brand the Welcome Email for Passwordless Registration
Take control of identity experiences for customers and partners. Use the new Welcome New Member for Passwordless Registration email template to customize the one-time password (OTP) email that users receive when they sign up for your Experience Cloud site using passwordless registration.
- Create External Client Apps While Maintaining Security and Defined User Roles
Try the new External Client App Manager to create, manage, and update your external client apps. You can still do all these things with Metadata API, but this new user interface means that now you don’t have to. With External Client App Manager, you can create a local app just for your org or design one to package and distribute.
- Use More OAuth Features with External Client Apps
The external client apps framework, a new and improved generation of connected apps, is catching up to connected apps fast. The new framework now supports headless login, passwordless login, and guest user flows using the Authorization Code and Credentials Flow. You can also configure an external client app to issue JSON Web Token (JWT)-based access tokens.
- Integrate Custom App Experiences with the Salesforce UI
Give users uninterrupted access across custom apps and Salesforce. With the new Single-Access UI Bridge API, use an existing Salesforce access token to load a new session in a Salesforce UI, such as a Visualforce site or mobile app. For example, when users are logged in to a headless app, redirect them to your Experience Cloud site to view Support cases without making them log in again.
- Create Token Exchange Handlers More Easily
For better usability when configuring the OAuth 2.0 token exchange flow, define and enable OAuth 2.0 token exchange handlers in Setup instead of using Metadata API. Create a handler definition, link it to an Apex class, and set some of its properties, such as what types of tokens it supports and whether it can create users.
- Migrate to a Multiple-Configuration SAML Framework (Release Update)
If you see this release update, your Salesforce instance is using our original single-configuration SAML framework, which supports single sign-on (SSO) with only one external identity provider. With this release update, we’re removing support for the single-configuration SAML framework and supporting only the multiple-configuration SAML framework. To preserve your existing configuration, follow the steps to apply this update. If you don’t, your SSO configuration stops working when this update is enforced. This update was first made available in Spring ’24. It was scheduled to be enforced for all instances in Summer ’24, but we postponed the enforcement date for production instances to Spring ’25. This update is still enforced for sandboxes in Summer ’24.
- Enter New Firebase Information Required for Android Push Notifications
The legacy Firebase Cloud Messaging API server key is no longer accepted for configuring Android push notifications on mobile connected apps. Because of a change in how Google handles push notifications, Android mobile connected apps now require the Admin SDK private key and project ID from a Google Firebase project.
- Use REST API for Access to External Client App OAuth Consumer Credentials (Release Update)
To follow recommended security standards, use the new credentials Connect REST API resource instead of Metadata API to access External Client App OAuth consumer credentials.
- Verify Email Addresses to Meet the Email Verification Requirement
To complete enforcement of the email verification requirement introduced in the Spring ’22 major release, Salesforce now requires all users in all orgs and Experience Cloud sites to verify their email address. If a user sends an email from an unverified email address, Salesforce rejects this email message and doesn’t complete the send. Unverified email addresses can’t be used for sends until the user verifies their email address or resets their password. To avoid disruptions, ensure that all user email addresses are verified.
- Stay on Top of MFA Compliance
Multi-factor authentication (MFA) is turned on by default for direct logins to production orgs as of April 8, 2024. Starting in Summer ’24, admins get in-app reminders if they don’t comply with the MFA requirement.
- Forced Login Is Permanently Disabled in Winter ’25
To improve security, in Winter ’25, users can no longer log in to Salesforce by passing a username and password as URL query string parameters in the login URL, also known as forced login. This change will break implementations and third-party integrations that use a forced login via a URL, as well as direct login (autologin) links. To avoid service disruptions, update integrations that use forced login.
- Identify the Origin IP Address for Logins with One or More Proxies
To monitor login activity more thoroughly and prevent potential threats, you can now see what value the client passed in the X-Forwarded-For header of their HTTP request to Salesforce. For logins that redirect users to one or more proxies, the X-Forwarded-For field is sometimes used to store the origin IP address of the client. Use the new Forwarded for IP column in the Login History and related fields to track the origin IP address. This change isn’t available for OAuth and single sign-on (SSO) logins.
- Password Reset Login Subtype Label Is Changed
For more consistency with naming conventions, we renamed the label for the password reset login subtype in the Login History. When a user resets their password, the Login Subtype column now displays UI Password Reset instead of Change Password.
- Enable Embedded Login
Although Salesforce doesn’t recommend it, if you must use Embedded Login with your Experience Cloud site, you can enable it on the Login & Registration page. In Summer ’24, Salesforce disabled Embedded Login by default to encourage users to move to OAuth 2.0 Web Server Flow or OAuth 2.0 User-Agent Flow.
- Take Advantage of Apex Enhancements for Processing JSON Web Tokens (JWTs)
With changes to how JSON Web Tokens (JWTs) are processed, it’s now easier to extract data from JWTs generated by methods in the Auth.JWTUtil class. We also clarified what methods we support for a JWT depending on where it came from. And you can get more test coverage by mocking HTTP callouts when processing JWTs.
- Use the Token Exchange Flow with More Identity Providers
With new support for larger tokens, use the OAuth 2.0 token exchange flow with a wider range of third-party identity providers. When you send third-party tokens to Salesforce in the subject_token parameter, the value can be up to 10,000 characters long. Previously, the maximum length for values in this parameter was 2,000 characters.
- Simultaneous Token Requests Are Blocked During the Refresh Token Flow
To reduce performance issues, we now prevent client apps from sending simultaneous token requests with the same refresh token when using the OAuth 2.0 refresh token flow. Previously, identical token requests sent at the same time didn’t fail, but they did lead to system issues across Salesforce. To avoid disruptions, update integrations that use the refresh token flow to stop sending simultaneous, identical requests to the token endpoint. Improve the efficiency of your integrations by reusing access tokens instead of continually requesting new ones.
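The refresh token item above asks integrations to stop sending simultaneous, identical requests to the token endpoint and to reuse access tokens. The following is an added example (not Salesforce code) of a client-side pattern that satisfies both: a single lock serialises refresh-token use, so threads that arrive while a refresh is in flight wait for it and reuse its result, and the access token is cached until shortly before it expires. The token endpoint is replaced by a constructed in-memory fake that counts requests; in a real integration it would be an HTTPS POST of the same form fields to the org's `/services/oauth2/token` endpoint. Because the Salesforce refresh response carries no `expires_in`, the token lifetime (`ttl_seconds`) is an assumed value the caller configures.

```python
import threading
import time
from typing import Callable, Dict, List, Optional


class FakeTokenEndpoint:
    """Constructed stand-in for the Salesforce token endpoint. It records every
    request it receives so the caller can see how many refreshes actually went out."""

    def __init__(self, latency: float = 0.05) -> None:
        self.requests: List[Dict[str, str]] = []
        self.latency = latency
        self._issued = 0

    def __call__(self, form: Dict[str, str]) -> Dict[str, str]:
        self.requests.append(dict(form))
        time.sleep(self.latency)                 # simulate the network round trip
        self._issued += 1
        return {"access_token": f"constructed_access_token_{self._issued}",
                "instance_url": "https://example.my.salesforce.com",
                "token_type": "Bearer"}


class RefreshTokenClient:
    """Reuses a cached access token until it is about to expire and allows only
    one refresh-token request in flight at a time, so the token endpoint never
    sees two simultaneous requests carrying the same refresh token."""

    def __init__(self, endpoint: Callable[[Dict[str, str]], Dict[str, str]],
                 client_id: str, refresh_token: str,
                 ttl_seconds: float = 3600.0,
                 clock: Callable[[], float] = time.time) -> None:
        self._endpoint = endpoint
        self._client_id = client_id
        self._refresh_token = refresh_token
        self._ttl = ttl_seconds      # assumed lifetime: the refresh response has no expires_in
        self._clock = clock
        self._lock = threading.Lock()
        self._access_token: Optional[str] = None
        self._expires_at = 0.0
        self.refresh_calls = 0       # how many refresh requests this client has sent

    def _fresh(self, skew: float = 60.0) -> bool:
        # Treat the token as stale `skew` seconds early so in-flight calls don't hit a 401.
        return self._access_token is not None and self._clock() + skew < self._expires_at

    def get_access_token(self) -> str:
        with self._lock:
            if self._fresh():
                return self._access_token          # reuse: no request sent
            # Only the thread holding the lock refreshes; the others block above and
            # then take the fast path with the token this call stores.
            resp = self._endpoint({
                "grant_type": "refresh_token",
                "client_id": self._client_id,
                "refresh_token": self._refresh_token,
            })
            self.refresh_calls += 1
            self._access_token = resp["access_token"]
            self._expires_at = self._clock() + self._ttl
            # Adopt a rotated refresh token if the server returned one.
            self._refresh_token = resp.get("refresh_token", self._refresh_token)
            return self._access_token


def concurrent_tokens(client: RefreshTokenClient, workers: int = 8) -> List[str]:
    """Fire `workers` threads at the client at once and return the token each got."""
    results: List[str] = [""] * workers

    def worker(i: int) -> None:
        results[i] = client.get_access_token()

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


if __name__ == "__main__":
    endpoint = FakeTokenEndpoint()
    client = RefreshTokenClient(endpoint, "CLIENT_ID_PLACEHOLDER", "REFRESH_TOKEN_PLACEHOLDER")
    tokens = concurrent_tokens(client, workers=8)
    print(f"{len(tokens)} callers, {client.refresh_calls} refresh request(s) sent")
```

Without the lock, all eight threads would find the cache empty and each send its own refresh request with the same refresh token, which is exactly the pattern the release note says is now blocked.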
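The Login History item above exposes the value the client passed in the X-Forwarded-For header as a new Forwarded for IP column. Since that header is supplied by whoever connected to Salesforce, it only tells you the origin IP when the connecting address is one of your own proxies. The following added example (not Salesforce code) resolves the origin address from a constructed Login History export: it walks the X-Forwarded-For chain from the hop nearest Salesforce back toward the client, discards the hops that belong to your trusted proxy ranges, takes the first address that is not yours as the origin, and reports anything further left as unverifiable. Logins whose Source IP is not a trusted proxy keep the Source IP as the origin and are flagged because their X-Forwarded-For value is just a client claim. The column names follow the release note; the sample rows, usernames, addresses, and the trusted CIDR list are constructed.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed Login History export with the new "Forwarded for IP" column.
LOGIN_HISTORY_CSV = """Username,Login Time,Source IP,Forwarded for IP,Status
alice@example.com,2024-07-01 10:00:00,203.0.113.10,198.51.100.7,Success
bob@example.com,2024-07-01 10:01:00,203.0.113.10,"192.0.2.44, 203.0.113.11",Success
carol@example.com,2024-07-01 10:02:00,198.51.100.200,203.0.113.10,Success
dave@example.com,2024-07-01 10:03:00,203.0.113.10,,Success
erin@example.com,2024-07-01 10:04:00,203.0.113.10,not-an-ip,Success
frank@example.com,2024-07-01 10:05:00,203.0.113.10,"10.0.0.9, 192.0.2.44, 203.0.113.11",Success
"""

# Constructed: the address ranges of the proxies you operate in front of Salesforce.
TRUSTED_PROXY_CIDRS = ["203.0.113.0/24"]


@dataclass
class OriginResult:
    username: str
    source_ip: str
    origin_ip: Optional[str]
    verdict: str                    # origin_from_xff | direct | xff_untrusted | no_xff | invalid_xff | all_hops_trusted
    unverified_hops: List[str] = field(default_factory=list)


def _parse_ip(text: str):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _trusted(ip, trusted_nets) -> bool:
    return any(ip in net for net in trusted_nets)


def resolve_origin(username: str, source_ip: str, forwarded_for: str, trusted_nets) -> OriginResult:
    """Decide which address to treat as the client's origin for one login row."""
    hops = [h.strip() for h in (forwarded_for or "").split(",") if h.strip()]
    src = _parse_ip(source_ip)
    if src is None or not _trusted(src, trusted_nets):
        # The connection came straight from the client, so any X-Forwarded-For
        # value is a self-reported claim: keep the Source IP and flag the claim.
        return OriginResult(username, source_ip, source_ip,
                            "xff_untrusted" if hops else "direct", hops)
    if not hops:
        return OriginResult(username, source_ip, None, "no_xff")
    parsed = [_parse_ip(h) for h in hops]
    if any(p is None for p in parsed):
        return OriginResult(username, source_ip, None, "invalid_xff", hops)
    # Walk from the proxy nearest Salesforce back toward the client, skipping our own hops.
    for i in range(len(parsed) - 1, -1, -1):
        if not _trusted(parsed[i], trusted_nets):
            return OriginResult(username, source_ip, hops[i], "origin_from_xff", hops[:i])
    return OriginResult(username, source_ip, None, "all_hops_trusted", hops)


def analyze_login_history(csv_text: str, trusted_cidrs: List[str]) -> List[OriginResult]:
    trusted_nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    reader = csv.DictReader(io.StringIO(csv_text))
    return [resolve_origin(row["Username"], row["Source IP"], row["Forwarded for IP"], trusted_nets)
            for row in reader]


if __name__ == "__main__":
    for r in analyze_login_history(LOGIN_HISTORY_CSV, TRUSTED_PROXY_CIDRS):
        print(f"{r.username:20} origin={r.origin_ip!s:16} {r.verdict:17} unverified={r.unverified_hops}")
```

The `unverified_hops` list is the part of the chain to the left of the origin: your proxies never saw those addresses directly, so they should not feed IP allowlists or geolocation alerts.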