Allow Users to Connect Orgs as a Data Source to Cross-Cloud Applications

As a Salesforce admin, you can grant designated admins permission to connect Salesforce orgs as data sources to cross-cloud Salesforce applications, such as Customer 360 Data Manager. Connecting an org as a data source lets you connect customer data across your enterprise to create a single view of your customer. For example, service agents can view a customer’s order history in Service Console without swiveling their chairs to Commerce Cloud.

Where: This change applies to Lightning Experience and Salesforce Classic in all editions.

When: This user permission was added in the Winter ’20 release.

Who: The Connect Org to Customer 360 Data Manager permission is automatically enabled for Salesforce admins.

How: In your org, create a permission set that grants the Connect Org to Customer 360 Data Manager permission. Assign the permission set to the designated admin who is creating the connection. The admin is required to log in to the org to create the connection.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_360_connect_org_user_perm.htm&release=224&type=5

Discover the Session Status for Content, Visualforce, and Lightning Pages

If a Salesforce content, Visualforce, or Lightning page doesn’t load, you can use a new child_session parameter in the Salesforce OpenID Connect token introspection endpoint to discover its session status. For example, a page with a status of inactive (an expired session) or missing (a non-existent session) no longer has an authorized session, so the user must log back in to the Salesforce org.

Where: This change applies to Lightning Experience and Salesforce Classic in all editions.

Why: OAuth supports the extension of access tokens as a bridge to other authorization frameworks. In Salesforce, this extension is implemented when users access Salesforce content, Visualforce, and Lightning pages after successfully logging in to a Salesforce org. These pages launch as child sessions, using the org’s authenticated session as a bridge. However, if the child sessions don’t have a current access token from the org’s session, they fail to launch.

How: Include the new child_sessions parameter in POST requests to the Salesforce OpenID Connect token introspection endpoint. You can only include this parameter for introspection of active org sessions. It doesn’t work with introspection of refresh tokens.

https://help.salesforce.com/s/articleView?id=release-notes.rn_auth_child_session_status.htm&release=224&type=5

Apply the Request Signature Method to Your Single Logout Settings

For single sign-on, the Request Signature Method (RSM) applies a hashing algorithm—either RSA-SHA1 or RSA-SHA256—for encrypted requests. You can now apply the selected single sign-on RSM to your single logout (SLO) settings.

Where: This change applies to Lightning Experience and Salesforce Classic in all editions for Federated Authentication, and in Professional, Enterprise, Performance, Unlimited, Developer, and Database.com editions for Delegated Authentication.

How: Select Use Selected Request Signature Method for Single Logout to apply the selected Request Signature Method during SLO. If you don’t select this option, the default RSM (RSA-SHA1) is applied.
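To make the consequence of that choice concrete, the following Go code is an added illustration (not Salesforce's code): it signs a constructed SAML LogoutRequest with the XML-DSig algorithm identifier that corresponds to each RSM and models an identity provider pinned to RSA-SHA256, which rejects an SLO request that still carries the RSA-SHA1 default. The algorithm URIs are the standard XML Signature identifiers; the key, the message and the `Verify` policy are assumptions made for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"fmt"
)

// XML-DSig algorithm identifiers carried in a signed SAML message; the RSM setting picks one.
const (
	RSASHA1   = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
	RSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
)

// NewKey generates a throwaway RSA key for the demo (a real SP signs with its configured certificate key).
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// digest hashes msg with the hash function named by the algorithm identifier.
func digest(alg string, msg []byte) (crypto.Hash, []byte, error) {
	switch alg {
	case RSASHA1:
		d := sha1.Sum(msg)
		return crypto.SHA1, d[:], nil
	case RSASHA256:
		d := sha256.Sum256(msg)
		return crypto.SHA256, d[:], nil
	}
	return 0, nil, fmt.Errorf("unsupported signature algorithm %q", alg)
}

// Sign produces the signature an SP attaches to a LogoutRequest under the chosen RSM.
func Sign(key *rsa.PrivateKey, alg string, msg []byte) ([]byte, error) {
	h, d, err := digest(alg, msg)
	if err != nil {
		return nil, err
	}
	return rsa.SignPKCS1v15(rand.Reader, key, h, d)
}

// Verify models an IdP pinned to one algorithm: a request signed under any other RSM
// (for example the RSA-SHA1 default) is rejected before the signature bytes are checked.
func Verify(pub *rsa.PublicKey, expectedAlg, alg string, msg, sig []byte) error {
	if alg != expectedAlg {
		return fmt.Errorf("algorithm %s rejected: IdP expects %s", alg, expectedAlg)
	}
	h, d, err := digest(alg, msg)
	if err != nil {
		return err
	}
	return rsa.VerifyPKCS1v15(pub, h, d, sig)
}
```

If your IdP is configured to require RSA-SHA256 on logout requests, leaving the option unselected produces exactly the rejection this models, so align the SLO setting with the IdP's expectation when you change it.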

https://help.salesforce.com/s/articleView?id=release-notes.rn_auth_rsm_slo.htm&release=224&type=5

Limit API Access for External Users

To enhance security, you can restrict community and portal (external) user access to Salesforce APIs through connected apps that are installed in your org. Previously, you weren’t able to restrict only external user access to Salesforce APIs.

Where: This change applies to Lightning Experience and Salesforce Classic in Professional, Enterprise, Performance, Unlimited, and Developer editions.

Who: This feature applies to external users only.

How: Contact Salesforce Customer Support to enable API Access Control for your org. Then enable For external users, limit API access to only installed connected apps. Install a connected app on the Connected Apps OAuth Usage page.

https://help.salesforce.com/s/articleView?id=release-notes.rn_auth_limit_api_access.htm&release=224&type=5

Prevent Identity Verification by Email

All new Salesforce orgs are now set up so that identity verification by email occurs only if the user has no other identity verification methods registered. Possible identity verification methods include Salesforce Authenticator, SMS, time-based one-time password (TOTP), physical key (U2F), and email. The new setting, Prevent identity verification by email when other methods are registered, appears on Identity Verification and Session Settings Setup pages. To increase security in your existing orgs, Salesforce recommends that you enable this setting.

Where: This feature applies to all editions of Salesforce Classic and Lightning Experience. It also applies to all Lightning and Salesforce Tabs + Visualforce communities accessed through Lightning Experience and Salesforce Classic in Essentials, Enterprise, Performance, Unlimited, and Developer editions. SMS verification messaging is available in Lightning Experience, Salesforce Classic, and all versions of the Salesforce app. The Identity Verification Credits add-on license is available for purchase for all editions.

Who: Customers who have an Identity Verification Credits license and use device activation by text message can enable identity verification by text message. If you don’t know your org’s limit of SMS messages for identity verification, contact your Salesforce account rep. On external users’ profiles, the option Enable Device Activation allows external users to verify their identity by text message.

How: From Setup, in the Quick Find box, enter Identity Verification, and then select Prevent identity verification by email when other methods are registered.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_auth_prevent_email_verification.htm&release=224&type=5

Verify Your Domain Name for External Services

Some external services require you to prove control over your domain name. You can now verify your domain name from the Domains Setup page.

Where: This change applies to Lightning communities accessed through Lightning Experience and Salesforce Classic in Enterprise, Essentials, Performance, Unlimited, and Developer editions.

Why: External services use various methods to prove domain ownership. Some external services, such as Sign In with Apple, provide you with a verification file that you download to your computer. Store the file on your domain at a location specified by the external service. If the service can locate the file, your domain is verified.

How: You verify your My Domain or community domain from the Domains Setup page. Next to the domain, select Verify, and then choose the verification file that you downloaded from the external service. Salesforce then stores the file at the location specified by the external service.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_auth_verify_domain.htm&release=224&type=5

Let Users Log In to Salesforce with Their Apple ID

Using the new Apple authentication provider, your customers can log in to a Salesforce org or community with their Apple ID.

Where: This change applies to Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions.

How: To let users log in with their Apple ID, create an Apple authentication provider from the Salesforce Auth. Providers Setup page. After configuring the authentication provider and adding the Apple sign-in button to your Salesforce and Communities login pages, users can log in with their Apple credentials.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_auth_apple_provider.htm&release=224&type=5

Authentication and Identity: Apple Sign-In, Identity Verification, and API Access Control

Enable Apple sign-in for your orgs and communities, allowing users to authenticate with their Apple ID, Face ID, or Touch ID. Enhance identity verification security by storing domain verification files for external services and enabling verification methods that are more secure than email. Restrict external user access to Salesforce APIs through connected apps that are installed in your org or community. And apply the Request Signature Methods to single logout, have extra time to approve OAuth authentication requests, and troubleshoot bridged OAuth sessions.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_auth_and_identity.htm&release=224&type=5

Changes to Managing User Preferences

Access to UserPreference records of other users in the SOAP API is available for users with the View All Data or Manage Users permission, but all users can access their own UserPreference record.

Where: This change applies to Lightning Experience and Salesforce Classic in Professional, Enterprise, Performance, Unlimited, and Developer editions.

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_user_manage.htm&release=224&type=5