Now your custom domain can use your HTTPS certificate to serve your Experience Cloud site in Hyperforce. Previously, this feature was unavailable in Hyperforce.

Where: This change applies to Aura, LWR, and Visualforce sites and accessed through Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions.

Use Your Certificate to Serve Your Custom Domain in Your Experience Cloud Sites (salesforce.com)

This update restricts users’ access to navigation menus in the Experience Cloud sites that they’re a member of. This change improves site security by enforcing existing user access permissions when you use an Apex controller in a custom component to query the NavigationLinkSet or NavigationMenuItem objects. Navigation menus that are queried using Connect APIs already enforce user access permissions and are therefore unaffected by this change. This update was first available in Winter ’23.

Where: This change applies to Aura, LWR, and Visualforce sites accessed through Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions.

When: Salesforce enforces this update in Spring ’23. To get the major release upgrade date for your instance, go to Trust Status, search for your instance, and click the maintenance tab.

How: Before you enable this update in production, we recommend that you test your sites with this update enabled in a sandbox or Developer Edition org.

When this update is activated, only the NavigationLinkSet and the NavigationMenuItem objects from Experience Cloud sites that a user is a member of are returned when a custom component queries them using Apex controllers. After you enable the test run, ensure that custom navigation menus in your sites work as expected for all users. If they don’t, make relevant adjustments.

To activate this update, from Setup, in the Quick Find box, enter Release Updates, and then select Release Updates. For Apply User Access Permissions to Navigation Menus Retrieved by Apex in Experience Cloud Sites, follow the testing and activation steps.

Apply User Access Permissions to Navigation Menus Retrieved by Apex in Experience Cloud Sites (Release Update) (salesforce.com)

Salesforce is upgrading its SAML framework as part of regular maintenance. This update can affect integrations with third-party systems, such as integrations with SAML identity providers and SAML-enabled applications. This update applies to all SAML-based integrations, including Identity for Employees and Salesforce Customer Identity, including Experience Cloud. This update was first made available in Summer ’22.

Where: This change applies to Lightning Experience and Salesforce Classic in all editions.

When: Salesforce enforces this update in Spring ’23. To get the major release upgrade date for your instance, go to Trust Status, search for your instance, and click the maintenance tab.

Why: This maintenance update improves your security posture and can increase the platform’s performance. Some single sign-on (SSO) URLs are now encoded. For service provider-initiated SSO, the Identity Provider URL and Assertion Consumer Service (ACS) URL are encoded. For all single logout configurations, the Single Logout Endpoint and relay state parameter are encoded. All existing SAML-based integrations can be affected.

How: Because Salesforce uses SAML to integrate with third-party systems, this upgrade can break integrations on the third party’s side. To avoid disruptions, apply this release update and test your SAML integrations.

Upgrade SAML Single Sign-On Framework (Release Update) (salesforce.com)

Improve site security with Salesforce’s CDN, upgrade your SAML single sign-on, enjoy improvements to custom domains, and more.

• Upgrade SAML Single Sign-On Framework (Release Update)
  Salesforce is upgrading its SAML framework as part of regular maintenance. This update can affect integrations with third-party systems, such as integrations with SAML identity providers and SAML-enabled applications. This update applies to all SAML-based integrations, including Identity for Employees and Salesforce Customer Identity, including Experience Cloud. This update was first made available in Summer ’22.
• Apply User Access Permissions to Navigation Menus Retrieved by Apex in Experience Cloud Sites (Release Update)
  This update restricts users’ access to navigation menus in the Experience Cloud sites that they’re a member of. This change improves site security by enforcing existing user access permissions when you use an Apex controller in a custom component to query the NavigationLinkSet or NavigationMenuItem objects. Navigation menus that are queried using Connect APIs already enforce user access permissions and are therefore unaffected by this change. This update was first available in Winter ’23.
• Use Your Certificate to Serve Your Custom Domain in Your Experience Cloud Sites
  Now your custom domain can use your HTTPS certificate to serve your Experience Cloud site in Hyperforce. Previously, this feature was unavailable in Hyperforce.
• Specify Trusted Domains for Clickjack Protection on Your Site
  Now you can specify the third-party domains that you trust to frame your Aura or LWR site. For consistency, the labels for adding trusted domains for clickjack protection on Visualforce pages are updated. Previously, the Trusted Domains list was titled Domains, and the Add Trusted Domain button was labeled Add Domain.
• Test Custom Domain Subdomains That Serve Your Site
  To improve your site’s security, custom domain subdomains can no longer use cookies set by the custom domain.
• Add Server Name Indication (SNI) for Requests to Custom Domains That Serve Your Experience Cloud Site
  If you use Salesforce Edge Network, update your API client callers to include the SNI extension. This extension is required to provide the correct certificate for incoming custom domain requests.
• IP Addresses Are No Longer Allowed for Domain Certificates That Serve Your Experience Cloud Site
  If you use A records that point to IP addresses for your custom domains serving your Experience Cloud site, you can no longer view or use the IP addresses on the Certificate and Key Management page in Setup.

Security and Sharing (salesforce.com)

In Winter ’22, Salesforce discontinued the Run Flows permission for the Guest User profile in new orgs. The change improves site security by requiring explicit guest user permissions to run flows. Without the Run Flows permission, you’re free to use the more granular permission structure embedded in Flows and give your users the detailed access they need. In Spring ’23, Salesforce removes Run Flows from the Guest User profile in all orgs. To avoid future access issues, we recommend updating your sites to the new permission structure before Spring ’23. This update was first available in Summer ’22.

Where: This change applies to Aura, LWR, and Visualforce sites accessed through Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions.

When: Salesforce enforces this update in Spring ’23. To get the major release upgrade date for your instance, go to Trust Status, search for your instance, and click the maintenance tab.

Require Granular Flow Permissions for Experience Cloud Guest Users (Release Update) (salesforce.com)

To improve the security of your data, Salesforce is removing guest user assignments from permission sets and permission set groups associated with permission set licenses that contain View All, Modify All, edit, and delete standard object permissions. You can no longer assign guest users permission sets or permission set groups that are associated with permission set licenses that contain the restricted permissions. The only standard object permissions allowed for guest users are read and create. This update was first available in Spring ’22 and is enforced in Winter ’23.

Where: This change applies to Aura, LWR, and Visualforce sites accessed through Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions.

When: Starting in Spring ’22, you can no longer assign guest users permission sets or permission set groups associated with permission set licenses that contain View All, Modify All, edit, and delete standard object permissions.

During the Winter ’23 release, Salesforce enforces this update and removes the affected permission set and permission set group assignments from guest users. If you’re affected, Salesforce Customer Support contacts you directly about your process and timeframe for the update.

Why: This update protects the security of your data by preventing guest users from being granted object permissions not required for their business needs.

How: Customizations, such as workflows, that rely on guest users being granted these object permissions can be affected after this change. To prevent disruptions in functionality, we recommend that you review and remove overly permissive permission sets, permission set groups, and licenses from guest users before the Winter ’23 release. In the Summer ’22 release, some replacement permission set licenses that are intended for guest users and that contain only the allowed permissions became available.

To review this update, from Setup, in the Quick Find box, enter Release Updates, and then select Release Updates. For Remove Guest User Assignments from Permission Sets Associated with Permission Set Licenses with Restricted Object Permissions, follow the testing and activation steps.

Remove Guest User Assignments from Permission Sets Associated with Permission Set Licenses with Restricted Object Permissions (Release Update) (salesforce.com)

Remove guest user assignments from permission sets and require granular flow permissions for your guest users.

• Remove Guest User Assignments from Permission Sets Associated with Permission Set Licenses with Restricted Object Permissions (Release Update)
  To improve the security of your data, Salesforce is removing guest user assignments from permission sets and permission set groups associated with permission set licenses that contain View All, Modify All, edit, and delete standard object permissions. You can no longer assign guest users permission sets or permission set groups that are associated with permission set licenses that contain the restricted permissions. The only standard object permissions allowed for guest users are read and create. This update was first available in Spring ’22 and is enforced in Winter ’23.
• Require Granular Flow Permissions for Experience Cloud Guest Users (Release Update)
  In Winter ’22, Salesforce discontinued the Run Flows permission for the Guest User profile in new orgs. The change improves site security by requiring explicit guest user permissions to run flows. Without the Run Flows permission, you’re free to use the more granular permission structure embedded in Flows and give your users the detailed access they need. In Spring ’23, Salesforce removes Run Flows from the Guest User profile in all orgs. To avoid future access issues, we recommend updating your sites to the new permission structure before Spring ’23. This update was first available in Summer ’22.

Guest User Security (salesforce.com)

As of Data Loader v.56, Enable OAuth login from browser is enabled by default. Previously, it was disabled by default in Data Loader Settings.

How: Use these instructions to revert this setting to the v.55 behavior.

1. Open Data Loader.
2. Click Settings, and select Settings from the dropdown menu.
3. Deselect the checkbox next to Enable OAuth login from browser.
4. Click OK.

Revert Data Loader Settings to Disable OAuth Login from Browser (salesforce.com)

Download Data Loader from https://developer.salesforce.com/tools/data-loader. Previously, the Data Loader installers for Windows and macOS were hosted within Setup and also available on GitHub.

Why: Salesforce developer tools, including the Data Loader installation files, are now available from the Tools section of the Salesforce Developers website.

Download Data Loader v56 Installer Files From a New Location (salesforce.com)

Find your Data Loader Release Notes and installer files at Salesforce.com.

• Download Data Loader v56 Installer Files From a New Location
  Download Data Loader from https://developer.salesforce.com/tools/data-loader. Previously, the Data Loader installers for Windows and macOS were hosted within Setup and also available on GitHub.
• Revert Data Loader Settings to Disable OAuth Login from Browser
  As of Data Loader v.56, Enable OAuth login from browser is enabled by default. Previously, it was disabled by default in Data Loader Settings.

Data Loader (salesforce.com)