Neeraj Singh

The End of Forced Login: How to Prepare Your Salesforce Org for Enhanced Security

Salesforce Force Login is Permanently Disabled.

With Salesforce permanently disabling forced login via URL query parameters, it’s time for admins and developers to revisit their integrations and ensure they’re compliant with this change. If your implementation or third-party integrations rely on forced login through a URL, here's what you need to know to keep your systems running smoothly.


What’s Changing with Forced Login?

Forced login has been a convenient, though insecure, way to access Salesforce by passing a username and password directly in the URL. Going forward, this approach is no longer supported due to potential security vulnerabilities. Any integrations or autologin links that rely on forced login will need to be updated to use safer, more robust authentication methods.


How to Identify Forced Login in Your Salesforce Org

To understand your org’s dependency on forced login, you’ll need to dive into Login History in Salesforce:

  1. Access Login History: In Setup, type "Login History" into the Quick Find box. Select Login History to view recent login attempts.

  2. Filter for Forced Login: Look at the HTTP Method column. Forced login attempts typically show "GET" with no associated Login Subtype. It’s worth noting that some GET entries might also relate to password resets, so ensure no Login Subtype is indicated to confirm forced login usage.
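The filter from step 2, applied to a downloaded Login History CSV, as an added example that is not Salesforce's or the author's code. The column headers and sample rows are constructed assumptions modelled on the columns named above; match them to the headers in your own export.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Login History CSV export. Header names and values
# are assumptions for illustration, not real data from any org.
SAMPLE_CSV = """Username,Login Time,Source IP,Login Type,Login Subtype,HTTP Method,Application
alice@example.com,2024-11-01 08:02:11,203.0.113.10,Application,,GET,Browser
bob@example.com,2024-11-01 08:05:42,203.0.113.11,Application,,POST,Browser
svc-report@example.com,2024-11-01 09:00:00,198.51.100.7,Application,,GET,Browser
svc-report@example.com,2024-11-02 09:00:00,198.51.100.7,Application,,GET,Browser
carol@example.com,2024-11-02 10:15:30,203.0.113.12,Application,PasswordReset,GET,Browser
dave@example.com,2024-11-02 11:20:00,203.0.113.13,Remote Access 2.0,OAuth User-Agent,get,Connected App
"""


def find_forced_login_candidates(csv_text):
    """Return rows whose HTTP Method is GET and whose Login Subtype is blank."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        method = (row.get("HTTP Method") or "").strip().upper()
        subtype = (row.get("Login Subtype") or "").strip()
        # A GET with any subtype (for example a password reset) is not counted.
        if method == "GET" and not subtype:
            hits.append(row)
    return hits


def summarize_by_user(hits):
    """Count candidate forced logins per username so owners can be notified."""
    return Counter(row["Username"].strip().lower() for row in hits)


if __name__ == "__main__":
    candidates = find_forced_login_candidates(SAMPLE_CSV)
    for user, count in summarize_by_user(candidates).most_common():
        print(f"{user}: {count} candidate forced login(s)")
```

Accounts that recur at fixed times from a single source IP usually point to an integration or saved autologin link rather than a person, which tells you who needs to migrate first.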


Informing Users and Transitioning to More Secure Alternatives

If any users or applications still depend on forced login, communicate the upcoming changes to ensure no one is caught off guard. Users should be encouraged to update their login methods, and integrations must migrate to more secure, modern approaches.


Migrating to External Client or Connected Apps

With the end of forced login, it’s essential to switch to authentication methods that align with Salesforce’s best practices:

  • Use Connected Apps: Connected Apps support OAuth 2.0, providing a secure, token-based method for accessing Salesforce. OAuth offers a reliable alternative by ensuring users and integrations log in securely without passing credentials directly.

  • Set Up External Client Apps: For third-party applications, setting up client apps that use secure APIs or tokens provides a safer path forward.



Final Checklist for Disabling Forced Login

  • Review your org’s login history to pinpoint any forced login usage.

  • Notify impacted users about the change and provide guidance on alternative login methods.

  • Update your integrations to utilize Connected Apps or other secure login solutions.



Conclusion

By proactively identifying dependencies on forced login and migrating to secure alternatives, you’ll help keep your org safe and maintain seamless access for users and integrations alike. Ready to improve your org’s security? Dive into your login history and start planning today.
