
Learn What’s New with Identity Management for Winter ‘25

Learning Objectives

After completing this unit, you’ll be able to:

  • Create an external client app from App Manager.
  • Customize user experience for authentication providers using a URL parameter allowlist.
  • Adopt a headless identity flow that conforms to the OAuth 2.0 draft standard.
  • Customize SMS one-time password delivery for Experience Cloud sites.

Create an External Client App from App Manager

When creating a connected app in App Manager, you can now choose to create an external client app instead. These apps offer a more secure way to connect third-party applications with your Salesforce data. Designed for second-generation (2GP) packaging, source-driven development, and scratch org compatibility, external client apps are easier to manage and distribute. They maintain a clean separation between proprietary developer settings and customizable admin-defined policies, and will eventually support the majority of connected app use cases.

When you click New Connected App in App Manager, a window opens with options to either continue creating a connected app or open the External Client App Manager and create an external client app.

This change applies to Lightning Experience and Salesforce Classic (not available in all orgs) in Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer editions.

Customize User Experience and Functionality for Authentication Providers

Deliver different user experiences with a single authentication provider by using a URL parameter allowlist. This feature makes single sign-on (SSO) flows more flexible, because you can add a custom URL parameter to an authentication provider URL. Use a single authentication provider plus a parameter instead of configuring multiple authentication providers.

For example, imagine that you host a site on Experience Cloud. Users go to your Experience Cloud site, select their language preference, and are redirected to your login page, where you display an option to log in with Google. Previously, the only way to specify the display language for that user was to configure a different authentication provider for each language and statically specify the user's locale. Now, you can configure just one authentication provider and add a locale parameter to your authentication provider allowlist. When the user chooses their language, Salesforce forwards the parameter value to the authentication provider URL so that it can then be passed to Google. This approach eliminates the need to manage multiple authentication providers and enhances user experience by dynamically adapting to user preferences.

Use the URL Parameter Allowlist for Authentication Providers

Select your metadata development tool of choice, such as Salesforce CLI, to create an AuthProvParamFwdAllowlist metadata type that stores the URL parameter you want to add. Each instance of AuthProvParamFwdAllowlist stores one allowlisted parameter. If your SSO flow passes any allowlisted parameters to Salesforce, Salesforce automatically forwards those parameters to your authentication provider's client configuration URLs; parameters that are not on the allowlist are not forwarded. This forwarding ability means you can pass important information to authentication providers in multiple scenarios using a single configuration, eliminating the need for redundant configurations to cover each scenario.

This change applies to Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions.
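The allowlist behavior described above, modeled in Python as an added example (this is not Salesforce's implementation and does not use the AuthProvParamFwdAllowlist type directly). It assumes a constructed allowlist containing only `locale`, constructed sample URLs on `.invalid` hosts, and one design choice of the example: a forwarded parameter never overrides a parameter already configured on the provider URL. The point for a defender is that only allowlisted names cross the boundary; anything else in the incoming request, such as a caller-supplied `redirect_uri`, is dropped and reported for auditing.

```python
"""Added example, not Salesforce code: a URL-parameter allowlist that decides
which query parameters from an incoming SSO request are forwarded to an
authentication provider URL. All names and URLs below are constructed."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed allowlist: one entry per forwardable parameter, mirroring the
# page's "one allowlisted parameter per AuthProvParamFwdAllowlist instance".
ALLOWLIST = frozenset({"locale"})


def partition_params(incoming_url, allowlist=ALLOWLIST):
    """Split the incoming request's query into (forwarded, dropped) lists.

    Returning the dropped parameters lets a caller log what was rejected
    without ever placing those values on the outbound provider URL.
    """
    params = parse_qsl(urlsplit(incoming_url).query, keep_blank_values=True)
    forwarded = [(k, v) for k, v in params if k in allowlist]
    dropped = [(k, v) for k, v in params if k not in allowlist]
    return forwarded, dropped


def forward_allowlisted_params(incoming_url, provider_url, allowlist=ALLOWLIST):
    """Build the provider URL with only allowlisted parameters appended.

    Design choice of this example (an assumption, not page behavior): values
    already configured on the provider URL win, so a request cannot override
    a statically configured client_id, scope, or similar setting.
    """
    forwarded, _ = partition_params(incoming_url, allowlist)
    parts = urlsplit(provider_url)
    configured = parse_qsl(parts.query, keep_blank_values=True)
    configured_keys = {k for k, _ in configured}
    forwarded = [(k, v) for k, v in forwarded if k not in configured_keys]
    query = urlencode(configured + forwarded)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample: the user picked French; an attacker-style extra
    # parameter rides along and must not reach the provider.
    incoming = ("https://site.example.invalid/login"
                "?locale=fr&redirect_uri=https://evil.invalid/&client_id=override")
    provider = "https://idp.example.invalid/authorize?client_id=abc&scope=openid"
    print(forward_allowlisted_params(incoming, provider))
    print("dropped:", partition_params(incoming)[1])
```

Run it as a script to see the outbound URL; `partition_params` is what you would wire to an audit log, and `ALLOWLIST` is the only thing that changes when a new parameter is approved.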

Be an Early Adopter of a Headless Identity Draft Standard

Stay current with industry developments for Open Authorization (OAuth) 2.0 and Salesforce headless identity. Headless identity helps you separate back-end authentication processes from front-end identity experiences. With headless identity, you can embed identity features and extend Salesforce APIs and data into any app built on any platform.

Headless Identity Flows Now Conform to the OAuth 2.0 Standard

Headless identity relies on APIs to handle authentication tasks such as login, registration, and password resets. Salesforce headless identity flows now conform to Open Authorization (OAuth) 2.0, which is a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user.

When Salesforce first released Headless Identity APIs, there was no proposed standard for headless app authorization, so Salesforce provided proprietary flows built on top of OAuth. Now you can set up headless username-password login, passwordless login, and registration flows that conform to the OAuth 2.0 for First-Party Applications draft standard. When finalized, this will become a widely accepted standard, and all of your headless identity flows will be compatible with the broader industry.

This change applies to Lightning Experience and Salesforce Classic (not available in all orgs) in Enterprise, Unlimited, and Developer editions.

Note

OAuth 2.0 for First-Party Applications is still in a draft state. For more information, see OAuth 2.0 for First-Party Applications.

Customize SMS One-Time Password Delivery for Experience Cloud Sites

To provide branded, personalized identity verification experiences for external users, create an Apex handler to send one-time passwords (OTPs) via an SMS messaging provider of your choice. Customize the content of the message and the shortcode that tells users who sent it. Use the handler to send OTPs for any Experience Cloud identity verification use case. This customization enhances security and user trust by ensuring that OTPs are delivered in a recognizable and consistent manner, tailored to your brand’s identity.

  • For Experience Cloud sites, use a custom OTP provider for any identity verification use case that uses SMS, such as MFA, passwordless login and registration, self-registration with SMS, and device activation.
  • For headless apps, use a custom OTP provider to send SMS messages during headless passwordless login and registration flows.

These changes apply to LWR, Aura, and Visualforce sites accessed through Lightning Experience and Salesforce Classic in Enterprise, Unlimited, and Developer editions. Review the definitions of these Experience Cloud Site terms in the Experience Cloud Glossary.

To get access to this feature, contact Salesforce Customer Support.

To implement custom OTP delivery:

  1. Create a custom one-time password delivery handler Apex class. This class defines how the OTPs are sent and allows for customization of the message content and shortcode.
  2. Configure Experience Cloud login and registration settings in the Customized OTP Delivery section. Select your newly created OTP Delivery Handler Apex class to enable custom OTP delivery.
  3. Ensure consistency across all sites. Enabling this feature affects all Experience Cloud sites. To avoid disruptions, create an OTP Delivery Handler Apex class for all sites to ensure consistent OTP delivery.

By following these steps, you can achieve a branded, personalized identity verification experience.
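The handler described in steps 1 to 3, modeled in Python as an added example rather than as Salesforce's Apex interface (whose class and method names are not given on this page and are not assumed here). It assumes the platform hands the handler an already generated code, a constructed shortcode and brand name, and a constructed in-memory SMS provider standing in for a real messaging vendor. It shows the three customizable pieces the text names, the message content, the sender shortcode, and the provider, behind one handler that serves every SMS verification use case, and it shows the practitioner's caveat: the code is validated and sent but never written to the log.

```python
"""Added example, not Salesforce code: a branded one-time password (OTP)
delivery handler with a pluggable SMS provider. Shortcode, brand, phone
numbers, and the recording provider are all constructed for this example."""
import logging
import re
from typing import Protocol

log = logging.getLogger("otp-delivery")

# E.164 numbers only: a leading '+', a non-zero country code, 8 to 15 digits.
E164 = re.compile(r"^\+[1-9]\d{7,14}$")

# One template per identity verification use case the page lists; the handler
# picks the wording, the platform picks the purpose.
TEMPLATES = {
    "mfa": "{brand}: your verification code is {otp}. It expires in {minutes} min.",
    "passwordless_login": "{brand}: use {otp} to sign in. Valid for {minutes} min.",
    "registration": "{brand}: {otp} is your sign-up code. Valid for {minutes} min.",
    "device_activation": "{brand}: enter {otp} to activate this device ({minutes} min).",
}


class SmsProvider(Protocol):
    """Anything that can send one SMS and return a provider message id."""
    def send(self, sender: str, to: str, body: str) -> str: ...


class RecordingSmsProvider:
    """Constructed stand-in for a real SMS vendor: records instead of sending."""
    def __init__(self):
        self.sent = []

    def send(self, sender, to, body):
        self.sent.append((sender, to, body))
        return f"msg-{len(self.sent)}"


def mask_phone(phone):
    """Keep only the last four digits for log lines."""
    return "*" * (len(phone) - 4) + phone[-4:]


class BrandedOtpDeliveryHandler:
    """Sends platform-generated OTPs through the configured provider."""

    def __init__(self, provider, shortcode, brand, templates=TEMPLATES):
        self.provider = provider
        self.shortcode = shortcode      # what the recipient sees as the sender
        self.brand = brand
        self.templates = templates

    def send_otp(self, phone, otp, purpose="mfa", minutes=5):
        """Validate inputs, render the branded text, dispatch, return message id."""
        if not E164.match(phone):
            raise ValueError("destination must be an E.164 phone number")
        if not (otp.isdigit() and 4 <= len(otp) <= 8):
            raise ValueError("otp must be 4 to 8 digits")
        if purpose not in self.templates:
            raise ValueError(f"unknown verification purpose: {purpose}")
        body = self.templates[purpose].format(
            brand=self.brand, otp=otp, minutes=minutes)
        message_id = self.provider.send(self.shortcode, phone, body)
        # Audit the delivery without the code: the OTP itself never hits the log.
        log.info("otp delivered purpose=%s to=%s via=%s id=%s",
                 purpose, mask_phone(phone), self.shortcode, message_id)
        return message_id


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    provider = RecordingSmsProvider()
    handler = BrandedOtpDeliveryHandler(provider, shortcode="12345", brand="Example Brand")
    handler.send_otp("+15555550123", "483920", purpose="passwordless_login")
    print(provider.sent[-1])
```

Swap `RecordingSmsProvider` for a class that calls your real vendor's API and nothing else changes, which is the property step 3 relies on: one handler class, registered once, gives every site the same delivery behavior.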

You’ve just reviewed the latest updates to identity management. These include how to create an external client app and customize authentication provider experiences using a URL parameter allowlist. You also learned how to adopt a headless identity flow conforming to the OAuth 2.0 draft standard, and customize SMS one-time password delivery for Experience Cloud sites. In the next unit, you review recent updates to help you optimize your integration processes and enhance data security and efficiency.

Resources
