Determine the Required Authentication Updates After a My Domain Change
If your My Domain login URL or site URL changes, authentication updates are required. Determine whether these changes apply to your My Domain change. Then understand the types of updates required.
Required Editions
| Available in: both Salesforce Classic and Lightning Experience |
| Available in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions |
Connections to Salesforce
When you deploy a My Domain change, all connections to Salesforce are reset. Active user sessions are terminated and security tokens are revoked.
After you deploy the My Domain change, users are required to log in to Salesforce again. If a feature that connects to Salesforce stops working, the user can reauthenticate. For example, in Salesforce CLI, use force:org:open to log in again. Also, after you deploy a My Domain change, functionality delivered by a managed package can require that you log in again. For example, if you use Declarative Lookup Rollup Summaries (DLRS), access the summary tool after you deploy your My Domain change and reestablish your connection.
We recommend that you notify your users about this behavior before and after a My Domain change. For more information, see Notify Users and Customers About a My Domain Change.
Determine Whether Your Change Requires an Authentication Update
If you make one of these changes, your My Domain login URL changes and authentication methods can fail.
- Renaming your My Domain.
- Changing your My Domain suffix.
- Sandboxes only: enabling enhanced domains.
- Enabling or disabling partitioned domains in a Developer Edition org, scratch org, patch org, demo org, free org, or Trailhead Playground.
If you make one of these changes, your Experience Cloud site or Salesforce Site URL changes and authentication methods for your site can fail.
- Enabling enhanced domains.
- Renaming your My Domain in an org with enhanced domains.
- Enabling or disabling partitioned domains in a Developer Edition org, scratch org, patch org, demo org, free org, or Trailhead Playground.
Authentication against your site login URL is affected only if you use the system-managed site URL to authenticate. System-managed site URLs end in *.my.site.com for Experience Cloud sites and *.my.salesforce-sites.com for Salesforce Sites. If you authenticate via a custom domain, such as https://www.example.com, that serves your Experience Cloud site or Salesforce Site, then the corresponding single sign-on (SSO) configuration and MFA verification methods aren’t affected.
Named Credentials
To simplify the setup of authenticated callouts, you can use a named credential as the callout endpoint. The named credential specifies the URL of a callout endpoint and its required authentication parameters.
When your My Domain login URL or site login URL changes, named credentials that use that URL stop working. To reestablish the impacted authentication callouts, update the URL field for the affected named credentials. For more information, see Update Named Credentials After a My Domain Change.
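An added example (not Salesforce code) of the triage these rules imply: given an exported list of configured endpoint URLs, it flags the ones that point at the old My Domain login URL or at an old system-managed site URL, and leaves custom-domain and third-party endpoints alone. The hostnames, record names, and inventory layout are constructed assumptions.

```python
from urllib.parse import urlsplit

# Suffixes the page gives for system-managed site URLs.
SYSTEM_MANAGED_SITE_SUFFIXES = (".my.site.com", ".my.salesforce-sites.com")

# Constructed sample data: "mydomainname" and all record names are placeholders.
OLD_LOGIN_URL = "https://mydomainname.my.salesforce.com"
OLD_SITE_URLS = ["https://mydomainname.my.site.com", "https://www.example.com"]
SAMPLE_INVENTORY = [
    ("Named credential", "Billing_API", "https://MYDOMAINNAME.my.salesforce.com/services/data"),
    ("Named credential", "Partner_API", "https://api.example.org/v1"),
    ("SSO endpoint", "Corp_IdP", "https://mydomainname.my.salesforce.com:443/"),
    ("SSO endpoint", "Site_IdP", "https://mydomainname.my.site.com/portal/login"),
    ("SSO endpoint", "Site_Custom", "https://www.example.com/portal/login"),
    ("OAuth callback", "Lookalike", "https://mydomainname.my.salesforce.com.example.net/cb"),
]


def _host(url):
    """Lower-cased hostname of a URL, without port or trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def review_endpoints(inventory, old_login_url, old_site_urls=()):
    """Return (kind, name, url, verdict) for each (kind, name, url) record."""
    login_host = _host(old_login_url)
    site_hosts = {_host(u) for u in old_site_urls}
    results = []
    for kind, name, url in inventory:
        host = _host(url)
        # Compare whole hostnames: a substring test would also match
        # look-alike hosts such as "<old host>.example.net".
        if host == login_host:
            verdict = "update: login URL"
        elif host in site_hosts and host.endswith(SYSTEM_MANAGED_SITE_SUFFIXES):
            verdict = "update: site URL"
        else:
            # Custom domains and third-party endpoints keep working.
            verdict = "unaffected"
        results.append((kind, name, url, verdict))
    return results


if __name__ == "__main__":
    for row in review_endpoints(SAMPLE_INVENTORY, OLD_LOGIN_URL, OLD_SITE_URLS):
        print("{3:<18} {0:<17} {1:<12} {2}".format(*row))
```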
Impacted Authentication Methods
When your My Domain login URL or site URL changes, authentication methods such as SSO and multi-factor authentication (MFA) can stop working.
To preserve access to Salesforce and prevent end-user frustration, verify backup methods and communicate to your users before you deploy the change. For more information, see Preserve Login Access During a My Domain Login URL Change.
When Salesforce acts as the service provider, authentication is delegated via an identity provider (IdP). If your My Domain login URL or site URL changes, work with your IdP to update your configuration to allow these methods to authenticate against the new URL. These changes can only be made after you deploy the change to your My Domain.
| Method | Example | How to Detect Whether This Method Is In Use |
|---|---|---|
| SAML SSO with Salesforce as the Service Provider | Authentication is delegated to a third-party identity provider such as Okta, OneLogin, Azure, or another Salesforce org. | From Setup, in the Quick Find box, enter Single Sign-On, and then select Single Sign-On Settings. Active records exist in the SAML Single Sign-On Settings table. If you’re not sure whether a given SAML Single Sign-On setting or Auth. Provider record is in use, review your login history. |
| Salesforce acts as the service provider for single sign-on (SSO) via an Authentication Provider or OpenID Connect | Authentication is delegated to a third-party identity provider such as Google, Facebook, or a third party that operates over the OpenID Connect protocol. Or authentication is delegated to a custom authentication provider that supports OAuth 2.0. | From Setup, in the Quick Find box, enter Auth. Providers, and then select Auth. Providers. Active Auth. Provider records exist that aren’t Salesforce Managed. As a reminder, Salesforce Managed Auth. Providers aren’t recommended. |
For instructions on how to update your IdP in these cases, see Update Your SAML SSO IdP Configuration After a Login or Site URL Change and Update Your Auth Provider or OpenID Connect IdP Configuration After a Login URL Change.
When Salesforce acts as the identity provider, users can log in to an external service provider or relying party with credentials from your Salesforce org. With these methods, if your My Domain or site login URL changes, share the updated endpoints with the third-party service providers to allow them to authenticate against the new URL. These changes can only be made after you deploy the change to your My Domain.
| Method | Example | How to Detect Whether This Method Is In Use |
|---|---|---|
| Salesforce as a SAML Identity Provider | Your Salesforce org acts as a SAML identity provider. Users log in to external services such as Google Apps with their Salesforce or site credentials. | From Setup, in the Quick Find box, enter Identity Provider, and then select Identity Provider. Enable Identity Provider is selected. To view the history of outbound usage for Salesforce as an identity provider via SAML, use the Identity Provider Event Log. |
| A connected app uses Salesforce as an Identity Provider through OpenID Connect | A custom app is integrated as a connected app with OpenID Connect. Your users can log in to the custom app with their Salesforce or site credentials. | From Setup, in the Quick Find box, enter Apps, and select App Manager. View or edit each app. If Enable OAuth Settings is selected, then third parties can use Salesforce as an identity provider for that app. The Enable OAuth Settings setting only indicates that third parties can use the app. To determine whether the app is in use, note the third-party service represented by the application. Then work with your partners to determine whether they use your Salesforce org as an identity provider or if they reference your My Domain or site login URL for OAuth authentication. |
For instructions on how to update your service provider in these cases, see Update Service Provider Endpoints After a Login or Site URL Change.
Integrated Logins
Before you deploy the change to your My Domain, visit the corresponding login pages and note the available options.
If your users can authenticate with alternate identity providers or a SAML Single Sign-On (SSO) authentication method from your My Domain login page or Experience Cloud site login page, those authentication methods stop working when the page’s URL changes and can be removed from the page. To restore these authentication methods:
- For each authentication method, update the corresponding authentication service.
  - For alternate identity providers, such as Google, Facebook, or a third party that operates over the OpenID Connect protocol, see Update Your Auth Provider or OpenID Connect IdP Configuration After a Login URL Change.
  - For SAML Single Sign-On (SSO) authentication methods, such as Okta, OneLogin, Azure, or another Salesforce org, see Update Your SAML SSO IdP Configuration After a Login or Site URL Change.
- Verify the authentication method on the login page. If necessary, re-add authentication providers to your login page.
  - For your org’s My Domain login page: Add an Authentication Provider to Your Org’s Login Page.
  - For your Experience Cloud site’s login page: Add an Authentication Provider to Your Experience Cloud Site’s Login Page.
Login Page Configuration
We also recommend that you review the Authentication Settings on the My Domain Setup page and your site login page configuration. After you deploy the change, verify that those settings are correct with the new URL. For more information, see Customize Your My Domain Login Page with Your Brand, Brand Your Identity Experience, and Manage Salesforce Sites Login and Registration Settings.
DevOps Center
If you use DevOps Center, update the named credentials used to access the DevOps Center environment for your org. For more information, see Update Named Credentials After a My Domain Change.

