Review Connected Apps
Learn about connected apps.
- Manage Connect Apps: Allow Creation of Connected Apps - Off Control
  This security setting globally disables the organizational capability to define, register, or deploy new OAuth-enabled Connected Apps across all interfaces.
- API (Enable OAuth Settings): Enable OAuth Settings Control
  Enabling OAuth settings in a Salesforce Connected App allows the application to use secure, token-based authorization protocols and granular scopes.
- API (Enable OAuth Settings): Enable for Device Flow - Deselected Control
  This security setting manages the availability of the device authorization flow, which allows users to authorize a connected application on a resource-constrained device.
- API (Enable OAuth Settings): Use Digital Signatures - Selected Control
  This security setting mandates the use of asymmetric cryptography by requiring the connected application to sign authentication requests with a validated private key.
- API (Enable OAuth Settings): Select the OAuth Scopes to Apply to the Connected App Control
  OAuth scopes are the "permissions of the token" that define exactly what data and actions a connected app can perform on behalf of a user.
- API (Enable OAuth Settings): Require Proof Key for Code Exchange (PKCE) Control
  An OAuth 2.0 security extension that uses a dynamically created cryptographic "code verifier" to make sure that the application exchanging an authorization code for an access token is the same one that originally requested the code.
- API (Enable OAuth Settings): Require Secret for Web Server Flow Control
  This control mandates that the client application provides its cryptographically strong Client Secret during the exchange of an authorization code for an access token to verify the client's identity.
- API (Enable OAuth Settings): Require Secret for Refresh Token Flow Control
  This control mandates that a confidential client application must provide its Client Secret when exchanging a refresh token for a new access token to verify the client's identity.
- API (Enable OAuth Settings): Disable Client Credentials Flow Control
  This control disables the insecure "Client Credentials" flow in favor of high-assurance, certificate-based authentication methods such as the JWT Bearer Flow or External Client Apps (ECA).
- API (Enable OAuth Settings): Authorization Code and Credentials Flow Settings Control
  This control configures the specific security requirements for the "Authorization Code and Credentials Flow".
- API (Enable OAuth Settings): Secure Token Exchange Flow Control
  This control determines whether a client application must provide a secret when exchanging a third-party token for a Salesforce access token.
- API (Enable OAuth Settings): Enable Refresh Token Rotation Control
  This control invalidates and replaces each refresh token with a new one every time it is used to obtain a new access token.
- API (Enable OAuth Settings): Issue JSON Web Token (JWT)-based Access Tokens for Named Users Control
  This security setting transitions the Salesforce authorization server from issuing opaque, reference-based access tokens to issuing self-contained, cryptographically signed JSON Web Tokens.
- API (Enable OAuth Settings): Configure ID Token Control
  This security setting defines the cryptographic lifespan and data structure of the OpenID Connect ID token.
- API (Enable OAuth Settings): Enable Asset Tokens Control
  Asset Tokens are a specialized JWT-based authentication method that links a Salesforce session directly to a specific physical device or "asset".
- Web App Settings: After Enabling SAML, Configure the Required Policies Control
  This security setting defines the required cryptographic signing algorithms, assertion validation rules, and service provider endpoints to secure the Security Assertion Markup Language exchange between the identity provider and the web application.
- Web App Settings: Verify Request Signatures - Select Control
  This security setting mandates that the platform validates the digital signature of every incoming SAML or OAuth request against a trusted public certificate to ensure that the sender is authentic.
- Web App Settings: Encrypt SAML Response - Select Control
  This security setting encrypts the entire SAML assertion containing user identity and authorization attributes with a public key provided by the service provider before transmission.
- Web App Settings: Signing Algorithm for SAML Messages - Select SHA256 Control
  This security setting specifies the use of the Secure Hash Algorithm 256-bit variant to generate digital signatures for SAML assertions.
- Mobile App Settings: Mobile PIN Requirement Control
  This security setting mandates a secondary layer of local authentication by requiring users to enter a numerical personal identification number or biometric equivalent before accessing the mobile application interface.
- Canvas App Settings: Canvas Signed Request Security Control
  This security setting determines the authorization protocol for Canvas integrations.
- Canvas App Settings: Canvas SAML Initiation Control
  This security setting determines how the authentication handshake is triggered.
- Configure Trusted IP Ranges for a Connected App: Trusted IP Ranges for a Connected App Control
  This control restricts access to a Connected App so that it only accepts authentication requests originating from a specific list of verified, "allow-listed" IP addresses.
- Manage OAuth Access Policies for a Connected App: Admin-Approved Users Are Pre-Authorized Control
  This setting changes the app's access policy from "All users may self-authorize" to a restricted model where only users with a specific Profile or Permission Set assigned to the app can log in.
- Manage OAuth Access Policies for a Connected App: IP Relaxation Control
  This control determines whether OAuth access tokens issued to a Connected App are restricted to trusted IP ranges.
- OAuth Access Policies for a Connected App: Enable Single and SAML Logout Control
  Single Logout is a mechanism that ensures that when a user logs out of either Salesforce or an external Identity Provider (IdP), the session is simultaneously terminated across all connected applications in the trust circle.
- Manage OAuth Access Policies for a Connected App: Refresh Token Expiration Policy Control
  This policy makes sure that a refresh token is strictly "one-time use," meaning it is instantly invalidated the moment it is used to request a new access token.
- Manage Session Policies for a Connected App: Session Timeout Control
  This control defines the maximum duration that an application session can remain idle before the access token expires and the user or system is required to re-authenticate or use a refresh token.
- Manage Session Policies for a Connected App: Connected App High Assurance Required Control
  This security setting mandates that users accessing a specific connected application must possess a session security level categorized as high assurance.
- Manage Mobile Policies for a Connected App: Mobile PIN Timeout Control
  This security setting defines the maximum duration of inactivity permitted before the mobile application locks the interface and requires the user to re-authenticate.
- Manage Mobile Policies for a Connected App: Mobile PIN Complexity Control
  This security setting enforces a minimum PIN strength for local application access by requiring a numerical sequence of at least eight digits to unlock the mobile interface.
- Manage Other Access Settings for a Connected App: Manage Profiles Control
  This security setting defines the specific user cohorts authorized to access an application by mapping defined administrative profiles to the connected app metadata.
- Manage Other Access Settings for a Connected App: Manage Permission Sets Control
  This security setting enables Salesforce admins to restrict application access to specific users by mapping targeted permission sets to the connected app.
- User Provisioning for Connected Apps: Enable User Provisioning Control
  This security setting automates the exchange of user identity information between Salesforce and external applications.

