Valitse organisaatio
Prepare for Global Login Changes — Salesforce Express Connect (SEC) Users and IP Allowlists Blocking Access to Hyperforce
Julkaisupäivä: Apr 21, 2026
Kuvaus
Salesforce plans to migrate global login endpoints from Salesforce-managed first-party (1P) datacenters to Hyperforce. This migration affects customers who use Salesforce Express Connect (SEC) and IP Allowlists Blocking Access to Hyperforce.
- Impacted: First-Party customers who have Salesforce Express Connect (SEC), as well as customers whose network has a firewall policy, IP route, or IP Allowlist that restricts access to Hyperforce public internet ranges.
- Not impacted: Customers already on Hyperforce, customers who use domain allowlists, or customers who do not restrict access to the Internet.
The test.salesforce.com (TSC) endpoints begin migrating in April 2026.
These global login endpoints begin migrating in July 2026:
- login.salesforce.com (LSC)
- login.database.com
- webto.salesforce.com
To proactively identify customers who might experience an outage during the LSC migration to Hyperforce, the rollout will be a staggered process. Salesforce will perform several short-duration rollouts, followed by rollbacks, to track any possible issues. We will repeat this process until no new critical login-related issues are found, at which point we will permanently keep the login service running exclusively on Hyperforce.
Updated Rollout Plan for TSC (Sandboxes):
| TSC Date | Apr 20 | Apr 27 | May 11 | May 18 | May 25 | May 28 | June 4 |
| Duration | 15 mins | 30 mins | 1 hour | 2 hours | 4 hours | 8 hours | Permanent |
| Local time | |||||||
| APAC (Tokyo) | 12:00 PM | 1:00 PM | 2:00 PM | 3:00 PM | 11:00 AM | 10:00 AM | |
| Africa (Johannesburg) | 9:00 AM | 10:00 AM | 11:00 AM | 12:00 PM | 8:00 AM | 7:00 AM | |
| Europe (Paris) | 9:00 AM | 10:00 AM | 11:00 AM | 12:00 PM | 8:00 AM | 7:00 AM | |
| South America (Buenos Aires) | 9:00 AM | 10:00 AM | 11:00 AM | 12:00 PM | 8:00 AM | 7:00 AM | |
| North America (San Francisco) | 9:00 AM | 10:00 AM | 11:00 AM | 12:00 PM | 8:00 AM | 7:00 AM | |
Updated Rollout Plan for LSC (Production):
| LSC Date | Jul 20 | Jul 27 | Aug 3 | Aug 10 | Aug 17 | Aug 20 | Aug 27 |
| Duration | 15 mins | 30 mins | 1 hour | 2 hours | 4 hours | 8 hours | Permanent |
| Local time | |||||||
| APAC (Tokyo) | 12:00 PM | 1:00 PM | 2:00 PM | 3:00 PM | 11:00 AM | 10:00 AM | |
| Africa (Johannesburg) | 9:00 AM | 10:00 AM | 11:00 AM | 12:00 PM | 8:00 AM | 7:00 AM | |
| Europe (Paris) | 9:00 AM | 10:00 AM | 11:00 AM | 12:00 PM | 8:00 AM | 7:00 AM | |
| South America (Buenos Aires) | 9:00 AM | 10:00 AM | 11:00 AM | 12:00 PM | 8:00 AM | 7:00 AM | |
| North America (San Francisco) | 9:00 AM | 10:00 AM | 11:00 AM | 12:00 PM | 8:00 AM | 7:00 AM | |
Note:
All times and durations are targets. Migration can take up to 5 minutes for execution and up to 5 minutes for cascading DNS TTL expiration.
This article describes proactive measures you can take to maintain uninterrupted access through the transition. After login traffic moves from Salesforce first-party infrastructure to Hyperforce, requests routed exclusively via SEC to these endpoints will not reach Hyperforce, causing associated functions to fail unless you take preemptive actions. This issue affects all login services that are moving to Hyperforce, starting with LSC and TSC.
As an SEC customer, you can determine if global login endpoints are in use by reviewing the Login URL field in your Salesforce org's Login History. As shown in the example, the login.salesforce.com URL indicates global login. After the endpoints move to Hyperforce, they may no longer work for you. In contrast, a My Domain URL, *.my.salesforce.com, connects directly to your instance in first-party infrastructure and isn’t affected by the LSC/TSC Hyperforce migration.
Note:
This document is for informational purposes only, and is not part of any legal or otherwise binding agreement. The policies and practices described in this document are subject to change at Salesforce's sole discretion. All dates are subject to change.
Ratkaisu
First, ask your Salesforce Express Connect service provider whether they can resolve the global login changes to maintain uninterrupted connectivity, such as switching to AWS Direct Connect. If they can’t, to maintain uninterrupted connectivity, you must implement at least one of these three mitigation options by end of June 2026. If you don’t implement one of these options, you will lose access to the global endpoints, and login and authentication services using the global URLs will fail.
If you have already implemented any of these solutions, you don’t need to take any further action.
Option 1 (recommended): Upgrade to Hyperforce and Implement AWS DX
Hyperforce is Salesforce’s premiere infrastructure, delivering outstanding security, reliability, and availability to customers’ orgs.
Upgrading to Hyperforce and implementing AWS DX is a long-term solution for direct connectivity to Salesforce. Contact your account team to request a Hyperforce upgrade at any time.
Learn more about Hyperforce in these resources.
- Introducing Hyperforce - General Information and FAQ
- How to Prepare for an Org Migration
- Retain Uninterrupted Access to Salesforce Services on Hyperforce
Option 2: Transition to My Domain and Discontinue Use of TSC and LSC
To avoid impact on login services and continue using SEC, you can transition all use of login.salesforce.com and test.salesforce.com to your org’s My Domain URL. My Domain is available for all Salesforce orgs. To find the URL, from Setup, in the Quick Find box, enter My Domain, and then select My Domain Settings.
Note: If you are using internal or external applications to integrate with Salesforce that have hard-coded login.salesforce.com URLs, update these apps to use My Domain.
To identify where MyDomain is not yet in use, follow these steps:
- Check their login history to download a list of recent login data. Help article.
- Filter for records where the Login URL is login.salesforce.com.
- Work with the relevant application or service team to switch to their MyDomain. For SOAP/API applications, this article explains how to do it.
My Domain provides a number of benefits for customers. It offers improved performance and security while remaining compatible with a wide range of login functions.
Key Benefits
- Improved Performance: Direct My Domain connections avoid extra routing, which improves login performance.
- Enhanced Security: My Domain allows for the application of mTLS authentication and other connection features for stronger security.
Compatible Login and SSO Functions
Most login and SSO functions are compatible with My Domain. We recommend that customers verify if they are using any of the following with login.salesforce.com (LSC) or test.salesforce.com (TSC) and switch to My Domain where possible.
- Username and password logins
- SAML SSO with Salesforce as the Service Provider
- OAuth Endpoints
- OpenID Connect (OIDC) Token Subject in Identity URLs
- JSON Web Token (JWT) Key Retrieval from the JWKS /id/keys endpoint
- SOAP API Login
- Deprecated Legacy Portal Customer Logins, such as this
- Web-To-Case, Web-To-Lead, and Integrated Form Handlers for Web-To hostname
While My Domain offers many benefits, you might encounter some of the challenges listed above when you transition to it. We recommend that you start your analysis and migration work as soon as you can. If you find any blockers, implement AWS DX to unblock access.
Option 3: Add AWS Direct Connect (DX) Alongside SEC Before Login Traffic Transition
AWS Direct Connect (DX) is the direct connectivity solution for Hyperforce. To maintain direct access to Salesforce and related services, add AWS Direct Connect to your network before the login traffic transition begins.
We recommend this option if you require direct connectivity. This approach retains existing functionality and avoids the need for application-level changes. Adding AWS DX now prepares your org for an eventual upgrade to Hyperforce.
Benefits
- Works for all global endpoints migrating to Hyperforce, not just login.
- Prevents disruptions from future org migrations to Hyperforce.
- Proven to work for other SEC customers using both SEC and AWS DX.
Reference
- AWS Documentation: How to Access Salesforce Hyperforce Securely and Reliably with AWS Direct Connect
- Knowledge Article: Set Up AWS Direct Connect (DX) for Hyperforce
Functionality Related to Global Login Endpoint Access
As we migrate global login endpoints, it's important to be aware of the functionalities that require access, so that you can review their behavior and test your solution. If you don’t take any action, these functions could fail.
- Global Auth Providers: Global authentication providers for services such as Google, Facebook, and Microsoft use a global callback URL that requires
login.salesforce.com(LSC) ortest.salesforce.com(TSC). As an alternative, you can Define an Authentication Provider and switch to a My Domain URL for SSO requests. - Login Hints: This feature requires global access to LSC/TSC to function. However, it’s not a login blocker and can be disabled if necessary.
- Custom Apps: Custom apps that use
login.salesforce.com(LSC) ortest.salesforce.com(TSC) for login and OAuth integrations will likely be affected. This includes integrations such as Canvas, Mobile, MailApp, Package Install, and Lightning and Image servlets. - Undetected Clients: You might not be able to identify every client using the global endpoints. Prioritizing the adoption of AWS Direct Connect will help prevent unexpected connectivity issues.
- Application Updates: To make sure your integrations keep working and to retain existing functionality, you may need to update or reconfigure applications installed in your Salesforce organization(s) to use My Domain URLs instead of
login.salesforce.comortest.salesforce.com.
Knowledge-artikkelin numero
005167236
Ratkaisiko tämä artikkeli ongelmasi?
Anna palautetta, jotta voimme kehittyä!
