Preserve Login Access During a My Domain Login URL Change
When your My Domain or site login URL changes, two multi-factor authentication (MFA) verification methods stop working: built-in authenticators and security keys. Without those methods, single sign-on (SSO) can also stop working. To preserve admin access to Salesforce and prevent end-user frustration, verify your backup authentication methods. In preparation for your My Domain change, determine the post-deployment steps to reestablish authentication for your org, including resetting the affected verification methods for your users.
Required Editions
| Available in: both Salesforce Classic and Lightning Experience |
| Available in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions |
If you make one of these changes, your My Domain login URL changes and authentication methods can fail.
- Renaming your My Domain.
- Changing your My Domain suffix.
- Sandboxes only: deploying enhanced domains.
- Deploying a change that enables or disables partitioned domains in a Developer Edition org, scratch org, patch org, demo org, free org, or Trailhead Playground.
If you make one of these changes, your Experience Cloud site or Salesforce Site URL changes and authentication methods for your site can fail.
- Deploying enhanced domains.
- Renaming your My Domain in an org with enhanced domains.
- Deploying a change that enables or disables partitioned domains in a Developer Edition org, scratch org, patch org, demo org, free org, or Trailhead Playground.
Authentication against your site login URL is affected only if you use the system-managed site URL to authenticate. System-managed site URLs end in *.my.site.com for Experience Cloud sites and *.my.salesforce-sites.com for Salesforce Sites. If you authenticate via a custom domain, such as https://www.example.com, that serves your Experience Cloud site or Salesforce Site, then the corresponding SSO configuration and MFA verification methods are unaffected.
Note Your Configured Authentication Methods and Review Post-Deployment Steps
You can configure your My Domain or site login page to allow users to authenticate through third parties, such as Google. Before you deploy the change to your My Domain, visit the corresponding login pages and note the available options.
We also recommend that you review the Authentication Settings on the My Domain Setup page. Note the selected settings and plan to update the corresponding authentication methods after you deploy your new My Domain. After you deploy the change, verify that the login page settings are correct with the new URL.
For more information on updating authentication after a My Domain change that affects your login URLs, see Update Authentication After a My Domain Change. When you review this section before you deploy a My Domain change, you can gather the list of updates to make before users and third parties access your updated org.
Instruct Admins to Verify Their Backup Authentication Method
Before you deploy one of these changes that affects your My Domain login URL, make sure that your admins can log in without authentication features such as SSO or security keys. For example, they can authenticate via a username and password, with a second factor of Salesforce Authenticator.
If your admins previously registered Salesforce Authenticator or a third-party authenticator app as a backup method, instruct them to verify that authentication method before you deploy the change.
Help Users Restore Built-In Authenticator and Security Key Verification Methods
When your My Domain login URL or site URL changes, two multi-factor authentication (MFA) verification methods stop working: built-in authenticators and security keys. If any of your users only use these methods to authenticate when they log in to Salesforce, they can’t log in after the login URL changes.
Make it easy for these users to restore their authentication methods after the My Domain change.
- Before the scheduled deployment of your My Domain change, instruct affected users to register Salesforce Authenticator or a third-party authenticator app as a backup verification method. These types of verification methods aren't affected by My Domain changes.
This approach allows your users to restore their original verification methods at their convenience. It can reduce support tickets related to logging in to Salesforce after the My Domain change. Also, if a user loses a device or security key, a backup verification method can preserve their access.
For more information, see Connect Your Salesforce Account to Salesforce Authenticator or Verify Your Identity with a TOTP Authenticator App.
- As part of your communication for the My Domain change, let users know that they can re-register their built-in authenticator or security key when they log in after the change.
- When you make updates to your org after you deploy the My Domain change, disconnect the built-in authenticator and security key verification methods for all users in Setup.
After you disconnect the methods, users can reconfigure the verification methods. If one of the affected users didn’t register a backup method before the change, this step is required the first time that they log in to Salesforce with the new login URL.
For more information on that process, see Disconnect a User’s Verification Method. You can also disconnect security keys for all users through the UserManagement.deregisterVerificationMethod() Apex method.
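One way to script the bulk security key disconnect described above, as an added example that is not Salesforce's own code: a Batch Apex class that calls the method for each user with a registered security key and records failures instead of aborting. It assumes the TwoFactorMethodsInfo object with its HasU2F field and the Auth.VerificationMethod.U2F enum value; the class name is hypothetical.

```apex
// Added example, not Salesforce-published code.
// Assumptions: TwoFactorMethodsInfo.HasU2F marks users with a registered
// security key, and Auth.VerificationMethod.U2F is the security key method.
public class DeregisterSecurityKeysBatch
        implements Database.Batchable<SObject>, Database.Stateful {

    // Database.Stateful keeps these counters across execute() chunks.
    private Integer succeeded = 0;
    private List<String> failures = new List<String>();

    public Database.QueryLocator start(Database.BatchableContext ctx) {
        // Only touch users who actually have a security key registered.
        return Database.getQueryLocator(
            'SELECT UserId FROM TwoFactorMethodsInfo WHERE HasU2F = true'
        );
    }

    public void execute(Database.BatchableContext ctx, List<SObject> scope) {
        for (SObject row : scope) {
            Id userId = (Id) row.get('UserId');
            try {
                System.UserManagement.deregisterVerificationMethod(
                    userId, Auth.VerificationMethod.U2F);
                succeeded++;
            } catch (Exception e) {
                // Keep going; one failing user must not block the rest.
                failures.add(userId + ': ' + e.getMessage());
            }
        }
    }

    public void finish(Database.BatchableContext ctx) {
        System.debug(LoggingLevel.INFO,
            'Security keys deregistered: ' + succeeded);
        for (String f : failures) {
            System.debug(LoggingLevel.WARN, 'Not deregistered: ' + f);
        }
    }
}

// Run from Execute Anonymous after the My Domain change is deployed:
// Database.executeBatch(new DeregisterSecurityKeysBatch(), 50);
```

Review the debug log for the "Not deregistered" entries and disconnect those users' security keys in Setup.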

