
Salesforce Spring ’26: a practical guide for CIOs and CISOs


Written by Dustin Rediess

The Salesforce Spring ’26 release delivers meaningful architectural and security updates that directly impact enterprise IT and security teams. These changes shape identity strategy, certificate lifecycle management, monitoring practices, and integration governance. For CIOs, CISOs, and enterprise architects, this Salesforce release is an inflection point that reinforces a platform model where security architecture, identity controls, and operational rigor require continuous oversight. Organizations that respond with structured governance will strengthen resilience, compliance posture, and integration stability.

Below is a strategic analysis of the most relevant Spring ’26 updates and how IT and security leaders should respond.

Connected Apps migration to External Client Apps: identity architecture modernization

Salesforce has disabled the creation of new Connected Apps and is moving organizations toward External Client Apps, a modernized OAuth and integration framework.

This shift affects SSO configurations, middleware integrations, mobile applications, API access, and identity provider connections across the enterprise.

Implications for IT and security

External Client Apps introduce stronger security controls, modern OAuth flows, and improved packaging support. This represents a structural update to identity and integration architecture.

For many enterprises, legacy Connected Apps serve as critical authentication bridges. Without proactive migration planning, enforcement deadlines can disrupt authentication flows and downstream integrations.

This update requires:

  • A full inventory of all Connected Apps, including managed package dependencies
  • Documentation of OAuth, JWT, and SAML authentication patterns
  • Review of secret storage and token refresh models
  • A phased migration plan aligned to enterprise release cycles

Identity governance teams should treat this as a formal modernization initiative rather than a routine configuration update.

Retirement of Triple DES in SAML configurations: encryption standards enforcement

Salesforce is enforcing the retirement of Triple DES in SAML identity flows, with firm deadlines.

Implications for IT and security

Legacy encryption algorithms within SAML IdP or SP configurations will cause authentication failures once enforcement is active. This affects employee SSO, partner access, and Experience Cloud portals.

For regulated industries, this update also intersects with compliance frameworks requiring modern cryptographic standards.

IT and security leaders should:

  • Audit all SAML metadata and identity provider configurations
  • Validate that encryption and signature algorithms meet current standards such as SHA-256 and AES
  • Coordinate with enterprise identity teams using Okta, Azure AD, Ping, or ADFS
  • Incorporate encryption validation into quarterly access control reviews
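As an added example (not from the article or from Salesforce), a small Python audit that reads SAML metadata and flags every algorithm URI that is Triple DES or SHA-1 based, whichever element carries it; the sample metadata, its entityID and the acceptable-algorithm list are constructed assumptions, not a real tenant's configuration.

```python
import xml.etree.ElementTree as ET

# XML Encryption / XML Signature URIs: Triple DES is being retired, SHA-1 misses the SHA-256 bar.
WEAK_ALGORITHMS = {
    "http://www.w3.org/2001/04/xmlenc#tripledes-cbc": "Triple DES encryption",
    "http://www.w3.org/2000/09/xmldsig#sha1": "SHA-1 digest",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "RSA with SHA-1 signature",
}
ACCEPTABLE_ALGORITHMS = {
    "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
}

# Constructed sample IdP metadata (not a real tenant): the metadata signature uses
# RSA-SHA256 but a SHA-1 digest, and 3DES is still advertised next to AES-256.
SAMPLE_METADATA = """<md:EntityDescriptor entityID="https://idp.example.invalid/saml"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI=""><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def audit_metadata(xml_text):
    """Classify every Algorithm attribute, whichever element carries it (EncryptionMethod, SignatureMethod, DigestMethod, algsupport extensions)."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        alg = elem.get("Algorithm")
        if alg is None:  # most metadata elements carry no algorithm
            continue
        local_name = elem.tag.rsplit("}", 1)[-1]  # drop the namespace part of the tag
        if alg in WEAK_ALGORITHMS:
            verdict = "FAIL: " + WEAK_ALGORITHMS[alg]
        else:
            verdict = "OK" if alg in ACCEPTABLE_ALGORITHMS else "REVIEW: not in the known-good list"
        findings.append((local_name, alg, verdict))
    return findings

def weak_algorithms(xml_text):
    """Failing entries in document order; an empty list means the metadata passes the audit."""
    return [f for f in audit_metadata(xml_text) if f[2].startswith("FAIL")]
```

Calling `audit_metadata(SAMPLE_METADATA)` returns four findings, two of them failures (the SHA-1 digest and the 3DES encryption method); anything outside both lists is reported for manual review rather than silently accepted.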

This change reinforces the importance of centralized identity governance across SaaS platforms.

Organizations should verify specific enforcement timelines in their environments and through Salesforce support channels.

My Trust Center (beta): real-time org security visibility

Spring ’26 introduces My Trust Center in beta, offering personalized org-level monitoring and system health visibility.

Implications for IT and security

My Trust Center provides enhanced awareness of:

  • Instance performance degradation and scheduled maintenance windows
  • MFA status, SAML configuration, and session management security alerts
  • Real-Time Trust notifications
  • Certificate expiration warnings and renewal requirements

For enterprises operating under SOX, ISO 27001, SOC 2, or FedRAMP controls, this capability strengthens oversight and audit defensibility.

Security teams should:

  • Define operational procedures for reviewing and responding to Trust alerts
  • Align Trust Center monitoring with internal incident response processes
  • Plan integration with SIEM tools when APIs or connectors become available
  • Assign ownership within governance or GRC teams

This feature supports a more mature security operations posture within Salesforce environments.

Accelerated certificate expiration cycles: operational discipline required

Salesforce is shortening certificate lifetimes in Spring ’26, so certificates expire and must be renewed more frequently.

Implications for IT and security

Shorter certificate lifecycles affect:

  • SAML certificates
  • API integration certificates
  • Mutual TLS configurations
  • Tokens associated with External Client Apps

Frequent expiration increases the need for automated tracking and rotation governance. Enterprises with manual certificate management processes face a higher risk of service disruption.

IT teams should:

  • Update internal certificate rotation policies
  • Align certificate reviews with release management cycles
  • Implement automated alerting for certificates approaching expiration
  • Include certificate validation in change management and integration testing

Certificate lifecycle management should be integrated into platform operations rather than treated as an isolated security task.

File virus and malware scanning in Experience Cloud: portal risk reduction

Salesforce now performs virus and malware scanning on file uploads and downloads within Experience Cloud.

Implications for IT and security

For organizations leveraging document-intensive portals, this capability complements existing security frameworks. Implementations that handle sensitive documents (such as mortgage applications, insurance claims, or financial disclosures) can now benefit from platform-native malware detection alongside application-layer controls, creating defense-in-depth for document workflows. Organizations deploying portal accelerators, like those available from Sikich, should assess how platform-native scanning can reduce custom security development while maintaining existing governance controls.

Security teams should evaluate:

  • Compatibility with file-heavy use cases
  • API-based upload behavior and potential processing delays
  • Updated file size limits up to 10 GB
  • Documentation requirements for compliance audits

This capability strengthens platform-native defense, though governance teams must validate operational impact in high-volume environments.

Domain and URL security enhancements: integration stability and control

Spring ’26 introduces refinements to domain and URL management, including reinforcing My Domain as a stable target for custom domains.

Implications for IT and security

URL stability affects:

  • SSO redirect URIs
  • OAuth callback URLs
  • Hardcoded API endpoints
  • Identity provider configurations

Organizations with hardcoded instance URLs across integrations may encounter fragility as domain strategies evolve.

IT leaders should:

  • Audit integrations for hardcoded instance URLs
  • Standardize on My Domain URLs across environments
  • Validate redirect URIs in identity providers
  • Incorporate domain validation into integration governance

This change supports a more resilient and consistent integration architecture.

Priority matrix for IT and security leaders

Immediate, high-priority reviews

  1. Connected Apps migration to External Client Apps
  2. Triple DES retirement in SAML configurations
  3. Certificate rotation policy updates

Governance and operational enhancements

  • Operationalization of My Trust Center
  • Validation of Experience Cloud file scanning impacts
  • Domain and URL configuration audits

IT and security checklist for Salesforce Spring ’26

CIOs and CISOs should consider the following structured approach:

  • Conduct a Spring ’26 impact assessment workshop across identity, integration, and security teams
  • Assign executive ownership for External Client App migration
  • Formalize certificate lifecycle automation if not already implemented
  • Update security documentation and compliance artifacts
  • Incorporate new monitoring controls into quarterly governance reviews
  • Align release management teams with security architecture oversight

This release reinforces a broader shift toward continuous platform governance. Structured oversight creates long-term operational stability.

Spring ’26 reinforces platform accountability

Salesforce Spring ’26 reinforces a clear expectation that enterprise platforms require disciplined governance, modern identity architecture, and operational rigor. Sikich works alongside IT and security leaders to assess release impacts, modernize authentication frameworks, automate certificate lifecycle management, and strengthen monitoring controls.

Contact Sikich for help in translating these changes into a structured action plan that protects continuity and strengthens long-term platform resilience.

FAQ: Salesforce Spring ’26 for IT and security leaders

What is the most critical security change in Salesforce Spring ’26?

The migration from Connected Apps to External Client Apps represents the most foundational architectural change. It directly impacts identity, API access, and integration security.

How does the retirement of Triple DES affect enterprise SSO?

Organizations using legacy encryption algorithms in SAML configurations must update to modern standards such as SHA-256 and AES to maintain authentication continuity.

Why are certificate expiration changes significant?

Accelerated certificate lifecycles increase operational risk if rotation processes remain manual. Automation and monitoring are essential.

How should enterprises use My Trust Center?

My Trust Center can enhance governance visibility and support compliance controls. Organizations should define ownership and monitoring workflows.

Does file malware scanning impact Experience Cloud integrations?

File scanning improves security posture. IT teams should test API-based file uploads and large file workflows to confirm operational performance.

Salesforce Spring ’26: The enterprise governance series

Salesforce Spring ’26 signals a deeper shift in how enterprise platforms must be governed, architected, and operated. In this series, we examine the release through three distinct lenses: platform operating model, security and identity leadership, and enterprise architecture.


Author

Dustin Rediess is a Salesforce professional with six certifications and over a decade of experience spanning multiple industries, clouds, and product specializations. He is dedicated to driving business transformation by crafting innovative solutions that empower clients to achieve their goals and advance their organizations.