This content describes an older version of this product.

Set Up Legacy Transaction Security

Activate and configure transaction security on your Salesforce org before creating your own custom policies. Only an active user assigned the System Administrator profile can use this feature.

Warning

Legacy Transaction Security is scheduled for retirement in all Salesforce orgs as of Summer ’20. You can no longer create, edit, or enable transaction security policies using the legacy framework, and you receive an error message if you try. For more information, see Legacy Transaction Security Retirement. To create transaction security policies using the new framework, see the Enhanced Transaction Security documentation. To migrate legacy policies to the new framework, see the migration documentation.

Available in: Salesforce Classic and Lightning Experience
Available in: Enterprise, Performance, Unlimited, and Developer Editions

Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.


User Permissions Needed
To create, edit, and manage transaction security policies: Customize Application
To manage transaction security policies: Author Apex

  1. Enable transaction security policies to make them available for use.
    1. From Setup, enter Transaction Security in the Quick Find box, and then select Transaction Security Policies.
    2. Click Enable.
    When you enable Transaction Security, two policies are created: Concurrent User Session Limit and Lead Data Export. As of the Spring ’20 release, Salesforce no longer creates these sample policies in new orgs, as they are part of the legacy transaction security framework, which is being retired. Orgs created before the Spring ’20 release continue to include these sample policies. For more information and examples, see Transaction Security Policies.
  2. Set the Transaction Security preferences for your org.
    1. On the Transaction Security Policies page, click Edit Preferences.
    2. Select When users exceed the maximum number of Salesforce sessions allowed, close the oldest session.

    Login policies affect programmatic access and access from Salesforce Classic and Lightning Experience. When you create a policy that limits the number of concurrent user sessions, all sessions count toward that limit. Regular logins with a username and password, logins by web applications, logins using Authentication Providers, and all other login types are considered.

    The session limit isn’t a problem in Salesforce Classic or Lightning Experience because you’re prompted to select which session or sessions to end. That choice isn’t available from within a program, so the program receives a Transaction Security exception that the session limit has been reached.

    To prevent this problem, select When users exceed the maximum number of Salesforce sessions allowed, close the oldest session. Then when a programmatic request is made that exceeds the number of sessions allowed, older sessions are automatically ended until the session count is below the limit. Here’s how the OAuth flows handle login policies with and without the preference being set.
    Flow Type | Action If Preference Is Selected | Action If Preference Is Not Selected
    OAuth 2.0 web server | Authorization Code and Access Token granted. Older sessions are ended until you’re within policy compliance. | Authorization Code granted, but Access Token not granted. Older sessions are ended until you’re within policy compliance.
    OAuth 2.0 user-agent | Access Token granted. Older sessions are ended until you’re within policy compliance. | Access Token granted. Older sessions are ended until you’re within policy compliance.
    OAuth 2.0 refresh token | Access Token granted. Older sessions are ended until you’re within policy compliance. | TXN_SECURITY_END_SESSION exception
    OAuth 2.0 JWT bearer token | Access Token granted. Older sessions are ended until you’re within policy compliance. | TXN_SECURITY_END_SESSION exception
    OAuth 2.0 SAML bearer assertion | Access granted. Older sessions are ended until you’re within policy compliance. | TXN_SECURITY_END_SESSION exception
    OAuth 2.0 username and password | Access granted. Older sessions are ended until you’re within policy compliance. | Access denied because the session count exceeds the number allowed by the policy
    SAML assertion | Not applicable | Not applicable

    For more information on authentication flows, see Authorize Apps with OAuth in Salesforce Help.
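The per-flow behaviour in the table, and the handling a programmatic client needs for it, as an added example that is not Salesforce's code or part of the original page. It runs offline against a small stand-in for the token endpoint (FakeOrg) that models the two preference settings; the JSON error bodies, the sample session lists, and every class and function name are assumptions made here. The only identifier taken from the page is TXN_SECURITY_END_SESSION.

```python
"""Simulate how a concurrent-session policy treats programmatic OAuth logins
and how a client should handle the refusal.

Added example, not Salesforce code; it runs fully offline. Assumed rather
than taken from the page: the JSON error shape, the constructed sample
responses, the FakeOrg simulator and every helper name. Only the per-flow
behaviour and the name TXN_SECURITY_END_SESSION come from the page's table.
"""
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

# Transport: (url, form params) -> (HTTP status, body). Injected so the
# example never touches the network.
Transport = Callable[[str, Dict[str, str]], Tuple[int, str]]


class SessionLimitReached(Exception):
    """Programmatic login refused by the concurrent-session policy."""


class TokenRequestFailed(Exception):
    """Any other non-success response from the token endpoint."""


@dataclass
class FakeOrg:
    """Stand-in for the token endpoint of an org with a session-limit policy.

    With close_oldest set, older sessions are ended until the count is below
    the limit and the token is granted. Without it, refresh-token, JWT bearer
    and SAML bearer requests get TXN_SECURITY_END_SESSION and a
    username-password request is denied. Bodies are constructed, not captured.
    """
    max_sessions: int
    close_oldest: bool
    sessions: List[str] = field(default_factory=list)  # oldest first
    issued: int = 0

    def token_endpoint(self, url: str, params: Dict[str, str]) -> Tuple[int, str]:
        if url != TOKEN_URL:
            return 404, "not found"
        grant = params.get("grant_type", "")
        if len(self.sessions) >= self.max_sessions:
            if self.close_oldest:
                while len(self.sessions) >= self.max_sessions:
                    self.sessions.pop(0)          # end the oldest session first
            elif grant == "password":
                return 400, json.dumps({"error": "invalid_grant",
                    "error_description": "access denied: session limit exceeded"})
            else:
                return 400, json.dumps({"error": "invalid_grant",
                    "error_description": "TXN_SECURITY_END_SESSION"})
        self.issued += 1
        sid = f"session-{self.issued}"
        self.sessions.append(sid)
        return 200, json.dumps({"access_token": f"tok-{sid}", "token_type": "Bearer"})


class FlakyTransport:
    """Constructed transport: 503 for the first `failures` calls, then a token."""
    def __init__(self, failures: int):
        self.failures, self.calls = failures, 0

    def __call__(self, url: str, params: Dict[str, str]) -> Tuple[int, str]:
        self.calls += 1
        if self.calls <= self.failures:
            return 503, "service unavailable"
        return 200, json.dumps({"access_token": "tok-after-retry"})


def classify_token_response(status: int, body: str) -> str:
    """Return the access token, or raise a typed exception for the caller."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        raise TokenRequestFailed(f"non-JSON response (HTTP {status})")
    if status == 200 and "access_token" in data:
        return data["access_token"]
    desc = str(data.get("error_description", ""))
    if "TXN_SECURITY_END_SESSION" in desc:
        raise SessionLimitReached(desc)
    raise TokenRequestFailed(f"{data.get('error', 'unknown')}: {desc}")


def request_token(transport: Transport, params: Dict[str, str],
                  max_attempts: int = 3) -> str:
    """Call the token endpoint, retrying only transient 5xx responses.

    A session-limit refusal is deterministic, so it is raised at once rather
    than retried: the fix is the org preference or ending sessions, not a
    tighter loop that hammers the login endpoint.
    """
    status, body = 0, ""
    for attempt in range(1, max_attempts + 1):
        status, body = transport(TOKEN_URL, params)
        if not 500 <= status < 600 or attempt == max_attempts:
            return classify_token_response(status, body)
    raise TokenRequestFailed(f"HTTP {status} after {max_attempts} attempts")


def login_outcome(transport: Transport, params: Dict[str, str]) -> str:
    """Map a token request to a short outcome label for logs and checks."""
    try:
        return "token:" + request_token(transport, params)
    except SessionLimitReached:
        return "session-limit"
    except TokenRequestFailed as exc:
        return "failed:" + str(exc)


if __name__ == "__main__":
    jwt = {"grant_type": JWT_BEARER, "assertion": "signed.jwt.placeholder"}
    for pref in (False, True):
        org = FakeOrg(max_sessions=2, close_oldest=pref, sessions=["s-a", "s-b"])
        print(f"close_oldest={pref}: {login_outcome(org.token_endpoint, jwt)} "
              f"sessions={org.sessions}")
```

The point of the split between SessionLimitReached and TokenRequestFailed is operational: an integration user that hits TXN_SECURITY_END_SESSION should alert an administrator (or the job should end one of its own sessions) rather than retry, because every retry is refused identically until the session count drops; only 5xx responses are worth a bounded retry.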