Salesforce Spring '26 Release Updates: What You Must Address Before Go-Live | Vantage Point

Written by David Cockrum | Feb 23, 2026 1:00:02 PM

Key Takeaways (TL;DR)

  • What is it? Salesforce Spring '26 includes critical enforced changes to legacy hostnames, SSO device activation, and Visualforce XSS protection that require immediate action
  • Key Deadline: Production rollouts occur January 16 - February 21, 2026—sandbox testing should already be underway
  • Critical Updates: Legacy hostname redirections end permanently, SAML SSO requires device activation (February 9, 2026), and Visualforce XSS escaping is enforced
  • Compliance Impact: Organizations in regulated industries (financial services, healthcare, insurance) face audit trail disruption if SSO/hostname changes break integrations
  • Timeline: Test in sandbox immediately; remediate before your production instance upgrades
  • Bottom Line: Proactive preparation prevents user lockouts, broken integrations, and compliance issues during go-live

Introduction

The Salesforce Spring '26 release is rolling out now, and while it brings exciting features like enhanced Agentforce capabilities and LWC improvements, it also includes several enforced changes that could break your org if you're not prepared.

For Salesforce administrators and technical teams at regulated organizations—whether in financial services, healthcare, insurance, or other compliance-driven industries—these enforced updates demand immediate attention. Unlike optional features you can evaluate at your leisure, enforced changes will affect your org whether you're ready or not.

This comprehensive guide covers the three most critical release updates you must address before go-live, along with practical steps to test and remediate any issues. We'll focus specifically on what matters for organizations in regulated industries where system availability and audit compliance aren't just nice-to-haves—they're requirements.

Understanding the Spring '26 Release Timeline

Before diving into the specifics, let's understand when these changes will affect your org:

| Milestone | Date | What Happens |
|---|---|---|
| Sandbox Preview | January 9, 2026 | Test enforced changes in sandbox |
| Production Weekend 1 | January 16-17, 2026 | First production orgs upgraded |
| Production Weekend 2 | February 14-15, 2026 | Second wave of production orgs |
| Production Weekend 3 | February 21-22, 2026 | Final production orgs upgraded |
| SAML SSO Enforcement | February 9, 2026 | Device activation required for SAML |

Pro Tip: Check your org's exact upgrade date at Trust Status by searching for your instance name.

Critical Update #1: Legacy Hostname Redirections End Permanently

What's Changing

Salesforce introduced Enhanced Domains back in Spring '23, automatically redirecting legacy (non-enhanced) hostnames to new formats. In Spring '26, these redirections stop permanently.

This means any legacy URLs still in use will simply fail—no redirect, no grace period, just broken links and errors.

Legacy vs. Enhanced Hostname Examples

| Component | Legacy Format | Enhanced Format |
|---|---|---|
| Login URL | login.salesforce.com | MyDomainName.my.salesforce.com |
| Visualforce | MyDomainName--c.visualforce.com | MyDomainName--c.vf.force.com |
| Experience Cloud | MyDomainName.force.com | MyDomainName.my.site.com |
| Content Files | c.cs123.content.force.com | MyDomainName--c.file.force.com |

Where Legacy URLs Hide in Regulated Organizations

For financial services, healthcare, and other regulated industries, legacy URLs often lurk in:

  • Integration middleware (MuleSoft, Dell Boomi, custom APIs)
  • Single Sign-On configurations in your identity provider (Okta, Azure AD, Ping Identity)
  • Email templates with hardcoded links
  • Client portal bookmarks and documentation
  • Compliance documentation and audit records
  • Marketing automation platforms (Pardot, HubSpot, Marketo)
  • Document generation templates (contracts, statements, disclosures)
  • Custom Apex code with hardcoded URLs
  • Visualforce pages referencing static resources
  • Connected apps and OAuth callback URLs

How to Find and Fix Legacy URLs

Step 1: Run the My Domain Redirection Report

Navigate to Setup → My Domain → Deployment Guidelines → "See how your hostname changes affect your org" to generate a comprehensive report of affected components.

Step 2: Search Your Codebase

Use VS Code or your preferred IDE to search across your entire codebase for these legacy patterns:

  • *.visualforce.com
  • *.force.com (not including *.my.site.com or *.lightning.force.com)
  • c.cs*.content.force.com
  • login.salesforce.com (should be your My Domain instead)

Step 3: Update External Systems

Work with your integration team to update API endpoints, OAuth callback URLs, and SAML assertion consumer service URLs in your identity provider.

Step 4: Communicate Changes

Notify users to update bookmarks and communicate new URLs through your change management process—critical for organizations with compliance documentation requirements.
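
The Step 2 search can be scripted. This Python scanner is an added example, not Salesforce or Vantage Point code: it classifies each hostname it finds against the four legacy patterns and skips the enhanced formats from the table above (*.vf.force.com, *.file.force.com) along with *.lightning.force.com. The file suffix list and the sample lines are constructed assumptions.

```python
import re
from pathlib import Path

HOSTNAME = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# Enhanced-domain suffixes that also end in force.com and must not be flagged.
ENHANCED_FORCE = (".lightning.force.com", ".vf.force.com", ".file.force.com")
LEGACY_CONTENT = re.compile(r"c\.cs[^.]*\.content\.force\.com")


def classify(host):
    """Return the Step 2 pattern a hostname matches, or None if it is not legacy."""
    h = host.lower()
    if h == "login.salesforce.com":
        return "login.salesforce.com"
    if h.endswith(".visualforce.com"):
        return "*.visualforce.com"
    if LEGACY_CONTENT.fullmatch(h):
        return "c.cs*.content.force.com"
    if h.endswith(".force.com") and not h.endswith(ENHANCED_FORCE):
        return "*.force.com"
    return None


def scan_text(text):
    """Yield (line_number, hostname, pattern) for each legacy hostname in text."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in HOSTNAME.finditer(line):
            pattern = classify(match.group())
            if pattern:
                yield lineno, match.group(), pattern


def scan_tree(root, suffixes=(".cls", ".page", ".component", ".xml", ".js", ".html")):
    """Scan source files under root; the suffix list is an assumed default."""
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            text = path.read_text(encoding="utf-8", errors="replace")
            for lineno, host, pattern in scan_text(text):
                yield str(path), lineno, host, pattern


# Constructed sample lines (the "acme" org name is hypothetical).
SAMPLE = """\
String base = 'https://acme--c.visualforce.com/apex/Invoice';
String done = 'https://acme--c.vf.force.com/apex/Invoice';
callback: https://login.salesforce.com/services/oauth2/callback
portal = "https://acme.force.com/clients"
site = "https://acme.my.site.com/clients"
file = "https://c.cs123.content.force.com/servlet/x"
"""
```

Run `scan_tree(".")` from the root of a retrieved metadata project and review each hit; exported email templates and middleware configuration can be scanned the same way by extending the suffix list.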

Critical Update #2: Device Activation Required for SSO Logins

What's Changing

Starting in early 2026, Salesforce enforces Device Activation for Single Sign-On logins that don't meet specific security criteria. The rollout schedule:

  • January 26, 2026: OpenID Connect (OIDC) identity providers
  • February 9, 2026: SAML identity providers

When enforced, users logging in via SSO from unrecognized devices will receive a device activation prompt—even if they've authenticated through your corporate identity provider.

Why This Matters for Regulated Industries

For organizations bound by SEC, FINRA, HIPAA, or other regulatory frameworks:

  1. User Experience Disruption: Field representatives, advisors, or healthcare providers may face unexpected prompts when accessing Salesforce from new devices
  2. Help Desk Volume: Expect increased support tickets during initial rollout
  3. Audit Trail Considerations: Device activation events appear in login history, which may affect compliance reporting
  4. Remote Work Complications: Users on personal devices or traveling may face additional friction

How to Avoid Device Activation Prompts

Users will NOT receive device activation prompts if any of these conditions are met:

Option 1: Configure Your IdP to Assert Secure Authentication

Your identity provider must send an Authentication Method Reference (AMR) or AuthnContext that Salesforce recognizes as secure:

For OIDC:

AMR values: face, fpt, hwk, iris, mfa, retina, sc, pop, swk

For SAML:

AuthnContext: MobileTwoFactorContract, PublicKey, PGP, 
              Smartcard, TimeSyncToken, PKI, Mfa, Fido, multipleauthn
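
To confirm what your IdP actually asserts, inspect a token or assertion captured from a sandbox login. The following Python check is an added example, not Salesforce code: it reads the amr claim from an OIDC ID token and the AuthnContextClassRef from a SAML assertion and compares them with the lists above. Matching the SAML value by its final URI segment, case-insensitively, is an assumption, and the sample token and assertion are constructed.

```python
import base64
import json
import re
import xml.etree.ElementTree as ET

# Values copied from the lists above; SAML names are lower-cased for matching.
SECURE_AMR = {"face", "fpt", "hwk", "iris", "mfa", "retina", "sc", "pop", "swk"}
SECURE_CONTEXT = {"mobiletwofactorcontract", "publickey", "pgp", "smartcard",
                  "timesynctoken", "pki", "mfa", "fido", "multipleauthn"}
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def oidc_secure_amr(id_token):
    """Return listed amr values from an ID token (diagnostic: no signature check)."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    amr = claims.get("amr", [])
    if isinstance(amr, str):  # tolerate an IdP that sends a bare string
        amr = [amr]
    return sorted(SECURE_AMR.intersection(amr))


def saml_secure_contexts(saml_xml):
    """Return AuthnContextClassRef values whose last segment is on the SAML list."""
    hits = []
    for ref in ET.fromstring(saml_xml).iterfind(".//saml:AuthnContextClassRef", SAML_NS):
        value = (ref.text or "").strip()
        if re.split(r"[:/]", value)[-1].lower() in SECURE_CONTEXT:
            hits.append(value)
    return hits


def _segment(obj):
    """Encode a dict as one unpadded base64url JWT segment (sample data only)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed samples: an unsigned token and a minimal assertion, not real captures.
SAMPLE_ID_TOKEN = ".".join([_segment({"alg": "RS256"}),
                            _segment({"sub": "user1", "amr": ["pwd", "mfa"]}), "sig"])
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "<saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>"
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    "</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>"
    "</saml:Assertion>")
```

An empty result, as the password-only sample assertion produces, means the IdP is not asserting any of the listed methods for that login.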

Option 2: Use Narrow Trusted IP Ranges

Configure org-level and profile-level login IP ranges that cover your corporate network and VPN. The combined IPv4 ranges must stay within 2^24 (16,777,216) addresses in total.
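
A quick way to check a planned set of ranges against that ceiling, as an added Python example rather than Salesforce tooling. It assumes overlapping ranges count once and that exactly 2^24 addresses is still within the limit; the sample ranges are constructed.

```python
import ipaddress

LIMIT = 2 ** 24  # 16,777,216 addresses, the ceiling stated above


def distinct_addresses(ranges):
    """Count distinct IPv4 addresses across inclusive (start, end) ranges."""
    spans = []
    for start, end in ranges:
        lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        if lo > hi:
            raise ValueError(f"start after end: {start}-{end}")
        spans.append((lo, hi))
    total, covered_to = 0, -1  # covered_to: highest address already counted
    for lo, hi in sorted(spans):
        lo = max(lo, covered_to + 1)  # skip the part overlapping earlier ranges
        if lo <= hi:
            total += hi - lo + 1
            covered_to = hi
    return total


def within_limit(ranges):
    """True when the combined ranges stay within the 2^24 ceiling (assumed <=)."""
    return distinct_addresses(ranges) <= LIMIT


# Constructed sample: one org-level range plus two profile-level ranges,
# the second of which overlaps the org-level range.
SAMPLE_RANGES = [
    ("10.0.0.0", "10.0.255.255"),
    ("10.0.128.0", "10.1.255.255"),
    ("192.168.1.0", "192.168.1.255"),
]
```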

Option 3: Previously Activated Devices

Devices with the sfdc_lv2_platform cookie (valid for one year) skip activation. Users who have previously activated will continue accessing without prompts until their cookie expires.

Configuration Steps for Common Identity Providers

Okta Configuration:

  1. Navigate to Applications → Your Salesforce App → Sign On
  2. Under SAML settings, add the MFA claim or configure authentication policy to send AMR
  3. Ensure your authentication policy requires MFA
  4. Test with a user in your sandbox

Azure AD (Entra ID) Configuration:

  1. Go to Enterprise Applications → Salesforce → Single Sign-On
  2. Edit the SAML configuration
  3. Add a claim for AuthenticationMethodsReferences mapping to the appropriate value
  4. Apply Conditional Access policies requiring MFA

Ping Identity Configuration:

  1. Access your Salesforce connection settings
  2. Configure the AuthnContext or AMR attribute mapping
  3. Ensure your authentication flow enforces MFA before asserting to Salesforce

Critical Update #3: Visualforce XSS Escaping Enforced

What's Changing

Starting in Spring '26, Salesforce automatically escapes the label attribute of <apex:inputField> elements to prevent cross-site scripting (XSS) attacks. This security enhancement, first introduced in Spring '23, is now enforced.

Why This Matters

If your Visualforce pages rely on custom labels containing HTML markup or special characters, those characters will now be escaped and display literally rather than rendering as HTML.

Remediation Steps

  1. Review Pages in Sandbox: The update is already active in sandboxes—test your Visualforce pages now
  2. Update Label Formatting: Move HTML formatting to CSS classes instead of inline HTML in labels
  3. Test User Experience: Verify that forms display correctly and validation messages appear as expected
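
To build the list of pages for step 1, the following Python audit (an added example, not Salesforce tooling) finds <apex:inputField> tags whose label attribute contains HTML markup, which will now display literally, or a merge expression whose resolved text has to be checked by hand. The sample page and its field and label names are constructed.

```python
import html
import re

# One <apex:inputField ...> tag; quoted values may contain '>' (e.g. in formulas).
TAG = re.compile(r"""<apex:inputField\b(?:[^>"']|"[^"]*"|'[^']*')*>""", re.I)
ATTR = re.compile(r"""([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")
MARKUP = re.compile(r"<\s*/?\s*[A-Za-z]")


def audit_page(source):
    """Return (line, label, reason) for inputField labels that need review."""
    findings = []
    for tag in TAG.finditer(source):
        line = source.count("\n", 0, tag.start()) + 1  # line where the tag opens
        for name, dq, sq in ATTR.findall(tag.group()):
            if name.lower() != "label":
                continue
            label = dq or sq
            if MARKUP.search(html.unescape(label)):
                # Entity-encoded tags in the label are shown as text once escaped.
                findings.append((line, label, "html-markup"))
            elif "{!" in label:
                # Value is resolved at run time; inspect the referenced label.
                findings.append((line, label, "merge-expression"))
    return findings


# Constructed sample page; apex:inputText is included to show it is ignored.
SAMPLE_PAGE = """\
<apex:page standardController="Account">
  <apex:form>
    <apex:inputField value="{!Account.Name}" label="Account name"/>
    <apex:inputField value="{!Account.Phone}"
                     label="&lt;b&gt;Phone&lt;/b&gt; (required)"/>
    <apex:inputField value="{!Account.Site}" label="{!$Label.Site_Label}"/>
    <apex:inputText value="{!Account.Fax}" label="&lt;i&gt;Fax&lt;/i&gt;"/>
  </apex:form>
</apex:page>
"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_PAGE):
        print(finding)
```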

Additional Spring '26 Updates for Regulated Organizations

Connected App Creation Disabled by Default

What Changed: The ability to create new connected apps is now disabled by default in all Salesforce orgs.

Impact: Developers and integration teams must have explicit admin approval to create connected apps, or use the newer External Client Apps feature instead.

For Compliance Teams: This actually improves security posture by preventing unauthorized OAuth integrations. Document this change in your security policies.

Session ID in Outbound Messages Removed

What Changed: As of February 16, 2026, you can no longer send session IDs in outbound messages.

Impact: Any workflow rules or processes that send session IDs to external systems will need to migrate to OAuth-based authentication.

Pre-Go-Live Checklist for Regulated Organizations

Use this checklist to ensure your organization is ready for Spring '26:

Legacy Hostname Remediation

  • ☐ Run My Domain hostname impact report
  • ☐ Search codebase for legacy URL patterns
  • ☐ Update SSO configuration URLs in your IdP
  • ☐ Update integration endpoint URLs in middleware
  • ☐ Update OAuth callback URLs in connected apps
  • ☐ Communicate URL changes to users
  • ☐ Update compliance documentation

SSO Device Activation Preparation

  • ☐ Verify IdP sends MFA/secure authentication assertion
  • ☐ Test SSO login flow in sandbox
  • ☐ Configure Trusted IP Ranges (if applicable)
  • ☐ Prepare help desk for device activation inquiries
  • ☐ Update user training materials
  • ☐ Communicate changes to field staff

Visualforce Security Updates

  • ☐ Audit Visualforce pages with <apex:inputField> elements
  • ☐ Test page rendering in sandbox
  • ☐ Update label formatting as needed
  • ☐ Verify form validation still works

Best Practices for Regulated Industries

Financial Services Organizations

  1. Coordinate with Compliance: Ensure your compliance team is aware of audit trail changes related to device activation
  2. Test Client Portals: Verify all client-facing Experience Cloud sites work with enhanced domains
  3. Update Advisor Tools: Field-deployed applications and mobile tools may need URL updates
  4. Document Everything: Maintain change records for regulatory examinations

Healthcare Organizations

  1. HIPAA Considerations: Device activation adds a security layer—document this enhancement in your security assessment
  2. Test Patient Portals: Health Cloud patient portals must work with enhanced domains
  3. Coordinate with IT Security: Ensure your IdP configuration meets the new SSO requirements
  4. Provider Access: Test clinician access workflows from various devices and locations

Insurance Organizations

  1. Agent Portal Testing: Verify independent agent portals function correctly
  2. Claims Integration: Test claims processing integrations with enhanced domain URLs
  3. Policy Administration: Ensure policy admin systems integrate properly
  4. Compliance Documentation: Update information security policies

Frequently Asked Questions

What happens if I don't update legacy URLs before Spring '26?

Any legacy URLs still in use will fail without redirection. Users clicking old bookmarks will see errors, integrations will break, and SSO flows using legacy URLs will fail. There's no grace period after enforcement—the redirections simply stop.

Will all my users have to activate their devices again?

Not necessarily. Users who previously activated their devices (within the past year) and whose identity provider sends the appropriate MFA assertion will continue accessing Salesforce without additional prompts. Only users on truly unrecognized devices without IdP MFA assertion will see activation requests.

How do I know if my identity provider is configured correctly?

Test in your sandbox environment. Attempt an SSO login from a private/incognito browser window (which won't have the device cookie). If you're not prompted for device activation, your IdP is correctly asserting secure authentication.

Does device activation affect API integrations?

No, device activation applies only to interactive user logins. API integrations using OAuth or session tokens are not affected by this change.

What if we use multiple identity providers?

Each identity provider must be configured to send the appropriate security assertion. Test SSO flows from each IdP in your sandbox before production rollout.

Are sandbox environments affected by the same timeline?

Sandbox environments received these updates in January 2026 for preview. Use your sandbox to test all enforced changes before your production instance upgrades.

How do I find my production instance's upgrade date?

Visit status.salesforce.com, search for your instance name (found in Setup → Company Information), and check the maintenance calendar for your Spring '26 upgrade date.

Conclusion

The Salesforce Spring '26 release brings significant enforced changes that require proactive preparation, especially for organizations in regulated industries. The end of legacy hostname redirections, new SSO device activation requirements, and Visualforce security enhancements will affect your org—the only question is whether you're ready.

Your action plan:

  1. Test immediately in your sandbox environment
  2. Remediate legacy URLs and SSO configurations
  3. Communicate changes to users and stakeholders
  4. Document updates for compliance requirements

Don't wait until production rollout to discover issues. The time to prepare is now.

Need Help Preparing for Spring '26?

Vantage Point specializes in helping regulated organizations manage Salesforce releases with confidence. Our team has deep expertise in financial services, healthcare, and insurance compliance requirements.

Whether you need help auditing your legacy URLs, configuring your identity provider for the new SSO requirements, or ensuring your integrations are ready for Spring '26, we're here to help.

Contact us today to schedule a Spring '26 readiness assessment: vantagepoint.io

About Vantage Point

Vantage Point is a boutique Salesforce consultancy specializing in regulated industries including financial services, healthcare, and insurance. We combine deep platform expertise with industry-specific compliance knowledge to deliver solutions that meet both business and regulatory requirements. Our services include Salesforce implementation, Health Cloud and Financial Services Cloud optimization, MuleSoft integration, and Data Cloud activation.

Visit us at vantagepoint.io