Newer Version Available
SecuritySettings
In the package manifest, all organization settings metadata types are accessed using the Settings name. See Settings for more details.
File Suffix and Directory Location
SecuritySettings values are stored in a single file named Security.settings in the settings directory. The .settings files are different from other named components because there’s only one settings file for each settings component.
Version
Security settings are available in API version 27.0 and later. API versions 26 and earlier are no longer available.
Fields
| Field Name | Field Type | Description |
|---|---|---|
| canUsersGrantLoginAccess | boolean | If true, users can grant login access to Support. If false, only an admin can grant login access. |
| enableAdminLoginAsAnyUser | boolean | If true, the Administrators Can Log in as Any User field is enabled. The default isn’t enabled (false). |
| enableAuditFieldsInactiveOwner | boolean | If true, this setting enables audit fields and updating the owner for records that are owned by inactive users. The default value is false. This field is available in API version 47.0 and later. |
| enableAuraSecureEvalPref | boolean | If true, this setting prevents the creation of function expressions in dynamically created Aura components. The default is false. This field is available in API version 47.0 and later. |
| enableRequireHttpsConnection | boolean | Deprecated in API version 47.0 and later. |
| isTLSv12Required | boolean | Indicates whether connections to or from your Salesforce org must use TLS 1.2 or higher (true) or not (false). This field has a default value of false. Removed in API version 51.0 and later. |
| isTLSv12RequiredCommunities | boolean | Indicates whether connections with your Salesforce sites and portals or Experience Cloud sites must use TLS 1.2 or higher (true) or not (false). This field has a default value of false. Removed in API version 51.0 and later. |
| networkAccess | NetworkAccess | The trusted IP address ranges from which users can always log in without requiring computer activation. |
| passwordPolicies | PasswordPolicies | The requirements for passwords and logins, and assistance with retrieving forgotten passwords. |
| sessionSettings | SessionSettings | The settings for session expiration and security. |
| singleSignOnSettings | SingleSignOnSettings | The settings for single sign-on (SSO). |
NetworkAccess
Represents your org’s trusted IP address ranges for network access.
| Field | Field Type | Description |
|---|---|---|
| ipRanges | IpRange[] | The trusted IP address ranges from which users can always log in without requiring computer activation. |
IpRange
Defines a range of trusted IP addresses for network access.
PasswordPolicies
Represents your org’s password and login policies, which show up under .
SessionSettings
Represents your org’s session expiration and security settings.
SingleSignOnSettings
Represents your org’s single sign-on (SSO) settings. These settings are available API version 47.0 and later.
| Field Name | Field Type | Description |
|---|---|---|
| enableCaseInsensitiveFederationID | boolean | If you enable Make Federation ID case-insensitive (true), the Federation ID field on a user object isn’t case-sensitive. If disabled (false), the Federation ID field remains case-sensitive. The default is false. |
| enableForceDelegatedCallout | boolean | If you enable Force Delegated Authentication Callout (true), a callout to the SSO endpoint occurs regardless of login restriction failures. If disabled (false), the default, and if a user’s first login attempt fails due to login restrictions within the Salesforce org, a call isn’t made to the SSO endpoint. |
| enableMultipleSamlConfigs | boolean | If true (default), you can configure multiple SAML providers. After enabling the setting, it can’t be disabled. |
| enableSamlJitProvisn’tioning | boolean | If you enable User Provisioning Enabled (true), you can provision users through a SAML assertion (called just-in-time provisioning). Requires EnableSamlLogin to be true and enableMultipleSamlConfigs to be false. The default is enabled (false). |
| enableSamlLogin | boolean | If you enable SAML Enabled (true), users can SSO into Salesforce from providers via SAML. The default isn’t enabled (false). |
| isLoginWithSalesforceCredentialsDisabled | boolean | If Disable login with Salesforce credentials is true, users are redirected to third-party identity providers for authentication. The default is enabled (false). |
Declarative Metadata Sample Definition
The following is a sample security.settings metadata file.
1<?xml version="1.0" encoding="UTF-8"?>
2<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
3 <enableAdminLoginAsAnyUser xsi:nil="true"/>
4 <enableAuraSecureEvalPref xsi:nil="true"/>
5 <enableAuditFieldsInactiveOwner xsi:nil="true"/>
6 <enableSetRequiredHttpsConnection xsi:nil="true"/>
7 <networkAccess/>
8 <passwordPolicies>
9 <complexity>NoRestriction</complexity>
10 <expiration>Never</expiration>
11 <historyRestriction>0</historyRestriction>
12 <lockoutInterval>FifteenMinutes</lockoutInterval>
13 <maxLoginAttempts>TenAttempts</maxLoginAttempts>
14 <minimumPasswordLength>5</minimumPasswordLength>
15 <minimumPasswordLifetime>false</minimumPasswordLifetime>
16 <obscureSecretAnswer>false</obscureSecretAnswer>
17 <questionRestriction>DoesNotContainPassword</questionRestriction>
18 </passwordPolicies>
19 <sessionSettings>
20 <allowUserAuthenticationByCertificate>false</allowUserAuthenticationByCertificate>
21 <disableTimeoutWarning>false</disableTimeoutWarning>
22 <enableCSPOnEmail>true</enableCSPOnEmail>
23 <enableCSRFOnGet>true</enableCSRFOnGet>
24 <enableCSRFOnPost>true</enableCSRFOnPost>
25 <enableCacheAndAutocomplete>true</enableCacheAndAutocomplete>
26 <enableClickjackNonsetupSFDC>true</enableClickjackNonsetupSFDC>
27 <enableClickjackNonsetupUser>false</enableClickjackNonsetupUser>
28 <enableClickjackNonsetupUserHeaderless>false</enableClickjackNonsetupUserHeaderless>
29 <enableClickjackSetup>true</enableClickjackSetup>
30 <enableContentSniffingProtection>true</enableContentSniffingProtection>
31 <enableLightningLogin>true</enableLightningLogin>
32 <enableLightningLoginOnlyWithUserPerm>false</enableLightningLoginOnlyWithUserPerm>
33 <useLocalStorageForLogoutUrl>false</useLocalStorageForLogoutUrl>
34 <enablePostForSessions>false</enablePostForSessions>
35 <enableSMSIdentity>true</enableSMSIdentity>
36 <enableU2F>false</enableU2F>
37 <enableUpgradeInsecureRequests>true</enableUpgradeInsecureRequests>
38 <enableXssProtection>true</enableXssProtection>
39 <enforceIpRangesEveryRequest>false</enforceIpRangesEveryRequest>
40 <forceLogoutOnSessionTimeout>true</forceLogoutOnSessionTimeout>
41 <forceRelogin>true</forceRelogin>
42 <hasRetainedLoginHints>false</hasRetainedLoginHints>
43 <hasUserSwitching>true</hasUserSwitching>
44 <hstsOnForcecomSites>false</hstsOnForcecomSites>
45 <identityConfirmationOnEmailChange>true</identityConfirmationOnEmailChange>
46 <identityConfirmationOnTwoFactorRegistrationEnabled>true</identityConfirmationOnTwoFactorRegistrationEnabled>
47 <lockSessionsToDomain>true</lockSessionsToDomain>
48 <lockSessionsToIp>false</lockSessionsToIp>
49 <lockerServiceCSP>true</lockerServiceCSP>
50 <redirectionWarning>true</redirectionWarning>
51 <referrerPolicy>true</referrerPolicy>
52 <requireHttpOnly>false</requireHttpOnly>
53 <requireHttps>false</requireHttps>
54 <sessionTimeout>TwoHours</sessionTimeout>
55 </sessionSettings>
56 <singleSignOnSettings>
57
58 <enableCaseInsensitiveFederationID>false</enableCaseInsensitiveFederationID>
59 <enableForceDelegatedCallout>false</enableForceDelegatedCallout>
60 <enableMultipleSamlConfigs>true</enableMultipleSamlConfigs>
61 <enableSamlJitProvisioning>false</enableSamlJitProvisioning>
62 <enableSamlLogin>false</enableSamlLogin>
63 <isLoginWithSalesforceCredentialsDisabled>true</isLoginWithSalesforceCredentialsDisabled>
64
65 </singleSignOnSettings>
66</SecuritySettings>The following is an example package.xml manifest that references the previous definition.
1?xml version="1.0" encoding="UTF-8"?>
2<Package xmlns="http://soap.sforce.com/2006/04/metadata">
3 <types>
4 <members>Security</members>
5 <name>Settings</name>
6 </types>
7 <version>47.0</version>
8</Package>Wildcard Support in the Manifest File
The wildcard character * (asterisk) in the package.xml manifest file doesn’t apply to metadata types for feature settings. The wildcard applies only when retrieving all settings, not for an individual setting. For details, see Settings. For information about using the manifest file, see Deploying and Retrieving Metadata with the Zip File.