CaseCloud Help

[1380] Update Focus Matters Secured Login External Client App for Salesforce Security Compliance (MM)

Article #000001380

Summary

Salesforce has issued mandatory security requirements for all Connected Apps and External Client Apps (ECAs), effective May 11, 2026. The required controls include PKCE, Refresh Token Rotation, Idle Refresh Token TTL, and Refresh Token IP Allowlist.

Organizations that have previously set up a Secured Login session for Focus Matters must update their External Client App to enable these security controls. Organizations still using a Connected App for Focus Matters should migrate to an External Client App, as new Connected Apps can no longer be created as of the Salesforce Spring '26 release.

For more details, refer to the following Salesforce resources:

Question

Why should I update my Focus Matters Secured Login configuration, and what changes are needed?

Resolution

There are two paths depending on your current configuration:

  • If you already have an External Client App for Focus Matters Secured Logins, follow Path A below to update the security settings.
  • If you are still using a Connected App (or do not have Secured Logins configured), follow Path B below to set up a new External Client App.

Path A: Update an Existing External Client App

If your organization previously completed the Set Up Secured Login Sessions for Focus Matters (using External Client Apps) guide, follow these steps to update your existing configuration.

After completing all steps below, each user who accesses Focus Matters will need to re-authorize their session once. This is expected behavior.

Step 1: Update Security Settings on the External Client App
  1. Go to Setup.
  2. In Quick Find, enter External Client Apps, and then select External Client App Manager.
  3. Locate your existing External Client App (e.g., CaseCloud Focus Matters Secured Logins) in the list.
  4. Select the External Client App Name to open the detail view.
  5. Select the Settings tab, and then select Edit.
  6. Expand the OAuth Settings section.
  7. Scroll down to the Security section and enable the following checkboxes:
    • Require Proof Key for Code Exchange (PKCE) extension for Supported Authorization Flows: Select this checkbox.
    • Enable Refresh Token Rotation: Select this checkbox.
    • Limit Idle Refresh Token Time-to-Live (TTL) to 30 Days: Select this checkbox.
  8. Leave all other settings in the Security section unchanged.
  9. Select Save.

Step 2: Enable PKCE on the Auth. Provider
  1. Go to Setup.
  2. In Quick Find, enter Identity, and then select Identity > Auth. Providers.
  3. Locate your existing Auth. Provider (e.g., CaseCloud Secured Login Provider) and select Edit.
  4. Select the Use Proof Key for Code Exchange (PKCE) Extension checkbox.
  5. Leave all other fields unchanged.
  6. Select Save.

Step 3: Re-Authenticate the Named Credential
  1. Go to Setup.
  2. In Quick Find, enter Security, and then select Security > Named Credentials.
  3. Locate your Named Credential (e.g., CaseCloud Secured Login Named Credential) and select Edit.
  4. Verify the following settings are still correct:
    • Identity Type: Named Principal
    • Authentication Protocol: OAuth 2.0
    • Authentication Provider: Your Auth. Provider from Step 2
    • Scope: refresh_token full
    • Generate Authorization Header: Selected
    • Allow Merge Fields in HTTP Header: Selected
  5. Select the Start Authentication Flow on Save checkbox.
  6. Select Save.

Salesforce will redirect you to the login page. Log in with your credentials to complete the re-authorization.

  7. After logging in, verify the Named Credential shows Authentication Status as Authenticated.

If authentication fails: Wait 10 minutes and try again. Salesforce may need time to propagate the updated security settings from the External Client App to the OAuth flow.

Step 4: Verify the Configuration
  1. Navigate to a Lightning page that contains the Focus Matters component.
  2. Confirm that Focus Matters loads successfully and displays matter records with list view filtering.
  3. If you see an authorization prompt, complete it once - this is the expected one-time re-authorization after the security update.
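
What the three controls enabled in Step 1 enforce when a token is requested, shown as an added Python model; it is not Salesforce or CaseCloud code. The class and method names are hypothetical, and rejecting a reused refresh token outright is a modelling assumption.

```python
import base64, hashlib, secrets
IDLE_TTL = 30 * 24 * 3600  # 30-day idle refresh-token TTL from Step 1, in seconds

def s256_challenge(verifier: str) -> str:
    """PKCE S256 (RFC 7636): BASE64URL(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class ModelTokenEndpoint:
    """Hypothetical stand-in for an authorization server (assumption)."""
    def __init__(self):
        # authorization code -> code_challenge; refresh token -> last-used time
        self.codes, self.refresh = {}, {}

    def authorize(self, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self.codes[code] = code_challenge
        return code

    def redeem_code(self, code: str, code_verifier: str, now: float) -> str:
        challenge = self.codes.pop(code, None)  # codes are single use
        if challenge is None or not secrets.compare_digest(
                challenge, s256_challenge(code_verifier)):
            raise PermissionError("PKCE check failed")
        return self._issue(now)

    def rotate(self, token: str, now: float) -> str:
        last_used = self.refresh.pop(token, None)  # old token dies on use
        if last_used is None:
            raise PermissionError("unknown or already rotated refresh token")
        if now - last_used > IDLE_TTL:
            raise PermissionError("refresh token idle for more than 30 days")
        return self._issue(now)

    def _issue(self, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.refresh[token] = now
        return token

def demo():
    """Constructed flow: issue, rotate after a day, then replay the old token."""
    srv = ModelTokenEndpoint()
    verifier = secrets.token_urlsafe(48)  # 64 chars, within RFC 7636's 43-128
    rt1 = srv.redeem_code(srv.authorize(s256_challenge(verifier)), verifier, 0)
    rt2 = srv.rotate(rt1, 86400)
    try:
        srv.rotate(rt1, 86401)
    except PermissionError as err:
        return rt1 != rt2, str(err)
```
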

Path B: Migrate from Connected App to External Client App

If your organization is still using a Connected App for Focus Matters Secured Logins, or if you have not yet configured Secured Logins, you should set up a new External Client App. As of the Salesforce Spring '26 release, new Connected Apps can no longer be created.

Follow the steps in the Set Up Secured Login Sessions for Focus Matters (using External Client Apps) guide. This guide has been updated to include the latest security settings (PKCE, Refresh Token Rotation, Idle Refresh Token TTL) enabled by default during the initial setup.

After completing the setup guide, you may deactivate or remove the old Connected App from your organization if it is no longer needed.

AdvoLogix® is a registered trademark of AdvoLogix.com LLC a Texas Limited Liability Company. All references to other trademarks belonging to third parties that appear on this website, documentation, or other materials shall be understood to refer to those registered trademarks owned by others, and not to any trademark belonging to AdvoLogix. Otherwise, all material herein is the copyright of AdvoLogix.com LLC. All Rights Reserved.