+ Start a Discussion
Markey1Markey1 

Sites Secure URL

Sites Explanation:

We have a sites project which is public. The public access settings allow our end-users to login via a guest license and enter their information (no authentication).

 

Sites URL Setup:

Default URL: http://something.force.com/xyzenrollment

Secure URL: https://something.secure.force.com/xyzenrollment

Custom Web Address: http://enroll.something.com

 

The Issue:

The Site is not secure. All information entered via the Site by our end-users needs to be secure (i.e. currently http, needs to be https).

 

Question:

How do I point the users to the Secure URL vs. the Default URL while still keeping the Custom Web Address masking? I changed the Administration Setup > Security Controls > Session Settings > Require secure connections (HTTPS) to checked, but this does not seem to do the trick.

Best Answer chosen by Admin (Salesforce Developers) 
paul-lmipaul-lmi
SSL is incompatible with CNAMES because an SSL certificate is directly tied to a specific domain name. Until Salesforce supports the ability for you to upload your own certificate for Sites, or to buy one from them, your only option is to redirect to SSL when needed, and stay on HTTP when not. If your requirements are full SSL, all the time, then you will either need to live with the *.secure.force.com domain, or program and host your website off-platform (we're doing this ourselves this year for this and many other reasons).

All Answers

paul-lmipaul-lmi
Sites doesn't support custom domains with SSL. I think there's an idea for this on the IdeaExchange, but basically, what you want isn't yet possible.
Markey1Markey1

Thanks for your reply Paul!

 

Are there any alternative solutions such as redirects, masking, or maybe something outside of SFDC through the registrar directly (i.e. CNAME)? Is the only solution to dump the Custom Web Address and just use the Secure Web Address (and loose our custom domain name)?

 

With all the major companies using SFDC, I can't imagine we are the only ones who want a secure connection with our own custom address.

paul-lmipaul-lmi
SSL is incompatible with CNAMES because an SSL certificate is directly tied to a specific domain name. Until Salesforce supports the ability for you to upload your own certificate for Sites, or to buy one from them, your only option is to redirect to SSL when needed, and stay on HTTP when not. If your requirements are full SSL, all the time, then you will either need to live with the *.secure.force.com domain, or program and host your website off-platform (we're doing this ourselves this year for this and many other reasons).
This was selected as the best answer
Markey1Markey1

Thanks again Paul. Sorry to hear you were forced off platform by lack of SFDC capabilities.

 

Our Sites experience has been riddled with caveats and I will definitely be more cautious with the next Sites project... if there is one (will develop off platform). If SFDC is focussed on being an industry leader long term, they need to realize they now have enterprise organizations who demand more functionality and features than a mom & pop shop.

 

 

paul-lmipaul-lmi
you had basically the same experience we did. things like proper white-label SSL support, proper session handling, authentication without named user licenses, and prohibitively costly high-volume traffic are forcing us to redevelop a very complicated force.com site off-platform (on .NET, hosted by our company) and use Salesforce as a data layer only. even then, i'm sure we're going to hit some limits, like API limits, etc. Sites needs another 2 years or so of active improvements to be ready for the enterprise, and even then, the costs around add-ons (page views past 1Mil per month for example, but also authenticated users) still make it prohibitive for any serious B2C company.
paul-lmipaul-lmi
oh, and the downtime for instance system maintenance doesn't help either, and that's not going away any time soon.
Markey1Markey1

Couldn't agree more. The WYSIWYG interface and shoe-string functionality has a few years to catch up with what I would expect SFDC to deliver. Hopefully others will read this thread and realize some pros/cons when getting involved with Sites. My two cents... don't assume anything and be very careful if you are looking to do anything "outside of the box".

Danny IncompanyDanny Incompany

Hi Paul, I think this isn't ready yet. What you guys think about putting the custom domain in an external hosting service, add the SSL and then create a single page with an iframe that will contain the address of the secure address (i.e mysite.secure.force.com). Any implications on this?

 

We have a customer that has made a huge investment on a development we made and now that we are ready this problema came up, customer needs their https://mydomain.com however seems that this is not possible.

 

Any ideas will be greatly appreciated.