sfdcdev.ax551

Authentication mechanism using HTTPS post

Hi,

I have a basic question around security when it comes to integration using web-links. Take a very typical web-link integration example wherein a Visualforce page in SFDC has a link/button that has a URL to another internal/external application. When the user clicks on the link/button, the Visualforce page will make an HTTPS POST to the other application, passing certain hidden parameters like username, email, sessionid, orgid, etc. The other application will use this information to authenticate the user in their system and respond with the appropriate page.

Since this was not very secure, an added functionality that we used here in order to make it more robust and secure is a web service call back to SFDC. For e.g. the other application, upon receiving the HTTPS request from SFDC, will make a web service call to SFDC (custom Apex web service) and pass the same values that were sent over by SFDC to the other app. The SFDC web service will then authenticate the request based on username, email address and orgid and then return true or false.

The question is: how secure is this kind of "authentication" mechanism? This is not a true SSO, but appears to be like one. How can we make this kind of authentication more robust without having to enable SAML or SSO? What are the best practices for an integration using HTTPS POST?

Thanks

Ambili
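As an added example (not code from the thread), here is what the callback web service described above could look like in Apex. It assumes the external application authenticates its SOAP callback with the sessionid it received in the HTTPS POST, so that `UserInfo` reflects the owner of that session; the class and method names are hypothetical. Checking the posted values against the session's user, rather than only against a User record, is what ties the claimed identity to a live login: a matching User row alone proves only that such a user exists.

```apex
// Added example: custom Apex web service for the callback step.
// Assumes the caller authenticated the SOAP request with the session ID
// that was included in the HTTPS POST. Names are hypothetical.
global class WebLinkVerifier {

    // Returns true only when the posted username/email/orgid match both
    // this org and the user who owns the session making this callback.
    webService static Boolean verify(String username, String email, String orgId) {
        if (String.isBlank(username) || String.isBlank(email) || String.isBlank(orgId)) {
            return false;
        }

        // Org check: compare the 15-character prefix so that 15- and
        // 18-character org IDs are treated as the same value.
        String sessionOrg = UserInfo.getOrganizationId();
        if (!sessionOrg.left(15).equalsIgnoreCase(orgId.left(15))) {
            return false;
        }

        // Bind the claimed identity to the session used for this call.
        // Username and email are not secrets, so on their own they do not
        // prove who is on the other end of the POST.
        if (!UserInfo.getUserName().equalsIgnoreCase(username)) {
            return false;
        }
        if (!UserInfo.getUserEmail().equalsIgnoreCase(email)) {
            return false;
        }

        // Finally confirm the session's user is still active in this org.
        List<User> rows = [SELECT Id FROM User
                           WHERE Id = :UserInfo.getUserId() AND IsActive = true
                           LIMIT 1];
        return !rows.isEmpty();
    }
}
```

If the callback is made with integration credentials instead of the posted session ID, `UserInfo` describes the integration user and this check no longer proves anything about the person who clicked the link.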

robertfly

Hi Ambili,

Does this link help?

http://wiki.developerforce.com/index.php/Secure_Coding_Single_Sign_On

-Robert