Vidya Bhandary

No login via web

Hi,

I have created a set of community users and I have them log in only via the app I have created.

They should not be able to access the Salesforce web link and log in with their credentials.

How can this be done? Any ideas?


ShashForce
Hi Vijay,

Please see if this helps: https://developer.salesforce.com/page/Using_OAuth_to_Authorize_External_Applications

Thanks,
Shashank
Prasannta (Salesforce Developers)
Hi,

Please refer to the links below on not allowing Salesforce community users to log in via credentials:

https://appirio.com/category/tech-blog/2013/11/salesforce-communities-theres-no-place-like-homehomeor-is-there/

http://salesforce.stackexchange.com/questions/19145/how-to-roll-your-own-authentication-for-an-external-salesforce-app

Hope this helps.
Vidya Bhandary
Thank you for your responses but I don't think they answer my question.
I have already created an app that uses OAuth and it works fine.

I want the users to be able to log on ONLY using my app. Currently, with a valid user ID and password, browser login to Salesforce is possible. I want to stop that.
ShashForce
Hi Vidya,

You can try if one of these approaches works for you:

1.) IP login restrictions: You can block users' IP addresses from logging into the org, by not whitelisting the IPs in your org's IP login list. Then, you can whitelist these IPs under the connected app you must have created in your org for your OAuth integration, so that these logins will be possible only through the Connected App. Help on how to do this: https://help.salesforce.com/apex/HTViewHelpDoc?id=connected_app_manage_edit.htm&language=en_US

2.) API-only user: There is a permission named "API Only" which can be assigned to a user through a profile or permission set. You can probably create a permission set with this permission enabled and assign it to your users, so that they can log in only through the API. I have not personally tried it though.

If this answers your question, please mark this as the Best Answer for this post, so that others can benefit from this post.

Thanks,
Shashank
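Whichever restriction is applied, the org's login history shows whether it holds. The following audit is an added example, not part of the original thread: it reads a login history export and flags successful logins that did not come through the connected app. The column names follow the LoginHistory object's fields; the allowed login type, the connected app name and the sample rows are assumptions to replace with what your org records for a known-good app login.

```python
import csv
import io
from collections import defaultdict

# Assumption: OAuth logins through the connected app are recorded with this
# LoginType and with the connected app's name in Application. Confirm both
# against a known-good app login in your own org before relying on them.
ALLOWED_LOGIN_TYPES = {"Remote Access 2.0"}
CONNECTED_APP_NAME = "My Community App"  # hypothetical connected app name

# Constructed sample export (not real data).
SAMPLE_CSV = """UserId,LoginTime,LoginType,Application,Status
005000000000001,2014-06-02T08:15:00Z,Remote Access 2.0,My Community App,Success
005000000000002,2014-06-02T09:01:00Z,Chatter Communities External User,Browser,Success
005000000000001,2014-06-02T09:30:00Z,Application,Browser,Invalid Password
005000000000003,2014-06-02T10:12:00Z,Remote Access 2.0,Other App,Success
005000000000002,2014-06-02T11:45:00Z,Application,Browser,Success
"""


def find_non_app_logins(csv_text, restricted_user_ids=None):
    """Return {UserId: [rows]} for successful logins that bypassed the app.

    restricted_user_ids limits the audit to the users who are supposed to be
    app-only; None audits every row in the export.
    """
    violations = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if restricted_user_ids is not None and row["UserId"] not in restricted_user_ids:
            continue
        if row["Status"].strip().lower() != "success":
            continue  # failed attempts did not produce a session
        via_app = (row["LoginType"].strip() in ALLOWED_LOGIN_TYPES
                   and row["Application"].strip() == CONNECTED_APP_NAME)
        if not via_app:
            violations[row["UserId"]].append(row)
    return dict(violations)


if __name__ == "__main__":
    for user_id, rows in find_non_app_logins(SAMPLE_CSV).items():
        for r in rows:
            print(f"{user_id} {r['LoginTime']} {r['LoginType']} via {r['Application']}")
```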
Vidya Bhandary
Hi Shashank,

Thank you for your reply.

1. I cannot use the IP login restrictions approach for my business scenario.


2. API-only User - I see only API-Enabled in the permission set (no API-only) and I have already enabled this. It does not restrict the user from trying the direct Salesforce link.

Thanks
Vidya
ShashForce
The exact name of the permission is "Api Only User". Also, please check if you have a permission set by the name "API Only Users" available by default. I can see both the permission and permission set in my developer edition org.
Vidya Bhandary
I think I will have to check this with SF then. We have corporate orgs but, as we have found out, some features are not enabled unless specifically asked for. Like the ability to log in as another user, for one. I see neither of the items you have mentioned.
Vidya Bhandary
Hi Shashank,

I created a developer edition org today and I did not find a default API-only access anywhere. Not sure what is happening here. Seems strange that a developer edition is different.
ShashForce
Hi Vidya,

Apologies, I saw the permission in a trial Enterprise Edition org that I have access to, and not a developer edition org.

"API Only User" permission is available only in Enterprise and Unlimited Editions, in custom profiles and permission sets. It is not available in Developer or Professional Editions, even if API is enabled.

Thanks,
Shashank
Vidya Bhandary
Hi Shashank,

Thanks for the clarification! I was wondering why I could not see it. We have asked SF on this, so hoping to get an answer in a few days. We do have Enterprise editions but did not see this permission set.

Thank you
Vidya