function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion
osf_teamosf_team 

Outbound Messages - Security

I am using the outbound messaging scenario, wherin an outbound message is triggered on accomplishment of a 'workflow rule'. 
It is working fine and the opportunity records are sent to my web service and the acknowledgement is sent back to Salesforce.
My question is that wont there be any security concerns since no login parameters/ credentials were used while logging into the server that hosts my webservice. Moreover, while the acknowledgement was sent back to Salesforce, there too there is no such security application.
Please guide me on the following:
How does salesforce manages secutiry in outbound messaging?
Do I need to opt for some other way of communication which is more secure?
Am I missing something and there is an option to apply security parameters in outbound messaging as well?
NehalNehal (Salesforce Developers) 
Hi,

Workflow and approval actions that send the information you specify to an endpoint you designate, such as an external service. An outbound message sends the data in the specified fields in the form of a SOAP message to the endpoint.
When you associate an outbound message with a workflow rule or approval process, the outbound message sends the selected information to the associated endpoint URL whenever the workflow rule or approval process is triggered. Once the endpoint URL receives the message, it can take the information from the message and process it, assuming that the Web service has been configured appropriately.
For security reasons, Salesforce restricts the outbound ports you may specify to one of the following:
• 80: This port only accepts HTTP connections.
• 443: This port only accepts HTTPS connections.
• 7000-10000 (inclusive): These ports accept HTTP or HTTPS connections.

To define outbound messages:
*Click Setup | Create | Workflow & Approvals | Outbound Messages.
*Click New Outbound Message.
*Choose the object that has the information you want included in the outbound message, and click Next.
* Configure the outbound message.
a. Enter a name for this outbound message.
b. Enter a unique name, which will be used to refer to this component in the Force.com API. In managed packages, this unique name prevents naming conflicts on package installations. The requirement for uniqueness is only within the selected object type. You can have actions of the same type (for example, two email alerts) with the same unique name, provided they are defined for different objects, such as one for Campaigns and one for Opportunities. The Unique Name field can contain only underscores and alphanumeric characters. It must be unique within the selected object type, begin with a letter, not include spaces, not end with an underscore, and not contain two consecutive underscores.
c. Enter a description for this outbound message.
d. Enter an endpoint URL for the recipient of the message. Salesforce sends a SOAP message to this endpoint.
e. Select the Salesforce user to use when sending the message. The chosen user controls data visibility for the message that is sent to the endpoint.
f. Check the Protected Component check box to mark the outbound message as protected. For more information, see Protected Components.
g. Select Send Session ID if you want the Salesforce session ID included in the outbound message. Include the session ID in your message if you intend to make API calls and you do not want to include a username and password. Sending a username and password is less secure than sending a session ID.
h. Select Add failures to failed outbound message related list if you want this message to move to the failed outbound messages related list after all retries have been attempted. If you do not see this option, failed outbound messages notifications have not been enabled for your organization. Contact your salesforce.com representative.
i. Select the fields you want included in the outbound message and click Add.
* Click Save.
* On the outbound message detail page, click the Click for WSDL link to view the WSDL associated with this message.
The WSDL is bound to the outbound message and contains the instructions about how to reach the endpoint service and what data is sent to it.
* If your endpoint uses a client certificate, right-click the Download Client Certificate link on the outbound message detail page, and save the certificate to the appropriate location. Then you can import the downloaded certificate into your application server, and configure your application server to request the client certificate.
* To set outbound messages into action, associate them with a workflow rule or approval process.

Also refer links below for your reference that will clear most of the things for you:

1.http://www.salesforce.com/us/developer/docs/api/Content/sforce_api_om_outboundmessaging_security.htm

2.https://help.salesforce.com/apex/HTViewSolution?urlname=What-SSL-certificates-does-Salesforce-support-for-Delegated-Authentication-SSO-Apex-callouts-Outbound-Messaging-and-other-callouts-1327366399006&language=en_US

3.https://developer.salesforce.com/forums?id=906F00000008zQWIAY

4.http://www.dataintegrationblog.com/product-news/salesforce-outbound-messaging-service-2/

5.http://yoafzal.wordpress.com/tag/outbound-message/

I hope this helps.

Please mark this as a "Best Answer" if this has resolved your issue.
osf_teamosf_team
Hi Nehal,

Thanks a lot for providing detailed information. That was definately helpful. However, I still am not clear with one thing. 
My outbound message is hitting a service/endpoint hosted on a public IP. How can I ensure that the endpoint is only hit by Salesforce and not by any other application/customer. This will make my server vulnerable. 
The sending session id option you suggested was to avaoid sending credentials from Salesforce. But what if I want to protect this endpoint(my service endpoint) with security credentials?

Regards,
Monika
osf_teamosf_team
Hi...I was posting this message from Shalindra's behalf.

Regards,
Monika
osf_teamosf_team
Hi,

My web service is authentication enabled in the sense that the SOAP request it receives should also contain SOAP authentication headers along with the SOAP body.
Using outbound messaging option on Salesforce.com is there any provision wherein I can send these authentication headers to an external web service.

Regards,
Shalindra
osf_teamosf_team
Hi Experts,
do you have any suggestion here?

Thanks
Shalindra Singh
Felix LeinertFelix Leinert
Hello Shalindra,
I am also trying to send out information from Salesforce to another platform (Zapier) by outbound messages.
I am also concerned about security issues and third party accessing my salesforce org via that endpoint url.
Have you received any feedback about security issues when using outbound messages?

Thanks and best wishes,
Felix


 
anonymousXYZanonymousXYZ
Hello Guys,
You found solution for this ?
Guillaume CribierGuillaume Cribier
Hello, since outbound message doesn't support any kind of auth, the only one solution is to do IP whitelisting .