BrendanOC

I'm having issues with the SAML SSO's Just In Time setup.

 

The SAML login works fine until I enable JIT. After I enable JIT, I receive the error "Unable to map an unique profile id for the given profile name" (Error Code: 16).

 

The documentation does not seem to have any information about this error... Also, what should I be passing in for profile id? I hardcoded my user's profile id on salesforce, but I won't have this in a real world scenario with dynamic users. (Hence the JIT setup)... Ideas?

 

 

<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx766d4df1-1929-1d78-9b19-71d1b84296fe" Version="2.0" IssueInstant="2012-04-11T21:26:57Z" Destination="https://login.salesforce.com/?saml=02HKiPoin4qyAn.NYkIUhJDYI0BT_TbEY0rXygRfivhnkIXjjdBH54OvHd" InResponseTo="_2JxOJfTkGTgItVu3EbyxlErXVdt74BLUUCq_wkVVR80YIP60D_qeBAf4QClp4BJt7ryoZ9_YGyeTrtNdhtW30KMjAVwJ7tZabLuHVozctle78mdu1lSl.nPORoi7kYd.1Sk7xp31CA306.riHFBhm7tizQArvJgtWcivaOIDv24wy3cIfeX7JeDdTblcrA82f3aL3DEihSkJm01B_VbJdGwCwNbTrYQ">
  <saml:Issuer>ONEsite</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#pfx766d4df1-1929-1d78-9b19-71d1b84296fe"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>fGizXC/YYdUxw6buGR+CgZ49tn8=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>1AQREJhC81C2Za2ph7uX6W438fs6R+UUCARN3eedJmwXwtn8HdyPKsIh+0gjZ+JsaQJ++anbrvZQ041dA+IdRxrdcDVwwDbzKoD01tDUyWiBQMptC7jn6yN8eLgEi6Cm++P0Yki2SFeylLHz8H2ZXUq9B1t04SapNDbSSfMYZhw=</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="pfxc755b00c-a5de-87e6-d1bf-6726a094d9ca" Version="2.0" IssueInstant="2012-04-11T21:26:57Z">
    <saml:Issuer>ONEsite</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#pfxc755b00c-a5de-87e6-d1bf-6726a094d9ca"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>877uX4K4I6Q/wJoeFkDTYHer+6w=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>zlzoLhtOPdgHSkDNfj2NjedDB1Pp2hgzSe4rgXj8vSqBHptTM1VcI3AhjlRyGOHWh8qBIGBNxMOBteVJcWyP7HC8yA5t3a0f4aGr6BLHaXSuy9cUg7zhbA7b0GMFi2RBffAY2Fruj7MhDzxeOn6vx/V0uKLlec4FXd/Ky3Kczm0=</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">squared3</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2012-04-11T21:31:57Z" Recipient="https://login.salesforce.com/?saml=02HKiPoin4qyAn.NYkIUhJDYI0BT_TbEY0rXygRfivhnkIXjjdBH54OvHd" InResponseTo="_2JxOJfTkGTgItVu3EbyxlErXVdt74BLUUCq_wkVVR80YIP60D_qeBAf4QClp4BJt7ryoZ9_YGyeTrtNdhtW30KMjAVwJ7tZabLuHVozctle78mdu1lSl.nPORoi7kYd.1Sk7xp31CA306.riHFBhm7tizQArvJgtWcivaOIDv24wy3cIfeX7JeDdTblcrA82f3aL3DEihSkJm01B_VbJdGwCwNbTrYQ"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2012-04-11T21:26:27Z" NotOnOrAfter="2012-04-11T21:31:57Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://saml.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2012-04-11T21:26:57Z" SessionNotOnOrAfter="2012-04-12T05:26:57Z" SessionIndex="_b6c9e3c74e52b2a7ab0745fe54c039e52658cf57aa">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="ProvisionVersion">
        <saml:AttributeValue xsi:type="xs:string">1.0</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="User.Username">
        <saml:AttributeValue xsi:type="xs:string">user@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="User.Phone">
        <saml:AttributeValue xsi:type="xs:string"/>
      </saml:Attribute>
      <saml:Attribute Name="User.FirstName">
        <saml:AttributeValue xsi:type="xs:string">FirstName</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="User.LanguageLocaleKey">
        <saml:AttributeValue xsi:type="xs:string">en_US</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="User.Alias">
        <saml:AttributeValue xsi:type="xs:string">Alias</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="User.LastName">
        <saml:AttributeValue xsi:type="xs:string">LastName</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="User.Email">
        <saml:AttributeValue xsi:type="xs:string">user@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="User.FederationIdentifier">
        <saml:AttributeValue xsi:type="xs:string">squared3</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="User.ProfileId">
        <saml:AttributeValue xsi:type="xs:string">005d00000019aXk</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="User.IsActive">
        <saml:AttributeValue xsi:type="xs:integer">1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="User.EmailEncodingKey">
        <saml:AttributeValue xsi:type="xs:string">UTF-8</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="federationId">
        <saml:AttributeValue xsi:type="xs:string">squared3</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
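As an added example (not the poster's code and not Salesforce's own JIT handler), the Python below checks a Salesforce-bound SAML response for the things that commonly break Just-in-Time provisioning: a missing, empty or multi-valued User.* attribute, an assertion outside its validity window, the wrong Audience, and a weak signature algorithm. The sample response is a constructed, trimmed copy of the one posted above with the signature values omitted; the required-attribute list is an assumption drawn from the attribute names the poster sends. It only inspects the SignatureMethod and does not verify the signature itself, which needs an XML-DSig library.

```python
"""Inspect a SAML 2.0 response for attributes Salesforce JIT provisioning
needs, plus validity window, audience and signature algorithm.
Added example; sample data constructed, attribute list assumed."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SALESFORCE_AUDIENCE = "https://saml.salesforce.com"
WEAK_SIGNATURE_METHODS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1"}

# Assumed minimum set of attributes JIT needs before it can create a user.
REQUIRED_JIT_ATTRIBUTES = ("User.Username", "User.Email", "User.LastName",
                           "User.ProfileId", "User.FederationIdentifier")

# Constructed sample: same shape and attribute names as the posted response.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion Version="2.0" IssueInstant="2012-04-11T21:26:57Z">
    <saml:Issuer>ONEsite</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    </ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>squared3</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2012-04-11T21:26:27Z" NotOnOrAfter="2012-04-11T21:31:57Z">
      <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="User.Username"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.Email"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.LastName"><saml:AttributeValue>LastName</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.FederationIdentifier"><saml:AttributeValue>squared3</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.ProfileId"><saml:AttributeValue>005d00000019aXk</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.Phone"><saml:AttributeValue/></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_utc(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def attribute_values(root):
    """Map attribute Name -> list of values across all AttributeStatements."""
    found = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        found[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return found


def check_response(xml_text, now, audience=SALESFORCE_AUDIENCE, skew=timedelta(seconds=30)):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        findings.append("status is not Success")

    # Only the algorithm is inspected; signature verification is out of scope here.
    methods = [m.get("Algorithm") for m in root.iter("{%s}SignatureMethod" % NS["ds"])]
    if not methods:
        findings.append("no XML signature present")
    for method in methods:
        if method in WEAK_SIGNATURE_METHODS:
            findings.append("weak signature method %s" % method)

    conditions = root.find(".//saml:Conditions", NS)
    if conditions is None:
        findings.append("no Conditions element")
    else:
        if now + skew < parse_utc(conditions.get("NotBefore")):
            findings.append("assertion not yet valid")
        if now - skew >= parse_utc(conditions.get("NotOnOrAfter")):
            findings.append("assertion expired")
        audiences = [a.text for a in conditions.findall(".//saml:Audience", NS)]
        if audience not in audiences:
            findings.append("audience %r does not include %s" % (audiences, audience))

    attrs = attribute_values(root)
    for name in REQUIRED_JIT_ATTRIBUTES:
        values = attrs.get(name, [])
        if len(values) != 1:
            findings.append("%s must have exactly one value, got %d" % (name, len(values)))
        elif not values[0].strip():
            findings.append("%s is empty" % name)

    # Policy of this example: the NameID should be the same federation ID
    # that the User.FederationIdentifier attribute carries.
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS)
    federation_id = attrs.get("User.FederationIdentifier", [""])[0]
    if name_id != federation_id:
        findings.append("NameID %r differs from User.FederationIdentifier %r" % (name_id, federation_id))
    return findings


if __name__ == "__main__":
    for finding in check_response(SAMPLE_RESPONSE, parse_utc("2012-04-11T21:27:00Z")):
        print(finding)
```

Run against the sample at a time inside its five-minute window, the only finding is the SHA-1 based signature method; run it a few minutes later and the assertion is reported as expired, which is the first thing to rule out when a login that "worked yesterday" starts failing.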

Hi there,

I'm publishing a Custom Object to a public site. The site can display standard fields like 'name'. However, it does not display anything when it comes to custom fields.

 

As a first step I checked the "Standard Guest" profile. And here comes the mystery: I cannot see this profile in the profile list in salesforce.com; it is accessible only from the IDE. Next, I cannot change any of the Custom Object Permissions (cannot mark anything checked there). I was able to set Custom Field-Level Security properly though.

 

Is there anything I'm doing wrong?

 

How's your experience? What steps have you had to take to get Custom fields from your custom objects visible for Guests?

Is there a way for me to modify CRUD settings on a custom object for all profiles simultaneously?

 

Thanks!

 

Tyler

I apologize in advance if this question has been previously answered.

 

We have an issue with users running reports on peers' productivity.

 

Is there a way to set up security so that users can see cases regardless of who owns them, but not run reports on cases that they don't own?

 

Thanks,

Shannon B

hi,

 

If I have a field on my custom object which is hidden from a particular user profile.

Even so, can a user of that profile read or write this field through Apex code or the web service API?

 

Thanks,

dsk

Hi, I am wondering if there is a way to hide opportunities or accounts or other objects for a user with a specific profile or role based on field values on the particular object?

 

Thanks / Niklas

First of all, good work on adding XSRF (cross-site request forgery) to the security scanner.

 

Secondly, I'd like to ask for some tips on a more secure way of doing things.

 

Currently I have a button for a ticketing system that most competitors have, one that takes ownership of the current record. Currently I have this implemented as a Visualforce page something like this:

 

 

<apex:page standardController="ticket__c" extensions="sObjectUtils" action="{!takeOwnership}">
<apex:outputPanel rendered="false">
<!-- referenced here so standardController.getRecord() loads ownerId, rather than needing a SOQL query -->
    {!ticket__c.ownerId}
</apex:outputPanel>

Ownership taken.
</apex:page>

 

The problem is I can't see a way to put a button on a detail page that doesn't open me up to XSRF without requiring an extra step. I'd love it if I could call an action with a button directly, which would mitigate the XSRF issues, but that's currently not supported by the platform.

 

So mighty security gurus, what's the "proper" way of implementing this button?

 

Hi,

 

Quick question - I'm setting Read/Create/Edit/Delete custom object permissions on profiles - I'm not sure how this affects field level permissions (also set on profile).  If I set a custom object on a profile to have no R/C/E/D permissions do I also need to set the field level security to invisible for each field?

 

My assumption is that object-level security trumps field-level security... is that correct?

 

Cheers.

Hello,

we are implementing Salesforce, but the thing is that we want to know what minimum bandwidth Salesforce requires to work, and what bandwidth Salesforce requires to work optimally.

Thanks.

Hi,

 

The Salesforce Source Code tool shows Serious Access Control security problems everywhere there is no With sharing keyword.

I understand what with sharing does.

Now I want to do an object search on a public Site page. Obviously the user needs to find all the records and not only the ones he created or owns.

What is the best practice then? Should we remove with sharing (the easy option) or keep it and give access to all records?

If so, how do we do that securely?

 

Cheers,

 

Laurent

How can I determine if the current page is running in HTTP or HTTPS mode?

It seems ApexPages.currentPage().getHeaders(); does not contain this information.

March 31, 2010

I have a portal in my production org, and every time a user tries to load the page, a pop-up appears saying, "This page contains both secure and nonsecure items. Do you want to display non-secure items?" It doesn't matter if I click yes or no, as there is no change in the display of the page. Users have started complaining about this as they keep getting this pop-up every time they try to load the page.

 

I had the same issue in sandbox and thought once we moved to prod it would be fine. But the problem still persists. Does anyone have an idea why this is occurring and how to resolve this?

 

Thanks.

March 30, 2010


One of the ways that we enforce security policy is that we perform SSL interception on all SSL traffic headed out of the network via our proxy servers. Salesforce is really the first place we've hit a big snag in this operation, specifically Chatter.com. Other Salesforce tools we use function fine. You can log in to Chatter, but when you try to use the people or groups functionality, you get an error that says you've done something invalid for your session. When we disable SSL interception, it works again. We've tried modifying the policy to ignore key things like invalid issuer, hostname mismatches, and expired certs, but no luck. You have to completely disable SSL interception. Salesforce won't provide support for this and directed me here. Anyone else do SSL interception with Salesforce, specifically Chatter? Have you run into a similar issue?

 

Thanks!

With SAML, do I still need to use an LDAP server, locally?

I was thinking the big difference between federated and delegated is that delegated requires something like an LDAP server.

 

I was thinking that SAML allows me to keep my users in salesforce??

Am I wrong?

Record owner has the same profile as the person trying to delete the record.

 

Under profile permissions the user is allowed to modify, delete etc. on the Opportunity, Contact, Lead and Account objects.

 

Sharing Settings has been set to READ/WRITE between Group who has the same profile.

 

I do not wish to set Modify All on either specific objects or organization-wide; is there a different solution to this?

 

Thank you.

August 22, 2011

 

Hello,

 

Planning on sitting the 401 exam soon. Would anyone happen to know where I might find examples to test my record security knowledge (picking the best OWD and sharing rule)? I have gone over the documentation but would love to find more scenarios to make sure I have all the angles covered!

 

Thanks in advance,

G.

August 18, 2011

Hi All,

 

I'm creating a custom object that will contain some sensitive employee data.  I've got it pretty well locked down except that I have found that my admin users can query the _History object through the API to see audited field value changes.  This has been tested through to Force.com Explorer (both of them).  On the other hand, admin users (or users with View All Data/Modify All Data) do not see the Audit history for fields they do not have access to when viewing the data through a page layout in Salesforce.

 

So my questions are:

1) is this intended behavior

2) is there any way to lock this down

3) or should I just build a custom object to replicate the audit trail?

 

Thanks for your input.

 

-Brandon

 

 


Hi,

 

I understand that depending on "View Encrypted Data" Profile permission, users can view masked/unmasked Encrypted field data.

 

However, what is stored in the database? Is it encrypted version/decrypted version of data? What result will come once you query for the field?

 

Please advise.

 


Thanks,

 

Vimal

Is it possible to authenticate Customer Portal, Partner Portal, and Standard users via a single form?

 

I have tried a few different approaches, and each errors on me.  Can anyone give me some feedback on whether this is possible, and what (if anything) I am doing wrong in the three approaches below.

 

1.  I tried setting up a SalesForce Site with authentication enabled using the SiteLogin page provided.  However, this does not work, as each Site must be tied to one, and only one, portal site, and does not work with Standard users.

 

2.  I tried using a SalesForce Site with public access enabled, and then tried using the AJAX Toolkit Javascript API.  The VisualForce page works fine if I am inside SalesForce for all three user types.  However, if I access the Site to run the page, I cannot authenticate.  Attempting to do so causes an error to occur on the login method.  This error is 'UNKNOWN_EXCEPTION: Site under construction'. 

 

However, if I enable the header and side bar, it works for standard and Partner Portal users, but not for Customer Portal users.  Attempting to login as a Customer Portal user fails with the following error message: 'INVALID_LOGIN: Invalid username, password, security token; or user locked out'

 

<apex:page showHeader="false" sidebar="false">
<head>
<style>
/* property values use ':' (the original used '=', which browsers ignore) */
page { width: 100%; height: 100%; border: 1px solid; background-color: red; }
</style>
</head>
<script src="../../soap/ajax/22.0/connection.js" type="text/javascript"></script>
<script type="text/javascript">
function validateUser()
{
    alert("Username: " + document.getElementById("tbUsername").value);
    var result;
    try
    {
        // AJAX Toolkit login; throws on faults such as INVALID_LOGIN
        result = sforce.connection.login(document.getElementById("tbUsername").value,
                                         document.getElementById("tbPassword").value);
    }
    catch (e)
    {
        alert(e);
        showStuff('lbLoginFailed');
        return;
    }
    alert("result: " + result);
    if (result != undefined)
    {
        showStuff('rnFrame');   // target element is not part of this excerpt
        hideStuff('theForm');
        hideStuff('lbLoginFailed');
    }
    else
    {
        showStuff('lbLoginFailed');
    }
}

function hideStuff(id) {
    document.getElementById(id).style.display = 'none';
}
function showStuff(id) {
    document.getElementById(id).style.display = 'block';
    document.getElementById(id).style.width = '100%';
    document.getElementById(id).style.height = '1000px';
}
</script>
<form id="theForm" width="100%" height="100%">

<table border="0">
<tr><th colspan="2">Please login using your Customer Portal or <br/>Partner Portal credentials to access the article.</th></tr>
<tr><td>Username:</td><td><input id="tbUsername" type="text"/></td></tr>
<tr><td>Password:</td><td><input id="tbPassword" type="password"/></td></tr>
<tr><td colspan="2" align="right"><input id="btnSubmit" type="button" value="Login" onclick="validateUser();"/></td></tr>
</table>
</form>
<div id="lbLoginFailed" style="display:none">Login failed.  Please try again.</div>
</apex:page>

 

3. The last method I tried was using the SOAP API to create an ASP.Net page to try logging the user in.

 

This works for standard and Partner Portal users, but not for Customer Portal users.  Attempting to login as a Customer Portal user fails with the following error message: 'INVALID_LOGIN: Invalid username, password, security token; or user locked out'

 

Hello,

 

I have created a VF page that will go on a public site that is meant for user to enter data into the system.  This is working fine but I noticed that URL hacking is possible (read only due to FLS on the public user profile for the site) if a user appends the id to the url (for example, VFPage?id=00AB0000001abcD).

 

Ideally, I would like to simply set FLS to edit with no view.  Since create FLS requires view FLS, how can one prevent url hacking in this manner?   How can we prevent the controller extension from processing data from the url?

 

Thanks,

 

Tony

Hello Everyone,

 

Our company has several separate instances of salesforce.com. Is it possible to use a single sign-on to gain access to each instance instead of having to create a login for each instance?

 

Any information would be much appreciated.

 

Thanks,

V

Hi Simon,

 

I'd like to get Salesforce Report data with an access token. I used HttpClient to set up a connection to Salesforce and send a request to get report data. In the request header, I used cookies and added 'sid' to it. It works well. However, when I switch to OAuth it doesn't work. I tried assigning the access token to 'sid' as well as removing 'sid' from the header and adding 'Authorization: OAuth #access token#' to the header of the request, without success. The response code is 200 though. The response is a page with a redirect to 'https://login.salesforce.com/?ec=302&startURL=/00O50000002HVb2?isExcel=1&xf=csv&export=1&enc=UTF-8'. The code for sending the request follows.

GetMethod get = new GetMethod(url);
get.setFollowRedirects(true);

get.setRequestHeader("Cookie", "com.salesforce.LocaleInfo=us; inst=APP7");
get.setRequestHeader("Authorization: OAuth ", accessToken);

int iCode = client.executeMethod(get);

Please take a look and point out what could be wrong.

 

Thanks,

Michael
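As an added example (not the poster's Java code and not a Salesforce client library), the Python below shows the two halves of this problem from the defender's side: building the Authorization header so that the header name is a valid HTTP token with the scheme and token in the value, and recognising the failure mode described above, an HTTP 200 whose body is an HTML page redirecting to login.salesforce.com with ec=302 rather than the CSV that was asked for. The token value and the HTML body are constructed; the assumption that the redirect page contains 'login.salesforce.com/?ec=302' comes from the URL quoted in the post.

```python
"""Correct OAuth header construction and detection of Salesforce's
200-with-login-redirect response. Added example; sample values constructed."""
import re

# RFC 7230 token characters: a header *name* may not contain ':' or spaces.
_TOKEN_CHARS = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")

# Constructed from the URL quoted in the post: the page Salesforce returns
# when the request carried no usable session.
_LOGIN_REDIRECT = re.compile(r"login\.salesforce\.com/\?ec=302")


def validate_header_name(name):
    """Reject names such as "Authorization: OAuth " (colon and trailing
    space inside the name); a client that sends such a header is sending a
    field Salesforce never reads, so the request goes out unauthenticated."""
    if not _TOKEN_CHARS.match(name):
        raise ValueError("invalid HTTP header name: %r" % name)
    return name


def auth_headers(access_token, scheme="OAuth"):
    """Headers for a token-bearing request: name 'Authorization', value
    '<scheme> <token>'. Salesforce accepts the OAuth scheme (Bearer works too)."""
    if not access_token or any(c.isspace() for c in access_token):
        raise ValueError("access token must be a single non-empty token")
    return {validate_header_name("Authorization"): "%s %s" % (scheme, access_token)}


def classify_response(status, content_type, body):
    """Map a response to 'ok', 'auth-failed' or 'unexpected'.
    A 200 that is HTML pointing at the login page with ec=302 means the
    request was not authenticated even though the status code looks fine;
    a CSV export would arrive with a non-HTML content type."""
    if status in (401, 403):
        return "auth-failed"
    if status == 200 and "text/html" in content_type and _LOGIN_REDIRECT.search(body):
        return "auth-failed"
    if status == 200:
        return "ok"
    return "unexpected"


if __name__ == "__main__":
    print(auth_headers("00Dxx0000000000!AQEAQ"))  # constructed token value
    page = ('<html><head><meta http-equiv="refresh" content="0;URL='
            'https://login.salesforce.com/?ec=302&startURL=/00O50000002HVb2">'
            '</head></html>')
    print(classify_response(200, "text/html;charset=UTF-8", page))
```

The same classifier is worth keeping in any integration that polls Salesforce with a stored token: an expired or revoked session surfaces as this 200 redirect, so a monitor that only looks at status codes will report the job as healthy while every export silently returns a login page.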

 

I am going to implement Delegated Authentication Single Sign-On in my Org. I learned basic idea from salesforce.com online help and some pdf files. But I have some queries regarding it. As below :

 

1. Where will the username and password be stored after login?

 

I followed the below steps to implement Delegated Authentication Single Sign-On :

 

1. Sent request to salesforce to turn on SSO feature.

 

2. Downloaded AuthenticationService.wsdl from the org and created a server stub in .NET

 

3. I got sample code for .NET from the link http://wiki.developerforce.com/index.php/How_to_Implement_Single_Sign-On_with_Force.com

 

4. Now I am going to publish this code and put it on some test server. Copy the server IP (where I put the published code with the web service) and paste it under Delegated Authentication SSO in my org into the delegated URL textbox.

 

6. I downloaded the .NET code from the above link. Should I publish this code and host it on any server?

 

7.What will be delegated gateway URL?

 

8. Are there any other settings or changes in the downloaded .NET code (from the above link)?

 

I am following these steps. I have doubts about achieving my objective. Is this correct? Tell me where I am wrong.

What will be my IP settings and what will be settings for other things like user id and password?

Your help and response will be appreciated :)

 

Thanks
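As an added example (not the .NET sample the post links to), the Python below is a minimal handler for the gateway side of Delegated Authentication: it parses the SOAP message Salesforce sends, verifies the credential against a local store, and answers Authenticated true or false. The namespace and element names (urn:authentication.soap.sforce.com; Authenticate with username, password, sourceIp; AuthenticateResult with Authenticated) are written here from memory of the AuthenticationService.wsdl the post mentions, so treat them as assumptions and compare against the downloaded WSDL. The user store, the allow-list address and the end-user address are constructed.

```python
"""Delegated Authentication gateway handler: parse the SOAP request, verify
the credential, return Authenticated true/false. Added example; element
names assumed from the WSDL, user store and addresses constructed."""
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from ipaddress import ip_address
from xml.sax.saxutils import escape

NS_SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS_AUTH = "urn:authentication.soap.sforce.com"  # assumed from the WSDL


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed store: the gateway keeps only salted PBKDF2 hashes. Nothing on
# this side stores the clear-text password, and Salesforce does not store it
# either; it forwards what the user typed and keeps only the yes/no answer.
_SALT, _DIGEST = hash_password("correct horse battery staple")
USERS = {"jdoe@example.com": (_SALT, _DIGEST)}

# Constructed allow-list standing in for Salesforce's published IP ranges;
# the gateway must answer only to Salesforce, not to anyone on the Internet.
TRUSTED_CALLERS = [ip_address("203.0.113.10")]


def parse_request(xml_text):
    root = ET.fromstring(xml_text)
    req = root.find(".//{%s}Authenticate" % NS_AUTH)
    if req is None:
        raise ValueError("not an Authenticate request")
    field = lambda tag: req.findtext("{%s}%s" % (NS_AUTH, tag)) or ""
    return field("username"), field("password"), field("sourceIp")


def verify(username, password):
    record = USERS.get(username)
    if record is None:
        hash_password(password, b"\x00" * 16)  # same cost for unknown users
        return False
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def authenticate(xml_text, caller_ip):
    """Return (authenticated, reason). caller_ip is the TCP peer, which must
    be Salesforce; sourceIp inside the message is the end user's address,
    which a gateway may subject to its own policy (not done here)."""
    if ip_address(caller_ip) not in TRUSTED_CALLERS:
        return False, "caller not in allow-list"
    username, password, _source_ip = parse_request(xml_text)
    if not username or not password:
        return False, "empty credential"
    return (True, "ok") if verify(username, password) else (False, "bad credential")


def soap_response(authenticated):
    return ('<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Body>'
            '<AuthenticateResult xmlns="%s"><Authenticated>%s</Authenticated>'
            '</AuthenticateResult></soapenv:Body></soapenv:Envelope>'
            % (NS_SOAP, NS_AUTH, "true" if authenticated else "false"))


def build_request(username, password, source_ip):
    """Constructed request in the shape Salesforce sends, for the demo."""
    return ('<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Body>'
            '<Authenticate xmlns="%s"><username>%s</username>'
            '<password>%s</password><sourceIp>%s</sourceIp>'
            '</Authenticate></soapenv:Body></soapenv:Envelope>'
            % (NS_SOAP, NS_AUTH, escape(username), escape(password), escape(source_ip)))


if __name__ == "__main__":
    req = build_request("jdoe@example.com", "correct horse battery staple", "198.51.100.7")
    ok, why = authenticate(req, "203.0.113.10")
    print(why, soap_response(ok))
```

Serve this only over HTTPS with a certificate Salesforce can validate, log the username and the decision but never the password field, and point the Delegated Gateway URL at it; what the user types into the Salesforce login form is exactly what arrives in the password element, so the gateway is the only place that credential is ever checked.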

Hi

 

below is my code :

 

SoapClient m_sfdcSrv = new SoapClient();

// password with the security token appended; keep it in configuration,
// not as a literal in source
loginResult = m_sfdcSrv.login(loginScopeHeader, "synthesis_rajesh@hotmail.com", passwordWithSecurityToken);

 

When I run this code I am getting this error:

Could not establish trust relationship for the SSL/TLS secure channel with authority 'login.salesforce.com'

 

Please help me, thanks in advance

 

Our client is looking to roll out 1100 iPad devices that will communicate with both internal web services and salesforce.com web services outside the corporate firewall with these additional specifications:

1. The salesforce service must be able to identify the end user to achieve data security requirements
2. It is desired to only require the user to enter/manage one set of credentials (Enterprise Windows Active Directory)
3. It is desired to not require the user to go through the activation email process to confirm their identity
4. Current security requirements dictate that access to salesforce be restricted from any unknown/outside IP.

Delivering all of these requirements does not seem plausible given my understanding of the Salesforce API constraints. Any other folks out there have similar authentication challenges for enterprise customers?