I am, having a situation for which I cannot find a clear answer. 

​I have portal user the can login to their portal experience using SAML from an OpenSSO provider.
We would like to be able to call REST services via connected apps as those users.   
I know we can get a bearer token from the SAML key so that is not a problem. 
So here are the questions.

Is this correct, I cannot use the REST calls unless I “Enable API Access”?

Leading to the next questions.

If I “Enable API Access”, what access do they have to the SOAP interfaces?

Do they then have access the metadata or SOAP api?  If so, can I block it?

 
There is a concern that someone could gain their token and then use the soap api to look at apex code or object data.  I know sharing rules can fix most of the problems, but we do have some special situations that could still be a problem.  
 

Hello All,

 

Observed mentioned any website URL in iframe parameters is not displayed in chrome browser. But, this works well in IE browser prompting with 'View all content' message.

 

Help me out in understanding.

 

Thanks in Advance.

Hi.

 

I using iframe in the below example

The iframe works fantastic in Internet Explorer ,but it doesn't work in Firefox.

 

<div id="contents">
<iframe src="/{!$CurrentPage.parameters.id}?isdtp=mn" width="100%" frameborder="0" height="600"></iframe>
 </div>

 

Even tried with  <apex:iframe> but negative.

 

 

Any answers are greatly appreciated.

Thanks

suresh