
Security in delegated authentication



I am integrating salesforce.com site with my AD using delegated authentication. I have created the web service and deployed it in the DMZ. I have configured salesforce.com to use my web service for authentication. Everything works fine now. My concern is about the security of the web service itself. How can I restrict the web service to be accessed only by salesforce.com? What are the best practices to implement security for this web service?




There are a couple of steps you can take.  First, configure your firewall to only accept inbound connections from Salesforce.com IP addresses.

link: https://ws.arin.net/whois/?queryinput=


link: https://ws.arin.net/whois/?queryinput=


These IP blocks shouldn't change, but they might sometime in the future.  If you find that you're unable to log in, you should check the firewall logs and make sure that delegated auth calls aren't coming from a different Salesforce IP.


Additionally, I would recommend configuring SSL mutual authentication as an additional layer of security.  I found this community post for configuring mutual auth in Tomcat: http://community.salesforce.com/t5/Java-Development/Salesforce-Client-Certificate/m-p/40027


If you're using IIS or another web server, check the vendor's support page for a How-To guide.


Hope that helps!
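As an added illustration (not code from the poster, from Salesforce, or from the Tomcat post linked above), here is a minimal Python HTTPS endpoint that applies both measures from the answer inside the service itself: a source-address allowlist as a second layer behind the firewall rule, and TLS client-certificate verification (mutual auth) so that only a caller presenting a certificate issued by the CA you trust, with the subject you expect, can reach the delegated-auth handler. The CIDR ranges are RFC 5737 documentation addresses standing in for the real Salesforce blocks, and the expected client CN, file paths and port are placeholders.

```python
import ipaddress
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholder ranges (RFC 5737 documentation addresses), NOT Salesforce's real
# blocks: substitute the ranges returned by the ARIN lookups for your instance.
SALESFORCE_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Placeholder: the subject CN you expect on the client certificate presented to you.
EXPECTED_CLIENT_CN = "placeholder-salesforce-client-cn"


def is_allowed_source(remote_ip, allowed=None):
    """Second layer behind the firewall rule: accept only listed source networks.
    Anything unparsable, or an address family not in the list, is rejected."""
    allowed = SALESFORCE_RANGES if allowed is None else allowed
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowed)


def peer_subject_matches(peer_cert, expected_cn):
    """peer_cert is the dict form returned by SSLSocket.getpeercert(): its
    'subject' is a tuple of RDNs, each a tuple of (attribute, value) pairs.
    Pins the caller to one CN rather than accepting any cert from the CA."""
    if not peer_cert:
        return False  # no certificate was presented at all
    subject = {}
    for rdn in peer_cert.get("subject", ()):
        for attr, value in rdn:
            subject[attr] = value
    return subject.get("commonName") == expected_cn


def client_auth_context(server_cert=None, server_key=None, client_ca=None):
    """Server-side TLS context that REQUIRES a client certificate chaining to
    client_ca. Paths are optional only so the policy can be checked without files."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if server_cert and server_key:
        ctx.load_cert_chain(server_cert, server_key)
    if client_ca:
        ctx.load_verify_locations(cafile=client_ca)
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails without a valid client cert
    return ctx


def requires_client_cert(ctx):
    """True when the context will refuse connections lacking a client certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


class DelegatedAuthHandler(BaseHTTPRequestHandler):
    """Accepts the delegated-auth POST only from an allowed address that also
    presented the expected client certificate; everything else gets 403."""

    def do_POST(self):
        if not is_allowed_source(self.client_address[0]):
            self.send_error(403, "source address not allowed")
            return
        if not peer_subject_matches(self.connection.getpeercert(), EXPECTED_CLIENT_CN):
            self.send_error(403, "client certificate not accepted")
            return
        # A real service parses the SOAP Authenticate request and checks it against AD here.
        self.send_response(200)
        self.end_headers()


def serve(bind=("0.0.0.0", 8443), cert="server.pem", key="server.key", ca="client-ca.pem"):
    """Placeholder paths: server cert/key, and the CA that issued the client certificate."""
    httpd = HTTPServer(bind, DelegatedAuthHandler)
    httpd.socket = client_auth_context(cert, key, ca).wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()


if __name__ == "__main__":
    serve()
```

The in-application allowlist does not replace the firewall rule; it catches the case the answer warns about, where the ranges change, by producing a logged 403 instead of a silent drop, so the failing source address is visible. The CN check matters because `CERT_REQUIRED` alone accepts any certificate the configured CA has issued.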