ChamingaD23

Sending Session Id to Third Party

I need to develop an SSO solution to work with a Google App application. So I thought of calling the Salesforce web service and getting the currently logged-in user. For that I have to send the Session Id.

But the Requirements Checklist says we shouldn't:

Implement controls to protect the Salesforce Session Id. Specifically:

  • Session ID should always be encrypted in transmission
  • Session ID should not be sent to third parties (Example: Google Analytics)

http://wiki.developerforce.com/index.php/Requirements_Checklist

Is there any way of doing this without sending the Session Id?

Best Answer chosen by Admin (Salesforce Developers)
Jdolph

It sounds like you are trying to do something like what is described in the following articles:

http://wiki.developerforce.com/index.php/Single_Sign_On_for_Composite_Apps_

http://wiki.developerforce.com/index.php/Secure_Coding_Single_Sign_On_ (security considerations for SSO)

The requirement is to prevent the session identifier from being sent to a third party. So, for example, if you are integrating Salesforce and Amazon, you should not allow the session identifier to leak to another site (a third party) that is not involved in the integration, like Google Analytics, etc. An example of how the session would be leaked would be in a referrer or an inadvertent transmission to a third party in your application code.

So there is nothing wrong with sending a session ID to another service if it's intentional and you are using best practices to protect the session while it's in transit and at rest (and it does not get leaked to third parties).

I hope that this helps.
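The two leak paths the answer names (a session ID copied into a Referer, or an inadvertent transmission to a host that is not part of the integration) can be checked mechanically before a Security Review. The Python below is an added example written for this thread; it is not code from the forum, from Salesforce, or from the linked articles. The session-ID regex, the `INTEGRATION_HOSTS` allowlist, the sample requests and the use of a `Bearer` Authorization header for the callout are all assumptions made for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed pattern: a Salesforce session id starts with the 15-character org id
# ("00D" + 12 alphanumerics), then "!" and an opaque token. This is a demo
# heuristic, not an official format definition.
SESSION_ID_RE = re.compile(r"00D[A-Za-z0-9]{12}![A-Za-z0-9._-]{10,}")

# Hosts that are legitimately part of the composite-app integration (assumed).
INTEGRATION_HOSTS = {"myapp.appspot.com", "login.salesforce.com"}


def find_session_id_leaks(requests):
    """Scan outbound requests (dicts with 'url' and 'headers') and return
    (host, location, reason) for every place a session id would reach a host
    outside the integration, travel unencrypted, or sit in a location that is
    logged or forwarded by default (URL query string, Referer header)."""
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        host = parts.hostname or ""
        locations = []
        for key, values in parse_qs(parts.query).items():
            if any(SESSION_ID_RE.search(v) for v in values):
                locations.append("query:" + key)
        for name, value in req.get("headers", {}).items():
            if SESSION_ID_RE.search(value):
                locations.append("header:" + name.lower())
        for loc in locations:
            reasons = []
            if host not in INTEGRATION_HOSTS:
                reasons.append("third-party host")
            if parts.scheme != "https":
                reasons.append("not encrypted in transit")
            if loc.startswith("query:"):
                reasons.append("query string is logged and copied into Referer")
            if loc == "header:referer":
                reasons.append("Referer forwards the id to the next site")
            if reasons:
                findings.append((host, loc, "; ".join(reasons)))
    return findings


def build_integration_callout(endpoint, session_id):
    """Build the request the composite app should make: HTTPS only, an
    integration host only, and the session id in a header rather than the URL
    so it never lands in access logs or a Referer. Raises ValueError instead of
    silently sending the id somewhere it should not go."""
    parts = urlsplit(endpoint)
    if parts.scheme != "https":
        raise ValueError("session id must only travel over HTTPS")
    if parts.hostname not in INTEGRATION_HOSTS:
        raise ValueError(f"{parts.hostname} is not part of the integration")
    return {
        "url": endpoint,
        "method": "POST",
        # Bearer scheme assumed for the demo; use whatever the target expects.
        "headers": {"Authorization": "Bearer " + session_id},
    }


# Constructed sample data: one id in a query string, one forwarded to an
# analytics host via Referer, one carried correctly in a header.
SAMPLE_SID = "00D000000000001!AQ4AQ.constructed.token.value"
SAMPLE_REQUESTS = [
    {"url": "https://myapp.appspot.com/sso?sid=" + SAMPLE_SID, "headers": {}},
    {"url": "https://www.google-analytics.com/collect?tid=UA-0",
     "headers": {"Referer": "https://myapp.appspot.com/sso?sid=" + SAMPLE_SID}},
    {"url": "https://myapp.appspot.com/api/whoami",
     "headers": {"Authorization": "Bearer " + SAMPLE_SID}},
]

if __name__ == "__main__":
    for host, loc, reason in find_session_id_leaks(SAMPLE_REQUESTS):
        print(f"{host:30} {loc:22} {reason}")
    print(build_integration_callout("https://myapp.appspot.com/api/whoami", SAMPLE_SID))
```

Run against the sample data, the scanner flags the query-string request and the Referer sent to the analytics host, and passes the header-based callout; the third request is the shape `build_integration_callout` produces. The same scan can be pointed at an outbound-request log from the composite app to confirm nothing outside the allowlist ever sees the id.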

All Answers

ChamingaD23

What I want to do is implement SSO between Google App Engine and Salesforce.

So passing the Session Id to the Google App in the query string (GET method) won't cause an issue during Security Review?

Jdolph

As long as you use SSL and handle it properly in the app (see the security article), it should not be a problem. Let me know if you need anything else.