In today’s environment of hackers and security incidents, Salesforce Administrators need to ensure that the security of the Salesforce org is tight and that access to the org is not wide open. This is especially important where the org holds PII (personally identifiable information) or PHI (protected health information) data; we don’t want our company to show up in the news as the next company that has leaked customer data.
This is the first in a 3-part series covering the security options available for configuring Salesforce access. Based on your industry, the sensitivity of the data stored in Salesforce, the type of users accessing Salesforce, etc., gauge the level of security best suited for your Salesforce org and implement accordingly.
Article 1:
- Use Case: Users Can Only Login During Specified Hours
- Use Case: I Trust These IP Addresses
- Use Case: These Users Can Only Login From These IP Ranges
- Use Case: I Want a Branded URL
Article 2:
- Use Case: I Want to Specify How Salesforce Authenticates My Users
- Use Case: I Want Users to Login with SSO, Eliminate the Need to Issue and Reset Passwords
- Use Case: I Want to Increase My Security with 2-Factor Authentication
- Use Case: I Want Users to Access Salesforce With Social Logins
Article 3:
- Use Case: I Want to Specify How a User Logs In
- Use Case: I’m a System Admin and Need to Login As Another User
- Use Case: I’m not a System Admin and Need to Login As Another User
- Use Case: I Need to Create an Integration User
- Use Case: I Have Sensitive Data. How Do I Safeguard It?
What is the Salesforce Authentication Process?
Before we talk about how to configure the various security settings, let’s get a basic understanding of Salesforce’s login authentication process.
Use Case: Users Can Only Login During Specified Hours
By default, users can log into Salesforce at any time.
You may have a use case which requires that users be restricted as to specific days/hours in which the user can access Salesforce. Such a use case may be that of a customer service rep who would only need to access Salesforce during normal business hours, 9-5. In this case, you would configure login hours in the user’s profile.
Another use case for using login hours is to create a maintenance window for your Salesforce users while you perform a major deployment and want to prevent users from logging into the system and experiencing unexpected behavior and reporting red herrings.
Note: by making this change to the Profile, this login hour restriction will apply to everyone assigned to the Profile.
Under Setup, go to Manage Users | Profiles
Step 1. Go to the Login Hours section and click on the “Edit” button.
Step 2. Specify the start and end times by day of the week in which the users can log into Salesforce (Pay attention to the time zone noted)
Step 3. Click the “Save” button.
Use Case: I Trust These IP Addresses
One of the steps in Salesforce’s login authentication process is to validate the login against your org’s authorized IP addresses. Any user accessing Salesforce from outside of these IP addresses will receive a login challenge (i.e. a verification code will be sent to the email address on their user record). Once Salesforce successfully validates the verification code, the user is logged in.
Once you’ve obtained your company’s IP address ranges, you can configure them in Salesforce.
Under Setup, go to Security Controls | Network Access
Step 1. Click on the “New” button.
Step 2. Enter the starting and ending IP Address. While the description of the IP range is not required, it is useful to describe the IP range so you know whether it is a company IP address or one that belongs to a 3rd party integrator.
Note: If you are given one IP address, rather than a range, enter the same IP address in the end IP address field.
Step 3. Click on the “Save” button.
Repeat Steps 1-3 for each IP address range.
Use Case: These Users Can Only Login From These IP Ranges
Let’s say you have a use case where you have to limit logins for certain users: for example, requiring your own users to access Salesforce from within your company’s network, or allowing a third party implementation vendor to log in only from their specific IP addresses. In that case, you need to specify the login IP address ranges on those user profiles.
If the user belonging to the user profile accesses Salesforce from any IP addresses listed in the Login IP Ranges, and all other login steps successfully pass, then the user will be allowed access.
If the user accesses Salesforce with an IP address not listed in the Login IP Ranges for the profile, access will be denied and “Restricted IP” is shown as the status in the user’s login history.
Under Setup, go to Manage Users | Profiles
Step 1. Go to the Login IP Ranges section
Step 2. Click on the “New” button.
Step 3. Enter the starting and ending IP Address. While the description of the IP range is not required, it is useful to describe the IP range so you know whether it is a company IP address or one that belongs to a 3rd party integrator.
Note: If you are given one IP address, rather than a range, enter the same IP address in the end IP address field.
Step 4. Click on the “Save” button.
Step 5. Repeat steps 2-4 for each login IP range.
Note: I’d suggest that you not implement login IP ranges on the system administrator profile, especially if you have a third party implementation partner or others outside your network who will need access to Salesforce and whose IP addresses you cannot obtain to include in the login IP ranges.
If your users use tools with Salesforce, such as Apex Data Loader, Eclipse, etc., and there are IP range values defined in the Network Access screen, then the “Reset My Security Token” option will not be available to users. To work around this, you can change the user temporarily to the system admin profile so they can reset their security token and then change their profile back.
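To make the login checks described above concrete (login hours from the profile, login IP ranges from the profile, and the org-wide Network Access list), here is an added Python model of that decision; it is example code written for this article, not Salesforce’s own logic. The order in which the three checks run, the sample profile and the IP ranges are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time
from zoneinfo import ZoneInfo


def ip_in_ranges(ip: str, ranges: list[tuple[str, str]]) -> bool:
    """True if ip lies inside any (start, end) range. A single trusted address
    is entered with start == end, as the article notes."""
    addr = ipaddress.ip_address(ip)
    for start, end in ranges:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo.version == addr.version and lo <= addr <= hi:
            return True
    return False


@dataclass
class Profile:
    hours_tz: str  # time zone noted on the profile's Login Hours section
    login_hours: dict[int, tuple[time, time]]  # weekday (0=Mon) -> (start, end); missing day = no login
    login_ip_ranges: list[tuple[str, str]] = field(default_factory=list)  # empty = no restriction


def evaluate_login(profile: Profile, org_trusted: list[tuple[str, str]], ip: str, when: datetime) -> str:
    """Return the outcome of a login attempt from ip at time `when` (tz-aware).
    Check order is an assumption: profile login hours, profile IP ranges, then Network Access."""
    local = when.astimezone(ZoneInfo(profile.hours_tz))
    window = profile.login_hours.get(local.weekday())
    if window is None or not (window[0] <= local.time() < window[1]):
        return "denied: outside login hours"
    # Outside the profile's Login IP Ranges: access denied, login history shows "Restricted IP"
    if profile.login_ip_ranges and not ip_in_ranges(ip, profile.login_ip_ranges):
        return "Restricted IP"
    # Outside the org's trusted Network Access ranges: login challenge with emailed code
    if not ip_in_ranges(ip, org_trusted):
        return "challenge: verification code emailed"
    return "allowed"


# Constructed sample data (documentation address ranges, not real company addresses)
ORG_TRUSTED_RANGES = [("198.51.100.0", "198.51.100.255")]
SERVICE_REP = Profile("America/New_York", {d: (time(9, 0), time(17, 0)) for d in range(5)})
VENDOR = Profile("America/New_York", {d: (time(0, 0), time(23, 59)) for d in range(7)},
                 [("203.0.113.10", "203.0.113.10")])  # single trusted vendor address
```

Call `evaluate_login(SERVICE_REP, ORG_TRUSTED_RANGES, "198.51.100.7", datetime(2024, 1, 10, 14, 0, tzinfo=ZoneInfo("UTC")))` to see a Wednesday 9:00 AM Eastern login from the office network come back as allowed.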
Use Case: I Want a Branded URL
Rather than direct your users to the boring, generic login.salesforce.com, you can specify a unique domain URL which will allow you to brand the login screen (where I have the cloud image) with a customized logo and the content in the right frame (where I have the ‘Company News’ image).
Additionally, you may have use cases to block or redirect page requests not using the custom domain name, specify how users are authenticated or allow users to select alternate identity providers from the login page. This, too, is handled by configuring a My Domain for your Salesforce org.
A few important things to note about a custom domain:
- A custom domain name is defined only once. Once set, it cannot be reversed or changed.
- Your domain name can be up to 40 characters.
Under Setup, go to Domain Management | My Domain
Step 1. Provide a domain name of your choosing where you see “jenwlee” highlighted above and click on the “Check Availability” button.
Step 2. Once Salesforce confirms that the custom domain is available, check the box next to “I agree to Terms and Conditions” and click on the “Register Domain” button.
Step 3. Click on the “Click Here to login” button to test the domain.
Important Note: If you have customized the user interface, test your custom elements (custom buttons, Visualforce pages, etc.) thoroughly before deploying the custom domain to your users. Your customizations should not use instance-based URLs, or else those will break when you deploy the domain name.
Step 4. Click on the “Edit” button in the Authentication Configuration section to customize your login screen.
Step 5. Specify the header logo, background color, right frame URL.
- Header Logo: Images can be .jpg, .gif, or .png file, up to 100 KB. Maximum image size is 250px by 125px.
- Background Color: To customize your login page background, click the color swatch or enter a valid hexadecimal color code.
- Right Frame URL: Provide a URL of the file to be included in the right-side iframe on the login page. This URL must use SSL encryption with a https:// prefix. Maximum content size is 478px by 397px.
- Authentication Service: Salesforce is defaulted as the identity provider when a custom domain is created. After the domain is deployed, you can add/change the identity provider to further increase security by customizing your login policy. (We will come back to this step in the use case to allow for single sign-on authentication.)
Step 6. Once testing is completed, click on “Deploy to Users” to deploy your custom domain to your users.
Now when your users access Salesforce, they will use: <domain name>.my.salesforce.com instead of login.salesforce.com.
Note: for sandboxes, the URL is <domain name>--<sandbox name>.<server name>.my.salesforce.com instead of test.salesforce.com.