The second in a series of integration study groups led by Niki Vankerk

1. INTEGRATION PEER-LED STUDY
GROUP
MEETING 3: APRIL 30, 2018
FACILITATOR: NIKI VANKERK

2. AGENDA
• Quick round of intros – name/where you are/planned exam date
• Certificates and 2-way SSL (Niki)
• Security/Oauth (Edith)
• State Management Considerations (Susannah)
• Mashups & Canvas (Nadina)
• Choose next topics

3. INTROS

4. SSL / CERTIFICATES - Niki

5. CERTIFICATES AND 2-WAY SSL
• SSL (Secure Socket Layers) and TLS (Transport Layer Security) are protocols that provide
data encryption and authentication between applications and servers in scenarios where that
data is being sent across an insecure network
• SSL and TLS simply refer to the handshake that takes place between a client and a server.
The handshake doesn’t actually do any encryption itself, it just agrees on a shared secret
and type of encryption that is going to be used.
• TLS is the newer version of SSL but often used interchangeably
• Helps avoid Middleman attack or passively listening to communications

6. 1-WAY vs 2-WAY SSL
Mutual Authentication: Read more

7. CERTIFICATES
• CA-Signed: Certificate Authority signed cert, available for cost from certain authorities that Salesforce recognizes
• Required for any external system coming into Salesforce (target host for outbound messages, delegated
authentication, apex callouts); Salesforce won’t accept self signed certs
• Self-signed: certificate is created in Salesforce and can be used for SSO with SAML (where Salesforce is the
Service Provider instead of the Identity provider) or applications within your network/firewall, or Apex callouts
depending on target
Master Encryption Keys:
- classic Encrypted data
types
- auto assigned when you
create them
- can archive/create new
keys here
- data starts using the new
key once you update/save
data record
API Client Certificate
- Used for outbound
messages, delegated auth,
SAML Assertions
- Apex callouts can select
the certificate to use
- Enforce SSL/TLS Mutual
Auth perm in profile
Expiring Certificate Notices: Help Article

8. CERTIFICATES - WHAT CREATES THEM
• My Domain: when enabled, Self Signed cert is created by SF to enable as Identity Provider
• Valid for 1 or 2 years (dev org 1yr)
• if not using Idp then no need to renew certificate
• Single Sign On: when configuring this, use Certificate in ‘Request Signing Certificate’ and also can upload the Identity
Provider Certificate with the certificate they issued to you
• Environment Hub: can be enabled for multi org or consulting or ISV partners to manage multiple orgs
• Master/Hub org needs My Domain
enabled
• It becomes the identity provider
for member orgs, allows SSO into
each member org as long as cert
is valid
• Adding a member org creates a new
Self signed certificate in that member
org, named after master org
• Creates a Service Provider listing in the
master org’s Identity Provider page
where Identity Provider is using the
valid certificate

9. SECURITY - Edith

10. SECURITY - Inbound connections
• Client applications are treated as users
• Standard Salesforce security mechanisms apply
• Authentication
• Restrict network and session security
• Data security
• Transport layer security (TLS protocol, https)

11. User authentication
• Username / password: login page, OAuth (username-password flow), API
• Single sign-on
• Additional criterion: security token, two-factor authentication
• Access to resources
• Profiles
• Permissions needed: API Enabled, API Only user, password never expires

12. Oauth (1)
• Open protocol, authorization
• Allows a user to authorize one site to access another site on behalf of the user
• APIs can use Oauth 2.0 to authorize access to Salesforce resources
• Advantages
• HTTP based
• Interfaces already exist
• Works great for mobile
• Reduces security and management issues

13. Oauth (2)
• Tokens: Authorization code, access
token (session ID), refresh token, ID
token
• Authentication flows: Web server
(code grant type), user-agent (implicit
grant type), JWT Bearer token,
Device authentication, Asset toke,
SAML Bearer Assertion, SAML
Assertion, Username and password

14. Setup OAuth
• Connected App
• Consumer key and consumer secret
• Security controls
• OAuth scope controls
• Policies user reconnects
• SAML service provider settings

15. STATE MANAGEMENT - Susannah

16. STATE MANAGEMENT:
Request and Reply
When integrating systems using request and reply, keys are important for ongoing state
tracking.
There are two options:
● Salesforce stores the remote system’s primary or unique surrogate key for the remote
record.
● The remote system stores the Salesforce unique record ID or some other unique surrogate
key.
How you handle the integration keys depends on which system contains the master record
A program is described as stateful if it is
designed to remember preceding events or
user interactions; the remembered information
is called the state of the system.

17. STATE MANAGEMENT:
Fire and Forget
The following table lists considerations for state management in the fire and forget pattern.
A program is described as stateful if it is
designed to remember preceding events or
user interactions; the remembered information
is called the state of the system.

18. STATE MANAGEMENT:
Remote Call-In
Similar to request/reply, keys are important for ongoing state tracking in the remote call-in
pattern.
For example, if a record gets created in the remote system, in order to support ongoing updates
to that record. There are two options:
● Salesforce stores the remote system’s primary or unique surrogate key for the remote
record.
● The remote system stores the Salesforce unique record ID or some other unique
surrogate key.
There are specific considerations for handling integration keys in this synchronous
pattern.
A program is described as stateful if it is
designed to remember preceding events or
user interactions; the remembered information
is called the state of the system.

19. STATE MANAGEMENT:
Batch Data Synchronization
You can implement state management by using surrogate keys between the two systems. If you need any type of
transaction management across Salesforce entities, we recommend that you use the Remote Call-In pattern using Apex.
Standard optimistic record locking occurs on the platform, and any updates made using the API require the user, who is
editing the record, to refresh the record and initiate their transaction. In the context of the Salesforce API, optimistic locking
refers to a process where:
● Salesforce doesn’t maintain the state of a record being edited by a specific user.
● Upon read, it records the time when the data was extracted.
● If the user updates the record and saves it, Salesforce checks to see if another user has updated the record in the
interim.
● If the record has been updated, the system notifies the user that an update was made and the user should retrieve
the latest version of the record before proceeding with their updates.
A program is described as stateful if it is
designed to remember preceding events or
user interactions; the remembered information
is called the state of the system.

20. MASHUPS / CANVAS - Nadina

21. Mashups
● Definition
○ A web page or application that seamlessly combines data or functionality from two or more different
sources(systems) on a User Interface Level to create a new service.
● Two Forms: Links and iFrame
● Benefits
○ Low Cost
○ Reusability
● Caveats
○ External Mashups may impose api call limitations
○ Terms of use may limit from a data security standpoint
○ Stability in the API being utilized.

22. Mashups: Link Summary
• Used to take users to external Systems
• Implemented in Salesforce via
• Buttons (standard or Custom)
• Custom Links
• Formula fields using Hyperlink/Image
• Visualforce tag
• Asynchronous Solutions

23. Mashups: iFrame Summary
• Markup of external systems brought into Salesforce
• Implemented in Salesforce via
• Web tab
• Visualforce iFrame tag
• Synchronous Solutions- user has to wait until the content is loaded

24. Canvas/Canvas App
● Definition
○ A framework for making external Web Applications accessible to selected users from within Salesforce.
● Uses
○ Within the Chatter tab
○ On a visualforce page
○ As a publisher action
○ In a Salesforce Console
○ In a page layout for a standard or custom object
○ As a feed item
○ Within Salesforce 1 as a navigation item
● Application access is controlled by Administrator
■ Signed request or OAuth policy
■ Permission sets
■ Session Level Security

25. Canvas- Same Origin policy
Definition:
● A Web standard practiced
to protect end user’s data
● Allows applications from
the same domain to
interact and exchange
data

26. Canvas Signed Request or OAuth

27. Canvas & Security

28. Resources
● Expiring Certificate Notices: Help Article
● Mutual Authentication: Read more
● Mashups:The What and Why
● Mashups and Visualforce
● Force.com Canvas

29. BRAINSTORM
TOPICS

30. MORE RESOURCES
• Integration Exam Resource Guide
• Integration Patterns Guide
• Trailmix for Integration Exam here

31. THANK YOU FOR COMING!
• Join our Trailblazer Community group – don’t forget to fill out your personal profile!
• Post your exam successes into the group
• If you tweet, use #LadiesBeArchitects
• Get Involved –
• Run a study group for us
• Speak at one of our Inspire meet-ups
• Blog / talk about us