0 Replies Latest reply: Oct 14, 2015 4:27 AM by Alex Nimmo

    Salesforce Connector & Salesforce Winter 16 security updates

      Hi,

       

      I have received a notification email from Salesforce entitled "Additional Protection Against Forced Login Attempts with Winter ‘16 Release".

       

      Are there any measures I need to take in respect of the QlikView Salesforce connector, bearing in mind the body of the email:

       

      "As an admin of a Salesforce org, we want to notify you that we are adding measures to prevent scripts, sites and other sources from automatically logging in users without the user’s explicit authorization. This type of automatic logging in of users is commonly known as “forced login”, and while it’s not necessarily nefarious - some system administrators intentionally use this technique for the convenience of their users - we believe it will provide a more trusted login experience if users give their explicit authorization. We have detected that this change may impact your organization as you may be using forced login with a program or script.

      What is the change?
      With the Winter ‘16 release*, users will be warned when a website, application, or other source uses a link or script to force a user to login to Salesforce. When Salesforce detects this activity, we will prompt the user to verify the account and login attempt.

      *Currently scheduled for October 2015; date subject to change

      Users can select or deselect ‘Don't ask again’ on their device. When this option is selected, Salesforce remembers the preference for the account and browser combination by storing the information in cookies. Salesforce will not prompt users when logging in through a web form and using a standard login page, such as https://login.salesforce.com, or a login page for custom Salesforce domains, portals, or communities. Single sign-on, two factor authentication, and non-browser logins will also not receive this message.

      How may this impact my Salesforce implementation?
      Programs and scripts developed to send requests that look like they come from a browser will likely prompt the warning message page. These programs or scripts may need to be modified by changing their HTTP request behavior, or updated to handle the new message appearing in the login flow. Please see login() from the API Developer’s Guide.

      Why are we making this change?
      We are committed to providing customers with the best experience and control over their implementations. This security improvement warns users of being forcefully logged in to Salesforce orgs without explicit authorization. It provides a more trusted login experience.

      What action do I need to take?
      If your organization requires the ability to use forced logins without this additional security, please contact Customer Support via the Help & Training portal to have this permission disabled.

      Where can I find more information?
      For more information on the improved security for unwanted login attempts, please see the Winter ‘16 Release Notes.

      For additional questions, you can open a case with Customer Support via the Help & Training portal."