Salesforce.com Certified Administrator

Identity Confirmation (setting login restrictions)
Describe the Identity Confirmation feature
By default, Salesforce.com's Identity Confirmation feature automatically recognizes whether a user is logging in from an IP address or device that has been previously used. Unrecognized IP addresses or devices prompt identity re-verification.

The identity confirmation feature is what requires you to activate your computer to log in.

From Salesforce solution "What is the Identity Confirmation feature and how does it work?"

Criteria for Activation Process:

1. Is the org using IP Login Restrictions on Profiles?
2. Is the User logging in from an IP on the Trusted Network list?
3. Have we seen this Activated User from this IP address before?

----If Activated once before, we add the IP to their personal list and never challenge them from that IP again.
Each user has a list of IPs from which they’ve activated. (This list is not currently visible in the application.)

4. Does the User have a cookie placed from Salesforce in this browser?

----We set a cookie on any browser that doesn’t have a cookie once a User has logged in.
If they log in from a Trusted Network IP a cookie will be set in the browser.

*Yes on any one of these = Pass on activation process
*No on all of these = Initiate activation process

The activation process requires you to click "Send activation link" when you attempt to log in. Salesforce will then send you an email with a link that you must click to complete the activation process. You must click this link on the same computer that you intend to log in on; a BlackBerry or remote computer will not work.
Describe the differences between logging in through the API versus the UI
The user interface (UI) is logging into Salesforce using a web browser. If you are not a) connecting through a web browser and b) connected to https://xxx.salesforce.com, then you are almost undoubtedly connecting through the API.

API access comes in many forms: Connect for Outlook, Salesforce Offline; basically, any external application/website that references data in Salesforce uses API calls.

Salesforce.com checks whether the user's profile has login hour restrictions. If login hour restrictions are specified for the user's profile, any login outside the specified hours is denied.

Salesforce.com then checks whether the user's profile has IP address restrictions. If IP address restrictions are defined for the user's profile, any login from an undesignated IP address is denied, and any login from a specified IP address is allowed.

If profile-based IP address restrictions are not set, Salesforce.com checks whether the user is logging in from an IP address they have not used to access Salesforce.com before:

- If the user's login is from a browser that includes a Salesforce.com cookie, the login is allowed. The browser will have the Salesforce.com cookie if the user has previously used that browser to log in to Salesforce.com, and has not cleared the browser cookies.

- If the user's login is from an IP address in your organization's trusted IP address list, the login is allowed.

- If the user's login is from neither a trusted IP address nor a browser with a Salesforce.com cookie, the login is blocked.

Whenever a login is blocked or returns an API login fault, Salesforce.com must verify the user's identity:

- For access via the user interface, the user is prompted to click a Send Activation Link button to send an activation email to the address specified on the user's Salesforce.com record. The email instructs the user to copy and paste an activation link into their browser to activate their computer for logging in to Salesforce.com. The activation link included in the email is valid for up to 24 hours from the time the user clicked the Send Activation Link button. After 24 hours, the activation link expires, and users must repeat the activation process to log in.

Note -
The first time a user logs into Salesforce.com, they do not have to activate their computer. However, the next time a user logs in, they must activate their computer using the Send Activation Link button.

- For access via the API or a client, the user must add their security token to the end of their password in order to log in. A security token is an automatically-generated key from Salesforce.com. For example, if a user's password is mypassword, and their security token is XXXXXXXXXX, then the user must enter mypasswordXXXXXXXXXX to log in.

Users can obtain their security token by changing their password or resetting their security token via the Salesforce.com user interface. When a user changes their password or resets their security token, Salesforce.com sends a new security token to the email address on the user's Salesforce.com record. The security token is valid until a user resets their security token, changes their password, or has their password reset.

Tip -
It is recommended that you obtain your security token via the Salesforce.com user interface from a trusted network prior to attempting to access Salesforce.com from a new IP address.
Example of API is Dataloader.
Salesforce desktop client examples are
1) Connect for Outlook
2) Salesforce for Outlook
3) Connect Offline
4) Connect for Office
5) Connect for Lotus Notes

Other ways of accessing Salesforce are via the API, Data Loader or user interfaces.

Explain the concept of Login Hours and Login IP ranges
Profile-Based Login Hours and IP Addresses
- For each profile, you can set the hours when users can log in and the IP addresses from which they can log in.

Organization-Wide Trusted IP Address List
- For all users, you can set a list of IP address ranges from which they can always log in without receiving a login challenge.

Login hours are configured on a per-profile basis, Enterprise and up only.

Setup –> Manage Users –> Profiles

Login IP Ranges

By default, any user can connect from any IP address. When you add an IP range, then users can only connect from allowed networks. Login IP Ranges are configured depending on version:

Enterprise and up: Profile-based

Setup –> Manage Users –> Profiles

Professional and lower: Company-wide

Setup –> Security Controls –> Session Settings

Trusted Networks

If you are connecting from a trusted network, then you will not have to activate your computer or use a security token for API calls (a password alone will suffice). Add networks to the trusted list:

Setup –> Security Controls –> Network Access


Criteria for Security Token:

Is this User / API call / client app logging in from an IP on the Trusted IP Range list?

Does this User have IP Login Restrictions on their profile?

*Yes on either of these will mean a pass on Security Token requirement
Login hours refers to when a user's login time has been restricted to between certain times. For IP ranges, a user can be restricted to logging in from within certain IP ranges; if they attempt to log in from an IP outside of the range, they are not allowed to log in.
Add and delete an IP range
Administration Setup > Security Controls > Network Access
New to create a new range
Delete from action column
IP ranges are used for Login IP Ranges and Trusted Networks. Use a start IP and an end IP, and it will register all IP addresses between.
Describe the methods to allow access to the application
There are several methods to access the program:

Web browsers (UI)

API access (3rd party programs, websites, etc.). The API is only available to Enterprise Edition and up.

Mobile application (Blackberry)

Access is granted by creating a user with a set profile. This profile restricts access hours and API access. Mobile access is licensed per user and assigned as such.

Mobile Application (Salesforce1 Mobile Application)
 
