Securing composite app single sign-on with Salesforce session ID


We currently have an integration with our external platform inside Salesforce by using iframes. For authentication we pass the Salesforce session as a query string parameter inside the iframe address and do callback authentication from our external platform. But our client now feels this mode is insecure as we pass the Salesforce session ID in plaintext.

Can we improve this in any way? I also feel this is an old way of doing integration. Are there any better methods available now?

Attribution to: tamizhgeek

Possible Suggestion/Solution #1

If the iframe address is https, then the session id is secure on the wire. You could encrypt it as well, with a shared secret, but I'm not sure how much practical advantage that would give, since the browser can see the session id in the cookie anyway.

There is a new approach to this kind of integration - Canvas - but it is (as of Winter '13) still in pilot.

Attribution to: metadaddy
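
The shared-secret option mentioned in the answer, sketched in Node.js as an added example (not code from the original posts): the session ID is sealed with AES-256-GCM before it goes into the iframe address and opened again on the external platform. The function names, the dot-separated token layout and the 60-second freshness window are assumptions; HTTPS is still what protects the request on the wire.

```javascript
// Added example. Names, token layout and MAX_AGE_MS are illustrative assumptions.
const nodeCrypto = require('node:crypto');

const MAX_AGE_MS = 60 * 1000; // assumed freshness window for a token

// Sending side: seal the session ID so the raw value never appears in the URL.
// `key` is the 32-byte secret shared with the external platform.
function sealSessionId(sessionId, key, now = Date.now()) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every token
  const issuedAt = Buffer.from(String(now));
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(issuedAt); // timestamp is authenticated but not encrypted
  const ct = Buffer.concat([cipher.update(sessionId, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  return [issuedAt, iv, ct, tag].map((b) => b.toString('base64url')).join('.');
}

// Receiving side: returns the session ID, or null if the token is malformed,
// stale, tampered with, or sealed under a different key.
function openSessionId(token, key, now = Date.now()) {
  const parts = token.split('.');
  if (parts.length !== 4) return null;
  const [issuedAt, iv, ct, tag] = parts.map((p) => Buffer.from(p, 'base64url'));
  const ts = Number(issuedAt.toString());
  if (!Number.isFinite(ts) || Math.abs(now - ts) > MAX_AGE_MS) return null;
  if (iv.length !== 12 || tag.length !== 16) return null;
  try {
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
    decipher.setAAD(issuedAt);
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch (err) {
    return null; // GCM tag check failed
  }
}

// Constructed demo values; a real key would come from a secret store.
function demo() {
  const key = nodeCrypto.randomBytes(32);
  const token = sealSessionId('00D-constructed-session-id', key);
  return { param: 'token=' + token, opened: openSessionId(token, key) };
}
```
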
This content is remixed from stackoverflow or stackexchange. Please visit
