Identity Confirmation (setting login restrictions)

Posted September 12th, 2008 in Certified Administrator by John Coppedge

Describe the Identity Confirmation Feature

The identity confirmation feature is what requires you to activate your computer to log in.

From Salesforce solution "What is the Identity Confirmation feature and how does it work?"

Criteria for Activation Process:

  1. Is the org using IP Login Restrictions on Profiles?
  2. Is the User logging in from an IP on the Trusted Network list?
  3. Have we seen this Activated User from this IP address before?
    • If Activated once before, we add the IP to their personal list and never challenge them from that IP again.
    • Each user has a list of IPs from which they’ve activated. (This list is not currently visible in the application.)
  4. Does the User have a cookie placed from Salesforce in this browser?
    • We set a cookie on any browser that doesn’t have a cookie once a User has logged in.
    • If they log in from a Trusted Network IP a cookie will be set in the browser.

Yes on any one of these = Pass on activation process

No on all of these = Initiate activation process

The activation process requires you to click "Send activation link" when you attempt to log in.  Salesforce will then send you an email with a link that you must click to complete the activation process.  You must click this link on the same computer that you intend to log in on; a BlackBerry or remote computer will not work.


Describe the differences between logging in through the API versus the UI

Logging in through the user interface (UI) means logging into Salesforce using a web browser.  If you are not a) connecting through a web browser and b) connected to https://xxx.salesforce.com, then you are almost undoubtedly connecting through the API.

API access comes in many forms: Connect for Outlook, Salesforce Offline, and basically any external application or website that references data in Salesforce uses API calls.


Explain the concept of Login Hours and Login IP ranges

Login hours are configured on a per-profile basis, Enterprise and up only.

Setup –> Manage Users –> Profiles

Login IP Ranges

By default, any user can connect from any IP address.  When you add an IP range, then users can only connect from allowed networks.  Login IP Ranges are configured depending on version:

Enterprise and up: Profile-based

Setup –> Manage Users –> Profiles

Professional and lower: Company-wide

Setup –> Security Controls –> Session Settings

Trusted Networks

If you are connecting from a trusted network, then you will not have to activate your computer or use a security token for API calls (a password alone will suffice).  Add networks to the trusted list:

Setup –> Security Controls –> Network Access

From Salesforce solution "What is a Security Token and how does it work?"

Criteria for Security Token:

  1. Is this User / API call / client app logging in from an IP on the Trusted IP Range list?
  2. Does this User have IP Login Restrictions on their profile?

Yes on either of these will mean a pass on Security Token requirement


Add and delete an IP range

IP ranges are used for Login IP Ranges and Trusted Networks.  Use a start IP and an end IP, and it will register all IP addresses between.
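The activation and security token criteria quoted above, together with start/end IP ranges, can be modelled as follows. This is an added sketch, not Salesforce's code or the author's: the class and function names are hypothetical, range endpoints are assumed to be inclusive, and the addresses are constructed documentation ranges.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

def in_ranges(ip, ranges):
    """True if ip falls inside any (start, end) range; endpoints assumed inclusive."""
    addr = ip_address(ip)
    return any(ip_address(lo) <= addr <= ip_address(hi) for lo, hi in ranges)

@dataclass
class Org:
    trusted_networks: list  # Network Access list: [(start, end), ...]

@dataclass
class User:
    profile_login_ranges: list = field(default_factory=list)  # Login IP Ranges
    activated_ips: set = field(default_factory=set)           # per-user activated IPs

def login_allowed(user, ip):
    """With no Login IP Ranges set, any address may connect."""
    return not user.profile_login_ranges or in_ranges(ip, user.profile_login_ranges)

def needs_activation(org, user, ip, has_cookie):
    """UI login: yes on any one criterion passes; no on all starts activation."""
    passes = (bool(user.profile_login_ranges)
              or in_ranges(ip, org.trusted_networks)
              or ip in user.activated_ips
              or has_cookie)
    return not passes

def complete_activation(user, ip):
    """Once the emailed link is clicked, the IP joins the user's personal list."""
    user.activated_ips.add(ip)

def needs_security_token(org, user, ip):
    """API login: a trusted IP or profile IP restrictions waive the token."""
    return not (in_ranges(ip, org.trusted_networks)
                or bool(user.profile_login_ranges))

# Constructed sample data (documentation address ranges, not real networks).
ORG = Org(trusted_networks=[("192.0.2.10", "192.0.2.20")])
ROAMING = User()
RESTRICTED = User(profile_login_ranges=[("198.51.100.0", "198.51.100.255")])
```

Under the criteria as quoted, activating a computer from an IP does not waive the security token for API calls from that same IP; only the trusted list or profile IP restrictions do.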


Describe the different methods to allow access to the application

There are several methods to access the program:

Web browsers (UI)

API access (3rd party programs, websites, etc.).  The API is only available to Enterprise Edition and up.

Mobile application (BlackBerry)

Access is granted by creating a user with a set profile.  This profile restricts access hours and API access.  Mobile access is licensed per user and assigned as such.