The following describes how to work with Salesforce under Skyhigh CASB Secure scenarios. The scenarios are described in a general manner and reference a knowledge base article for step-by-step instructions.
Working with SAML
Security Assertion Markup Language (SAML) is an XML-based standard that allows you to communicate authentication decisions between one service and another. It underlies many web single sign-on solutions. Salesforce supports SAML for single sign-on into Salesforce from a corporate portal or identity provider.
When working with Salesforce through Skyhigh CASB Secure, the system administrator needs to verify that the platform is already configured to work with SAML and with the Identity Provider (IDP). In addition, the user needs to verify that a valid domain name for the IDP is set up. This domain name is a Skyhigh CASB-specific name for proxying the IDP, used specifically to get Salesforce.com SAML working through Skyhigh CASB Secure. It is needed in addition to the domain name that was already used for the IDP before Skyhigh CASB was implemented.
The system administrator configures Skyhigh CASB first, and then Salesforce.
Skyhigh CASB Configuration
Contact Skyhigh CASB support and provide the Skyhigh CASB Secure IDP domain. In return, support provides a custom Skyhigh CASB policy template, which is uploaded to Skyhigh CASB and activated.
The Salesforce platform configuration entails editing the Single Sign-On settings page and, in the Identity Provider Login URL field, replacing the existing URL with the Skyhigh CASB Secure IDP domain name. If needed, the Identity Provider Logout URL should be replaced as well.
NOTE: To work over HTTPS, the Identity Provider Login URL must start with https://.
- Only Federated SAML 2.0 is supported.
- Users who log in to salesforce.com with the Skyhigh CASB Secure and SAML setup described here are not authenticated to other applications for which the IDP would normally provide authentication, because they are authenticated only to the Skyhigh CASB Secure-proxied IDP, not to the IDP itself.
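The two configuration checks above (the Login URL must use https://, and the endpoints must point at the CASB-proxied IDP domain rather than the original IDP) can be verified against the IdP's SAML metadata before the change is deployed. The following script is an added example, not Skyhigh or Salesforce code; the metadata document, the idp.example.com and casb.example.com hostnames, and the endpoint paths are constructed placeholders.

```python
"""Check that a SAML IdP's SSO/SLO endpoints use HTTPS and point at the
CASB-proxied IDP domain. Added illustration; not Skyhigh or Salesforce code."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample IdP metadata (hostnames and paths are placeholders).
# One endpoint is correctly proxied; the other two still reference the
# original IDP, one of them over plain http.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp-proxy.casb.example.com/saml/sso"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.com/saml/sso"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/slo"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_endpoints(metadata_xml: str, proxied_idp_domain: str) -> list:
    """Return one finding per SSO/SLO endpoint, in document order.

    A finding is ok only when the Location uses https and its host is the
    proxied IDP domain or a subdomain of it."""
    root = ET.fromstring(metadata_xml)
    domain = proxied_idp_domain.lower()
    findings = []
    for tag in ("SingleSignOnService", "SingleLogoutService"):
        for el in root.iterfind(f".//md:{tag}", NS):
            loc = el.get("Location", "")
            u = urlparse(loc)
            host = (u.hostname or "").lower()
            problems = []
            if u.scheme != "https":
                problems.append("scheme is not https")
            if not (host == domain or host.endswith("." + domain)):
                problems.append(f"host {host!r} is not under {domain!r}")
            findings.append({
                "service": tag,
                "binding": el.get("Binding", ""),
                "location": loc,
                "ok": not problems,
                "problems": problems,
            })
    return findings


def all_endpoints_proxied(metadata_xml: str, proxied_idp_domain: str) -> bool:
    """True only when every SSO/SLO endpoint passes both checks."""
    return all(f["ok"] for f in check_idp_endpoints(metadata_xml, proxied_idp_domain))


if __name__ == "__main__":
    for f in check_idp_endpoints(SAMPLE_METADATA, "casb.example.com"):
        status = "OK " if f["ok"] else "FIX"
        print(f"{status} {f['service']:20} {f['location']}  {'; '.join(f['problems'])}")
```

Run it against the metadata exported from your IdP (or the proxied copy you intend to load into Salesforce) with the Skyhigh CASB Secure IDP domain as the second argument; any FIX line is an endpoint that would either downgrade to http or bypass the proxy.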
Skyhigh CASB servers are deployed in your environment and act as a reverse proxy with built-in encryption capabilities to encrypt or tokenize sensitive data. The Encryption Proxy is a front-end server that handles communication between clients and Salesforce cloud services over several web protocols (for example, HTTP and HTTPS) and the mail transfer protocol (SMTP), and across several formats (for example, HTML, XML, and JSON). As such, during configuration, you specify a proxy domain.
While a Skyhigh CASB Secure Gateway is based on a reverse proxy for controlling HTTP and HTTPS traffic, the Skyhigh CASB environment also provides encryption capabilities for SMTP traffic. Emails are used in the Salesforce platform for managing notifications, tasks, events, and general correspondence. You might consider encrypting email traffic for a few reasons:
- Email correspondence is documented in your Salesforce org and might contain information that requires encryption.
- Emails, based on email templates, might contain encrypted data that should be decrypted before being sent to users, so they can read it in cleartext.
- Emails contain embedded links to Salesforce, which should be replaced with links that first invoke the Skyhigh CASB Secure environment.
Each Skyhigh CASB Secure Gateway contains a Mail Transfer Agent (Qmail) for handling inbound and outbound SMTP communication. Qmail setup and configuration are built into the Skyhigh CASB Secure installation and are ready for use. As with the preparation of any mail transfer agent, a few network preparations are needed to enable this traffic:
- Define MX record. Define a unique mail exchange record pointing to the Skyhigh CASB environment or to your organizational mail entry point. Once this MX record is defined, it should also be declared in the Skyhigh CASB Secure environment, so that email addresses are encrypted using this suffix.
- Port 25. Open port 25 for inbound traffic on each encryption reverse proxy server.
- Skyhigh CASB Secure Mail Transfer Agent. Define, on each Skyhigh CASB Secure Gateway, where emails are sent by Skyhigh CASB.
- Domains. Define, on each Skyhigh CASB Secure Gateway, the domains from which emails are accepted by Qmail.
Data Residency Policy Rules
Once the Skyhigh CASB Secure environment is prepared for receiving and sending emails, users’ email addresses, contacts’ email addresses, and any custom email address fields from which Salesforce might send outbound messages should be encrypted using the Email Encryption method. Email Encryption tokenizes an email address and also concatenates the predefined MX suffix to the tokenized value; this keeps the mail address convention while ensuring that emails are sent first to the Skyhigh CASB Secure environment for decryption.
The Salesforce.com platform configuration entails editing the User Details page, setting the Email encoding for each user to Unicode (UTF-8), and setting the same encoding for each email template used for email notifications.
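To make the tokenize-plus-MX-suffix idea concrete, here is an added illustration of the mechanism. It is not Skyhigh's algorithm and not taken from the page: the HMAC-based token, the in-memory vault, the key, and the mx.casb.example suffix are all constructed assumptions. The point it shows is that the stored value still looks like an email address, that Salesforce will therefore deliver to it, and that only the gateway holding the vault can map it back before relaying the message onward.

```python
"""Illustration of address tokenization with an MX suffix, as described above.
Added example; not Skyhigh's implementation. Key, suffix and vault are stand-ins."""
import hashlib
import hmac
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class EmailTokenizer:
    """Replace real addresses with token@<mx suffix> and reverse the mapping."""

    def __init__(self, key: bytes, mx_suffix: str):
        self.key = key                       # constructed secret for this demo
        self.mx_suffix = mx_suffix.lower()   # the MX record declared to the gateway
        self.vault = {}                      # token -> original address (stand-in for a vault)

    def tokenize(self, address: str) -> str:
        """Return a routable tokenized address; same input always yields same token."""
        addr = address.strip().lower()
        if not EMAIL_RE.match(addr):
            raise ValueError(f"not an email address: {address!r}")
        # Deterministic keyed token so equal addresses compare equal once tokenized
        # (useful for matching and dedup); UTF-8 keeps non-ASCII addresses stable.
        token = hmac.new(self.key, addr.encode("utf-8"), hashlib.sha256).hexdigest()[:24]
        self.vault[token] = addr
        return f"{token}@{self.mx_suffix}"

    def detokenize(self, address: str) -> str:
        """Map a tokenized address back; addresses not under our suffix pass through."""
        local, _, domain = address.strip().lower().rpartition("@")
        if domain != self.mx_suffix:
            return address.strip()
        try:
            return self.vault[local]
        except KeyError:
            raise LookupError(f"unknown token {local!r} for suffix {self.mx_suffix!r}") from None

    def rewrite_recipients(self, header_value: str) -> str:
        """Detokenize a comma-separated recipient header as the gateway would on
        outbound mail, leaving untokenized recipients untouched."""
        parts = [p.strip() for p in header_value.split(",") if p.strip()]
        return ", ".join(self.detokenize(p) for p in parts)


if __name__ == "__main__":
    t = EmailTokenizer(b"constructed-demo-key", "mx.casb.example")
    stored = t.tokenize("Alice@Example.com")          # what Salesforce holds
    print("stored in Salesforce :", stored)
    print("relayed by gateway   :", t.rewrite_recipients(f"{stored}, bob@other.example"))
```

The pass-through branch in detokenize matters in practice: a notification can carry a mix of tokenized internal recipients and plain external ones, and the gateway must only rewrite the addresses under its own suffix.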
Inbound Messaging to Salesforce
Salesforce provides inbound messaging capabilities for scenarios such as Email-to-Case, Email-to-Salesforce, Chatter replies, and additional scenarios. These scenarios require specific policy rule definitions. In such scenarios, emails should first be sent to Skyhigh CASB, go through a process of encrypting the subject, body, attachments, and From email address, and then be transported to the predefined email address in Salesforce, as it was provided originally.
Transport Layer Security
The Salesforce platform provides secure email communication for SMTP sessions using TLS, which can also be applied while Skyhigh CASB Secure is implemented with your org. For further information, see the Configuring Deliverability Settings documentation in Salesforce.
Skyhigh CASB Secure supports the On-Demand Email-to-Case feature in Salesforce.com. To encrypt or tokenize the Email-To-Case content, Email-To-Case submissions should be routed to Skyhigh CASB before they are sent to the Email Services Address provided to you by Salesforce.
For On-Demand Email-to-Case via Skyhigh CASB Secure:
- Define email addresses on your email system for case submissions.
- Create email routing addresses that include the addresses defined for cases.
- Configure your email system to forward case submissions to Skyhigh CASB Email-To-Case address.
- Configure Email-To-Case on Skyhigh CASB.
- Enable On-Demand Email-to-Case.
Email Settings Configuration
Follow the Email-To-Case settings instructions on how to define email addresses and routings on your email system for case submissions. You need to configure your email system to forward case submissions to the Skyhigh CASB Email-To-Case address instead of to the Email Services Address provided to you by Salesforce. The following is an example of the email forwarding rule configuration required on your email system:
Skyhigh CASB Secure Policy Configuration
Skyhigh CASB configuration entails using the Policy Editor to configure the Policy template for email message objects and fields. During the configuration, the system administrator needs to return to Salesforce and perform verification and editing tasks, and follow the confirmation instructions on the email account.
On-Demand Email-to-Case configuration in Salesforce should be performed as directed by Salesforce. The system administrator configures the Salesforce.com platform and Skyhigh CASB Secure, and provides an example of the system email case submission and forwarding definition. For more detailed instructions, contact Salesforce support.
Salesforce Reports and Views
For the Salesforce application to support Reports and Views for custom fields when working through Skyhigh CASB Secure, the user’s SFDC credentials must be entered into the Admin Console. The credentials need to be entered in the Salesforce Credentials tab under Setup.
NOTE: You must perform a Deploy Now after setting up the credentials for this support to become active.
Salesforce for Outlook
Salesforce for Outlook, a Microsoft Outlook integration application that you install, automatically syncs contacts, events, and tasks between Outlook and Salesforce. You can also manually add Outlook emails to these Salesforce records:
When working with Salesforce through Skyhigh CASB Secure, the ability to encrypt email, contacts, events, and tasks is added. The system administrator configures Salesforce and the user configures Salesforce for Outlook.
To work through Skyhigh CASB Secure, the system administrator configures Outlook in Salesforce and the policy template in Skyhigh CASB. Step-by-step instructions can be found in the knowledge base.
Outlook configuration in Salesforce should be performed as directed by Salesforce. The only consideration is that under Email Setting, only Add Email should be selected.
The Skyhigh CASB Secure configuration is performed in the Policy Editor. The system administrator configures the Email Messages and Attachments objects with the proper encryption type according to company policy. The only consideration is that when the From: Email Address object is encrypted, the user needs to confirm the My Email to Salesforce page in Salesforce and click Save, making sure emails go through Skyhigh CASB Secure first for encryption.
Once the system administrator configures Salesforce and Skyhigh CASB Secure, the user can install (if not yet done) and configure the Salesforce for Outlook application. The considerations are:
- The application should be configured with the Skyhigh CASB Secure domain login URL.
- The Email to Salesforce address in the My Email to Salesforce page should not be used to send emails, because it sends cleartext, not encrypted, mail.
When working with Salesforce Chatter (browser) through Skyhigh CASB Secure, the following functionality is supported:
- Encryption of chatter feeds, posts, and comments
- Search and Favorite
- @mention, #topic and links into content
- Email reply and links-in-email
- File attachments
- Post links
Omni Channel (Live Agent) App in Salesforce is supported via Reverse Proxy.
- The basic functionality of Omni Channel with Live Agent (the SFDC agent chat window) works via the proxy.
- Identify and add all custom domains related to Omni Channel as service properties (for example, custom.domain.xxx = c.la1-c2cs-dfw.salesforceliveagent.com).
- You can identify all possible custom domains associated with Omni Channel in a Salesforce instance by accessing the app and capturing the network traffic.
The assumption is that no encrypted content passes through the Omni Channel app. Content cannot be decrypted in this case, and decryption is not supported via the proxy.
Skyhigh CASB does not support DLP policies on content traversing the Omni Channel app.
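The step of identifying Omni Channel custom domains from captured network traffic can be turned into a repeatable check rather than a manual read of the developer tools. The script below is an added example, not Skyhigh code: it reads a browser HAR export, keeps only hosts under the salesforceliveagent.com suffix named on this page, and prints them as service property lines. The HAR excerpt is constructed (only the c.la1-c2cs-dfw.salesforceliveagent.com host comes from the page), and the custom.domain.N key naming is an assumption modelled on the page's custom.domain.xxx sample, so adjust it to whatever your gateway expects.

```python
"""Derive the Omni Channel / Live Agent host list from a HAR capture.
Added example; not Skyhigh code. Property key format is assumed."""
import json
from urllib.parse import urlparse

# Constructed HAR excerpt. Hosts other than the page's example are made up.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://c.la1-c2cs-dfw.salesforceliveagent.com/chat/rest/System/SessionId"}},
    {"request": {"url": "https://d.la1-c2cs-dfw.salesforceliveagent.com/chat/rest/Chasitor/ChatMessage"}},
    {"request": {"url": "https://c.la1-c2cs-dfw.salesforceliveagent.com/chat/rest/System/Messages"}},
    {"request": {"url": "https://example.my.salesforce.com/lightning/page/home"}},
    {"request": {"url": "https://cdn.example-analytics.net/beacon.js"}},
]}})


def capture_hosts(har_text: str, suffixes=("salesforceliveagent.com",)) -> list:
    """Return the distinct, sorted hostnames from HAR requests that fall under
    one of the given suffixes; everything else (the org itself, third-party
    scripts) is ignored so only the Live Agent endpoints are proposed."""
    entries = json.loads(har_text)["log"]["entries"]
    hosts = set()
    for entry in entries:
        host = (urlparse(entry["request"]["url"]).hostname or "").lower()
        if any(host == s or host.endswith("." + s) for s in suffixes):
            hosts.add(host)
    return sorted(hosts)


def service_properties(hosts, key_prefix="custom.domain") -> list:
    """Format hosts as '<key_prefix>.N = host' lines (key naming is assumed)."""
    return [f"{key_prefix}.{i} = {h}" for i, h in enumerate(hosts, start=1)]


if __name__ == "__main__":
    for line in service_properties(capture_hosts(SAMPLE_HAR)):
        print(line)
```

Export the HAR from a full agent session (accept a chat, send a message, end it) so that every Live Agent host the app contacts shows up; a host missed here is one the proxy will not front, and the page's caveat that Omni Channel content is not decrypted and not covered by DLP still applies to everything this list lets through.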