The following describes how to work with Salesforce under MVISION Cloud Secure scenarios. The scenarios are described in a general manner and reference a knowledge base article for step-by-step instructions.
Working with SAML
Security Assertion Markup Language (SAML) is an XML-based standard that allows you to communicate authentication decisions between one service and another. It underlies many web single sign-on solutions. Salesforce supports SAML for single sign-on into Salesforce from a corporate portal or identity provider.
When working with Salesforce through MVISION Cloud Secure, the system administrator needs to verify that the platform is already configured to work with SAML and with the Identity Provider (IDP). In addition, the user needs to verify that a valid domain name for the IDP is set up. This domain name is an MVISION Cloud-specific name for proxying the IDP, specifically to get Salesforce.com SAML working through MVISION Cloud Secure. It is needed in addition to the existing domain name used for the IDP before implementing MVISION Cloud.
The system administrator configures MVISION Cloud first, and then Salesforce.
MVISION Cloud Configuration
Contact MVISION Cloud support and provide the MVISION Cloud Secure IDP domain. In turn, a custom MVISION Cloud policy template is provided and is uploaded to MVISION Cloud and activated.
The Salesforce platform configuration entails editing the Single Sign-On settings page and in the Identity Provider Login URL field, replacing the existing URL with the MVISION Cloud Secure IDP domain name. If needed, the Identity Provider Logout URL should be replaced as well.
NOTE: To use HTTPS, the Identity Provider Login URL must start with https://.
- Only Federated SAML 2.0 is supported.
- Users who log in to salesforce.com with the MVISION Cloud Secure and SAML setup described here are not authenticated to other applications for which the IDP would normally provide authentication, since the users are only authenticated to the MVISION Cloud Secure-proxied IDP, not to the IDP itself.
MVISION Cloud servers are deployed in your environment and act as a reverse proxy with built-in encryption capabilities to encrypt or tokenize sensitive data. The Encryption Proxy is a front-end server that handles communication between clients and Salesforce cloud services, via several web protocols (for example, HTTP and HTTPS), mail transfer protocol (SMTP) and formats (for example, HTML, XML, and JSON). As such, during configuration you specify a proxy domain.
While an MVISION Cloud Secure Gateway is based on a reverse proxy for controlling HTTP and HTTPS traffic, the MVISION Cloud environment also provides encryption capabilities for SMTP traffic. Emails are used in the Salesforce platform for managing notifications, tasks, events, and general correspondence. You might consider encrypting email traffic for a few reasons:
- Email correspondence is documented in your Salesforce org and might contain information that requires encryption.
- Emails, based on email templates, might contain encrypted data that should be decrypted before being sent to users, so they can read it in cleartext.
- Emails contain embedded links to Salesforce, which should be replaced with links that first invoke the MVISION Cloud Secure environment.
Each MVISION Cloud Secure Gateway contains a Mail Transfer Agent (Qmail) for handling SMTP communication, for inbound and outbound messages. Qmail setup and configuration is built into the MVISION Cloud Secure installation and is ready for use. Similar to the preparation of any mail transport agent, there are a few network preparations needed to enable this traffic:
- Define MX record. Define a unique mail exchange record, pointing to the MVISION Cloud environment, or to your organizational mail entry point. Once this MX record is defined, it should also be declared in the MVISION Cloud Secure environment, so email addresses are encrypted using this suffix.
- Port 25. Should be opened for inbound traffic for each encryption reverse proxy server.
- MVISION Cloud Secure Mail Transfer Agent. Define, on each MVISION Cloud Secure Gateway, where emails are sent by MVISION Cloud.
- Domains. Define, on each MVISION Cloud Secure Gateway, the domains from which emails are accepted by Qmail.
Data Residency Policy Rules
Once the MVISION Cloud Secure environment is prepared for receiving and sending emails, users’ email addresses and contacts’ email addresses (and any custom email address fields that might be used to send outbound messages from Salesforce) should be encrypted using the Email Encryption method. Email Encryption tokenizes an email address, but also concatenates the predefined MX suffix to the tokenized value, keeping the mail address convention while also making sure that emails are sent first to the MVISION Cloud Secure environment for decryption.
The Salesforce.com platform configuration entails editing the User Details page to set the Email encoding for each user, and the encoding of each email template used for email notifications, to Unicode (UTF-8).
Inbound Messaging to Salesforce
Salesforce provides inbound messaging capabilities, responding to scenarios such as Email-to-Case, Email-to-Salesforce, Chatter replies, and additional scenarios. These scenarios require specific policy rule definitions. In such scenarios, emails should first be sent to MVISION Cloud, go through a process of encrypting the subject, body, attachments and From email address, and then be transported to the predefined email address in Salesforce, as it was provided originally.
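The following Python model is an added illustration, not MVISION Cloud's own code, of the two mail flows described on this page: the Email Encryption method under Data Residency Policy Rules (a tokenized address carrying the MX suffix, restored by the gateway before outbound relay) and the inbound rewrite above (sender tokenized before the message is handed to the Salesforce address). The MX suffix, the vault design, the sample addresses and the placeholder Salesforce services address are all assumptions.

```python
import secrets
from email.headerregistry import Address
from email.message import EmailMessage

MX_SUFFIX = "mx.secure.example.com"  # assumed: the unique MX record declared on the gateway

class EmailTokenVault:
    """Vault mapping real addresses to opaque tokens that carry the gateway's MX suffix."""
    def __init__(self, mx_suffix):
        self.mx_suffix, self._by_address, self._by_token = mx_suffix, {}, {}

    def tokenize(self, address):
        token = self._by_address.get(address)  # same contact always gets the same token
        if token is None:
            token = "tok-" + secrets.token_hex(8)
            self._by_address[address], self._by_token[token] = token, address
        return f"{token}@{self.mx_suffix}"  # keeps the mail-address convention

    def detokenize(self, address):
        local, _, domain = address.rpartition("@")
        if domain != self.mx_suffix:
            return address  # not tokenized by us: pass through unchanged
        return self._by_token[local]  # unknown token raises KeyError: do not relay

def relay_outbound(msg, vault):
    """Gateway step for mail Salesforce sends to tokenized recipients: restore real addresses."""
    restored = [Address(a.display_name, addr_spec=vault.detokenize(a.addr_spec))
                for a in msg["To"].addresses]
    del msg["To"]
    msg["To"] = restored
    return msg

def gateway_inbound(msg, vault, services_addr):
    """Email-to-Case step: tokenize the sender, then forward to the Salesforce Email Services
    Address (subject, body and attachment encryption are left out of this model)."""
    sender = msg["From"].addresses[0]
    del msg["From"]
    msg["From"] = Address(sender.display_name, addr_spec=vault.tokenize(sender.addr_spec))
    del msg["To"]
    msg["To"] = services_addr
    return msg

def demo():
    """Constructed round trip in both directions; returns the values worth checking."""
    vault, contact = EmailTokenVault(MX_SUFFIX), "jane.doe@customer.example"
    stored = vault.tokenize(contact)  # the value held in the Salesforce contact field
    out, case = EmailMessage(), EmailMessage()
    out["From"], out["To"] = "noreply@acme.example", stored
    case["From"], case["To"] = Address("Jane Doe", addr_spec=contact), "cases@acme.example"
    relay_outbound(out, vault)
    gateway_inbound(case, vault, "emailtocase@PLACEHOLDER.salesforce.example")
    return {"stored": stored, "delivered_to": out["To"].addresses[0].addr_spec,
            "case_from": case["From"].addresses[0].addr_spec, "case_to": str(case["To"])}
```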
Transport Layer Security
The Salesforce platform provides secure email communication for SMTP sessions using TLS, which can also be applied while MVISION Cloud Secure is implemented with your org. For further information, see the Configuring Deliverability Settings documentation in Salesforce.
MVISION Cloud Secure supports the On-Demand Email-to-Case feature in Salesforce.com. To encrypt or tokenize the Email-To-Case content, Email-To-Case submissions should be routed to MVISION Cloud before they are sent to the Email Services Address provided to you by Salesforce.
For On-Demand Email-to-Case via MVISION Cloud Secure:
- Define email addresses on your email system for case submissions.
- Create email routing addresses that include the addresses defined for cases.
- Configure your email system to forward case submissions to MVISION Cloud Email-To-Case address.
- Configure Email-To-Case on MVISION Cloud.
- Enable On-Demand Email-to-Case.
Email Settings Configuration
Follow the Email-To-Case settings instructions on how to define email addresses and routings on your email system for case submissions. You need to configure your email system to forward case submissions to the MVISION Cloud Email-To-Case address instead of to the Email Services Address provided to you by Salesforce. The following is an example of email forwarding rule configuration required on your email system:
MVISION Cloud Secure Policy Configuration
MVISION Cloud configuration entails using the Policy Editor to configure the Policy template for email message objects and fields. During the configuration, the system administrator needs to return to Salesforce and perform verification and editing tasks, and follow the confirmation instructions on the email account.
On-Demand Email-to-Case configuration in Salesforce should be performed as directed by Salesforce. The system administrator configures the Salesforce.com platform, MVISION Cloud Secure, and provides an example of system email case submission and forwarding definition. For more detailed instruction, contact Salesforce support.
Salesforce Reports and Views
For the Salesforce application to support Reports and Views for custom fields when working through MVISION Cloud Secure, the user’s SFDC credentials must be entered into the Admin Console. The credentials need to be entered in the Salesforce Credentials tab under Setup.
NOTE: You must perform a Deploy Now after setting up the credentials for the support to become active.
Salesforce for Outlook
Salesforce for Outlook, a Microsoft Outlook integration application that you install, automatically syncs contacts, events, and tasks between Outlook and Salesforce. You can also manually add Outlook emails to these Salesforce records:
When working with Salesforce through MVISION Cloud Secure, the ability to encrypt email, contacts, events, and tasks is added. The system administrator configures Salesforce and the user configures Salesforce for Outlook.
To work through MVISION Cloud Secure, the system administrator configures Outlook in Salesforce and the policy template in MVISION Cloud. Step-by-step instructions can be found in the knowledge base.
Outlook configuration in Salesforce should be performed as directed by Salesforce. The only consideration that should be taken is that under Email Setting, only Add Email should be selected.
The MVISION Cloud Secure configuration is performed in the Policy Editor. The system administrator configures the objects Email Messages and Attachments with the proper encryption type according to the company policy. The only consideration that should be taken is that when encrypting the From: Email Address object, the user needs to confirm the My Email to Salesforce page in Salesforce and click Save, making sure emails go through MVISION Cloud Secure first for encryption.
Once the system administrator configures Salesforce and MVISION Cloud Secure, the user can install (if not yet done) and configure the Salesforce for Outlook application. The considerations that should be taken are:
- The application should be configured with the MVISION Cloud Secure domain login URL.
- The Email to Salesforce address in the My Email to Salesforce page should not be used to send emails, as it sends cleartext, not encrypted, email.
When working with Salesforce Chatter (browser) through MVISION Cloud Secure, the following functionality is supported:
- Encryption of chatter feeds, posts, and comments
- Search and Favorite
- @mention, #topic and links into content
- Email reply and links-in-email
- File attachments
- Post links
Omni Channel (Live Agent) App in Salesforce is supported via Reverse Proxy.
- The basic functionality of Omni Channel with Live Agent (SFDC Agent person chat window) works fine via proxy.
- Identify and add all custom domains related to Omni Channel as service properties (for example, custom.domain.xxx = c.la1-c2cs-dfw.salesforceliveagent.com).
- You can identify all possible custom domains associated with Omni Channel in a Salesforce instance by accessing the app and capturing the network traffic.
The assumption is that no encrypted content will pass through the Omni Channel app. Content may not be decrypted in this case and it's not supported via proxy.
MVISION Cloud does not support DLP Policies over the content traversing the Omni Channel app.