0

I have some concerns on the way our current integration exists between salesforce and a system called WebMethods. Currently we do not use oauth or SSO for security. We pass the username and password from salesforce in apex callout to WebMethods. What I know is this connection is over a secure https and thus it does not have any security threats.

Does it means that the username and password and the request is sent over securely with encryption. How does it is secure with oauth or SSO since I read we need them to pass auth token instead of username and password. Does sending request through https keeps username password secure?

Improve this question
1
  • HTTPS provide some security but does not prevent anything. The nice thing about SSO is that the user can revoke access at anytime fairly easy. So if the secure information is ever compromised it is trivial to revoke access and create new tokens. Commented Dec 16, 2016 at 16:41

1 Answer 1

Reset to default
2

What you are currently doing is not secure, and in fact you have compromised any credentials shared this way. Passing the username and password to an external system is a bad practice, as is passing a session id. HTTPS does not make this safe. In the Appexchange security review, we no longer allow this form of authentication.

Never share credentials for any reason, as the purpose of credentials is to uniquely authenticate a given user or service, and this job -- it's only job -- is possible because credentials are kept secret from every other user or service.

Credentials shared with third parties are considered compromised, whether they are sent over HTTPS or not. Please use OAuth if you want to authorize a third party to access certain functionality in your account. They will then authenticate with their own credentials.

Improve this answer
2
  • Thanks. I am passing the username and password using SOAP header when I make an Apex callout to external webservice. Does that mean it will be secure? Commented Dec 17, 2016 at 5:51
  • 1
    Use OAuth to authenticate webservices and don't use the username/password flow. That is deprecated. See developer.salesforce.com/page/… Commented Dec 17, 2016 at 6:00

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.