The latest release of S4S includes support for Apigee and other security gateways that intercept service requests with a proxy layer to abstract away backend service APIs. 

Customers requiring hardened security, e.g. in the finance, government, and healthcare sectors, can add a pass-through proxy layer in front of inbound requests for local API resources. This adds "in-house" control over requests arriving from external systems, provides protection against malicious bot traffic, and enables the inbound calls to be translated to alternate protocols should the local APIs change.

S4S makes outbound calls from Salesforce to Sitecore if customers use the "Update Sitecore Analytics" button, or have the Sitecore Personalization module installed in Salesforce. These calls need to reach the S4S web service hosted in Sitecore via a pinhole in the customer's firewall. The pinhole is limited to a small range of Salesforce IP addresses. The service is further secured by encryption (HTTPS), digital certificates, and a unique key in Sitecore that must match the value in Salesforce. Additional security can be provided by using Apigee or comparable software.

Changes were required to the S4S Salesforce Analytics package to pass the additional headers required by Apigee (or alternate API management software). A new field called "Custom Headers" was added to facilitate this. Any proxy service that requires additional HTTP headers can use this feature, for example, running a reverse proxy web server in addition to, or instead of, a firewall restriction.

Custom Headers

S4S customers need to populate this field only if they use Apigee (or similar), use the "Update Sitecore Analytics" button, or personalize Sitecore from Salesforce. Each entry in the Custom Headers field consists of the header name and value separated by a colon, e.g. "ApiKey:ABC123". If multiple headers are required, enter one per line.

For further protection, Named Credentials are supported by the S4S Salesforce packages which enable the Site URL/IP config to be set to “callout:<callout_api_name>” instead of the direct URL. This allows complex authentication, using OAuth in the case of Apigee. The added benefit for security is that the authentication details are secured by Salesforce directly and the S4S package never has access to them.
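To illustrate the Custom Headers format described above and the "callout:" Named Credential check, here is an added example (not S4S package code; the S4S Apex implementation may differ). It parses the one-pair-per-line field, splits on the first colon only so that values containing colons survive, rejects names that are not valid HTTP tokens or values carrying control characters, and reports whether an endpoint uses the Named Credential form. The sample field value is constructed.

```python
import re
from typing import Dict

# Characters allowed in an HTTP header field name (RFC 7230 "token").
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_custom_headers(text: str) -> Dict[str, str]:
    """Parse a Custom Headers field: one "Name:Value" pair per line.

    Splits on the first colon only, so a value such as a URL with a port
    is kept intact. Blank lines are ignored; malformed or duplicated
    headers raise ValueError rather than being silently dropped.
    """
    headers: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        name, sep, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if not sep or not name or not value:
            raise ValueError(f"line {lineno}: expected 'Name:Value', got {raw!r}")
        if not _TOKEN.match(name):
            raise ValueError(f"line {lineno}: invalid header name {name!r}")
        # Control characters in a value would corrupt the outbound request.
        if any(ord(c) < 32 or ord(c) == 127 for c in value):
            raise ValueError(f"line {lineno}: control character in value")
        if name.lower() in (k.lower() for k in headers):
            raise ValueError(f"line {lineno}: duplicate header {name!r}")
        headers[name] = value
    return headers


def is_named_credential(endpoint: str) -> bool:
    """True when the Site URL/IP config uses the callout:<api_name> form,
    meaning Salesforce injects the credentials and the package never
    holds them; False for a direct URL."""
    prefix = "callout:"
    return endpoint.lower().startswith(prefix) and len(endpoint) > len(prefix)


# Constructed sample of a Custom Headers field value (placeholder key).
SAMPLE_FIELD = (
    "ApiKey:ABC123\n"
    "\n"
    "X-Tenant : acme\n"
    "X-Forward-To:https://cm.example.internal:8443/s4s\n"
)
```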

The Salesforce package for S4S Analytics that includes these updates is available here. The Salesforce package for Sitecore personalization that includes these updates is available here. Note: If you are installing it into a Salesforce sandbox, replace "login" with "test" in the URL.

If you need more information about S4S security please contact us.