[SalesForce] Salesforce certificate authentication for users

Is it possible to use client SSL certificate to authenticate Salesforce user (not the webservice client)? Does it work the same way as for webservice client?

Best Answer

It's possible using the Mutual Authentication feature, which allows you to set up certificates for users so they are authenticated via a certificate instead of a username/password. Please note that this is not enabled by default in your org and you need to raise a case to get it.

The steps involved are:

Contact salesforce.com to have mutual authentication turned on for your organization.

Generate the Certificate Signing Request (CSR) for the client certificate the API client will present when attempting to establish the mutually authenticated TLS connection to Salesforce. It’s important that the client certificate be signed by one of the salesforce.com trusted root certificate authorities. The list is maintained here: Outbound Messaging SSL CA Certificates.

Once the certificate is signed, upload the certificate to the organization at Security Controls | Certificate and Key Management. Upload the signed client certificate to the Mutual Authentication Certificates table in order for Salesforce to properly validate the client certificates presented by the client when initiating an inbound mutually authenticated TLS connection.

Enable the Enforce SSL/TLS Mutual Authentication user permission for the API client user. This permission forces the use of port 8443 for secure connections.

This permission can be added to a profile or assigned to an individual user with a permission set.

You may also want to look at this thread which has a similar context.
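As an added illustration of steps 2 and 4 above (not part of the original answer), the shell functions below generate the private key and CSR that is sent to one of the Salesforce-trusted CAs for signing, and then issue a request to the instance on port 8443 presenting the signed client certificate. The instance hostname, REST path and session token are assumed placeholders; Salesforce's own server certificate is still verified (no `-k`).

```shell
#!/bin/sh
# Step 2: create a 2048-bit RSA key and a CSR for the client certificate.
# The CSR (not the key) goes to a CA on Salesforce's trusted root list;
# the key never leaves the client host.
make_client_csr() {
  dir="$1"   # output directory
  cn="$2"    # subject common name for the client cert (constructed example)
  mkdir -p "$dir"
  openssl genrsa -out "$dir/client.key" 2048 2>/dev/null || return 1
  chmod 600 "$dir/client.key"
  openssl req -new -key "$dir/client.key" -subj "/CN=$cn" \
    -out "$dir/client.csr" 2>/dev/null || return 1
  # Sanity check: the CSR's self-signature must verify with its own key.
  openssl req -in "$dir/client.csr" -noout -verify >/dev/null 2>&1
}

# Step 4: once the signed cert is in Mutual Authentication Certificates and the
# user has "Enforce SSL/TLS Mutual Authentication", API traffic must use port
# 8443 and present the client certificate on the TLS handshake.
# Arguments: instance host, signed cert (PEM), private key, API path,
# and an optional session token for the Authorization header (assumed).
mtls_request() {
  instance="$1"; cert="$2"; key="$3"; path="$4"; token="${5:-}"
  if [ -n "$token" ]; then
    curl --silent --show-error --cert "$cert" --key "$key" \
      -H "Authorization: Bearer $token" "https://${instance}:8443${path}"
  else
    curl --silent --show-error --cert "$cert" --key "$key" \
      "https://${instance}:8443${path}"
  fi
}
```

A handshake failure on 8443 after the permission is enabled usually means the presented certificate does not match what was uploaded or was not signed by a CA on the trusted list.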
