User login and authorization
Organizations have several methods of accessing the Salesforce CRM application. Access can be gained from either the user interface (using a web browser), the API (for example, using an integrated client application or the Apex Data Loader), a desktop client (for example, Salesforce for Outlook), or from a mobile client application.
Whenever a login attempt is made to Salesforce using any of these preceding methods, the user's login request is authorized by the system using the following sequence of checks:
- Does the user's profile have any login restrictions?
- Does the user's IP address appear within the organization's trusted IP address list?
- Has the user been activated from this IP address before?
- Does the user's web browser have a valid browser cookie stored from Salesforce?
If the user's login is from neither a trusted IP address nor a browser with a valid Salesforce cookie, the login is denied. To gain access to Salesforce, the user's identity must be confirmed by successfully completing the computer activation process.
Does the user's profile have any login restrictions?
Login hour and IP address restrictions can be set for the user's profile. If these are set and there are login attempts from a user outside the specified hours or from an unknown IP address, access is denied.
Login hour restrictions
If login hour restrictions are set for the user's profile, any login attempt outside the specified hours is denied.
To navigate to the Profile menu, go to Your Name | Setup | Administration Setup | Manage Users | Profiles. Now select a profile and click on Edit in the Login Hours related list.
Set the days and hours when users with this profile can log in to Salesforce.com.
The login hours that are set are based on the default time zone of the organization, as described later in this chapter. Navigate to Your Name | Setup | Administration Setup | Company Profile | Company Information and select the required time zone from the Default Time Zone picklist.
The login hours apply to exactly the clock times that are set, even if a user has a different personal time zone or if the organization's default time zone is changed afterwards.
To allow users to log in at any time, click on clear times as shown in the following screenshot:
Note
To prevent users from accessing the system on a specific day, set the start time and end time to the same value, for example, Start Time to 8:00 AM and End Time to 8:00 AM (as in the Saturday and Sunday example setting in the previous screenshot).
IP address restrictions
If IP address restrictions are defined for the user's profile, any login attempt from an unknown IP address is denied.
To restrict the range of valid IP addresses through the Profile menu, navigate to Your Name | Setup | Administration Setup | Manage Users | Profiles. Now select a profile and click on New in the Login IP Ranges related list.
Enter a valid IP address in the Start IP Address field and a higher IP address in the End IP Address field.
The start and end addresses specify the range of IP addresses from which users can log in. To allow a login from a single IP address, enter the same address in both fields.
For example, to allow a login from only 88.110.54.113, enter 88.110.54.113 as both the start and end IP addresses as follows:
Does the user's IP address appear within your organization's trusted IP address list?
This check is performed if profile-based IP address restrictions are not set.
If the user's login is from an IP address listed in your organization's trusted IP address list, the login is allowed.
Trusted IP range
To navigate to the Trusted IP range settings, go to Your Name | Setup | Administration Setup | Security Controls | Network Access.
Click on New and enter a valid IP address in the Start IP Address field and a higher IP address in the End IP Address field.
The start and end addresses specify the range of IP addresses from which users can log in. To allow a login from a single IP address, enter the same address in both fields.
For example, to allow a login from only 88.110.54.113, enter 88.110.54.113 as both the start and end addresses as follows:
Has the user been activated from this IP address before?
Each user has a personal list of IP addresses from which they have been activated. Once the user has completed activation from an IP address, that address is added to this list and logins from it are never challenged again.
Note
This list is not currently visible within the Salesforce application.
Does the user's web browser have a valid cookie stored from Salesforce?
The browser will have the Salesforce cookie if the user has previously used that browser to log in to Salesforce and has not cleared the browser cookies.
So, if the user's login is from a browser that includes a Salesforce.com cookie, the login is allowed.
A cookie is a small file containing a string of characters that is sent to your computer when you visit a website. Whenever you visit the website again, the cookie allows that site to recognize your web browser.
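The four checks described above, from the profile's login hours and Login IP Ranges through the organization's trusted IP list, the user's hidden activated-IP list and the browser cookie, as one added Python model. This is example code written for this page, not Salesforce's own logic: the `Profile`, `Org` and `User` classes, the `authorize_login` function and all sample addresses and hours are constructed, and the model's treatment of an address inside a profile's Login IP Range as accepted without activation is an assumption, not something the page states.

```python
"""Added example (not Salesforce's code): a model of the login-authorization
sequence described on this page. Every class, function and value here is
constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone, tzinfo
from ipaddress import ip_address
from typing import Optional

# Profile login hours: weekday (0 = Monday) -> (start, end) read against the
# clock in the org's default time zone. A day missing from the dict, or one
# whose start equals its end (the "8:00 AM to 8:00 AM" setting), allows no
# logins on that day.
LoginHours = dict[int, tuple[time, time]]
IpRanges = list[tuple[str, str]]            # inclusive (start, end) pairs


@dataclass
class Profile:
    login_hours: Optional[LoginHours] = None         # None: log in at any time
    ip_ranges: IpRanges = field(default_factory=list)


@dataclass
class Org:
    default_tz: tzinfo                               # the Default Time Zone picklist
    trusted_ip_ranges: IpRanges = field(default_factory=list)


@dataclass
class User:
    profile: Profile
    activated_ips: set[str] = field(default_factory=set)   # the list users cannot see


def utc(*args: int) -> datetime:
    """Build a timezone-aware UTC timestamp (helper for the samples below)."""
    return datetime(*args, tzinfo=timezone.utc)


def in_ranges(ip: str, ranges: IpRanges) -> bool:
    """True if ip lies within any (start, end) range, both ends included."""
    addr = ip_address(ip)
    return any(ip_address(lo) <= addr <= ip_address(hi) for lo, hi in ranges)


def within_login_hours(hours: Optional[LoginHours], now: datetime, tz: tzinfo) -> bool:
    """Evaluate login hours against the clock in the org's default time zone,
    ignoring whatever personal time zone the user has."""
    if hours is None:
        return True
    local = now.astimezone(tz)
    window = hours.get(local.weekday())
    if window is None:
        return False
    start, end = window
    if start == end:                                 # whole day blocked
        return False
    return start <= local.time() < end


def authorize_login(user: User, org: Org, ip: str, has_cookie: bool, now: datetime) -> tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'deny' or 'activate'
    ('activate' means the computer activation process must be completed)."""
    prof = user.profile
    # 1. Profile restrictions: login hours, then Login IP Ranges.
    if not within_login_hours(prof.login_hours, now, org.default_tz):
        return "deny", "outside profile login hours"
    if prof.ip_ranges:
        # Model assumption: an address inside the profile range needs no
        # activation; outside it the login is denied outright.
        if in_ranges(ip, prof.ip_ranges):
            return "allow", "within profile login IP range"
        return "deny", "outside profile login IP ranges"
    # 2. Org trusted list, checked only when the profile sets no IP ranges.
    if in_ranges(ip, org.trusted_ip_ranges):
        return "allow", "trusted IP address"
    # 3. The user's own list of previously activated addresses.
    if ip in user.activated_ips:
        return "allow", "previously activated from this IP address"
    # 4. A browser that still holds the Salesforce cookie.
    if has_cookie:
        return "allow", "valid browser cookie"
    return "activate", "unknown IP address and no cookie: computer activation required"


# Constructed sample data: org clock on UTC-8, Mon-Fri 08:00-18:00, weekends blocked.
SAMPLE_ORG = Org(default_tz=timezone(timedelta(hours=-8)),
                 trusted_ip_ranges=[("88.110.54.113", "88.110.54.113")])
OFFICE_HOURS: LoginHours = {d: (time(8, 0), time(18, 0)) for d in range(5)}
OFFICE_HOURS.update({5: (time(8, 0), time(8, 0)), 6: (time(8, 0), time(8, 0))})
SAMPLE_USER = User(profile=Profile(login_hours=OFFICE_HOURS),
                   activated_ips={"198.51.100.4"})

if __name__ == "__main__":
    wednesday_0930_local = utc(2024, 3, 6, 17, 30)
    for ip, cookie in [("88.110.54.113", False), ("198.51.100.4", False),
                       ("203.0.113.9", True), ("203.0.113.9", False)]:
        print(ip, cookie, authorize_login(SAMPLE_USER, SAMPLE_ORG, ip, cookie, wednesday_0930_local))
```

The order of the branches is the point: the trusted IP list is consulted only when the profile sets no Login IP Ranges, and the cookie is the last thing that can save a login from an unrecognised address, which is why clearing cookies or roaming onto a new address lands a user in the activation process.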
Computer activation process
If the user's login is from neither a trusted IP address nor a browser with a Salesforce cookie, the login is blocked and Salesforce must verify the user's identity.
A trusted, genuine user can access the Salesforce CRM application using the following means:
- User interface (using a web browser)
- API (for example, using an integrated client application or the Apex Data Loader)
- Desktop client (for example, Salesforce for Outlook)
User Interface
For access through the user interface, the user is prompted to click on the Email me a verification code button to send an activation e-mail to the address specified in the user's Salesforce user record as follows:
On clicking the Email me a verification code button, a new screen is presented to allow the entering of a verification code as shown in the following screenshot:
Salesforce sends the verification code e-mail to the e-mail address associated with the user's record in Salesforce. Here, the following screenshot shows an e-mail example:
The e-mail instructs the user to enter the verification code into the browser to activate the laptop for login to Salesforce.
The activation code within the e-mail is valid for up to 24 hours from the time the Email me a verification code button was clicked. After 24 hours, the activation link will expire and the user must repeat the activation process.
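The activation step described above, as an added Python model (example code written for this page, not Salesforce's implementation). The `ActivationService` class, the six-digit code format, the user names and IP addresses are constructed; the 24-hour validity window and the requirement that the code be presented from the same address that requested it come from the text, while the limit on wrong guesses is an assumption added here.

```python
"""Added example (not Salesforce's code): a model of the computer-activation
step described on this page. Codes, users and addresses are constructed."""
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CODE_TTL = timedelta(hours=24)   # validity window stated on the page
MAX_ATTEMPTS = 5                 # assumption: discard a code after repeated wrong guesses
T0 = datetime(2024, 3, 6, 9, 0, tzinfo=timezone.utc)   # constructed reference time


def hours_later(hours: float) -> datetime:
    """Helper for the samples: a timestamp some hours after T0."""
    return T0 + timedelta(hours=hours)


@dataclass
class PendingActivation:
    code: str
    ip: str                      # address that asked for the code
    issued_at: datetime
    attempts: int = 0


class ActivationService:
    def __init__(self) -> None:
        self._pending: dict[str, PendingActivation] = {}
        self.activated_ips: dict[str, set[str]] = {}    # per-user activated list

    def request_code(self, username: str, ip: str, now: datetime) -> str:
        """Issue a fresh code and remember where it was requested from.
        The code goes out by e-mail; it is returned here only so the example runs."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = PendingActivation(code, ip, now)
        return code

    def verify(self, username: str, ip: str, submitted: str, now: datetime) -> tuple[bool, str]:
        """Accept the code only within CODE_TTL, from the requesting address,
        and with a constant-time comparison; on success record the address."""
        pending = self._pending.get(username)
        if pending is None:
            return False, "no activation in progress"
        if now - pending.issued_at > CODE_TTL:
            del self._pending[username]
            return False, "code expired; request a new one"
        if ip != pending.ip:
            # The VPN / web-proxy confusion from the text: the browser that
            # presents the code is not the one that requested it.
            return False, "code presented from a different IP address"
        if not hmac.compare_digest(submitted, pending.code):
            pending.attempts += 1
            if pending.attempts >= MAX_ATTEMPTS:
                del self._pending[username]
                return False, "too many incorrect codes; request a new one"
            return False, "incorrect code"
        del self._pending[username]
        self.activated_ips.setdefault(username, set()).add(ip)
        return True, "computer activated"


if __name__ == "__main__":
    svc = ActivationService()
    code = svc.request_code("alice", "203.0.113.9", T0)
    print(svc.verify("alice", "198.51.100.4", code, hours_later(1)))   # wrong address
    print(svc.verify("alice", "203.0.113.9", code, hours_later(1)))    # activated
    print(svc.activated_ips)
```

The mismatched-address branch is what a remote user hits when the code was requested from a home connection but submitted while the browser is routed through the corporate VPN's proxy; the service rejects it rather than activating an address the user never actually logged in from.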
Confusion can occur if your company has remote users that connect to Salesforce away from the company network, such as from home or from public Internet connections. The remote users' computers are likely to have dynamically assigned IP addresses. Hence, whenever they attempt to log in, Salesforce will identify it as an unknown IP address, prompt for verification, and the remote user will have to click on the verification button.
The remote user will then have to access the e-mail associated with their Salesforce user record to retrieve the activation e-mail, and it is here where confusion can occur. If the remote user has to access corporate web e-mail using a VPN (Virtual Private Network) connection, clicking the activation link may not work, because the IP address that is being validated may no longer be the same IP address used by the browser. This is because the VPN connection is likely to be using a web proxy.
Note
It is recommended that you establish a policy to ensure the user clicks on the verification button while connected to the VPN, or can access non-VPN-based web mail (if this is permitted in your company) to ensure the validated IP addresses are the same.
API or a desktop client
For access using the API or a desktop client (for example, using the Apex Data Loader), the user must add his/her security token at the end of the password in order to log in. A security token is an automatically generated key from Salesforce. For example, if a user's password is pa$$word, and their security token is XXXXXX, then the user must enter pa$$wordXXXXXX.
Users can obtain their security token by changing their password or resetting their security token via the Salesforce.com user interface by navigating to Your Name | Setup | Personal Setup | My Personal Information | Reset My Security Token and then clicking on the Reset Security Token button.
When a user changes their password or resets their security token, Salesforce sends a new security token to the e-mail address associated with their Salesforce user record. The security token is valid until the user resets their security token, changes their password, or has their password reset by a system administrator.
Note
Do not enter a security token within your password when accessing Salesforce from a web browser.
It is recommended that you obtain your security token via the Salesforce user interface from a trusted network prior to attempting access from a new IP address.
When a user's password is changed, the user's security token is automatically reset. The user will experience a blocked login until they add the security token to the end of their password or enter the new password after you have added their IP address to the organization's trusted IP range.