Friday, January 4, 2008

Salesforce.com has Single SignOn issues

On receiving a promotional email from developer @ salesforce.com, I decided to check them out. I had a user ID, but had forgotten my password. Thereafter started my ordeal: they have diverse sites like wiki.salesforce.com, na5.salesforce.com, login.salesforce.com and many more...

There is nothing wrong with having micro sites; in fact, it allows load balancing. But what's missing is single sign-on and co-ordination between the sites. Also, the wiki site login did not have a forgot-password link.

Its password retrieval process is also cumbersome. Amazon and Google have got it right, and Salesforce should learn from them.

Also, I noticed a few JSP files; thus I presume they are using Java EE infrastructure, so the question is why they haven't gone in for SSO.

The Salesforce concept is excellent and forward-looking and gives Amazon and Google a good run for their money, but they need to catch up on OpenID and SSO. Maybe they should look at Liberty Alliance for leapfrogging by using federated identity management.

3 comments:

Madhur said...

Hi Ashish,
Thanks for the update, but it seems that you have not been a regular user of the application.
I am Madhur Dhawan, and have been working on salesforce.com for the past 5 years.

Speaking from a CRM functional perspective, Salesforce.com assists its users in their daily activities and allows the business to define and automate various business processes in day-to-day functionality. Thus a user, in order to use the CRM effectively, must log in to the application daily and complete his tasks and activities.

In regards to the password policy, Salesforce.com follows these different policies as this application is different from Google or Amazon and caters to the business rather than single users. Once locked out of salesforce.com, you need to contact your administrator to reset the password and get yourself activated again. There are other security features like IP lockout, Security Tokens, Trusted IP and Websites, Session settings and Compute Activations that are bundled along with salesforce.com for security reasons. There is no need for the forgot password here as, if provided, this would delegate more authority to the end users with limited Administration controls.
The security feature is designed with this in mind, hence there are certain limitations that are perceived.

Reaching out to the micro sites that you mentioned, Salesforce.com Instances are unique and use only one site for the Login. What you have mentioned here are various different sites that might be displayed on the browser, but each Salesforce.com user would be logging in to only one site every time they log in.
Hence when you implement SSO, Salesforce.com syncs the login info and the internal websites, identifies the user's Instance and then takes the user to the required website.

Envision salesforce.com from a business point of view and not from a single user point of view or a developer point of view and you will find many areas where it differs traditionally from other applications.
A little bit more insight on salesforce.com features would really help.

Thanks

Sachin Tomar said...

Oh dear,
Somehow today (fortunately, or you can say deliberately, I was hopping over to search for something and I found your profile on the net).
I am Sachin Tomar, and I worked (training) under you in Osprey (year 2003).
I still remember those days of working with you and Dev Rana Sir.
Good to see you here,
and finally very happy to know that Tiger is back into the Jungle (Sun). :)
Cheers
Sachin

Justin said...

This page should adopt some of the policies of Google and Amazon in order to improve customer service's quality as well as increasing its sales.