Professional Documents
Culture Documents
Table of Contents
USE CASE PROFILE.............................................................................................................................4 OPTION 1: STATELESS WEB SERVICES ..........................................................................................5 OPTION 2: FIXED CREDENTIALS WITH CLIENT SIDE SESSION MANAGEMENT & SESSION POOLING ...............................................................................................................................................5 OPTION 3: PROMPT FOR USERNAME AND PASSWORD ................................................................6 PARTNER EXAMPLE: RELEASE IDLE SESSIONS (RESOLUTION) .................................................7 CONCLUSION........................................................................................................................................9 SOLUTION SET FAQ...........................................................................................................................10 GLOSSARY..........................................................................................................................................11
Advantages:
With the Stateless approach, there is no limit on concurrent sessions. The partner application does not need to implement session management and explicitly manage the number of concurrent sessions.
Disadvantages:
Stateless Web Services require the user's credentials to be passed with each Web Service request. While planned, there is currently no support for SSO authentication using the Stateless Web Services in CRM On Demand. The user's credentials need to be provided for each Web Service call. This can pose a security risk as the userID and password information can be exchanged as plain text via the internet in any case where the user is requested to provide credentials while navigating the partner application.
Example:
A customer requires an interactive sales application to update data in CRM On Demand that can be used concurrently by approximately 600 sales users. The Sales user will update Opportunities in CRM On Demand with data being sourced exclusively from a third-party real-time sales data analysis system. Users will login to CRM On Demand by providing username and password credentials and update Opportunity information using stateless Web Services. A Stateless Web Service client is required to access and update opportunities as data is being drawn real time from a third party sales analysis application. . This customers use case can be met using the Stateless approach where multiple users can login concurrently using Stateless Web Services. As there are no restrictions on concurrent sessions, large numbers of users can be logged in simultaneously.
Option 2: Fixed Credentials with Client Side Session Management & Session Pooling
Session pooling is an option for increasing the performance of the application and managing concurrent sessions using fixed credentials. Session pooling involves maintaining a list of active sessions in the partner application. The partner application must ensure that each session is active and valid (it must have a valid sessionID) before using it in a request. The application might determine whether the session is active based on the success of the login operation and the time that has passed since the session was used. If all active sessions are in use for pending Web Service requests a new session can be added to the pool. However the pool can only hold a certain number of concurrent sessions and the number of sessions should be less or equal to the CRM On Demand concurrent session limiter. If all sessions in the pool are currently being used, new requests for sessions will need to wait until a session becomes available.
Advantage:
Session pooling manages the number of concurrent sessions available ensuring that the number of sessions is equal to or below the limit. Session pooling can improve performance in both a single-threaded or multithreaded application. In a single-threaded application, session pooling can avoid the unnecessary overhead of SSO Token and Session Management
re-logging into the application for each request. In a multi-threaded application session, you can use session pooling to run multiple requests at the same time. This option should be considered for a batch scenario (initial data loads, recurring data loads, mass updates etc) where optimal performance can be achieved by using a pool of Web Service sessions to load large data volumes into CRM On Demand.
Disadvantages:
Session pooling is implemented by the partner application and uses single or few fixed (hardcoded) credentials to create a session pool. Each user will have the same access levels as that of the fixed users credentials used to create the session pool. This can be a disadvantage especially for interactive applications as there is no audit trail and all changes are made by a single users credentials and access levels. Session pooling is limited by the number of concurrent sessions and the pool is limited by the CRM On Demand concurrent session limiter. Session pooling has to be implemented on the client side and the client application needs to manage the sessions ensuring that the concurrent sessions do not exceed the limit. This can be somewhat complex to implement and manage by the third-party partner application.
Example:
A customer in the healthcare industry would like to synchronize provider information from various third-party systems to CRM On Demand. The provider record maps to multiple records in CRM On Demand like Accounts, Leads, Contacts and Opportunities. Data synchronization involves managing dependencies and updating the various records. The use case can be met using a single users credential (for example, Administrator) and implementing a session pool on the client side in order to obtain optimal performance.
Advantages:
This option reduces the number of open sessions as a Web Service session will be created only when Web Service access (i.e. retrieving, creating, updating or deleting records) to CRM On Demand is required.
Disadvantages:
Users may need to provide a password each time they navigate to the partner application screens to retrieve or update data. This creates a significant usability issue, as logging in repetitively will be seen as inconvenient and cumbersome to the end user. The retrieval of passwords, while more palatable to end users, could pose a security risk if passwords are cached on the end users machine.
CRM ON DEMAND UI
1
4 5
Get SSO Token Login to Web Services Get Session Edit CRM On Demand data Release session after data retrieval
CRM ON DEMAND UI
6 7 8 9
10
Diagram 1: Illustration of Partner Integration and interactions with CRM On Demand Data Retrieval/ View 1) User clicks link in CRM On Demand UI to launch Client Flash Application 2) CRM On Demand passes SSO Token to Client Flash Application 3) Client Flash Application logs into Web Services to acquire a Web Services Session 4) CRM On Demand provides a Web Services Session 5) Client Flash Application interacts with CRM On Demand using Web Services Session ID Data Update 6) Client Flash Application programmatically obtains SSO Token 7) CRM On Demand passes SSO Token to Client Flash Application 8) Client Flash Application logs into Web Services 9) CRM On Demand provides a Web Services Session 10) Data is updated/ modified or deleted in CRM On Demand
NOTE: When programmatically obtaining a new SSO Token, cross-browser restrictions may be encountered as a new session is required before the user can access Web Services (as a third partner server is involved in making the call). This will be encountered only when the SSO Token needs to be retrieved programmatically. A new SSO SSO Token and Session Management
Token can be retrieved programmatically by invoking the Web Link or Web Applet from the client Web page and parsing the contents of the SSO Token user field to obtain a new valid token. However, calling the initial CRM On Demand Web Link or Web Applet leads to cross-browser restrictions since the call is made from a third-party server to CRM On Demand. This issue is not encountered in the previous options. In the Stateless option, the users credentials need to be supplied to invoke a Stateless transaction. The users credentials can be predetermined or can be obtained by prompting the user. In the Fixed Credentials and Session Pooling option, the credentials are predetermined and leveraged programmatically to create a session. In the Prompt for Username, Password option, the users credentials are obtained by prompting for user input and a new session is created. Outlined below is detailed information regarding the workaround for cross-browser restrictions.
Client Server
HTML Page accepts the Token parameter from the Web Link and echoes it back to the browser enclosed within SSO tags
Client Application
Hidden iframe References the CRM On Demand Web Link URL
Diagram: 2 Illustration of Integration Pattern using SSO Token for Web Services Authentication
Conclusion
The partner use case was solved by designing a client integration that released sessions as soon as they were used and created a new session for each Web Service transaction. A new SSO Token was obtained prior to creating a new session. This helped to manage the number of concurrent sessions and also ensured that a valid SSO Token was available each time a new session was required. The partner integration programmatically invoked the CRM On Demand Web Link URL and a new SSO Token was obtained. Cross-browser issues were encountered and a programmatic workaround was used to counter the cross-browser restrictions.
Would it be more effective to invoke a JavaScript function to refresh the iframe each time you need a new SSO Token and pass it to the application that requires a new SSO Token? The design originally did try to refresh the iframe only when a new SSO Token was needed but this does not work due to the nature of JavaScript events, particularly in IE8. If you try to do this by combining the refresh with the content retrieval you will find that the request to refresh the iframe is not completed until after the end of the function and so you will only get the previous value of the SSO Token which could have expired. Adding a call back to a server to wait for a length of time to allow the iframe to refresh did not work either, as in IE8, the refresh will also wait and not occur until after you have read the contents. The resolution was to have the two JavaScript functions with the refresh being automatically run every x seconds. This is not an optimal solution, however due to browser restrictions this is a workaround.
Would you clarify the reasoning behind refreshing the iframe every x seconds (i.e. 100 sec)? In this specific case 100 seconds was chosen to ensure that an SSO Token is never going to be out of date, however this time interval could be increased to a value nearer to the SSO Token expiry time of 5 minutes. NOTE: The client integration uses a time interval of 100 seconds to specifically meet their use case. However, it is recommended that the time interval be set to a number closer to the 5 minute expiry time period in order to minimize the frequency of calls involved to obtain a new token.
10
Glossary
Client Integration: External application that integrates data and/or business processes between CRM On Demand and Customer
Cross-browser Restrictions: Security restrictions preventing an application from invoking an external Web Service
Concurrent session: Multiple sessions that are open at the same time by the same user
Concurrent session limiter: CRM On Demand limit on the number of open concurrent sessions by company.
Session Management: Specific to Stateful Web Services. Management of open sessions such that they are maintained below the acceptable limit and are kept active. Session Pooling: A pool of active sessions maintained by the client application. Specific to Stateful Web Services.
SSO Token: Unique identifier used for authenticating to CRM On Demand using a Single Sign On mechanism.
SSO Token Timeout: The SSO Token is valid for a set time period in order to secure the authentication process and to prevent hackers from obtaining the token. The token is valid for five (5) minutes. After this time period, once the Web Services session has expired, a new token will need to be obtained in order to access Web Services.
Stateful Web Service Session Timeout: Period of time after which a session is invalid. Set to 10 minutes in CRM On Demand.
Stateless Web Services: Web Services transactions in which the client application does not need to maintain a session identifier (a JSESSIONID value) to perform multiple requests to CRM On Demand. Each request is performed and authenticated independently.
Stateful Web Services: Web Services transactions in which the client application needs to maintain a session identifier (a JSESSIONID value) to perform multiple requests to CRM On Demand.
Web Services Session: Unique Identifier required in order to generate multiple requests to CRM On Demand using Stateful Web Services
11