Is there a Rest Api call I can make to get the Session Timeout Value under Session Settings in Salesforce ?
Org-level defaults are available in metadata API but it's SOAP based, you'd need to create "package.xml" file and retrieve https://developer.salesforce.com/docs/atlas.en-us.api_meta.meta/api_meta/meta_securitysettings.htm and search for sessionTimeout
And you might need an admin account to do it, mortals typically can't view setup and use such development APIs.
It's not terribly useful anyway because every profile can override the default (Profile -> Session Settings, Profile -> Password Policies). You want ProfileSessionSetting.
Metadata API might be the only way, I don't see anything that would suggest REST API or Tooling API expose this object. I don't see it in https://developer.salesforce.com/docs/atlas.en-us.api.meta/api/sforce_api_erd_profile_permissions.htm
Consider asking on https://salesforce.stackexchange.com/ too?
Related
I need to make an Apex Callout to Marketing Cloud when a Lead is created in Salesforce that matches certain criteria. I would like to use this MC Rest API - https://www.exacttargetapis.com/messaging/v1/messageDefinitionSends/key:Autoemail/send. The issue then is that I first need to authenticate with MC to get an Access Token to pass when making the above API call. Does anyone have a good way to persist the Access Token in a Salesforce org? I'm thinking of storing it in a Custom Setting and only updating it when an Apex callout goes to use it and sees that it's nearly 60 minutes old. Is anyone doing something similar? Thanks!
If you know that access token to external service can be expired and should be updated sometimes automatically, the better approach is which you choose - custom setting (or custom object for storing it).
If this token can be hardcoded one time and it will not be changed for a long period, you can checkout Authentication Settings for External Systems functionality.
I've got AngularJS and Web.API WAAD authentication up and running. For client side I use great library ADAL.JS. For backend I use Microsoft.Owin.Security.OAuth. This part went quite smooth.
Now I want to implement authorization based on roles (which will be mapped to WAAD groups). Groups are not included in authentication token so I must ask Azure Graph API for them. I saw various ways to do it, using custom claims providers, adding web services to project, etc. Some examples already providing mapping between groups and roles to use in [Authorize] attribute.
But what is just the simplest example of how to get a list of group ids/names from WAAD providing User ID or username, when I'm already authenticated?
Also, is there any way to get this data in JS to use in Angular frontend, or should I create an API service which Angular should call for roles info?
In the non-JS case, the simplest way of getting groups in the token is by opting in. Download your application’s manifest, locate the “groupMembershipClaims” entry, change its value to “SecurityGroup” or “All”, upload back the manifest.
However note that this won't work for your scenario, because it uses the implicit grant - here the token is returned in an URI fragment, hence a big token would risk blowing past the URL length limits of the browser.
You can always request groups to the Graph and make it available to your frontend via custom action on your API, but from what you wrote you are already familiar with that. Let me discuss the matter here - if there's a simpler route to make this work in SPAs, I'll get back to this thread.
HTH
V.
Update: I verified and in the implicit grant case you will receive groups always via the overage claim. Please refer to https://github.com/AzureADSamples/WebApp-GroupClaims-DotNet/tree/master/WebApp-GroupClaims-DotNet - it will show you how to process the overage claim to retrieve groups. All you need to do is apply the same guidance to a web API instead, and if you need to make the info available to the client expose one or more actions doing so.
I want to have some restrictions on my endpoints API where even if a user is authenticated, they might not be allowed to perform certain actions. I'm mostly guarding against someone being malicious and writing their own client against my backend (my own client will never do what I'm guarding against).
However, I'd still like to be able to perform those actions as myself for debugging purposes.
A simple approach would be to hardcode some "admin" email addresses on the backend.
Is there a better way? Ideally, I'd want to be able to specify the list in the console, and then in code I could have some API on the google User class such as user.isAdmin().
Does such a thing exist?
Thank you.
Using endpoints, you have the opportunity to include a User object parameter in java or use from google.appengine.api import users in python and then user.get_current_user(). If the user is administrator, you can check this (python example) (javadoc for function isUserAdmin()). Do this inside your protected API functions.
You can read more about authorization in endpoints here. In general the docs are a great place to find this kind of info.
I'm using the Google Apps Provisioning API to 1) create new users in our domain and 2), immediately after creation, move them into a sub OU which has the Mail service enabled. I would also like to use the Mail Settings API to 3) set a default SendAs for the new users at the same time. However, I don't seem to be able to set the SendAs until a small amount of time has passed. I get an InvalidValue(1801) ErrorCode. If I make the same call to the Mail Settings API a little later, it works fine. So, I'm guessing the problem is when the Mail Settings API call is made, the user hasn't been registered as being in the OU with the Mail service enabled yet.
Is there a way for me to set the SendAs immediately after the user creation and move? As a workaround, I can put a short delay in my code before the setting of the SendAs, but I'd prefer not to have to do this and I'm not sure what amount of delay would consistently be sufficient.
Thanks for any help you may be able to provide.
Sam LaSala
Any reasons you are still using the provisioning APi instead of the new Directory API? (https://developers.google.com/admin-sdk/directory/v1/guides/manage-users). Provisioning API has been deprecated, and it is subjected to the deprecation policy. It is better if you start using the new API instead of developing your code in the old one.
With the new API, you can actually combine step1 and step2 together where you can directly create the user in the OU that has mail enabled. That way it will eliminate the additional call, and the user will inherit the services that have been already turned on in the OU. Hope this will resolve the issue you have.
You can also check out the functionalities of the Directory API in the API explorer:
https://developers.google.com/apis-explorer/#search/directory/admin/directory_v1/
I'm trying to figure out CakePHP cookies and meet my slightly unusual authentication requirements.
I have a CakePHP-based data collection system that is now being integrated with a reporting system built with COTS software. The reporting system needs to be access controlled and unless I want to duplicate all user accounts in both systems I need the reporting system to be able to find out if the user is authenticated in my CakePHP system.
The reporting system permits me to load a Java class and execute a function when the client's report request first arrives. So my idea was to
Inspect the incoming report request and extract the cookie used by my CakePHP site for authentication / session identification
Send a request from the Java function to a 'reportauth' action within the CakePHP site with this cookie attached
The reportauth action within CakePHP then checks if the user is logged in to the CakePHP site and returns an encrypted response to the Java function identifying the user's role
I can get the cookie, send it in a request, and separately I can share encrypted information between PHP and Java.
However, when I use a 'fresh' cookie (the cookie that my browser repeatedly sends with requests to the CakePHP site after a new login) in my Java request the response says the user is not logged-in. If I then reload the site in my browser I have been logged-out. I suspect that there may be some extra information in the cookie about user-agent (?) that causes the Java-sourced request to be thrown out and that session destroyed for safety, but I don't know the system well enough. I think I might be seeing CakePHP protecting against session hijacking (which, ordinarily, would make me happy).
Can anyone tell me if there is a way around this issue? Preferably one that doesn't involve custom auth components in CakePHP as the data collection site is already live and my reporting deadline is not far away.
Any help much appreciated.
One workaround:
Get CakePHP to store a random token in a separate cookie, and as a field in the user table.
Then get the Java application to grab the token, and send it to the cakephp application to get the user's details.
Alternatively, have it authenticate with the CakePHP app itself, and pass in the session id to have cake use the right session. Note, setting with that function needs to be done before session_start() is called.