SlideShare a Scribd company logo

Integrating Web Apps with Force.com Canvas

Download as PPTX, PDF
Richard Donkin
Richard Donkin

Overview of Force.com Canvas, a technology that enables you to rapidly integrate third party web applications (on-premise or cloud) into a Salesforce environment, showing their user interface within a secure iframe. Covers how Canvas works and basic operation, and also provides tips from a recent development project on browser issues, multi-tab support, and more. UPDATED 8 Mar 2014: No need to download to see builds. I have removed all the builds and made many content updates to explain things better.

Technology
1 of 30
© Cloudfind Ltd 2011-2014 Integrating Web Apps with Force.com Canvas Richard Donkin richard@cloudfindhq.com @rdonkin Cloudfind Ltd http://cloudfindhq.com
About Cloudfind Smart tagging makes it simple to find and manage files in the cloud Brings collateral into Salesforce so that teams close deals faster
Agenda • Integration challenges • Canvas overview • Tips for development 3
Ideal World
Real World
Ideal World “All our apps are on Salesforce!”
Real World ERP Financials Supply Chain … Field Service Project Management Industry-Specific … HR Cloud Storage CRM & Service Marketing Third Party Apps
Real World ERP Financials Supply Chain … Field Service Project Management Industry-Specific … HR Cloud Storage CRM & Service Marketing Third Party Apps Canvas integration via Cloudfind app: Show auto tagged files from cloud storage in Salesforce No need to hunt through folders in cloud storage
Real World ERP Financials Supply Chain … Field Service Project Management Industry-Specific … HR Cloud Storage CRM & Service Marketing Third Party Apps Force.com Canvas “frame”
Real World ERP Financials Supply Chain … Field Service Project Management Industry-Specific … HR Cloud Storage CRM & Service Marketing Third Party Apps Force.com Canvas “frame” Any Salesforce Page Any Web Application
Canvas as a UI integrator ERP Financials Supply Chain … Field Service Project Management Industry-Specific … HR Cloud Storage Any Web Application (full page or part) Any Salesforce Page Force.com Canvas Canvas Any Web Application Salesforce1 CRM & Service Marketing Third Party Apps
Why not use a Force.com UI for web apps? Assume you have a web app outside Salesforce Using Force.com, build a new UI for the app: • Existing skills for Salesforce developers • Easy data integration via Apex • Classic model used by ISVs But… • Must replicate UI and integrate with app • Two UIs: one for Salesforce, one for non-Salesforce • Existing app must have an API • Or source code to add an API 12
Why use Canvas to embed UI for web app? With Canvas: • Just embed the UI – no re-building, easy integration • Same app can work outside Salesforce • Use any programming language • Deployment options: • PaaS (Heroku) – easy setup • IaaS (Amazon AWS), or on-premise – full control • Multi-core, SSDs, memory caches, NoSQL, … • Deployment model is “pay for capacity”: • Good for intensive processing, e.g. file tagging • Force.com limits mostly not affected by Canvas apps • Can use Force.com CPU and API calls for data integration not UI logic 13
Where can you embed a web app? Many of the places Visualforce works, including: • Custom tab • Object detail page • Chatter page • Chatter feed (GA in Spring ‘14) • Chatter publisher (GA in Spring ‘14) And it all works in … • iOS/Android app, plus mobile web app in browser • Swipe to see related objects including Canvas app • Canvas apps can be on Salesforce1 menu 14
How to embed with Canvas Realistic Visualforce example: <apex:page> <apex:canvasApp namespacePrefix="myapp" applicationName=“myapp” height="600px" width="100%" parameters=”{{id:'{!Account.Id}', name: '{!JSENCODE(Account.Name)}'}” /> <apex:page> • Always set width to 100% to allow horizontal resizing • And use 100% when including in page layout • Take care of parameter encoding to prevent XSS vulnerablities • JSON is easily processed in most languages • Same source code for Salesforce1 mobile use
Canvas-enabling a web app (1) If you have source code access for the app: • Make the app work in iframe, and with Canvas • Quite easy – mostly standard web app techniques Can open new tab if required – e.g. Google OAuth2 Salesforce UI Canvas iframe Canvas Web App Canvas Signed Request, and AJAX User authorizes Cloudfind app Cloudfind confirmation page Outside Canvas
Canvas-enabling a web app (2) If you don’t have source code for enterprise app: • Write a small custom app on top of the main app • Call into main app’s API as required • Best for a few functions only • Or… generic proxy for the main app Salesforce UI Canvas iframe Custom Canvas App Canvas Signed Request, and AJAX Enterprise app App API
How Canvas works Salesforce provides context for the Canvas “frame” • User’s authentication is passed through: • Signed Request – no authorization step, some OAuth permissions • OAuth Web Server flow – allows background API use • Plus standard info: org, time zone, etc • Plus your own parameters – embed via Visualforce • Canvas Framework SDK for Java, or roll your own Use Canvas OAuth token for Salesforce access: • JavaScript + Canvas SDK • Browser access to REST, SOAP and Chatter APIs • Or use standard APIs from your web app backend 18
Tips: Working inside an iframe • Frame resizing • Make your app responsive – just like mobile • Horizontal is easy – not Canvas-specific • Vertical is more work – coding + OAuth token • Framebusting and friends • Anti-clickjacking and framebusting in the web app • These will stop app from working in iframe • Just turn off these features if you are entering app via Canvas 19
Tips: Browser quirks • IE fun: • Cookie setting requires a P3P header in HTTP response • Configure web server to deliver this on all pages • Safari fun (iOS and OS X): • Cookie setting requires user interaction with non-framed page. Two clicks per user device, not per session. • Try to set a cookie, and if you can’t… • Show a ‘please register device’ page • User clicks Register • Show ‘almost registered’ page in new browser tab • User clicks Finish Registration • Set cookie • Allowed by Safari due to the button click interaction in this ‘first party’ tab • JavaScript calls into main iframe to finish • Future sessions - cookie-setting in iframe will work 20 $ curl -si https://www.facebook.com/ | grep P3P P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Tips: Limits • Canvas Limits • 2 API calls per Canvas frame load • 5K calls per user per day = 2,500 frame loads • High limits given typical usage 21
Tips: Security • Canvas gives you: • No login/password management in web app • All Canvas users authenticated by Salesforce • Reduced risk: • Less risk from ‘the wild Internet’ • Main threat: privilege escalation • Standard web app security, including: • Encode inputs to prevent XSS • Using CSRF protection in forms • Preventing SQL injection • See Salesforce and OWASP guides 22
Tabs and Sessions for AJAX – The Problem • Only affects AJAX web apps • Not unique to Canvas, but you may run into this • Mostly likely to hit power users or admins who have many browser tabs open • “Two orgs” use case: • User logs into two orgs in different tabs • not using Incognito window in browser • Different URLs for Salesforce in each tab • e.g. sandbox on cs2 and production on na3 • Same Canvas web app behind both • App uses AJAX • Simpler “two tabs” use case: • Two browser tabs open in one org • Also covered by this approach 23
Tabs and Sessions for AJAX – Problem Detail • Multiple browser tabs for same Canvas web app • Single cookie-based session per user • Single domain for the web app server across all tabs • AJAX app in iframe • HTTP requests from two tabs to AJAX API, for same user session • App is getting requests from tab 1 and tab 2, each of which is in different org, so they should use different app data • How do you keep the requests from each tab separate? • Test case: • Login to org 1 in tab 1, then login to org 2 in tab 2 • Return to tab 1 and click an AJAX button • Backend of web app receives AJAX request • Should the app apply this request to org 1 or org 2 data? 24
Tabs and Sessions for AJAX – Solution • Use ‘tab session’ state to distinguish between tabs • Each tab has its own unique state • Tab state stored within the user’s session state in your web app • Tab 1, org 1  sandbox org state within web app • Tab 2, org 2  production org state • Create a unique ID per tab by hashing per-tab info • Append this ID to every URL sent to AJAX API • Result: AJAX backend can tell which tab is calling 25
Tabs and Sessions for AJAX – Solution Detail • User page load – signed request via POST: 1. Pass tab-specific params (page name, object ID, …) to identify the tab 2. Get org ID from Canvas signed request 3. Get random number + timestamp 4. Hash all these items and suffix hash to every URL in iframe • User clicks on button – AJAX request via GET: 1. Extract the hash from incoming URL 2. Use hash to access right ‘tab session’ state from cookie- based session data • If not found in session, app should treat user as logged out • Security: • Don’t trust the VF page to tell you info that is available via Canvas signed request – e.g. org ID 26
Tabs and Sessions for AJAX – Summary • Unique URL per tab … • … enables separate app state per tab • So your AJAX app supports many tabs, in many orgs at once! 27
Summary Canvas has great potential Great option for existing web apps Lets you reach non-Salesforce users Salesforce becomes the “single screen” to access your key applications
Thank You Richard Donkin richard@cloudfindhq.com @rdonkin http://cloudfindhq.com @CloudfindHQ Presentation delivered at the Salesforce Platform Developer User Group Bristol, UK on 6th March 2014
Canvas Resources http://bit.ly/ForceCanvas • Main DeveloperForce page http://www.salesforce.com/us/developer/docs/platform_connect/ • Canvas Developer Guide http://www.are4.us/best-practices/salesforce-canvas/ • Architecture overview 30

Recommended

Intro to Force.com Canvas: Running External Apps within the Salesforce UI Web...
Intro to Force.com Canvas: Running External Apps within the Salesforce UI Web...Intro to Force.com Canvas: Running External Apps within the Salesforce UI Web...
Intro to Force.com Canvas: Running External Apps within the Salesforce UI Web...Salesforce Developers
 
Force.com Canvas - a Quick Introduction
Force.com Canvas - a Quick IntroductionForce.com Canvas - a Quick Introduction
Force.com Canvas - a Quick IntroductionSteven Herod
 
Making External Web Pages Interact With Visualforce
Making External Web Pages Interact With VisualforceMaking External Web Pages Interact With Visualforce
Making External Web Pages Interact With VisualforceSalesforce Developers
 
Introduction to Force.com Canvas Apps
Introduction to Force.com Canvas AppsIntroduction to Force.com Canvas Apps
Introduction to Force.com Canvas AppsSalesforce Developers
 
Visualforce & Force.com Canvas: Unlock your Web App inside of Salesforce.com ...
Visualforce & Force.com Canvas: Unlock your Web App inside of Salesforce.com ...Visualforce & Force.com Canvas: Unlock your Web App inside of Salesforce.com ...
Visualforce & Force.com Canvas: Unlock your Web App inside of Salesforce.com ...Salesforce Developers
 
Integrating Web Apps with Canvas - Salesforce1 World Tour
Integrating Web Apps with Canvas - Salesforce1 World TourIntegrating Web Apps with Canvas - Salesforce1 World Tour
Integrating Web Apps with Canvas - Salesforce1 World TourRichard Donkin
 
Salesforce Developer Garage Seattle: Force.com Canvas
Salesforce Developer Garage Seattle: Force.com CanvasSalesforce Developer Garage Seattle: Force.com Canvas
Salesforce Developer Garage Seattle: Force.com CanvasSalesforce Developers
 
Dive Deep Into the Force.com Canvas Framework
Dive Deep Into the Force.com Canvas FrameworkDive Deep Into the Force.com Canvas Framework
Dive Deep Into the Force.com Canvas FrameworkSalesforce Developers
 

Recommended

Intro to Force.com Canvas: Running External Apps within the Salesforce UI Web...
Intro to Force.com Canvas: Running External Apps within the Salesforce UI Web...Intro to Force.com Canvas: Running External Apps within the Salesforce UI Web...
Intro to Force.com Canvas: Running External Apps within the Salesforce UI Web...Salesforce Developers
 
Force.com Canvas - a Quick Introduction
Force.com Canvas - a Quick IntroductionForce.com Canvas - a Quick Introduction
Force.com Canvas - a Quick IntroductionSteven Herod
 
Making External Web Pages Interact With Visualforce
Making External Web Pages Interact With VisualforceMaking External Web Pages Interact With Visualforce
Making External Web Pages Interact With VisualforceSalesforce Developers
 
Introduction to Force.com Canvas Apps
Introduction to Force.com Canvas AppsIntroduction to Force.com Canvas Apps
Introduction to Force.com Canvas AppsSalesforce Developers
 
Visualforce & Force.com Canvas: Unlock your Web App inside of Salesforce.com ...
Visualforce & Force.com Canvas: Unlock your Web App inside of Salesforce.com ...Visualforce & Force.com Canvas: Unlock your Web App inside of Salesforce.com ...
Visualforce & Force.com Canvas: Unlock your Web App inside of Salesforce.com ...Salesforce Developers
 
Integrating Web Apps with Canvas - Salesforce1 World Tour
Integrating Web Apps with Canvas - Salesforce1 World TourIntegrating Web Apps with Canvas - Salesforce1 World Tour
Integrating Web Apps with Canvas - Salesforce1 World TourRichard Donkin
 
Salesforce Developer Garage Seattle: Force.com Canvas
Salesforce Developer Garage Seattle: Force.com CanvasSalesforce Developer Garage Seattle: Force.com Canvas
Salesforce Developer Garage Seattle: Force.com CanvasSalesforce Developers
 
Dive Deep Into the Force.com Canvas Framework
Dive Deep Into the Force.com Canvas FrameworkDive Deep Into the Force.com Canvas Framework
Dive Deep Into the Force.com Canvas FrameworkSalesforce Developers
 
Build your API with Force.com and Heroku
Build your API with Force.com and HerokuBuild your API with Force.com and Heroku
Build your API with Force.com and HerokuJeff Douglas
 
Force.com Canvas: Salesforce1, SAML, & Apex...Oh My!
Force.com Canvas: Salesforce1, SAML, & Apex...Oh My!Force.com Canvas: Salesforce1, SAML, & Apex...Oh My!
Force.com Canvas: Salesforce1, SAML, & Apex...Oh My!Salesforce Developers
 
Authentication with OAuth and Connected Apps
Authentication with OAuth and Connected AppsAuthentication with OAuth and Connected Apps
Authentication with OAuth and Connected AppsSalesforce Developers
 
Secure Connectivity to your Salesforce Applications
Secure Connectivity to your Salesforce ApplicationsSecure Connectivity to your Salesforce Applications
Secure Connectivity to your Salesforce ApplicationsSalesforce Developers
 
Salesforce1 dev week UYSDUG 2014 - the force canvas spark
Salesforce1 dev week UYSDUG 2014 - the force canvas sparkSalesforce1 dev week UYSDUG 2014 - the force canvas spark
Salesforce1 dev week UYSDUG 2014 - the force canvas sparkAldo Fernandez
 
force.com Canvas Overview: Leveraging Legacy Applications to Become a Custome...
force.com Canvas Overview: Leveraging Legacy Applications to Become a Custome...force.com Canvas Overview: Leveraging Legacy Applications to Become a Custome...
force.com Canvas Overview: Leveraging Legacy Applications to Become a Custome...Salesforce.org
 
Dive Deep into Apex: Advanced Apex!
Dive Deep into Apex: Advanced Apex! Dive Deep into Apex: Advanced Apex!
Dive Deep into Apex: Advanced Apex! Salesforce Developers
 
O auth, sso, saml, canvas app zhugin(final)
O auth, sso, saml, canvas app zhugin(final)O auth, sso, saml, canvas app zhugin(final)
O auth, sso, saml, canvas app zhugin(final)Dmitry Zhugin
 
Trust Me, I'm An Architect
Trust Me, I'm An ArchitectTrust Me, I'm An Architect
Trust Me, I'm An ArchitectKeir Bowden
 
CIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCloudIDSummit
 
Force.com Canvas: 2 Case Studies and a Roadmap
Force.com Canvas: 2 Case Studies and a RoadmapForce.com Canvas: 2 Case Studies and a Roadmap
Force.com Canvas: 2 Case Studies and a RoadmapSalesforce Developers
 
Seamless Authentication with Force.com Canvas
Seamless Authentication with Force.com CanvasSeamless Authentication with Force.com Canvas
Seamless Authentication with Force.com CanvasSalesforce Developers
 
Integrating Active Directory With Salesforce Using Identity Connect
Integrating Active Directory With Salesforce Using Identity ConnectIntegrating Active Directory With Salesforce Using Identity Connect
Integrating Active Directory With Salesforce Using Identity ConnectSalesforce Developers
 
Go Faster with Ansible (PHP meetup)
Go Faster with Ansible (PHP meetup)Go Faster with Ansible (PHP meetup)
Go Faster with Ansible (PHP meetup)Richard Donkin
 
Designing custom REST and SOAP interfaces on Force.com
Designing custom REST and SOAP interfaces on Force.comDesigning custom REST and SOAP interfaces on Force.com
Designing custom REST and SOAP interfaces on Force.comSteven Herod
 
Build Consumer-Facing Apps with Heroku Connect
Build Consumer-Facing Apps with Heroku ConnectBuild Consumer-Facing Apps with Heroku Connect
Build Consumer-Facing Apps with Heroku ConnectJeff Douglas
 
Becoming a Salesforce.com Technical Architect
Becoming a Salesforce.com Technical ArchitectBecoming a Salesforce.com Technical Architect
Becoming a Salesforce.com Technical ArchitectSteven Herod
 
Secure Development on the Salesforce Platform - Part I
Secure Development on the Salesforce Platform - Part ISecure Development on the Salesforce Platform - Part I
Secure Development on the Salesforce Platform - Part ISalesforce Developers
 
"How do I Architect?" - Quick Introduction to Architecture for Salesforce Ad...
"How do I Architect?" - Quick Introduction to Architecture for Salesforce Ad..."How do I Architect?" - Quick Introduction to Architecture for Salesforce Ad...
"How do I Architect?" - Quick Introduction to Architecture for Salesforce Ad...Steven Herod
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 

More Related Content

Viewers also liked

Build your API with Force.com and Heroku
Build your API with Force.com and HerokuBuild your API with Force.com and Heroku
Build your API with Force.com and HerokuJeff Douglas
 
Force.com Canvas: Salesforce1, SAML, & Apex...Oh My!
Force.com Canvas: Salesforce1, SAML, & Apex...Oh My!Force.com Canvas: Salesforce1, SAML, & Apex...Oh My!
Force.com Canvas: Salesforce1, SAML, & Apex...Oh My!Salesforce Developers
 
Authentication with OAuth and Connected Apps
Authentication with OAuth and Connected AppsAuthentication with OAuth and Connected Apps
Authentication with OAuth and Connected AppsSalesforce Developers
 
Secure Connectivity to your Salesforce Applications
Secure Connectivity to your Salesforce ApplicationsSecure Connectivity to your Salesforce Applications
Secure Connectivity to your Salesforce ApplicationsSalesforce Developers
 
Salesforce1 dev week UYSDUG 2014 - the force canvas spark
Salesforce1 dev week UYSDUG 2014 - the force canvas sparkSalesforce1 dev week UYSDUG 2014 - the force canvas spark
Salesforce1 dev week UYSDUG 2014 - the force canvas sparkAldo Fernandez
 
force.com Canvas Overview: Leveraging Legacy Applications to Become a Custome...
force.com Canvas Overview: Leveraging Legacy Applications to Become a Custome...force.com Canvas Overview: Leveraging Legacy Applications to Become a Custome...
force.com Canvas Overview: Leveraging Legacy Applications to Become a Custome...Salesforce.org
 
Dive Deep into Apex: Advanced Apex!
Dive Deep into Apex: Advanced Apex! Dive Deep into Apex: Advanced Apex!
Dive Deep into Apex: Advanced Apex! Salesforce Developers
 
O auth, sso, saml, canvas app zhugin(final)
O auth, sso, saml, canvas app zhugin(final)O auth, sso, saml, canvas app zhugin(final)
O auth, sso, saml, canvas app zhugin(final)Dmitry Zhugin
 
Trust Me, I'm An Architect
Trust Me, I'm An ArchitectTrust Me, I'm An Architect
Trust Me, I'm An ArchitectKeir Bowden
 
CIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCloudIDSummit
 
Force.com Canvas: 2 Case Studies and a Roadmap
Force.com Canvas: 2 Case Studies and a RoadmapForce.com Canvas: 2 Case Studies and a Roadmap
Force.com Canvas: 2 Case Studies and a RoadmapSalesforce Developers
 
Seamless Authentication with Force.com Canvas
Seamless Authentication with Force.com CanvasSeamless Authentication with Force.com Canvas
Seamless Authentication with Force.com CanvasSalesforce Developers
 
Integrating Active Directory With Salesforce Using Identity Connect
Integrating Active Directory With Salesforce Using Identity ConnectIntegrating Active Directory With Salesforce Using Identity Connect
Integrating Active Directory With Salesforce Using Identity ConnectSalesforce Developers
 
Go Faster with Ansible (PHP meetup)
Go Faster with Ansible (PHP meetup)Go Faster with Ansible (PHP meetup)
Go Faster with Ansible (PHP meetup)Richard Donkin
 
Designing custom REST and SOAP interfaces on Force.com
Designing custom REST and SOAP interfaces on Force.comDesigning custom REST and SOAP interfaces on Force.com
Designing custom REST and SOAP interfaces on Force.comSteven Herod
 
Build Consumer-Facing Apps with Heroku Connect
Build Consumer-Facing Apps with Heroku ConnectBuild Consumer-Facing Apps with Heroku Connect
Build Consumer-Facing Apps with Heroku ConnectJeff Douglas
 
Becoming a Salesforce.com Technical Architect
Becoming a Salesforce.com Technical ArchitectBecoming a Salesforce.com Technical Architect
Becoming a Salesforce.com Technical ArchitectSteven Herod
 
Secure Development on the Salesforce Platform - Part I
Secure Development on the Salesforce Platform - Part ISecure Development on the Salesforce Platform - Part I
Secure Development on the Salesforce Platform - Part ISalesforce Developers
 
"How do I Architect?" - Quick Introduction to Architecture for Salesforce Ad...
"How do I Architect?" - Quick Introduction to Architecture for Salesforce Ad..."How do I Architect?" - Quick Introduction to Architecture for Salesforce Ad...
"How do I Architect?" - Quick Introduction to Architecture for Salesforce Ad...Steven Herod
 

Viewers also liked (19)

Build your API with Force.com and Heroku
Build your API with Force.com and HerokuBuild your API with Force.com and Heroku
Build your API with Force.com and Heroku
 
Force.com Canvas: Salesforce1, SAML, & Apex...Oh My!
Force.com Canvas: Salesforce1, SAML, & Apex...Oh My!Force.com Canvas: Salesforce1, SAML, & Apex...Oh My!
Force.com Canvas: Salesforce1, SAML, & Apex...Oh My!
 
Authentication with OAuth and Connected Apps
Authentication with OAuth and Connected AppsAuthentication with OAuth and Connected Apps
Authentication with OAuth and Connected Apps
 
Secure Connectivity to your Salesforce Applications
Secure Connectivity to your Salesforce ApplicationsSecure Connectivity to your Salesforce Applications
Secure Connectivity to your Salesforce Applications
 
Salesforce1 dev week UYSDUG 2014 - the force canvas spark
Salesforce1 dev week UYSDUG 2014 - the force canvas sparkSalesforce1 dev week UYSDUG 2014 - the force canvas spark
Salesforce1 dev week UYSDUG 2014 - the force canvas spark
 
force.com Canvas Overview: Leveraging Legacy Applications to Become a Custome...
force.com Canvas Overview: Leveraging Legacy Applications to Become a Custome...force.com Canvas Overview: Leveraging Legacy Applications to Become a Custome...
force.com Canvas Overview: Leveraging Legacy Applications to Become a Custome...
 
Dive Deep into Apex: Advanced Apex!
Dive Deep into Apex: Advanced Apex! Dive Deep into Apex: Advanced Apex!
Dive Deep into Apex: Advanced Apex!
 
O auth, sso, saml, canvas app zhugin(final)
O auth, sso, saml, canvas app zhugin(final)O auth, sso, saml, canvas app zhugin(final)
O auth, sso, saml, canvas app zhugin(final)
 
Trust Me, I'm An Architect
Trust Me, I'm An ArchitectTrust Me, I'm An Architect
Trust Me, I'm An Architect
 
CIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in Action
 
Force.com Canvas: 2 Case Studies and a Roadmap
Force.com Canvas: 2 Case Studies and a RoadmapForce.com Canvas: 2 Case Studies and a Roadmap
Force.com Canvas: 2 Case Studies and a Roadmap
 
Seamless Authentication with Force.com Canvas
Seamless Authentication with Force.com CanvasSeamless Authentication with Force.com Canvas
Seamless Authentication with Force.com Canvas
 
Integrating Active Directory With Salesforce Using Identity Connect
Integrating Active Directory With Salesforce Using Identity ConnectIntegrating Active Directory With Salesforce Using Identity Connect
Integrating Active Directory With Salesforce Using Identity Connect
 
Go Faster with Ansible (PHP meetup)
Go Faster with Ansible (PHP meetup)Go Faster with Ansible (PHP meetup)
Go Faster with Ansible (PHP meetup)
 
Designing custom REST and SOAP interfaces on Force.com
Designing custom REST and SOAP interfaces on Force.comDesigning custom REST and SOAP interfaces on Force.com
Designing custom REST and SOAP interfaces on Force.com
 
Build Consumer-Facing Apps with Heroku Connect
Build Consumer-Facing Apps with Heroku ConnectBuild Consumer-Facing Apps with Heroku Connect
Build Consumer-Facing Apps with Heroku Connect
 
Becoming a Salesforce.com Technical Architect
Becoming a Salesforce.com Technical ArchitectBecoming a Salesforce.com Technical Architect
Becoming a Salesforce.com Technical Architect
 
Secure Development on the Salesforce Platform - Part I
Secure Development on the Salesforce Platform - Part ISecure Development on the Salesforce Platform - Part I
Secure Development on the Salesforce Platform - Part I
 
"How do I Architect?" - Quick Introduction to Architecture for Salesforce Ad...
"How do I Architect?" - Quick Introduction to Architecture for Salesforce Ad..."How do I Architect?" - Quick Introduction to Architecture for Salesforce Ad...
"How do I Architect?" - Quick Introduction to Architecture for Salesforce Ad...
 

Recently uploaded

AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

Integrating Web Apps with Force.com Canvas

  • 1. © Cloudfind Ltd 2011-2014 Integrating Web Apps with Force.com Canvas Richard Donkin richard@cloudfindhq.com @rdonkin Cloudfind Ltd http://cloudfindhq.com
  • 2. About Cloudfind Smart tagging makes it simple to find and manage files in the cloud Brings collateral into Salesforce so that teams close deals faster
  • 3. Agenda • Integration challenges • Canvas overview • Tips for development 3
  • 6. Ideal World “All our apps are on Salesforce!”
  • 7. Real World ERP Financials Supply Chain … Field Service Project Management Industry-Specific … HR Cloud Storage CRM & Service Marketing Third Party Apps
  • 8. Real World ERP Financials Supply Chain … Field Service Project Management Industry-Specific … HR Cloud Storage CRM & Service Marketing Third Party Apps Canvas integration via Cloudfind app: Show auto tagged files from cloud storage in Salesforce No need to hunt through folders in cloud storage
  • 9. Real World ERP Financials Supply Chain … Field Service Project Management Industry-Specific … HR Cloud Storage CRM & Service Marketing Third Party Apps Force.com Canvas “frame”
  • 10. Real World ERP Financials Supply Chain … Field Service Project Management Industry-Specific … HR Cloud Storage CRM & Service Marketing Third Party Apps Force.com Canvas “frame” Any Salesforce Page Any Web Application
  • 11. Canvas as a UI integrator ERP Financials Supply Chain … Field Service Project Management Industry-Specific … HR Cloud Storage Any Web Application (full page or part) Any Salesforce Page Force.com Canvas Canvas Any Web Application Salesforce1 CRM & Service Marketing Third Party Apps
  • 12. Why not use a Force.com UI for web apps? Assume you have a web app outside Salesforce Using Force.com, build a new UI for the app: • Existing skills for Salesforce developers • Easy data integration via Apex • Classic model used by ISVs But… • Must replicate UI and integrate with app • Two UIs: one for Salesforce, one for non-Salesforce • Existing app must have an API • Or source code to add an API 12
  • 13. Why use Canvas to embed UI for web app? With Canvas: • Just embed the UI – no re-building, easy integration • Same app can work outside Salesforce • Use any programming language • Deployment options: • PaaS (Heroku) – easy setup • IaaS (Amazon AWS), or on-premise – full control • Multi-core, SSDs, memory caches, NoSQL, … • Deployment model is “pay for capacity”: • Good for intensive processing, e.g. file tagging • Force.com limits mostly not affected by Canvas apps • Can use Force.com CPU and API calls for data integration not UI logic 13
  • 14. Where can you embed a web app? Many of the places Visualforce works, including: • Custom tab • Object detail page • Chatter page • Chatter feed (GA in Spring ‘14) • Chatter publisher (GA in Spring ‘14) And it all works in … • iOS/Android app, plus mobile web app in browser • Swipe to see related objects including Canvas app • Canvas apps can be on Salesforce1 menu 14
  • 15. How to embed with Canvas Realistic Visualforce example: <apex:page> <apex:canvasApp namespacePrefix="myapp" applicationName=“myapp” height="600px" width="100%" parameters=”{{id:'{!Account.Id}', name: '{!JSENCODE(Account.Name)}'}” /> <apex:page> • Always set width to 100% to allow horizontal resizing • And use 100% when including in page layout • Take care of parameter encoding to prevent XSS vulnerablities • JSON is easily processed in most languages • Same source code for Salesforce1 mobile use
  • 16. Canvas-enabling a web app (1) If you have source code access for the app: • Make the app work in iframe, and with Canvas • Quite easy – mostly standard web app techniques Can open new tab if required – e.g. Google OAuth2 Salesforce UI Canvas iframe Canvas Web App Canvas Signed Request, and AJAX User authorizes Cloudfind app Cloudfind confirmation page Outside Canvas
  • 17. Canvas-enabling a web app (2) If you don’t have source code for enterprise app: • Write a small custom app on top of the main app • Call into main app’s API as required • Best for a few functions only • Or… generic proxy for the main app Salesforce UI Canvas iframe Custom Canvas App Canvas Signed Request, and AJAX Enterprise app App API
  • 18. How Canvas works Salesforce provides context for the Canvas “frame” • User’s authentication is passed through: • Signed Request – no authorization step, some OAuth permissions • OAuth Web Server flow – allows background API use • Plus standard info: org, time zone, etc • Plus your own parameters – embed via Visualforce • Canvas Framework SDK for Java, or roll your own Use Canvas OAuth token for Salesforce access: • JavaScript + Canvas SDK • Browser access to REST, SOAP and Chatter APIs • Or use standard APIs from your web app backend 18
  • 19. Tips: Working inside an iframe • Frame resizing • Make your app responsive – just like mobile • Horizontal is easy – not Canvas-specific • Vertical is more work – coding + OAuth token • Framebusting and friends • Anti-clickjacking and framebusting in the web app • These will stop app from working in iframe • Just turn off these features if you are entering app via Canvas 19
  • 20. Tips: Browser quirks • IE fun: • Cookie setting requires a P3P header in HTTP response • Configure web server to deliver this on all pages • Safari fun (iOS and OS X): • Cookie setting requires user interaction with non-framed page. Two clicks per user device, not per session. • Try to set a cookie, and if you can’t… • Show a ‘please register device’ page • User clicks Register • Show ‘almost registered’ page in new browser tab • User clicks Finish Registration • Set cookie • Allowed by Safari due to the button click interaction in this ‘first party’ tab • JavaScript calls into main iframe to finish • Future sessions - cookie-setting in iframe will work 20 $ curl -si https://www.facebook.com/ | grep P3P P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
  • 21. Tips: Limits • Canvas Limits • 2 API calls per Canvas frame load • 5K calls per user per day = 2,500 frame loads • High limits given typical usage 21
  • 22. Tips: Security • Canvas gives you: • No login/password management in web app • All Canvas users authenticated by Salesforce • Reduced risk: • Less risk from ‘the wild Internet’ • Main threat: privilege escalation • Standard web app security, including: • Encode inputs to prevent XSS • Using CSRF protection in forms • Preventing SQL injection • See Salesforce and OWASP guides 22
  • 23. Tabs and Sessions for AJAX – The Problem • Only affects AJAX web apps • Not unique to Canvas, but you may run into this • Mostly likely to hit power users or admins who have many browser tabs open • “Two orgs” use case: • User logs into two orgs in different tabs • not using Incognito window in browser • Different URLs for Salesforce in each tab • e.g. sandbox on cs2 and production on na3 • Same Canvas web app behind both • App uses AJAX • Simpler “two tabs” use case: • Two browser tabs open in one org • Also covered by this approach 23
  • 24. Tabs and Sessions for AJAX – Problem Detail • Multiple browser tabs for same Canvas web app • Single cookie-based session per user • Single domain for the web app server across all tabs • AJAX app in iframe • HTTP requests from two tabs to AJAX API, for same user session • App is getting requests from tab 1 and tab 2, each of which is in different org, so they should use different app data • How do you keep the requests from each tab separate? • Test case: • Login to org 1 in tab 1, then login to org 2 in tab 2 • Return to tab 1 and click an AJAX button • Backend of web app receives AJAX request • Should the app apply this request to org 1 or org 2 data? 24
  • 25. Tabs and Sessions for AJAX – Solution • Use ‘tab session’ state to distinguish between tabs • Each tab has its own unique state • Tab state stored within the user’s session state in your web app • Tab 1, org 1  sandbox org state within web app • Tab 2, org 2  production org state • Create a unique ID per tab by hashing per-tab info • Append this ID to every URL sent to AJAX API • Result: AJAX backend can tell which tab is calling 25
  • 26. Tabs and Sessions for AJAX – Solution Detail • User page load – signed request via POST: 1. Pass tab-specific params (page name, object ID, …) to identify the tab 2. Get org ID from Canvas signed request 3. Get random number + timestamp 4. Hash all these items and suffix hash to every URL in iframe • User clicks on button – AJAX request via GET: 1. Extract the hash from incoming URL 2. Use hash to access right ‘tab session’ state from cookie- based session data • If not found in session, app should treat user as logged out • Security: • Don’t trust the VF page to tell you info that is available via Canvas signed request – e.g. org ID 26
  • 27. Tabs and Sessions for AJAX – Summary • Unique URL per tab … • … enables separate app state per tab • So your AJAX app supports many tabs, in many orgs at once! 27
  • 28. Summary Canvas has great potential Great option for existing web apps Lets you reach non-Salesforce users Salesforce becomes the “single screen” to access your key applications
  • 29. Thank You Richard Donkin richard@cloudfindhq.com @rdonkin http://cloudfindhq.com @CloudfindHQ Presentation delivered at the Salesforce Platform Developer User Group Bristol, UK on 6th March 2014
  • 30. Canvas Resources http://bit.ly/ForceCanvas • Main DeveloperForce page http://www.salesforce.com/us/developer/docs/platform_connect/ • Canvas Developer Guide http://www.are4.us/best-practices/salesforce-canvas/ • Architecture overview 30

Editor's Notes

  1. Reality is that almost all companies will have quite a few apps that are not on the Salesforce platform, including intranet apps, intranet websites, and cloud apps. Even companies pushing the use of Salesforce as preferred platform are likely to have some off-platform apps.
  2. Reference:P3P policies in Internet Explorer: http://stackoverflow.com/a/16737097/992887Safari third-party cookies in iframes – there are many hacks to try to bypass Apple’s policies. I don’t recommend these as they are fragile – with any Safari update, Apple can break these hacks as they regard them as bypassing their cookie policies, and in fact many such hacks have been broken – see http://stackoverflow.com/questions/9930671/safari-3rd-party-cookie-iframe-trick-no-longer-working. The recommended approach here requires only two extra clicsk per device when first using the device, and then there are no clicks for later login sessions on the same device – and most importantly, it won’t break in the future as doesn’t try to bypass Apple’s policies.