Salesforce user security. Its great. As well as being one of the things customers value highly, its a massive advantage for application developers to be building upon a trusted platform with robust and well considered security features.
Restricting logins to specific IP addresses or ranges of addresses is a valuable user security feature, although it can be slightly confusing.
Salesforce help explains:
… Salesforce then checks whether the user’s profile has IP address restrictions. If IP address restrictions are defined for the user’s profile, any login from an undesignated IP address is denied, and any login from a specified IP address is allowed.
If profile-based IP address restrictions are not set, Salesforce checks whether the user is logging in from an IP address they have not used to access Salesforce before:
- If the user’s login is from a browser that includes a Salesforce cookie, the login is allowed. The browser will have the Salesforce cookie if the user has previously used that browser to log in to Salesforce, and has not cleared the browser cookies.
- If the user’s login is from an IP address in your organization’s trusted IP address list, the login is allowed.
- If the user’s login is from neither a trusted IP address nor a browser with a Salesforce cookie, the login is blocked.
Whenever a login is blocked or returns an API login fault, Salesforce must verify the user’s identity:
For access via the user interface, the user is prompted to enter a token (also called a verification code) to confirm the user’s identity.
I have diagrammed the flow to (hopefully) make this a little easier to follow, focussing on a user logging in via a web browser (rather than API access):
A few points that I think are worth mentioning:
There are two places where an admin can specify IP addresses, or ranges of addresses for the login process. Whilst these look very similar, they purposes are distinct.
User Profile – Login IP Ranges
We can set up IP ranges (or individual addresses) on each user profile. When no IP address ranges are specified, the user’s profile does not restrict IP addresses in any way. However as soon as we specify any IP addresses as login IP ranges, then all other IP addresses become invalid for users with the profile and will result in access being denied.
Network Access – Trusted IP Ranges
In Security Settings, we can also set up trusted IP addresses for the entire org.
When a user logs in from an IP address they haven’t used to login to Salesforce, they will need to go through a verification process. This is where they are challenged and need to ask for a token to be sent to them, which they can use to gain access.
Trusted IP Ranges simply allow users to bypass the verification process when logging in from a trusted IP address.
Each trusted IP range is limited however, so 0.0.0.0 – 188.8.131.52 is acceptable, but 0.0.0.0 - 184.108.40.206 is not. Larger groups of trusted IP addresses would need to be specified my adding several ranges.
“Login IP Range” beats “Trusted IP Range”
From my flow diagram we can see that any profile login IP ranges are enforced before trusted IPs are considered. This means that “trusting” your IP address has no effect if your profile blocks it (by specifying some ranges, but not one that includes your address).
Engage Demo Mode
IP address restrictions and the verification process are generally a good thing. However, there may be times where the feature is unnecessary and perhaps frustrating – where you are giving demonstrations form a developer edition org of work in progress, or of new Salesforce features, for example.
In order to disable the verification process, we cannot add all IP addresses to a single Trusted IP Range, as the size of the range is limited. We could add many ranges, e.g. 0.0.0.0 – 0.255.255.255, 220.127.116.11 – 18.104.22.168, 22.214.171.124 – 126.96.36.199, etc.
However, there is no limit in size for to a Login IP Range, so you could specify all IP addresses: 0.0.0.0 – 255.255.255.255. In a demo org you may have have one, or at worst a handful of profiles that you will be using, so it would be easy to add an all-IP-addresses Login IP Range to each profile.
This will prevent login challenges and verification in the middle of a demo, but is not good practice in production.