cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
scriptkat
Frequent Visitor

IP Issue with Custom Connector for Salesforce

Due to my company using SSO (Single Sign On) for Salesforce, i've had to create a Custom Connector to connect to our Salesforce org as the out of the box Salesforce Connector cannot perform SSO. When I test the connection, the initial connection succeeds, but any GET requests (Operations) I make with it to obtain data fail. I've isolated the issue to the following Salesforce Session Security Setting:

 
 

scriptkat_2-1626958225916.png

 

 

If I temporarily disable this setting, all of the GET requests succeed. If I turn it back on, they fail. I switched it on and off a few times to confirm (it is currently back to on). I believe the fundamental issue is that the Microsoft Cloud Infrastructure isn't necessarily using the same machine/IP to login that it does to perform the actual GET requests. This setting in Salesforce helps with mitigating session hijacking attempts. Here is a specific high-level summary that Salesforce provides for it:

session2.png

 

My problem is that my company is not able to disable this security setting, due to the high number of attacks that have targeted us previously. 

 

Has anyone encountered this issue before with other Connectors, and if so, how did you mitigate it? I'm curious to test if the OOTB Salesforce Connector also has this issue, but of course can't test it myself as our org only does SSO. Any and all help appreciated; thanks!

1 ACCEPTED SOLUTION

Accepted Solutions

@scriptkat I, too, work in Gov Cloud (High, in fact). I have looked into this same topic (although from a different perspective; we were dealing with the same kind of long list of outbound IPs from Function apps) and MSFT was unable to guarantee an outbound IP address, since the multiple addresses are part of their resiliency and fault tolerance model. The answer for us was washing traffic through a VNET. We just stuck the Function in a VNET with a NAT Gateway and were able to set its IP to a reserved internal address the client provided us. That quickly solved our whitelisting problems, and for a bare minimum of additional Azure spend.

View solution in original post

9 REPLIES 9
Syndicate_Admin
Administrator
Administrator

Hi,

If IP Whitelist option is available that would be the simplest route to take. Here is a similar thread on this topic. Here is a documentation that lists the public apis: https://docs.microsoft.com/en-us/powerapps/maker/canvas-apps/limits-and-config#ip-addresses

Depending on your need some other options are available as well.

 

Please take a look at these options and let me know if you have more questions.

 

If this reply answers your question or solves your issue, please ACCEPT AS SOLUTION ☑️. If you find this reply helpful, please consider giving it a LIKE 👍.

You can also route all your traffic through a VNET to scrub the IP to whatever you want. I have used that in the past where clients wish to only whitelist a small set of IPs for connecting to {insert system name here} and do not want to allow a large range of IPs. 

Hello Syndicate Admin,

 

Thank you for the quick reply. I did try to whitelist these IP ranges, but it did not resolve my issue. I think the fundamental issue here is that the Custom Connector is establishing a connection from one IP address, but then performing Operations (GET Requests) from a different IP address while trying to use the same Session ID. The Salesforce Security Control is blocking this because it looks like session hijacking. My customer is not able to disable this setting due to the high number of attacks that our organization receives. I'm wondering if there's a way to specify to PowerApps to direct all traffic through a single IP?

CChannon,

 

Thank you for the helpful response. If I am unable to resolve this issue through the platform directly, this approach would be a viable alternative. My customer is asking me to attempt to resolve it with Microsoft directly, but if I end up not being able to do that I will definitely accept this as the solution.

Syndicate_Admin
Administrator
Administrator

Hi,

Can you please list the ip address that the connection came from and the the ones which was used for calls? Here is the list of connector ip addresses: https://docs.microsoft.com/en-us/power-automate/ip-address-configuration

Do any of these match the get call?

Syndicate_Admin
Administrator
Administrator

Which region are you located at? Can you please give me the client request id or run id?

Syndicate_Admin,

 

Thank you for the response; apology my reply was delayed, I need to tune up how my mail routing works.

 

I am in the government cloud. The initial connection request comes from: 13.72.50.37. The GET requests are not being logged as Salesforce is blocking them outright, so I am not sure what the specific IP for them is.

 

In terms of getting the client request id or run id; can you please walk through how I would be able to obtain those? I am looking through the logs from the PowerApps side, but do not see any metadata to suggest a client request id or run id.

 

Thank you again for your quick response.

@scriptkat I, too, work in Gov Cloud (High, in fact). I have looked into this same topic (although from a different perspective; we were dealing with the same kind of long list of outbound IPs from Function apps) and MSFT was unable to guarantee an outbound IP address, since the multiple addresses are part of their resiliency and fault tolerance model. The answer for us was washing traffic through a VNET. We just stuck the Function in a VNET with a NAT Gateway and were able to set its IP to a reserved internal address the client provided us. That quickly solved our whitelisting problems, and for a bare minimum of additional Azure spend.

View solution in original post

Thanks @cchannon, I was worried that this may just be a consequence of fault tolerance/redundancy model, Your solution is a sensible workaround, so I will mark it as the accepted solution.

Helpful resources

Announcements
PA_User Group Leader_768x460.jpg

Manage your user group events

Check out the News & Announcements to learn more.

Power Query PA Forum 768x460.png

Check it out!

Did you know that you can visit the Power Query Forum in Power BI and now Power Apps

Carousel 2021 Release Wave 2 Plan 768x460.jpg

2021 Release Wave 2 Plan

Power Platform release plan for the 2021 release wave 2 describes all new features releasing from October 2021 through March 2022.

R2 (Green) 768 x 460px.png

Microsoft Dynamics 365 & Power Platform User Professionals

DynamicsCon is a FREE, 4 half-day virtual learning experience for 11,000+ Microsoft Business Application users and professionals.

Top Solution Authors
Users online (2,708)