15.5 Troubleshooting Salesforce Issues

Use the information in the following sections to help you troubleshoot issues with the connector for Salesforce:

15.5.1 Salesforce Login Issues

Configuration of the connector for Salesforce may fail, even with valid credentials. One possible reason is that the Salesforce password has expired. Log in to the Salesforce site and reset your password. You receive a new password and a new security token. Use these credentials when creating the connector for Salesforce.

Even if your credentials are correct, you may occasionally be unable to log in to Salesforce, and the connector for Salesforce in CloudAccess may show an intermittent red status. Salesforce has API metering that limits the number of calls during a 24-hour period. For more information, see the following Salesforce resources:

If CloudAccess is configured with multiple nodes and the L4 switch uses load-balancing for transactions, the L4 switch must be configured to send all transactions for a user’s session to the same real server. A user might be unable to access Salesforce if the single sign-on request for the Salesforce appmark is sent to a different real server than the user’s login request to CloudAccess. For example, the same server might not be used if the L4 switch is set to use sticky-bit persistence and the user is logging in from a cookieless browser or mobile app. It can also happen if stickiness is not enabled on the L4 switch, or if the L4 switch does not support stickiness.

If single sign-on is not working for the Salesforce appmark, you can use either of the following methods to ensure that requests for a user’s session are sent to the same real server:

  • Set the L4 switch to use IP-based persistence, which uses the user device’s IP address to maintain an affinity between the user session and the same real server in the cluster. IP-based persistence can fail if a device’s IP address changes between requests, such as if a user’s mobile device changes networks when the user moves from one area to another.

  • Use an identity-provider proxy approach that does not depend on the L4 switch configuration. This method can become chatty.
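To confirm that lost session affinity is the cause before changing the L4 switch, you can compare which node served each user's login with which node served the later Salesforce single sign-on request. The following script is an added example, not part of the CloudAccess product or its documentation; the merged log format, field names, and node names are hypothetical, and the sample lines are constructed.

```python
from dataclasses import dataclass

# Constructed sample: one line per request, merged from all nodes in time order.
# The "timestamp key=value ..." layout is a hypothetical format for this example.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z user=alice src=10.0.0.5 node=ca-node1 event=login
2024-05-01T10:00:04Z user=alice src=10.0.0.5 node=ca-node1 event=sso app=salesforce
2024-05-01T10:01:00Z user=bob src=10.0.0.9 node=ca-node1 event=login
2024-05-01T10:01:07Z user=bob src=10.0.0.9 node=ca-node2 event=sso app=salesforce
2024-05-01T10:02:00Z user=carol src=10.0.0.7 node=ca-node2 event=login
2024-05-01T10:09:30Z user=carol src=172.16.4.20 node=ca-node1 event=sso app=salesforce
"""

@dataclass
class AffinityBreak:
    user: str
    login_node: str
    sso_node: str
    ip_changed: bool  # True: source IP differs, so IP-based persistence would not help

def parse_line(line):
    """Turn 'timestamp key=value ...' into a dict; return None if fields are missing."""
    parts = line.split()
    rec = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not all(k in rec for k in ("user", "src", "node", "event")):
        return None
    return rec

def find_affinity_breaks(log_text):
    """Report SSO requests served by a different node than the user's last login."""
    last_login = {}  # user -> (node, source IP) of the most recent login
    breaks = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "login":
            last_login[rec["user"]] = (rec["node"], rec["src"])
        elif rec["event"] == "sso" and rec["user"] in last_login:
            node, src = last_login[rec["user"]]
            if rec["node"] != node:
                breaks.append(AffinityBreak(rec["user"], node, rec["node"], rec["src"] != src))
    return breaks

if __name__ == "__main__":
    for b in find_affinity_breaks(SAMPLE_LOG):
        cause = "source IP changed" if b.ip_changed else "same source IP, check switch persistence"
        print(f"{b.user}: login on {b.login_node}, SSO on {b.sso_node} ({cause})")
```

A break with an unchanged source IP points at the switch's persistence settings; a break with a changed source IP is the case where IP-based persistence fails.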

15.5.2 Behavior of Service Provider-Initiated Login To Salesforce When Kerberos Is Enabled

Issue: If you have Kerberos enabled on your CloudAccess cluster, service provider-initiated login attempts to Salesforce might result in the browser staying at the landing page after authenticating to CloudAccess instead of redirecting to Salesforce. This issue occurs only if Kerberos is enabled on the CloudAccess cluster. It occurs regardless of whether users log in with Kerberos single sign-on or with another authentication (for example, when the workstation is not a member of the Active Directory domain). (Bug 817909)

This issue occurs on workstations running Windows 7 and Internet Explorer 9, but does not occur with Firefox on Windows 7.

Workaround: You can prevent or address this issue by changing an option on the Single Sign-On Settings page at Salesforce. This page includes a radio button named Service Provider Initiated Request Binding with two options: HTTP POST (selected by default) and HTTP Redirect. If you have Kerberos enabled on your CloudAccess cluster, select HTTP Redirect instead of the default HTTP POST option. If you do not have Kerberos enabled on the CloudAccess cluster, you do not need to change this option.