Fortune 500 Financial Services Provider - Salesforce Integration

Creating integration and single sign-on for Salesforce.com

Integration and Federation to Salesforce.com

This US-based Fortune 500 Financial Services provider offers their customers and members annuities, banking, insurance, mutual funds, IRAs as well as other investments and financial planning services.

By the Numbers

  • >2.5 million customers
  • >$65B US in managed assets
  • >$150B in life insurance
  • >2,500 financial representatives
  • >3,000 corporate employees

With more than 2.5 million customers and 2,500 financial representatives, one of the key systems that has enabled them to grow their asset base is their Customer Relationship Management (CRM) application. The system was initially homegrown, but they quickly realized that while managing customers was core to their business, creating, updating and managing CRM software was not. As an alternative, they turned to Salesforce.com, which provided the right mix of functionality, cost and accessibility they required for their distributed organization.


The Business Challenge

Financial Services industry regulations are strict with regard to exposing customer data publicly. But Salesforce.com essentially builds and offers its CRM system on a shared infrastructure, meaning that multiple customers’ data and application resources are hosted on the same computing resources. Moreover, anyone with a credit card can sign up for the service and be granted access to those same resources almost immediately. While Salesforce.com does provide assurances around data privacy and security, our Financial Services provider was unwilling to let sensitive financial information leave their enterprise, raising issues around integration.

One of the key areas of contention with CRM centers on adoption. CRM rarely fails to be successfully implemented, but it can fail if salespeople continue to manage accounts in their old, familiar ways rather than taking advantage of the new system. For this reason, our Financial Services provider wanted to retain the core of their homegrown CRM system. Salespeople were already comfortable with scheduling meetings, entering their contact information and generally organizing their day around their desktop CRM calendar. Forcing them to move wholesale to Salesforce.com would likely prove counterproductive. Again, issues arise around integration.

Finally, in order to better ensure sensitive information remains confidential, the security group at the Financial Services provider has adopted a strict policy of not allowing passwords to leave the organization. This meant that user and machine ids/passwords could not be populated in an external directory, but rather that Salesforce.com would have to call back into the enterprise’s existing identity and access management infrastructure in order to perform authentication and authorization.


Enter Layer 7

The Financial Services provider had adopted Service Oriented Architecture (SOA) at an early date. Consequently, when they went looking for a solution to their problems, they began their search with the traditional SOA vendors. Layer 7 was the only vendor that could help them address all of their business and technical requirements in a cost-effective manner. The Layer 7 CloudSpan CloudConnect Gateway provided them with a way to safely consume Software as a Service (SaaS) applications like Salesforce.com, delivering not only the end-to-end security they required for their integration solution, but also the monitoring, logging and auditing capabilities they would need to ensure – and prove – compliance with industry regulations.

In addition, the ability to mediate between Salesforce.com and their existing enterprise Identity and Access Management (IAM) infrastructure was key to solving the password security issue.


The Solution

When an employee or application attempts to log onto Salesforce.com, a delegated authentication request is sent from SFDC to the CloudSpan Gateway (CSG) deployed on premise:

  1. The CSG extracts the “user id” from the Salesforce.com request
  2. The CSG accesses the enterprise’s directory to get the password associated with the “user id”
  3. The CSG updates the message to contain both “user id” and password elements
  4. The CSG calls out to the enterprise’s IAM system to authenticate/authorize the user
  5. The CSG sends a “true” or “false” response (based on whether IAM system permitted/denied access) to Salesforce.com completing the login

In this way, the Financial Services Provider was able to bi-directionally synchronize each user's desktop CRM calendar, as well as their mainframe-based customer data with Salesforce.com, while ensuring no passwords left the enterprise.
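
The five gateway steps above, sketched as an added Python example (not Layer 7 or Salesforce.com code): the request format, the DIRECTORY and IAM_ACCOUNTS tables and all function names are constructed stand-ins. It shows the gateway failing closed and replying with only "true" or "false", so the password never appears in what is sent back.

```python
import hmac
import xml.etree.ElementTree as ET

# Constructed stand-ins for the enterprise directory and the IAM system.
DIRECTORY = {"jdoe": "constructed-pw-1", "asmith": "constructed-pw-2"}
IAM_ACCOUNTS = {
    "jdoe": {"password": "constructed-pw-1", "crm_allowed": True},
    "asmith": {"password": "constructed-pw-2", "crm_allowed": False},
}

def iam_authorize(message):
    """Hypothetical IAM call: authenticate, then check CRM entitlement."""
    account = IAM_ACCOUNTS.get(message.findtext("userId", ""))
    if account is None:
        return False
    supplied = message.findtext("password", "").encode()
    return (hmac.compare_digest(supplied, account["password"].encode())
            and account["crm_allowed"])

def handle_delegated_auth(request_xml):
    """Run steps 1-5; the return value is the whole reply: 'true' or 'false'."""
    try:
        if "<!DOCTYPE" in request_xml.upper():
            return "false"  # no DTDs or entities in an auth request
        message = ET.fromstring(request_xml)
        user = (message.findtext("userId") or "").strip()   # step 1
        password = DIRECTORY.get(user)                       # step 2
        if not user or password is None:
            return "false"  # unknown user: deny
        # Step 3: drop any caller-supplied password element first, so only
        # the directory value is forwarded to IAM.
        for stale in message.findall("password"):
            message.remove(stale)
        ET.SubElement(message, "password").text = password
        allowed = iam_authorize(message)                     # step 4
    except Exception:
        return "false"  # malformed input or backend error: fail closed
    return "true" if allowed else "false"                    # step 5

def demo():
    req = "<authRequest><userId>{}</userId></authRequest>"  # constructed format
    return [handle_delegated_auth(req.format(u)) for u in ("jdoe", "asmith", "ghost")]

if __name__ == "__main__":
    print(demo())
```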

Layer 7 Salesforce Integration Solution


The Results

By ensuring that key functionality and customer data could be retained and made accessible from the new CRM system, the Financial Services provider’s account managers were able to transition smoothly to Salesforce.com while keeping their backend system of record up to date. By extending their existing IAM system to provide both Web and Web services single sign-on to Salesforce.com, users now need to manage only a single login/password for all systems, improving adoption rates. Finally, administrators now have a single place to revoke all user ids/passwords, lowering maintenance and administration costs.