Salesforce Lightning Sync Security Guide
Lightning Sync Design and Security
Salesforce Spring
salesforcedocs
Last updated: November
Copyright Salesforce, Inc. All rights reserved. Salesforce is a registered trademark of Salesforce, Inc., as are other names and marks. Other marks appearing herein may be trademarks of their respective owners.
CONTENTS
LIGHTNING SYNC OVERVIEW
LIGHTNING SYNC DESIGN AND DATA FLOW
LIGHTNING SYNC CONNECTION SECURITY
SECURITY MEASURES SPECIFIC TO YOUR CONNECTION METHOD
    Service Account Connection for Microsoft Users
    OAuth Connection for Microsoft Users
    Connection for Google G Suite Users
LIGHTNING SYNC TRANSACTIONS
LIGHTNING SYNC OVERVIEW
Learn about how Lightning Sync is designed to sync contacts and events between your users' Microsoft Exchange or Google G Suite account and Salesforce. Plus, learn how our design prioritizes the security of your data when it's transferred between systems.
EDITIONS
Available to sync records from Salesforce Classic, Lightning Experience, and the Salesforce mobile app.
Available to set up from Salesforce Classic and Lightning Experience.
Available in Professional, Enterprise, Performance, Unlimited, and Developer Editions with Sales Cloud, Service Cloud, and Lightning Platform.

Your users are more productive when their contacts and events sync between your company's email service and Salesforce. Syncing avoids duplicating work between the two systems. Plus, contacts and events sync whether users are working from their desks or from the Salesforce app.
Salesforce admins define the sync experience by selecting users' sync settings in Salesforce. Admins can choose:
- Which users sync
- To sync contacts, events, or both
- Which direction items sync
- To sync all events or only the events users select using the Outlook Integration or Google Integration apps
- To sync event series (Exchange and Lightning Experience or Salesforce mobile app only)
- To sync private events
- To automatically relate contacts or one lead to syncing events in Salesforce
- To automatically remove deleted events from the other application

Plus, because Lightning Sync is a cloud-based solution, users get product improvements automatically during the major Salesforce releases. Unlike our legacy sync feature, Salesforce for Outlook, no manual software installation is required.
SEE ALSO
Explore Email and Calendar Integration Products
LIGHTNING SYNC DESIGN AND DATA FLOW
Lightning Sync is designed to simplify the data flow between Salesforce and your email service.

Lightning Sync connects the core Salesforce database with your email server directly, with no email client required to maintain synchronization. This design simplifies the connection process and makes Lightning Sync a superior solution to Salesforce for Outlook, which requires a connection to individual Outlook user accounts. Calls to sync are made from an automated process on the Salesforce core stack to your email service, regardless of which data store has been updated. Users don't directly invoke communication between the systems. Likewise, the email service doesn't initiate communication.

With Lightning Sync, data is stored in two locations only: users' individual email services and the Salesforce core database.
LIGHTNING SYNC CONNECTION SECURITY
Salesforce takes your data security seriously. Lightning Sync leverages standard Salesforce security measures when establishing a connection with your email service.

Lightning Sync establishes a connection with your email service when you set up the product. When establishing a connection, Salesforce verifies the authenticity of your Microsoft or Google service with a security certificate that meets our certificate standards.
- Microsoft Office and Google G Suite automatically provide certificates that comply.
- Microsoft Exchange customers are required to configure a certificate signed by one of the Salesforce-approved certificate authorities.

After the connection is established, Lightning Sync transfers contact and event data between servers. Individual users aren't required to log in to sync.

To avoid the possibility of interception, Salesforce uses TLS to protect transferred data. Upon authorization of each transaction, Salesforce requires the TLS configuration of the data received to meet Salesforce TLS security requirements before granting access.
SEE ALSO
Security Infrastructure
SECURITY MEASURES SPECIFIC TO YOUR CONNECTION METHOD
When you prepare your email service to connect with Salesforce, you create touchpoints in which the systems connect to sync data. Lightning Sync provides several methods for connecting systems. The security measures and other benefits that impact you depend on which connection method you select when you set up the product. See which connection methods are available to you based on the email service that you're using. Then learn about the security measures that impact that connection method.

Service Account Connection for Microsoft Users
The service account connection method is available for Lightning Sync users working on Microsoft Exchange and on Microsoft Office Exchange Online. For Exchange Online customers, the service account connection method is no longer available starting October.

OAuth Connection for Microsoft Users
Connecting with OAuth is available for Lightning Sync users working from Microsoft Office. To learn more, see the Lightning Sync system requirements.

Connection for Google G Suite Users
The Google G Suite connection method is a combination of an OAuth and a service account connection. This design is based on a method recommended by Google for connecting server to server.
SEE ALSO
Lightning Sync System Requirements
Service Account Connection for Microsoft Users
The service account connection method is available for Lightning Sync users working on Microsoft Exchange and on Microsoft Office Exchange Online. For Exchange Online customers, the service account connection method is no longer available starting October.

Important: Where possible, we changed noninclusive terms to align with our company value of Equality. We maintained certain terms to avoid any effect on customer implementations.

Note: Microsoft is retiring Basic Authentication for Exchange Online. When Microsoft blocks Basic Authentication in your Microsoft tenant, Lightning Sync can't sync contacts and events for customers who have selected service account as their Lightning Sync connection method. See Lightning Sync Service Account Connection Method Availability for Customers on Microsoft Office.

Requirement: Exchange admins must enable Exchange Web Services (EWS) over a TLS connection at or above the minimum version Salesforce requires.
Why it's required: EWS enabled over a TLS connection provides secure certificate authentication between Exchange and Salesforce. While EWS provides access to more objects in your email service, Lightning Sync can only read, write, and update contacts and events from users' email services. Lightning Sync isn't designed to discover or access other objects. Lightning Sync was designed following the Microsoft-established best practices for the application of EWS.
Benefit to you: Lightning Sync uses the Exchange server's certificate to authenticate over a TLS connection, confirming that Exchange isn't interacting with a Salesforce impostor. You can control the scope by which Lightning Sync has access to your email service. To do so, limit which users are impersonated with your service account.

Requirement: Exchange admins must enable Auto Discovery.
Why it's required: Auto Discovery lets Lightning Sync navigate to the Exchange service endpoint and identify individual users to sync. Auto Discovery lets Lightning Sync identify even addresses that are part of a different domain.
Benefit to you: Lightning Sync can identify all users set to sync from the scope of your service account and your sync configuration in Salesforce. We limit Lightning Sync access to your email service by exploring only your primary email domain with Auto Discovery, which minimizes opportunities for data interception. You can include more domains to sync by adding them manually on the Lightning Sync Setup page in Salesforce. You can also control access by limiting which email service users are impersonated with your service account.

Requirement: Exchange admins must enable Basic Authentication or NTLM on your email server and on your autodiscover server.
Why it's required: Lightning Sync identifies itself to your email service using the authentication protocol you chose to enable on your Exchange server. Lightning Sync authenticates on every connection request Salesforce makes to Exchange. If Basic and NTLM are both enabled, Lightning Sync gives connection preference to Basic. If you must run other authentication methods on your server, those methods don't conflict with the Lightning Sync connection.
Benefit to you: Authentication is encrypted over a TLS connection at or above the minimum version Salesforce requires, providing security between endpoints on every request to Exchange. You can control the scope by which Lightning Sync has access to your email service. To do so, limit which email service users are impersonated with your service account.

Requirement: Exchange admins must create a service account on your Exchange server to impersonate all syncing users.
Why it's required: Lightning Sync uses the service account to query for users' SalesforceSync folders and their primary calendars. The service account also queries, creates, updates, and reads server content that users already have access to.
Benefit to you: This design lets contacts and events sync without requiring users to log in to their individual Microsoft accounts. Such a design avoids timeouts of users' login sessions, offering a more reliable connection between systems. You can control the scope by which Lightning Sync has access to your email service. To do so, limit which email service users are impersonated with your service account.

Requirement: Service account credentials must be provided on the Outlook Integration and Sync page in Salesforce Setup.
Why it's required: Salesforce encrypts the service account password field with master keys using the Advanced Encryption Standard (AES) algorithm.
Benefit to you: Only Salesforce admins with the permissions to access the Outlook Integration and Sync page in Setup can see or change the service account address. As the password is typed, it's masked to prevent others from seeing it. The contents can't be copied and pasted elsewhere. You can't learn what the service account password is by revisiting the page later.
SEE ALSO
See the Big Picture for Setting Up Lightning Sync for Microsoft Exchange
Lightning Sync System Requirements
OAuth Connection for Microsoft Users
Connecting with OAuth is available for Lightning Sync users working from Microsoft Office. To learn more, see the Lightning Sync system requirements.

Requirement: Lightning Sync automatically requests its scope of access to all aspects of your users' Exchange mailbox and its resources.
Why it's required: While OAuth provides access to more objects in your email service, Microsoft sets the breadth of that scope. Neither Salesforce nor Microsoft admins can adjust it. However, Lightning Sync can only read, write, and update contacts and events from users' email services. Lightning Sync isn't designed to discover or access other objects.
Benefit to you: Minimal setup is required to connect your applications using this method.

Requirement: Your company's Microsoft admin must provide access to Microsoft Office from an account with global administrator permissions and accept Lightning Sync access to Microsoft.
Why it's required: Working hand in hand with the predetermined scope requirement, this method provides access to users' Microsoft contacts and events without individual user authentication. This benefit provides a sync experience with fewer interruptions.
Benefit to you: This method provides access to users' Microsoft contacts and events without individual user authentication. As a result, sync between the applications remains consistent and data is reliably updated in both systems without dependency on the user.

Requirement: After electing to connect using OAuth, you're redirected to https://login.microsoftonline.com to log in to your Office email service. This site is the Azure Active Directory portal for customers on global infrastructure databases, also known as Global Services. From the portal, you provide your global administrator credentials and accept permission to let Lightning Sync access your Microsoft account. This design ensures that your global administrator credentials are never stored in Salesforce. Next, you're redirected to the Outlook Integration and Sync page in Salesforce Setup, where your Microsoft Azure tenant ID is stored. Behind the scenes, Salesforce obtains an access token to your Microsoft account. The access token is required to gain read, update, create, or delete access to Microsoft contacts or events.
Why it's required: By design, your Azure tenant secrets are never in transmission with the OAuth connection method. Instead, Salesforce handles the management of both public and private keys. Your Microsoft tenant ID is encrypted at rest. It's visible only from the Outlook Integration and Sync page, so only Salesforce admins or other users with Setup access can see it. Plus, without signed Salesforce verification, interception of your tenant ID can't provide access to your Microsoft account. The access token is securely transferred from your Microsoft account to Salesforce over a TLS connection. The token is encrypted and expires every hour. New tokens are always transferred over a TLS connection.
Benefit to you: Several measures provide security for your data during transfer and within Salesforce. Completing this process in no way provides impersonation rights to your global administrator account.
SEE ALSO
See the Big Picture for Setting Up Lightning Sync for Microsoft Exchange
Connection for Google G Suite Users
The Google G Suite connection method is a combination of an OAuth and a service account connection. This design is based on a method recommended by Google for connecting server to server.

Requirement: Your Google admin must establish a service account for your G Suite account. To do so, Google admins generate a private key that includes access to your Google contacts and calendar API. A Salesforce admin then uploads the key to Salesforce.
Why it's required: After Salesforce admins upload the private key, the key provides Salesforce with an access token to your company's Google account. This access is required for read, update, create, or delete access to Google contacts or events.
Benefit to you: After they're uploaded, Google private keys are encrypted at rest. The private key signs the outbound sync requests sent from Salesforce. Requests can only be verified with the matching public key possessed by your G Suite account. The generated access token is securely transferred from your Google account to Salesforce over a TLS connection. The token is encrypted. Every hour, the access token expires and a new token is transferred, always over a TLS connection.
See also: Prepare Your Google Account for Lightning Sync; Prepare Salesforce for Lightning Sync.

SEE ALSO
See the Big Picture for Setting Up Lightning Sync for Microsoft Exchange
Lightning Sync System Requirements
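The server-to-server pattern the G Suite row describes, as an added illustration that is not code from Salesforce or Google: a service-account assertion is signed with the uploaded private key, the receiving side accepts it only if the matching public key verifies the signature, and the one-hour lifetime is enforced. The key pair is generated at test time, the `Iss` and `Scope` values are placeholders, and the token-endpoint exchange that returns the hourly access token is assumed rather than performed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url
// Claims is the payload of a service-account assertion; the scope value is illustrative.
type Claims struct {
	Iss   string `json:"iss"`   // service account e-mail that owns the key pair
	Scope string `json:"scope"` // APIs the resulting access token may reach
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"` // no more than one hour after iat
}

// SignAssertion builds header.payload.signature, RS256-signed with the uploaded private key.
func SignAssertion(priv *rsa.PrivateKey, c Claims) (string, error) {
	payload, _ := json.Marshal(c) // plain scalar fields: cannot fail
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyAssertion is the receiving side: signature against the matching public key first, then expiry.
func VerifyAssertion(pub *rsa.PublicKey, token string, now time.Time) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed assertion")
	}
	sig, _ := b64.DecodeString(parts[2]) // a bad encoding simply fails the check below
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return c, errors.New("signature does not match the registered public key")
	}
	payload, _ := b64.DecodeString(parts[1]) // covered by the signature, so it decodes cleanly
	if err = json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return c, errors.New("assertion expired: sign a fresh one")
	}
	return c, nil
}
```

An assertion whose payload was altered in transit, or one presented against a different key, fails the signature check before any claim in it is read.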
LIGHTNING SYNC TRANSACTIONS
Review the transactions made by Lightning Sync in response to the work your users complete in Salesforce, and the order in which they occur.

Lightning Sync initiates communication between Salesforce and your mail service asynchronously, so that the sync process doesn't slow down the user's intended Salesforce transaction.
- Changes made from Salesforce are queued for transmission to the email service.
- Changes made from the email service are retrieved by a periodic polling mechanism.

When contacts or events are synced to the opposite system, Lightning Sync impersonates the user who created or updated the original item. This behavior preserves accurate data on the item's last update.

For specific transaction details, review these scenarios.

Sync Contacts from Salesforce to Email Service
1. User creates a contact.
2. An asynchronous job is enqueued to sync the transaction. Lightning Sync:
   a. Determines which users who are configured for sync should sync the contact.
   b. Checks whether the contact meets sync filters.
   c. Calls the email service to see whether the contact exists.
      i. If it does exist, the contact is updated in the email service.
      ii. If the contact doesn't exist, Lightning Sync calls the email service to create the contact.
   d. Matching contacts are mapped between Salesforce and the email service for future syncing.

Sync Events from Salesforce to Email Service
1. User creates an event.
2. Lightning Sync checks whether the user is set up to sync events.
3. An asynchronous job is enqueued to sync the transaction.
   a. Lightning Sync checks whether the event meets sync filters.
   b. Lightning Sync calls the email service to see whether the event exists.
      i. If it does exist, the event is updated in the email service.
      ii. If the event doesn't exist, Lightning Sync calls the email service to create the event.
   c. Matching events are mapped between Salesforce and the email service for future syncing.

Sync Event Deletion from Salesforce to Email Service
1. User deletes an event.
2. Lightning Sync checks whether the record has been mapped to an event in the email service.
3. Lightning Sync checks whether the user is set up to have deleted events automatically removed from the other system.
4. If mapped to an event, an asynchronous job is enqueued, and Lightning Sync calls the mail service to delete the event.

Sync Contact or Event Creation, Update, or Deletion from Email Service to Salesforce
1. Lightning Sync runs a job for all syncing users semicontinuously. The number of syncing users impacts job frequency.
2. Lightning Sync checks whether contacts or events were created or updated, or whether events were deleted, from the email service.
   a. Lightning Sync checks for matched items to update. If items are discovered to have no match, new records are created in Salesforce.
   b. For deleted events, Lightning Sync checks whether users are set up to have deleted events automatically removed from the opposite system. If so, the event is deleted from Salesforce.
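The Salesforce-to-email scenarios above as a runnable model, added here as an illustration and not Lightning Sync's own implementation: the per-user sync check, the sync filters, the exists-then-update-or-create branch with the mapping table that records matches, and the deletion push that only fires for mapped records whose owner has automatic removal enabled. The item, user-configuration and store types are assumptions, and the "does the item exist" call in step c is modelled as a lookup in the mapping table.

```go
package main

// Item is a contact or event as either system stores it (constructed model).
type Item struct {
	ID, Owner, Summary string
}

// UserConfig is the admin-selected sync setting for one user.
type UserConfig struct {
	SyncEnabled       bool // the user is set up to sync this kind of item
	AutoRemoveDeleted bool // deletions are propagated to the other system
}

// Sync holds the two stores and the mapping table that links matched items.
type Sync struct {
	Users   map[string]UserConfig
	Email   map[string]Item   // e-mail service copy, keyed by its own ID
	Mapping map[string]string // Salesforce ID -> e-mail-side ID
	Filter  func(Item) bool   // the admin's sync filters
}

// PushToEmail follows the Salesforce-to-e-mail steps for one created or updated
// record and reports the outcome: "not syncing", "filtered", "updated" or "created".
func (s *Sync) PushToEmail(rec Item) string {
	if !s.Users[rec.Owner].SyncEnabled { // step a: is this user configured to sync?
		return "not syncing"
	}
	if !s.Filter(rec) { // step b: sync filters
		return "filtered"
	}
	if eid, ok := s.Mapping[rec.ID]; ok { // step c.i: already matched, update in place
		s.Email[eid] = Item{ID: eid, Owner: rec.Owner, Summary: rec.Summary}
		return "updated"
	}
	eid := "mail-" + rec.ID // step c.ii: create; constructed ID for the new item
	s.Email[eid] = Item{ID: eid, Owner: rec.Owner, Summary: rec.Summary}
	s.Mapping[rec.ID] = eid // step d: remember the match for future syncs
	return "created"
}

// PushDeletion propagates a Salesforce deletion only when the record is mapped
// and the owner is set up to have deletions removed from the other system.
func (s *Sync) PushDeletion(rec Item) string {
	eid, ok := s.Mapping[rec.ID]
	if !ok {
		return "unmapped"
	}
	if !s.Users[rec.Owner].AutoRemoveDeleted {
		return "kept"
	}
	delete(s.Email, eid)
	delete(s.Mapping, rec.ID)
	return "deleted"
}
```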
SEE ALSO
How Your Contacts Sync with Lightning Sync
How Your Events Sync with Lightning Sync