Eloqua Product Notice: Sales Tools CRM Embed Changes [Nov 2020 - Feb 2021]

Overview
For customers who embed Eloqua Sales Tools in an iframe in your CRM, changes are coming to how you embed. Customers must make these changes ahead of the Eloqua 21A Release (Feb 2021).
With the 21A Release, Eloqua security enhancements will change the ability to display Eloqua Sales Tools in an iframe. Customers who do not make the changes will no longer be able to access Sales Tools in an iframe from your CRM.
What’s changing?
In 20D, if you embed Sales Tools pages (Profiler or Engage) in an iframe, here is a summary of the required changes:
A domain allowlist is being introduced. This allowlist must include the domains of the pages that host the Sales Tools iframe. For example, if you have Profiler embedded on the Lead or Contact record in Salesforce, you must allow several domains listed below (shown with wildcards):
*.lightning.force.com *.my.salesforce.com *.visualforce.com
A new URL must be used to embed Sales Tools pages in an iframe. For example, the current URL
https://login.eloqua.com/apps/salesTools/profiler?emailAddress={!lead.email}
must be changed to
https://login.eloqua.com/apps/embed/salesTools/profiler?emailAddress={!lead.email}
Both of these changes must be implemented prior to the arrival of the Eloqua 21A release. Both of these changes must be made for both Engage and Profiler embedded pages.
With the 21A release, security enhancements will introduce the HTTP Content-Security-Policy response header to Sales Tools pages. The policy’s directive, frame-ancestors, will be used to specify the domains from your allowlist that can embed Sales Tools pages.
Timeline
As of the Eloqua 20D release (Nov 2020), you can create your domain allowlist and update the URLs used to embed Sales Tools. Check the Eloqua Release Center for release dates and times.
With the arrival of the 21A release (February 2021), Eloqua security enhancements will prevent accessing Sales Tools from domains that are not on your allowlist and that do not use the new URL structure.
Next Steps
When 20D is released in your Pod, begin to make the changes outlined in this notice. All changes must be complete before the 21A release.
Resources
- Engage - https://docs.oracle.com/en/cloud/saas/marketing/eloqua-user/Help/EngageIntegration/EngageIntegraion.htm
- Profiler - https://docs.oracle.com/en/cloud/saas/marketing/eloqua-user/Help/ProfilerIntegration/ProfilerIntegration.htm
FAQ
Q: Why are these changes being made?
A: The changes are being made to protect against clickjacking attacks and make Eloqua Sales Tools more secure.
Q: How does this affect Profiler and Engage when embedded in a CRM system?
A: The changes outlined above must be made ahead of the 21A release (February 2021) to ensure your users can continue to access Sales Tools from the embedded iframe in your CRM. If you do not make these changes, users will receive an error when accessing the embedded Sales Tools page. They can continue to directly access Sales Tools in a browser.
Q: What will the new URL structure be?
A: Refer to the highlighted changes below:
Profiler URL definitions:
· Direct: https://login.eloqua.com/apps/embed/salesTools/profiler
· Auto-login: https://login.eloqua.com/autoLogin?LoginPrefix={prefix}&Url=/apps/embed/salesTools/profiler
· SAML: https://login.eloqua.com/auth/saml2/autologin?LoginPrefix={prefix}&ReturnUrl=/apps/embed/salesTools/profiler
· Salesforce IDP: https://<podURL>/sso/sfdc/v1/svp.aspx?LP={prefix}&RU=/apps/embed/salesTools/profiler
Engage URL definitions:
· Direct: https://login.eloqua.com/apps/embed/salesTools/engage
· Auto-login: https://login.eloqua.com/autoLogin?LoginPrefix={prefix}&Url=/apps/embed/salesTools/engage
· SAML: https://login.eloqua.com/auth/saml2/autologin?LoginPrefix={prefix}&ReturnUrl=/apps/embed/salesTools/engage
· Salesforce IDP: https://{podURL}/sso/sfdc/v1/svp.aspx?LP={prefix}&RU=/apps/embed/salesTools/engage
Q: How do I create a domain allowlist for my CRM?
A: In Eloqua, from the AppCloud Catalog, open the Profiler or Engage app configuration. Use the new Allowed Domains tab to create your allowlist.
Q: Does the domain allowlist support wildcards?
A: Yes, you can use wildcards (*) in your domain allowlist to allow subdomains. However, we recommend using specific URLs. For example, instead of allowing *.salesforce.com, use the specific subdomain (mycompany.my.salesforce.com) or your specific instance URL (na9.salesforce.com).
Q: What is the HTTP Content-Security-Policy response header and where can I find out more?
A: Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. CSP defines the Content-Security-Policy response header. This header allows us to create an allowlist of trusted content sources and instructs the browser to only execute or render resources from those trusted sources.
Find out more: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Q: I do not embed Sales Tools in my CRM but I do have pages embedded in an iframe. Do I need to take action?
A: Yes. Any domain that is hosting Sales Tools in an iframe must be added to the allowlist and you must update the URL used to embed Sales Tools. Note that only https URLs are supported in the allow list.
Q: Does the domain allowlist support http and https domains?
A: No, the allowlist only supports https domains.
Group Product Manager, CX - Marketing: Eloqua
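An added example (not part of the original notice and not Oracle's code) that models how a browser applies a frame-ancestors allowlist to the pages framing Sales Tools, so you can check which embedding origins your entries actually cover before the header is enforced. It assumes each allowlist entry is emitted as an https host-source; the function names and the acme hostnames are constructed for illustration.

```javascript
// Added illustration, not Eloqua code. Matching is simplified to scheme and
// host; ports and paths are ignored. All hostnames below are constructed.

// Parse an allowlist entry such as "*.my.salesforce.com" (https only).
function parseEntry(entry) {
  const m = /^(?:https:\/\/)?(\*\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)$/i.exec(entry.trim());
  if (!m) throw new Error(`unsupported allowlist entry: ${entry}`);
  return { wildcard: Boolean(m[1]), host: m[2].toLowerCase() };
}

// True when the entry covers the origin of a page that frames Sales Tools.
function entryCovers(entry, origin) {
  const { wildcard, host } = parseEntry(entry);
  const url = new URL(origin);
  if (url.protocol !== 'https:') return false; // http parents are never allowed
  // "*.example.com" covers subdomains at any depth, but not "example.com".
  return wildcard ? url.hostname.endsWith('.' + host) : url.hostname === host;
}

// frame-ancestors is enforced against every ancestor frame, so a page nested
// two levels deep needs both the parent and the top-level origin covered.
function uncoveredAncestors(allowlist, ancestorOrigins) {
  return ancestorOrigins.filter(o => !allowlist.some(e => entryCovers(e, o)));
}

// Assumed header shape: each entry emitted as an https host-source.
function frameAncestorsHeader(allowlist) {
  const sources = allowlist.map(parseEntry)
    .map(p => `https://${p.wildcard ? '*.' : ''}${p.host}`);
  return `Content-Security-Policy: frame-ancestors ${sources.join(' ')}`;
}

// Rewrite a pre-21A Sales Tools URL to the embed path from the notice.
function toEmbedUrl(url) {
  return url.replace('/apps/salesTools/', '/apps/embed/salesTools/');
}

const allowlist = ['*.lightning.force.com', '*.my.salesforce.com', '*.visualforce.com'];
const chain = ['https://acme--c.vf.force.com', 'https://acme.lightning.force.com'];
console.log(frameAncestorsHeader(allowlist));
console.log(uncoveredAncestors(allowlist, chain)); // origins the browser would refuse
```

Any origin returned by `uncoveredAncestors` is one whose frame would be refused by the browser; collect the real ancestor origins from the browser's address bar and frame tree in developer tools.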
Comments
-
Hello,
If we're using Profiler in Oracle Engagement Cloud, would there be any updates we need to make regarding the new release?
Please advise!
Thanks,
Nancy
-
Hi @NabarunPS , if your integration embeds the Sales Tools pages in an iframe, then yes, you need to perform the steps outlined in this product notice.
-
When the allow list is updated as part of the rollout, does anything need to be updated in the Allowlisting -> Frameable Page section? I have already updated the Allowlisting -> Domain section. Thank you.
-
Hi @Stephanie Safi, no. Only the allowlist in the Sales Tools app configuration needs to be updated.
For reference:
-
There is a typo in the SAML Profiler URL definition example above. There is an extra "/".
Above it says "/embed//salesTools/" but in the actual documentation it is just "/embed/salesTools/".
-
@Alex Halvachs - Thanks! I've removed the extra "/"
Group Product Manager, CX - Marketing: Eloqua
-
Some clients might be using *.visual.force.com as well when using the app connection
-
Yes - we've added a list to the help center, but for reference:
- Salesforce: *.force.com, *.salesforce.com, *.my.salesforce.com, *.lightning.force.com, and *.visualforce.com
- Oracle CX Sales: *.oraclecloud.com
- Oracle CRM On Demand: *.crmondemand.com
- Microsoft Dynamics: *.dynamics.com
-
Hi Jody!
We have updated our allow list in Eloqua and I requested the update to the url in SFDC with our Admin.
We have updated SFDC to https://login.eloqua.com/apps/embed/salesTools/profiler?emailAddress={!lead.email}
But we are now getting an error in loading message in the iframe. embed-apps.p01.eloqua.com refused to connect.
Can you advise, or do I need support?
Thanks,
Brinette
-
Hi @BrinH , have you also created your allowlist? I would suggest that you open the SR as we will need to review issues in context to your environment.
-
Hi @Alexa Kalapaca-Oracle I did create my allow list in Eloqua:
I also added our instance catalent.my.salesforc.ecom
I will engage support. I am getting an authentication screen and login. It's not loading after logging in.
-
@Alexa Kalapaca-Oracle I have submitted a service request. 3-25333942641 Hopefully we can resolve, as access has been denied since we updated the URLs and allowlists.
-
@Alexa Kalapaca-Oracle Support was able to provide resolution to our issue with the change in Profiler embed and it is working properly now. We have added to our list *.force.com and *.salesforce.com in addition to our customer salesforce domain, *.lightning.force.com, *.my.salesforce.com, *.visualforce.com
Thanks for the quick responses!
-
That helped, thank you!
-
Hi,
I'm having an issue trying to get the profiler tab to appear when searching for contacts in Service Cloud.
The tab is in the contact workspace and appears when previewing but doesn't appear when clicking on contact.
Has anyone else experienced this issue?
Thanks.
-
Hi @User_5K4QC , feel free to reach out directly. Could you share the URLs you're using? Does the contact have any special characters in their email address?
-
Hi Alexa,
I have reached out to you directly.
Thanks.
-
@BrinH , I am having the same issue you reported. I updated the Engage App Allow list, but still Profiler doesn't connect within the Salesforce app. How did you resolve the issue?
-
@Alexa Kalapaca-Oracle the URL is https://login.eloqua.com/autoLogin?LoginPrefix=SUNC&Url=/apps/embed/salesTools/profiler?emailAddress=$contact.email.addr Unsure as to why I am able to see this tab in profiler though could be to do with the settings.
-
@Stephanie Safi If your allow list includes : *.force.com, *.salesforce.com, *.my.salesforce.com, *.lightning.force.com, and *.visualforce.com, and any custom domains, please open an SR as it will require further investigation. For reference, this page from Salesforce lists out domains that might be in use: https://help.salesforce.com/articleView?id=sf.setup_domains.htm&type=5
-
@Alexa Kalapaca-Oracle , the allow list on the Engage App was configured correctly prior to 21A pod 3 release. I have verified with our Salesforce Developer resources that the correct URL is embedded in the iframe. I have opened SR 3-25388704511.
Update as of 3/10/21. The issue is resolved. I missed updating the Allow List on the Profiler App. I had only updated the Allow List on the Engage App. Everything is working now as expected. I recommend updating the documentation to reference both the Engage App and Profiler App to reflect the Allow List domains, *.force.com, *.salesforce.com, *.my.salesforce.com, *.lightning.force.com, and *.visualforce.com, and any others relevant to the business.
-
@Alexa Kalapaca-Oracle Thanks for your work on this. Are there any other common resolutions that companies affected by the embed-apps.p01.eloqua.com refused to connect issue can try? We updated the URL in SFDC and added allowlist entries ahead of 21A but still saw this issue. Since then I've added all domains on this thread plus the list at https://help.salesforce.com/articleView?id=sf.setup_domains.htm&type=5 , I've worked with support, and still seeing the issue. Any help is appreciated.
-
@Alexa Kalapaca-Oracle I am again getting no load on the iframe. We had success and now we are getting the following message on authentication: CustomerRepository not initialized
Please advise.
Thanks,
Brinette
-
Hi @Richard Gilchrist MongoDB , sorry to hear about the issues. If you want to share your SR (you can message me directly as well), I can review the details.
-
Hi @BrinH Please update your SR with the details so we can investigate.
-
Got mine figured out, I was adding domains to the Security - Allowlisting - Domain section instead of the App settings. Once I moved them to the correct section, profiler started working immediately.
-
I made the same mistake as well, instructions weren't clear.
-
@Alexa Kalapaca-Oracle it's working fine now and I am not getting the error. Strange. Thanks for responding today!
-
@Alexa Kalapaca-Oracle just got off a call with our TAM, Chase Ivany, who recommended I post in this thread and tag you about the issue we are seeing. We have a bit of a special circumstance where we actually have Engage iframed into another tool, Seismic, within SFDC. I have added all the relevant domain combinations to the app allow list, including the Seismic domain, but our users are still getting "apps.p04.eloqua.com refused to connect." when attempting to open an email to send. We have an open SR, 3-25446672991, with all the details, but would really appreciate your help. Thanks. :)
-
@Christine Burton Thanks for reaching out. This should still be supported - we just need to figure out the domains to add for Seismic. We'll review the SR details. Thanks!