Eloqua Product Notice: Sales Tools CRM Embed Changes [Nov 2020 - Feb 2021]

JodyMooney-Oracle Group Product Manager, Oracle MarketingTorontoPosts: 321 Employee
edited Apr 29, 2022 6:28AM in Eloqua


For customers who embed Eloqua Sales Tools in an iframe in your CRM, changes are coming to how you embed. Customers must make these changes ahead of the Eloqua 21A Release (Feb 2021).

With the 21A Release, Eloqua security enhancements will change the ability to display Eloqua Sales Tools in an iframe. Customers who do not make the changes will no longer be able to access Sales Tools in an iframe from your CRM.

What’s changing?

In 20D, if you embed Sales Tools pages (Profiler or Engage) in an iframe, here is a summary of the required changes:

A domain allowlist is being introduced. This allowlist must include the domains of the pages that host the Sales Tools iframe. For example, if you have Profiler embedded on the Lead or Contact record in Salesforce, you must allow several domains listed below (shown with wildcards):


A new URL must be used to embed Sales Tools pages in an iframe. For example, the current URL


must be changed to


Both of these changes must be implemented prior to the arrival of the Eloqua 21A Eloqua release. Both of these changes must be made for both Engage and Profiler embedded pages.

With the 21A release, security enhancements will introduce the HTTP Content-Security-Policy response header to Sales Tools pages. The policy’s directive, frame-ancestors, will be used to specify the domains from your allowlist that can embed Sales Tools pages.


As of the Eloqua 20D release (Nov 2020), you can create your domain allowlist and update the URLs used to embed Sales Tools. Check the Eloqua Release Center for release dates and times.

With the arrival of the 21A release (February 2021), Eloqua security enhancements will prevent accessing Sales Tools from domains that are not on your allowlist and that do not use the new URL structure.

Next Steps

When 20D is released in your Pod, begin to make the changes outlined in this notice. All changes must be complete before the 21A release.



Q: Why are these changes being made?

A: The changes are being made protect against clickjacking attacks and make Eloqua Sales Tools more secure.

Q: How does this affect Profiler and Engage when embedded in a CRM system?

A: The changes outlined above must be made ahead of the 21A release (February 2021) to ensure your users can continue access to Sales Tools from the embedded iframe in your CRM. If you do not make these changes, users will receive an error when accessing the embedded Sales Tools page. They can continue to directly access Sales Tools in a browser.

Q: What will the new URL structure be?

A: Refer to the highlighted changes below:

Profiler URL definitions:

·      Direct: https://login.eloqua.com/apps/embed/salesTools/profiler

·      Auto-login: https://login.eloqua.com/autoLogin?LoginPrefix={prefix}&Url=/apps/embed/salesTools/profiler

·      SAML: https://login.eloqua.com/auth/saml2/autologin?LoginPrefix={prefix}&ReturnUrl=/apps/embed/salesTools/profiler

·      Salesforce IDP: https://<podURL>/sso/sfdc/v1/svp.aspx?LP={prefix}&RU=/apps/embed/salesTools/profiler

Engage URL definitions:

·      Direct: https://login.eloqua.com/apps/embed/salesTools/engage

·      Auto-login: https://login.eloqua.com/autoLogin?LoginPrefix={prefix}&Url=/apps/embed/salesTools/engage

·      SAML: https://login.eloqua.com/auth/saml2/autologin?LoginPrefix={prefix}&ReturnUrl=/apps/embed/salesTools/engage

·      Salesforce IDP: https://{podURL}/sso/sfdc/v1/svp.aspx?LP={prefix}&RU=/apps/embed/salesTools/engage

Q: How do I create a domain allowlist for my CRM?

A: In Eloqua, from the AppCloud Catalog, open the Profiler or Engage app configuration. Use the new Allowed Domains tab to create your allowlist.

Q: Does the domain allowlist support wildcards?

A: Yes, you can use wildcards (*) in your domain allowlist to allow subdomains. However, we recommend using specific URLs. For example, instead of allowing *.salesforce.com, use the specific subdomain (mycompany.my.salesforce.com) or your specific instance URL (na9.salesforce.com).

Q: What is the HTTP Content-Security-Policy response header and where can I find out more?

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. CSP defines the Content-Security-Policy response header. This header allows us to create an allowlist of trusted content sources and instructs the browser to only execute or render resources from those trusted sources.

Find out more https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP.

Q: I do not embed Sales Tools in my CRM but I do have pages embedded in an iframe. Do I need to take action?

A: Yes. Any domain that is hosting Sales Tools in an iframe must be added to the allowlist and you must update the URL used to embed Sales Tools. Note that only https URLs are supported in the allow list.

Q: Does the domain allowlist support http and https domains?

A: No, the allowlist only supports https domains.

Group Product Manager, CX - Marketing: Eloqua

Post edited by OIT Integration User on