Jan 16, 2015

Managing SFDC Credentials Using KeePass

Fun Fact:  The longer you work with the Force.com Platform the more sets of credentials you are going to have to maintain.

I should invest in a tally click counter to keep track of the number of times I log into various (and often the same) Salesforce orgs throughout the day.  At a certain point, to maintain your sanity, you need some sort of assistance to keep track of all your Salesforce org details.
  • Username
  • Password
  • Token
  • URL - login, test, etc
  • Org Type - Group, Professional, etc
  • Notes about the org's purpose - Dev Org for XYZ Project
Now, I've used the Force.com Logins Chrome extension for the last few years to help keep track of a few of those items as well as to help pop-open a new session in a new window, tab, or Incognito session.

While it's easy to search, it seemed to be growing unmanageable recently; the list was growing longer and I had a lot of old/stale entries.  

There were also a few long standing drawbacks:
  • Credentials are stored via Chrome's local storage as opposed to sync storage, meaning the credential data, an XML structure, stayed on one computer and wasn't replicated across all of my devices where Google's sync normally applies.  By day, I'm often on one computer, which frequently requires updates to these credentials.  By night, I'm on another computer and let's face it... getting up off the couch after a long day to retrieve your token from another computer's not going to happen.  Entire data dupe nightmare.
  • Force.com Logins is a Chrome extension, so while I can open Chrome tabs, windows, and Incognito tabs just fine, sometimes you want or need a Firefox or Internet Explorer window.  There's a Firefox version (don't know if it is associated with Appirio or not), but I had trouble exporting my Chrome extension credentials and importing them into the Firefox version.
So, what to do?  There are all kinds of password managers out there.  LastPass and 1Password are two great examples.  Check out LifeHacker's Top Five Best Password Managers list to get a better feel for what they do.

In a previous life, before the cloud was "the cloud," I managed various systems credentials via an application called KeePass.  KeePass is a free, open-source program that allows you to create, organize, and store your various credentials in a local database, a .kdbx file.  You can keep this encrypted database on your hard drive or flash drive and use it to store endless hierarchies of credentials for all of your commonly visited websites, including Salesforce.  

I can quickly overcome both of those drawback bullet points above with KeePass:
  • While the .kdbx file that stores all of your passwords is saved to your computer, there's nothing preventing you from storing the file in a Dropbox folder.  Sync that folder across your devices and never be left without your credentials again.
  • Being open-source, there are various Chrome extensions, Firefox add-ons, and Internet Explorer... I don't even know what you call them... thingamabobs... that connect your browser to the KeePass program running in your system tray.  This can provide a list of credentials for the website you're currently visiting or an auto-population of creds, if you want.  
There's some additional perks too:
  • I don't have to rely on those extensions, add-ons, and thingamabobs.  I can customize KeePass to have custom buttons to open a browser of my choice, in the standard mode or Incognito/Private mode, and automatically log into Salesforce for me - replicating the functionality of the Force.com Logins Chrome Extension, but allowing me to use the browser of my choice.
  • There are global keyboard shortcuts (CTRL+ALT+K) that allow me to quickly find my credentials and get logged in, without taking my hands off the keyboard.
  • There's an "AutoType" feature that allows me to assign a shortcut key to the selected credential entry that will take fields from my credential (username, password, url, custom - oh, did I mention the ability to create custom fields for additional data points...like your token?) and automatically type that string into another window for you.  Admins and Developers - how many times do you have to type in your password, go look up what your latest security token is and then copy/paste it after your password for new Data Loader sessions or IDE projects?  Imagine highlighting your credential, pressing a set of keys and letting the program do the work for you.
Ok great.  It does a lot, solves my problems, but is it going to help you?  Maybe, give it a shot.  This approach of auto-logging you into a Salesforce org is no more secure than the Force.com Logins extension and it is very possible your credentials could be seen within your browser history or URL bar upon login.  Check out the review of the Force.com Logins extension for plenty of feedback about that.

The rest of this blog post will be to demonstrate how to:

1)  Set up a new KeePass Database
2)  Add a Group
3)  Add an Entry
4)  Include a custom Token field
5)  Set up KeePass Trigger Buttons
6)  Create/Assign KeePass Trigger Actions to open creds in the browser and mode of your choice.

Set Up a New KeePass Database

1)  The first thing you'll want to do is install the program from KeePass and open it up.
2)  Click on File --> New... to create a new database.  Give it a name and save it in a location of your choice.  This is where I save my file to my synced Dropbox folder.  Once you save it, you always have the ability to rename and move the file.

3)  Next, you'll create a master key.  Pick a strong phrase that you won't forget.  At this point, you can also create an additional key file to store separately (maybe on a USB), that you'll need to provide in addition to your database and master key for some extra security.

4)  Within the Database Settings screen, you can provide a name and description for your credential database.  Check out the other tabs for more security and a few other storage related settings.

Add a Group

1)  Now that your database is created, you can start structuring your credential folders to stay organized.  You can create a top-level "Salesforce" folder and then create sub-folders for clients, projects, etc.  Do this by going to Edit --> Add Group.

Add an Entry

1)  Now you can start populating your entries.  Click on Edit --> Add Entry... and provide details about your credentials.  Here I provide a quick Title (label) for the cred, usually something along the lines of "Testing:  Feature X" or "Development Org:  Feature X."  To take advantage of the browser abilities we'll be using later, be sure to provide either the login or test.salesforce.com URL in the appropriate field.  There are a few different ways to skin this cat, but using the URL field will also allow you to auto-fill/suggest credentials if you use one of the various KeePass related browser add-ons.

2)  Click on the "Advanced" Tab, followed by the "Add" button to add a new custom string field.

3)  Give it the name "Token" (be consistent about this) and then paste your security token in the "Value" box.

KeePass Triggers


Nope, not Apex Triggers, KeePass triggers.  KeePass triggers are a way that you can create your own custom features within KeePass, without any development.  We'll be creating two triggers, one a button, and one an action for when the button is clicked.  That functionality will be opening the browser of your choice, in standard or private mode, and logging into Salesforce with the credentials you have highlighted.

If you configure all the browsers, you'll end up with these triggers:

Which will result in these custom buttons within the tool:

Creating the Buttons

1)  Go to Tools --> Triggers...
2)  Provide a name for this trigger.  I prefix mine with "Button:  " just to keep them straight in the list.

3)  Go to the "Events" tab, click on the "Add..." button

4)  Choose the "Application started and ready" option.

5)  Leave the "Conditions" Tab blank.

6)  On the "Actions" Tab, click on the "Add..." button.

7)  Within the "Action:" dropdown, choose "Add custom toolbar button."  Then provide an ID, Name, and Description for this new button.  The ID is important as this will be referenced by the next trigger you create.

Assigning an Action to a Custom Button

1)  Create another trigger, providing a name for it on the "Properties" tab.  This time, I prefix the name with "Action:  "

2)  On the "Events" tab, click on the "Add..." button

3)  From the "Event:" dropdown, choose "Custom toolbar button clicked" and next to "ID" provide the ID of the button to be clicked (you defined this in the above step 7).

4)  Again, leave the "Conditions" tab empty.

5)  On the "Actions" tab, click on the "Add..." button.

6)  From the "Action:" dropdown, click on the "Execute command line / URL" option.  Provide the following as parameters for the "File/URL" and "Arguments" options.  Here we're using the equivalent of Salesforce merge fields to populate the setting with a value from the credential.

Arguments:  {URL}?un={USERNAME}&pw={PASSWORD}

Now when you open KeePass, you'll have a few additional buttons within the program's toolbar for you to use.
1)  Highlight the credential you want to use
2)  Click on the appropriate custom toolbar button to get logged into Salesforce
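
Because the launch URL built by this trigger carries the username and password in its query string, anything that records full URLs (browser history is the place named earlier in this post) ends up holding them.  As an added example, not part of the original post: a redaction pass over a list of recorded URLs before they are stored or shared.  The sample URLs and credential values are constructed.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters used by the launch URL in this post: {URL}?un=...&pw=...
SENSITIVE = {"un", "pw"}


def redact_url(url, mask="REDACTED"):
    """Replace the values of un/pw query parameters; leave other URLs untouched."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(key.lower() in SENSITIVE for key, _ in pairs):
        return url  # nothing sensitive: return the original string unchanged
    cleaned = [(k, mask if k.lower() in SENSITIVE else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def redact_history(urls):
    """Return (redacted list, number of entries that had to be changed)."""
    cleaned = [redact_url(u) for u in urls]
    changed = sum(1 for before, after in zip(urls, cleaned) if before != after)
    return cleaned, changed


# Constructed sample of recorded URLs (not real credentials).
HISTORY = [
    "https://login.salesforce.com/?un=jane%40example.com&pw=Secret%2B1",
    "https://test.salesforce.com/?un=jane%40example.com.dev&pw=Other%26Pass",
    "https://login.salesforce.com/",
    "https://example.com/search?q=keepass+triggers",
]

if __name__ == "__main__":
    cleaned, changed = redact_history(HISTORY)
    for line in cleaned:
        print(line)
    print(f"{changed} of {len(HISTORY)} entries carried credentials")
```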

Update #1 - 1/22/2015

About a week into using this over the Force.com Plugins extension and I've adapted well.  The extension is gone and my habit to click there is gone.

The process is easy:
Ctrl + Alt + K opens KeePass
Ctrl + F opens the search prompt
And I'm off!

Here are the URLs and the arguments that I used for my six buttons; two for each browser (Chrome, Firefox, and Internet Explorer).  One for normal browsing and one for that browser's private mode.

Google Chrome - Standard
Arguments:  {URL}?un={T-CONV:/{USERNAME}/Uri/}&pw={T-CONV:/{PASSWORD}/Uri/}

Google Chrome - Incognito
Arguments:  -incognito {URL}?un={T-CONV:/{USERNAME}/Uri/}&pw={T-CONV:/{PASSWORD}/Uri/}

Firefox - Standard
Arguments:  {URL}?un={T-CONV:/{USERNAME}/Uri/}&pw={T-CONV:/{PASSWORD}/Uri/}

Firefox - Private Mode
Arguments:  {URL}?un={T-CONV:/{USERNAME}/Uri/}&pw={T-CONV:/{PASSWORD}/Uri/} -private-window 

Internet Explorer - Standard
Arguments:  {URL}?un={T-CONV:/{USERNAME}/Uri/}&pw={T-CONV:/{PASSWORD}/Uri/}

Internet Explorer - Private Mode
Arguments:  {URL}?un={T-CONV:/{USERNAME}/Uri/}&pw={T-CONV:/{PASSWORD}/Uri/} -private 

Update #2 - 6/27/2015
I've modified the scripts to work a little bit better with things like special characters; previously if a username/password contained things like "+" symbols (who doesn't use the Gmail alias trick?) the buttons would not work as desired.

The workaround is to modify the above snippets to take advantage of the KeePass text transformation {T-CONV}.  Each argument has been updated above.
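
Why the "+" problem occurs and what the URI conversion changes, as an added example that is not part of the original post: Python's quote() stands in for {T-CONV:/.../Uri/} (an approximation, assumed to behave the same for these characters), and the login URL, username and password are constructed sample values.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Assumed value of the entry's {URL} field.
LOGIN_URL = "https://login.salesforce.com/"


def raw_launch_url(url, username, password):
    """Original template: {URL}?un={USERNAME}&pw={PASSWORD}, no escaping."""
    return f"{url}?un={username}&pw={password}"


def encoded_launch_url(url, username, password):
    """Updated template: each field percent-encoded before substitution."""
    return f"{url}?un={quote(username, safe='')}&pw={quote(password, safe='')}"


def received_fields(launch_url):
    """Decode the query string the way a form-decoding server would."""
    query = parse_qs(urlsplit(launch_url).query)
    return query.get("un", [""])[0], query.get("pw", [""])[0]


if __name__ == "__main__":
    # Constructed credentials containing characters that are special in URLs:
    # "+" decodes to a space, "&" starts a new parameter, "#" starts the fragment.
    user, pwd = "jane+dev@example.com", "p&ss#w0rd+1%"

    raw = raw_launch_url(LOGIN_URL, user, pwd)
    enc = encoded_launch_url(LOGIN_URL, user, pwd)

    print("raw     ->", received_fields(raw))   # fields arrive altered or cut short
    print("encoded ->", received_fields(enc))   # fields arrive exactly as stored
    # Encoding fixes delivery only: the password is still part of the URL.
    print(enc)
```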

Looking to save some time setting these up?  Copy the following gist to your clipboard and then navigate to Tools --> Triggers... "Tools" button in the lower-left --> and then click on the option to "Paste Triggers from Clipboard."  Then restart KeePass.