Technology and Security

Overview
Cloud Application Integration

June 2019
ABOUT INFORMATICA
A
Digital transformation changes
B our expectations: better service, faster delivery, greater
convenience, with less cost. Businesses must transform to stay relevant. The good
news? Data holds the answers.

As the world’s leader in enterprise cloud data management, we’re prepared to help you
intelligently lead—in any sector, category or niche. To provide you with the foresight to
become more agile, realize new growth opportunities or even invent new things. With
100% focus on everything data, we offer the versatility you need to succeed.

We invite you to explore all that Informatica has to offer—and unleash the power of
data to drive your next intelligent disruption. Not just once, but again and again.

2
Table of Contents
Overview ..............................................................................................................4

The Cloud Application Integration (CAI) Service .................................................4

Functional Capabilities ................................................................................................... 4
Application Integration Services ..................................................................................... 5
Service implementation and API management .............................................................. 5
Process Automation Services ........................................................................................ 5
Components of the Service ............................................................................................ 8
Process Server ............................................................................................................... 8
Process Console ............................................................................................................. 9
Process Designer ........................................................................................................... 9
Process Developer ....................................................................................................... 10
On Premises Process Server ....................................................................................... 10
Deployment ................................................................................................................... 13
Cloud and On-Premise Inter-process Communication ................................................ 14

Message Exchange Patterns .............................................................................16

Connectivity ........................................................................................................16

Transport Level Security ....................................................................................18

Cloud and Agent-Based Key Generation and Handling....................................18

Cloud-based Crypto ...................................................................................................... 18
Agent-based Crypto ...................................................................................................... 19
Process Server Cyphers ............................................................................................... 19

Screenflow Integration with Salesforce .............................................................19

Handling of Customer Data ................................................................................21

3
Overview
The Cloud Application Integration (CAI) Service, a component of Informatica Intelligent Cloud Services
(IICS), an iPaaS, provides the means for customers to:

• Integrate applications, data and processes in real time

• Expose APIs to applications, service consumers and partners
• Automate business processes and workflows.

The Cloud Application Integration (CAI) Service

Informatica’s event-driven and service-oriented application integration capabilities encompass event
processing, service orchestration and process management. These are built on Informatica’s business
process management technology. Its use within IICS, and embedded within the Cloud Secure Agent,
makes it possible to create and consume APIs, orchestrate data services and business services,
integrate processes, and offer data and applications services within and outside of an organization.

Functional Capabilities
The CAI service carries out a number of business functions using orchestration as the primary means to
implement request/response interactions between service consumers and providers that interact with it
in a synchronous and asynchronous manner to carry out a number of functions. These functions are
summarized as: application integration services, service implementation and management services,
and process automation services.

App Integration Services Service Implementation

Process Automation Services
and API Management

• Integrate applications in real time
using orchestration, APIs and
messaging to propagate data
from one data source to another
• Supplement bulk data set
processing with interactive API-
based data propagation
• Create business, composite and data
services
• Expose these services as REST, SOAP
or OData APIs to applications, lines of
businesses and partners
• Make APIs discoverable
• Monitor API execution
• Manage and control API usage
• Implement and run business process
applications
• Externalize process logic and business
rules outside of application code
• Support business processes that span
applications
• Provide users with automated guided
workflows with contextual and
interactive access to data

4
Application Integration Services
Application integration services are used to perform two primary functions

• Data Propagation – the propagation of data in real time that arrives via API or as data feeds of
events over messaging topic or queues
• Event Processing – the processing of event data from sources such as file arrivals

Examples of use include front/back office application Integration such as

• Order Processing, Financial and Inventory Management: Propagation of Salesforce order,

financial, product and customer data to SAP integration in real time
• Real time sync of Account, Quote and Program data between Siebel and Salesforce, and
Oracle and Salesforce

Service implementation and API management

Service implementation and API management functions let you address your need to expose data to
applications, business systems and partners. It provides you with the ability to create, expose and
manage your services and data. Example of use include:

• Integrate partners - Expose APIs to partners and internal lines of business share data
• Support applications - Expose backend APIs to support a Web portal service for membership
management and payment processing
• Data services - Expose data as a service via OData allowing 3rd party system access without
having to replicate it

Process Automation Services

The primary function of process automation is to implement and run business process applications.
These can automate application and business processes, either by externalizing the process and
business rules outside of the application code, or implementing business processes that span
applications, a phenomenon brought by use of best of breed SaaS applications. Provide users with
automated guided workflows while offering contextual interactive access to data via API-enabled
services and data sources.

Use cases are varied such as:

• Education Sector: Student onboarding, activation and provisioning across 11 different

• Health insurance policy selection automation. Using a caller ID on inbound call, pull household
information from a legacy platform. Based on the selection from the user create a customer
record in the policy system
• Health care services: Moved implementation of core business processes from Salesforce
custom code to CAI to perform business rules management and integration. This resulted in
better transparency and robustness of order management processes, lower total cost of

5
 ownership within IT and for business users, made faster changes to business logic,
accelerated development and lowered the cost of the introduction of new products.

Success stories are available on the CAI community site at this location.

Informatica’s cloud application integration capabilities are ideally suited for service-oriented integration
when you need:

• Long-running transactions that maintain state

• Short-running or transactional system integration processes requiring integration sequences,
different execution paths or composite transactions
• Rich semantics for parallel execution
• Timers and event triggers
• Rich event, fault and error handling systems control how and what to compensate through
automated compensation to roll back a transaction if all required steps are not completed
successfully
• The ability to orchestrate transactions that spawn across different companies, business units,
different products or services to realize horizontal business/integration processes, such as for
example, an order-to-cash process
• To have visibility into what is going on during execution such as:
o Knowing what is happening and what is not happening
o Reporting on processes that are in progress, not just individual requests
o Managing escalations, timeouts and schedules

Other capabilities include:

• Screenflow for user task automation, workflow and interactive access to data
• The ability to perform content-based routing, transformations to or from XML and non-XML
types, and decryption/encryption, signature validation and authorization amongst other
capabilities

6
The platform’s architecture makes it ideally suited for hybrid, event-driven integration such as depicted
here. This depicts the deployment of services

SOAP, REST,
JSON, XML,
OData Cloud Process
API Gateway Service
Cloud
Applications

API and Application

Integration

SOAP, REST,
JSON, XML,
OData Agent Process
Server

Applications Data Services

Once deployed to the Cloud, on premises or both, requests flow via one or more processes based on
the business process application’s design and deployment definitions of the processes and
connections.

Business Composite and Application Services /

Services Tier Integration Services Tier Microservices Tier
Cloud and On Premises Application,
Cloud API Proxy Cloud API and Application Integration
Messaging and Data Services
and Management Cloud and On Premises
Services

SOAP APIs Application

Services and APIs

Data Services

REST APIs
Queues / Topics
API
Gateway
Data and OData Business Processes
APIs
Data
Gateway, REST, SOAP, Processes can
Manager, OData APIs be composed Data Hub
Portal,
Registry
3rd-party and
customer-facing APIs
Provide: Synchronous and Async Services
Consumes: Synchronous and Async Services
Processes consume and are consumable

The business process application, defined by a set of orchestrated business services, composite
services (themselves processes or of other implementation types), or application services carry out as a
whole the means of performing order processing as depicted here.

7
Components of the Service
IICS’s Cloud Application Integration (CAI) services lets customers expose business services at Cloud or
on-premises service endpoints that are accessible via REST (XML/JSON – the server receives either
formats, and the content-type HTTP header is used to control what the server responds with or sends),
JSON/RPC and SOAP, and as message-oriented services and consumers. This section describes the
components of CAI’s service-oriented architecture, including the Cloud Process Server, the Cloud
Secure Agent’s embedded Process Server, and the technologies and capabilities of this platform.

Process Server
Process Server is a runtime and process management engine that scales to meet the needs of the
cloud and enterprises of any size. Execution is carried out by Process Server. Process Server provides
several sophisticated features to ensure business continuity and can be deployed as a cluster in failover
mode to ensure high availability.

When deployed within the Cloud Application Integration Service, Process Server is used to securely
partition users into discrete tenants, or IICS Organizations. With this multi-tenant architecture, each
IICS Organization (or tenant) shares hardware and software resources but has its own private and
secure access to CAI’s Process Server.

Process Server has been built to support non-stop operation of composite business applications. You
can:

• Configure and enforce runtime behavior of an orchestration using standard policies

• Perform server-based runtime message correlation
• Automatically perform service invocation retry if a service is temporarily unavailable
• Offer endpoint management capabilities that make it easy to deploy an orchestration in one
environment or another, or deal with a change in topology
8
 • Suspend a running process to handle bad data that would otherwise have unnecessarily failed
a transaction and correct the problem.

Process Console is used carry out these functions and configure Process Server.

Process Console
The Process Console provides a central location from which to manage and configure Process Server
instances and its deployed resources whether in the Cloud or embedded within the Secure Agent.
Process Console provides means to schedule processes and deploy new or updated processes.

Process Console provides tenants the means to perform root cause analysis if a process exception
occurs and take corrective actions. Process rewind – a process exception management feature -- offers
the ability to visually rewind a process to a specific activity and redo the work without having to invoke
any of the built-in compensation logic, giving organizations unprecedented flexibility in managing and
running in-flight processes.

Process Designer
Cloud users demand an easy to use web interface for creating their integrations and automating
processes. Process Designer provides unparalleled ease of use for citizen developers to create and
deploy processes to the Cloud’s and Secure Agent’s Process Server. Process Designer is intended to
be used by a technical power user – an automation designer - who may or may not be a developer but
knows the business processes and services used to accomplish them. This designer is designed to be
easy to use yet powerful and expressive to create any business process. The core design tenet: simple
things should be simple, hard things possible.

A key guiding principle behind the Process Designer is ease of use. This is exemplified by feature that
frees the user from the tedium of having to lay out process activities by hand. Instead, steps are
automatically linked together for the user. Users can select from a variety of step types such as
Decisions, Service steps, Parallel Paths and iteration constructs to accomplish their process. If a user,
for example, creates a Decision step with multiple possibilities, branches will then automatically be
created for those possibilities. The same is true of Parallel Path steps, which creates parallel branches
on the canvas that correlate with the desired parallel activities to be performed. When done, the user
simply saves and publishes the process definition, and the service is automatically created, deployed
and ready to be invoked as a REST (XML/JSON), a JSON/RPC and a SOAP service. No other vendor
has this type of capability or can claim this level of ease of use.

Creating a Service Definition to invoke from a process is as simple as using a form to specify
input/output parameters, endpoint information, test connection information, and then saving and
publishing the service connection. Once saved, the service definition is automatically incorporated as
part of the services that can be used in the process and others that want to consume this definition.
Swagger, WSDL/XML Schema and OData introspection documents are automatically created for users.

9
To satisfy data integration orchestration needs, a specialized version of Process Designer is offered
that provides the means to orchestrate Data Synchronization, Mapping Configuration Templates and
others. Customers benefits from the ability not only to serialize and handle errors in a resilient manner
but also to process for example data ingestion in parallel or conditionally.

Process Developer
Development teams must often work on multiple projects including Java, service-based development
and orchestration. They shouldn’t have to necessarily adopt a new development tool each time they
switch between projects. For this purpose, Informatica also offers Process Developer, a rich Eclipse-
based IDE intended for developers that incorporates the BPMN and BPEL standards. Its optimized and
easy-to-use features make it easy for developers to create business process applications quickly. And
because these applications are based on industry standards, enterprises' business logic is freed from
proprietary orchestration engines. Process Developer can help you in the following ways:

• Makes it easy for architects and developers to work collaboratively with business analysts. It
achieves this by offering as a notation BPMN for modeling and implementing business
processes. Process Designer makes use of BPMN notation also.
• Exposes the full power of BPMN, enabling designers to control every aspect of the diagram.
Process Developer promotes modeling best practices while being significantly easier to use.
Structured activities can be dragged and dropped from a palette onto the canvas, significantly
reducing the amount of time required to model a BPEL process.
• It allows users to perform service discovery and provides the ability to manage service
references to help users deal with changes of service definitions.
• It orchestrates services defined using WSDL interfaces. Or, it allows designers to start with
XML schema or XML fragments if this is all that is available to start with.
• It incorporates non-web service-based assets through a Web Services Definition Language
(WSDL) interface façade, enabling designers to leverage existing JMS, REST (XML/JSON),
JSON/RPC and Java-based assets. As such, these are used as if they were services, each
having a distinctive binding.
• It simulates processes locally or by using remote debugging, allowing designer to save
simulations and test data, which can then be used to generate unit tests and test suites to
perform scenario testing.
• It uses wizard-based deployment to execute new orchestrations and updates to the Cloud
Process Server or the Secure Agent’s Embedded Process Server.

On Premises Process Server

The Cloud Secure Agent is a key component of our hybrid and secure solution. The Secure Agent can
be installed on premises or in the cloud based on connectivity needs. It acts as a container for various
services such as the Channel Service that manages communication to and from the Cloud service, the
Data Integration Service that processes data sets using mapping and data synchronization tasks, and
the Process Server Service to process execution and event-processing on premises.

10
Communication between the Secure Agent and IICS is carried out through a Secure Channel that the
agent initiates. This is depicted here as an example of how the Secure Agent facilitates data integration
between a local database and Salesforce CRM and Force.com.

The Secure Agent that is used for data integration is the same as the one used for service and
application integration. When licensed, Process Server is automatically installed on the Secure Agent.
The Process Server deployed to the Secure Agent is built on the same technology that runs in the cloud
service in multi-tenant mode. This provides customers the ability to deploy process contributions to the
cloud or Secure Agents.

Communication between the Secure Agent and IICS is carried out through the Secure Channel that the
agent initiates. This is depicted here as an example of how the SA facilitates data integration between a
local database and Salesforce CRM and/or Force.com.

11
Customer that license the Cloud Application Integration Service are provided with the ability to deploy
processes to CAI in the Cloud and on Premise to a Secure Agent’s Embedded Process Server. The
Secure Agent is the same used for data integration than that used for service integration. The only
difference is the addition of the “Process Server” package that gets downloaded automatically by the
secure agent when CAI is licensed as depicted here.

The Secure Agent can be installed in different configurations. For data integration payloads, a Cloud
Runtime Environment is offered to process data integration payloads by infrastructure managed by
Informatica. When hosted by customers, agents can be grouped as Agent Groups to process in round-
robin manner data and application integration workloads across agents of a group. Customers can also

12
cluster Process Server instances of an Agent Group to provide a high-availability and fault-tolerant
configuration. Clustering should be considered when processing long-running processes. This typically
calls for automatically failing over process instance to another node in the event of a failure of a node.

Deployment
Process and connections definitions are deployed to Process Server on Cloud and on premises on the
Secure Agent. When deployed to an agent, they are deployed to all agents that are members of an
“Agent Group” or these definitions are deployed to specific agents. Certain definitions intended to be
global get deployed to Cloud and Secure Agent instances.

The following screenshots depicts the selection of where definitions are deployed and run on, thus the
use of the term “Run On”.

13
“Run On” simply implies where something is deployed and will execute. The CAI service uses this
deployment information to communicate to the agent.

Calls from the CAI service to the Process Server on the Secure Agent can only be carried out via the
Cloud Process Server through a mutually authenticated session to ensure fully-secured access to on
premise systems. A mutual authenticated session is established using mutual TLS for securing the
channel. This provides a means of ensuring that subprocess/process/service calls are initiated within
Informatica’s trusted domain of services.

When a process or a connection on the agent needs to be accessed by a Cloud Process Server
process instance the communication is carried out on behalf of a Cloud process via a mutually
authenticated server-to-server session. The caller is impersonated such that it can be authenticated on
the services being called.

Cloud and On-Premise Inter-process Communication

Incoming service (i.e. API) requests to a Cloud-deployed process (depicted below) can originate from a
cloud or on premises consumer over JSON RPC and SOAP, and REST (XML/JSON). These either
initiate a new process or represent a callback or some event that the process is waiting to receive. An
API Gateway is offered to secure and apply various access policies to provider APIs.

14
 Cloud Process Server Connectivity:
• Web Services: REST, SOAP, OData

SOAP (XML)
REST (JSON, XML)
OData Cloud Process
API
Gateway Service
Cloud
Multi-tenant Applications
Service
Cloud-based Design,
Deployment and
Management
API and Application
Integration
Single-tenant
Service Applications
SOAP (XML) Agent Process Server Connectivity:
REST (JSON, XML) • Web Services: REST, SOAP, OData
OData Agent Process
• Database: JDBC and the Data Access Service
Server • Messaging: AMQP, JMS, Kafka, RabbitMQ, AWS
Data SNS/ SQS, Azure Service Bus / Event Hub,
Salesforce Platform Events
• Content Listeners: File, FTP, AWS S3
• Java Pojo Invocation
• Shell Service
• SAP BAPI and other connectors

Services and
Microservices

Invoking Cloud-based SaaS services (for example, Salesforce or NetSuite) employs the security
mechanism offered by that service such as a HTTP Basic Authentication, JWT (JSON Web Token)-
based authentication, OAuth v2, or SOAP endpoint’s WS-Security username token (among others). The
Service Connector framework is open and can be used to authenticate to proprietary schemes (e.g.
AWS authentication). Invoking services on premises is performed via a secure channel between a
process instance running in IICS’s CAI Process Server and an agent-based Process Server. Calls from
IICS to the Secure Agent can only be carried out via the Cloud Process Server through a mutually
authenticated session to ensure fully-secured access to on premise systems.

REST (XML/JSON) or JSON/RPC services exposed by customers are secured using HTTPS Basic-
Auth or handled by third party OAuth providers. As is the case for Cloud-based deployments, the
Service Connector framework is open and can be used to authenticate to proprietary schemes (e.g.
AWS authentication). SOAP services exposed by customers are secured using Basic-Auth at the
HTTPS layer. Additional forms of authentication are available via WS-Security in the form of WS-
Security tokens. The Username, X.509, and SAML token formats are supported.

Based on its process definition, the Cloud Process Server receives and invokes service consumers and
providers deployed to the Cloud. It also processes requests destined to on-premises service providers
and responds synchronously to these using the HTTPS over TLS connection established by the service
consumer.

Cloud to Secure Agent communication is performed using a Secure Channel created by the Secure
Agent’s Channel Service. Calls from IICS to the Secure Agent can only be carried out by IICS through a
mutually authenticated session.

Customers deploy process definitions and manage process instances from the Cloud Application
Integration Process Console. Process administrators log in as a tenant and are granted access to
tenant-specific data and configuration information. The same console used to access process
definitions running in the cloud is used to access process definitions running on Secure Agents.

15
Access to the Process Console provides customers access to transient data flowing through IICS. This
provides customers access to variable data (for example, inputs and outputs to the process and
services calls) of running process instances and completed or faulted process instances.

Process Console access to deploy process definitions or access to process instances are secured by
an Informatica Intelligent Cloud Services (IICS) username and password that customers manage in the
IICS user and group store. SAML support is also offered.

Message Exchange Patterns

A variety of message exchange patterns are available with the Cloud Application Integration (CAI)
Service, which makes it possible to implement any cloud or hybrid solution. These include:

• Synchronous request/reply
• One-way fire and forget
• Asynchronous request/reply
• Publish and subscribe
• Reliable SOAP message delivery with WS-Reliable Messaging

Connectivity
Customers making use of Process Designer benefit from rich connectivity options ranging from:

Service Connectors

• Allowing customers to build REST (XML/JSON, JSON/RPC or SOAP service integration using
a simple form. If the service offers a WSDL or Swagger interface document, the Service
Connector can be created by importing the interface document.
• Allowing customers to import and configure a pre-built business and data service definitions as
reusable assets.
• We make available over 250 samples on GitHub for customers to get started with

Data Service Connectors

• Provides customers with JDBC, OData, SAP BAPI, Workday and NetSuite capable of a variety
of CRUD operations. Most customers employ Service Connectors for use with Workday and
NetSuite for added flexibility.

Messaging Services

• Built-in JMS, AMQP, AWS SNS/SQS messaging services for queue and topic processing,
Salesforce Outbound Messaging/Platform Events/Push Topic, Azure Service Bus, Azure Event
Hub, Kafka

File Content Listeners / Writers

16
 • File listeners that contain data sets or discrete events that arrive on the file system, AWS S3,
FTP/s, and the ability to generate and transfer file content to these targets.

Service Steps - BPEL Definitions

• Built with Process Developer by developers, Service Steps (also known as Automated Steps)
create reusable services directly consumable by Process Designer. These make it possible to
expose native Java integration amongst others uses.

Built-in Services

• A Data Access Service for direct SQL or Stored Procedure execution

• Email Services
• Shell Services to execute shell scripts and utilities

OData Provider

• A built-in OData Provider depicted here that enables OData access to internal data sources
such as those available via JDBC and Salesforce. This makes it possible for OData clients
such as Salesforce Lightning Connect and OData clients to access OData streams over the
Web and on premises.

17
Transport Level Security
The following ciphers are currently enabled exclusively for TLS usage. SSL is not allowed.

Cipher Suites (sorted by strength; the

server has no preference)
TLS_RSA_WITH_RC4_128_MD5 (0x4) 128

TLS_RSA_WITH_RC4_128_SHA (0x5) 128

TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128

TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112

TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256

Cloud and Agent-Based Key Generation and Handling

When connection information is stored in the design repository of the CAI service, the information is
sent (from the browser) via TLS 1.2 to the repository process. Connection properties or any field
marked as “encrypted” by a customer is encrypted.

Within the repository, a BPEL process encrypts the field values subject to encryption using a Tenant
key before the field is persisted to the DB.

When publishing artifacts to agents, the connection information is sent down to the agent. To do this,
the publish process first reads connection information (stored as XML) from the DB. For any field
marked as encrypted, the publish process decrypts the field using a Tenant key and sends the
decrypted xml information to the Agent over TLS 1.2. When received by the Agent, the field is re-
encrypted (applying same procedure) before it is persisted to local storage. The ICS (Agent) crypto
components are used for this purpose.

When exporting connections, any encrypted data is removed from the exported documents. After
importing the connection artifact, the customer will need to provide credentials.

Cloud-based Crypto
Symmetric encryption / decryption is employed in using a configurable server-side secret as the key.
There is a primary server key for use by the server for server-based encryption, and tenant-specific
keys for use with tenant data. Both utilized the same algorithm and ciphers, but the secret used to
create the key is different.

Server Secret: At the server level, the secret is based on a system property or originates from a
database-resident value.

Tenant Secrets: For each tenant the secret is generated when the tenant is created. It is a random
UUID. This tenant’s secret is then encrypted using the server key and stored in the database within the
tenant’s context (i.e. this is tenant data). On startup, this value is read by the server from the DB, it is

18
decrypted, and kept in memory to be used tenant data encryption/decryption. Tenant keys are managed
by the IICS KMS microservice.

Agent-based Crypto
For Process Server on the agent, data such as connection passwords are stored in the same manner
as it performed within the Cloud – it is the same implementation with the exception that tenant based
keys are provided by IICS.

Process Server Cyphers

Process Server uses Java javax.crypto.* package and DESede algorithm (alias for TripleDes) for key
generation. This is used both for the tenant key and server key generation.

Screenflow Integration with Salesforce

Screenflow embedded within Salesforce is a feature of CAI. Screenflow provides users with interactive
access to data within Salesforce or mobile devices as well as help users carry out their tasks in
Salesforce.

Authentication of users is carried out by Salesforce and an SSO session is established and maintained
using Salesforce session tokens. CAI does not offer the means for a customer to authenticate to it,
rather authentication and authorization is performed by Salesforce. The session tokens obtained from
Salesforce are used in SOAP API calls. SSO and SOAP API calls depicted below are secured via
certificate-based mutual authentication (client & server) over an HTTPS session using TLS between
Salesforce and the Cloud Application Integration Service. This is a form of multi-factor authentication.

CAI integrates with Salesforce via Salesforce’s Enterprise WSDL-based service as depicted here.

19
CAI is comprised of Salesforce objects, pages and corresponding supporting classes and components.
Salesforce sections within Salesforce objects (created by end user admins) are used to contain pages
served up by CAI’s Process Server via iFrame integration with Salesforce. Screenflows managed by
Process Server are shown to the user. Web service calls that result from user interaction create and
update Salesforce record using the identity of the user running the screenflow. This is achieved via
impersonation.

CAI uses a combination of the Salesforce Session ID and a SSO token that is submitted from a
Salesforce page component. The security token is generated in Salesforce using an Apex class. The
class implements the generation of a security token that can be used to sign in to Process Server
shown above.

This class:

1. Generates an encrypted security token using the OrganizationId, UserId and current date. The
encrypted token is submitted by a Sales Guide section component. SSO is handled by posting
to the Process Server Custom SSO Provider URL with the security token appended as a URL
parameter.
2. The Custom SSO Provider service will use the token and make a call back in to SFDC and
decrypt the token using the AeVerifySalesforceUser class. If the token is valid the isValid field
is set to true and the userName and displayName fields are set.

20
Handling of Customer Data
The Cloud Application Integration service retains and destroys customer data and metadata for a
period. The CAI service holds transient data that has been provided by the customer in memory and on
disk (where it is encrypted) for process instances that are in Running or are in Completed or Faulted
state (and has not yet been purged). The CAI service purges completed instances on an hourly basis.
The retention for Completed (processes that have completed successfully) and Faulted (processes that
have completed either with an uncaught fault) processes are 24 and 72 hours respectively for Cloud-
hosted processes. Customers have the ability to control retention periods on the agent-based Process
Server.

The Cloud service’s file systems that hold transient data in databases are encrypted. These encrypted
file systems reside on management, databases servers, and the file system volumes used to host
backups.

Running instances are maintained running until they reach Completed state or are terminated by a
customer. The customer is responsible for terminating Running or Suspended processes instances as a
means of removing transient data. He/she can then delete all running process instances. Otherwise,
these will be purged on an hourly basis when Completed process instances at the end of the 24-hour
retention period.

Worldwide Headquarters 2100 Seaport Blvd., Redwood City, CA 94063, USA Phone: 650.385.5000, Toll-free in the US: 1.800.653.3871
IN09_1217_3407 www.informatica.com linkedin.com/company/informatica twitter.com/Informatica

© Copyright Informatica LLC 2019. Informatica and the Informatica logo and are trademarks or registered trademarks of Informatica LLC in the United
States and many jurisdictions throughout the world. A current list of Informatica trademarks is available on the web at
https://www.informatica.com/trademarks.html. Other company and product names may be trade names or trademarks of their respective owners. The
information in this documentation is subject to change without notice and provided “AS IS” without warranty of any kind, express or implied.

21