How to show external system data inside Salesforce without Lightning by embedding a .NET app in an iFrame

Display external data inside Salesforce without flipping on Lightning Experience — is there a clean, practical route? For many Integration Architects, the answer comes down to choosing a solution that keeps data fresh, minimizes rework, and feels seamless to users who expect a single, unified interface. When the goal is simply to show data from another system inside Salesforce, the approach that often wins is embedding an existing, well-built .NET application via an iframe. It’s a straightforward move that respects current investments while delivering a smooth user experience.

Let me explain what makes this option so appealing in the right situations, and where you might run into caveats that matter.

Why an iframe approach can feel surprisingly elegant

• You’re not duplicating data. The external system stays as the source of truth. Salesforce users see real-time information without the overhead of data migration, reconciliation jobs, or data models that have to mirror each other. If your external app already has business logic, rules, and security in place, you’re just rendering that view inside Salesforce.

• You minimize changes to Salesforce. No giant rework to Apex code, no custom objects to mirror external data, and no wholesale redesign to support API call rhythms inside Salesforce. If Lightning isn’t on, you can still present a functional, familiar UI that leverages what you already have.

• It leverages existing strengths of the external app. Your .NET application already handles integration nuances, authentication, and UI patterns. Why re-create those strengths in Salesforce when you can reuse them?

A quick mental model: the “frame” in a frame

Think of Salesforce as the shell, and the external .NET app as the content within a framed window. The frame is the Salesforce page; the content is the external UI loaded from a trusted URL. The two sides talk to each other, mostly through boundaries that keep things tidy — not by smuggling all data across Salesforce’s boundaries. It’s a modular, pragmatic setup.

What the other options bring to the table (and where they can complicate things)

• B. Custom Visualforce page with a server-side controller that calls out to the other systems

• Pros: Centralizes data retrieval, applies Salesforce-side security, and keeps logic on the server. You could leverage existing Salesforce authentication and governance.

• Cons: It starts to blend Salesforce with external callouts more directly, which can increase maintenance. You may end up duplicating some logic or chasing latency as API calls bounce between systems. It can also complicate error handling and offline scenarios.

• C. Custom Visualforce page with client-side calls to the other systems

• Pros: Lightweight server-side footprint since the browser does the calls; you can build snappy front-end interactions.

• Cons: Client-side calls are heavily dependent on CORS, tokens, and browser security policies. You’ll likely need careful handling of authentication tokens in the browser, which raises risk and complexity. It also means you’re stitching UI from two domains, which can hurt consistency and performance.

• D. A middleware orchestration to persist data from other systems into Salesforce

• Pros: Centralized data, strong control over data freshness, powerful for analytics and reporting inside Salesforce.

• Cons: You’re now maintaining a data lake inside Salesforce. Data latency, storage costs, and synchronization logic become prominent concerns. If the business goal is simply displaying external data in real-time, this can feel like overkill.

If your aim is to display external data in real time without Lightning, the iframe route hits a favorable balance: it avoids unnecessary data duplication while keeping user experience intact, and it respects existing investments in the external app.

Security and integration realities you’ll want to weigh

• Embedding implications. If you embed content from an external app, you’ll need to ensure the app supports being loaded inside an iframe and that security headers won’t block it. The external app should be accessible from the Salesforce domain, and it should handle session continuity in a user-friendly way.

• Authentication and single sign-on. A clean experience usually means users stay authenticated without juggling multiple logins. You can use SSO patterns or token-based bridges, so the user’s Salesforce session authorizes access to the external app. The goal is to minimize friction while preserving security borders.

• Cross-origin considerations. In an iframe, the parent and child are cross-origin. If tasks require interaction (say, you want to pass a selected record from Salesforce to the embedded app, or vice versa), you’ll use postMessage or similar mechanisms. Plan for graceful fallbacks if the embedded app cannot respond.

• UI consistency and responsiveness. The embedded app should render well inside Salesforce’ chrome. Responsive design, accessible controls, and consistent typography help keep the user experience cohesive.

• Accessibility and performance. If the external UI is busy or slow, it can drag down the perceived performance of Salesforce. It’s wise to implement loading indicators, sensible timeouts, and fallback messages for cases when the external content isn’t reachable.

A practical outline for making it work (high level, not code)

• Choose the embedding surface. In Salesforce, you typically place an iframe inside a Visualforce page or a Lightning component (for Lightning experiences). Since you’re not enabling Lightning, a Visualforce approach is a clean fit—just render the iframe pointing to the external .NET app.

• Align security boundaries. Verify that the external app permits being embedded. Set appropriate Content Security Policy (CSP) allowances if you’re using Salesforce’s CSP settings, and confirm X-Frame-Options or equivalent headers won’t block the frame.

• Handle authentication gracefully. Decide on an SSO strategy or a token-based bridge so users don’t repeatedly log in. Centralize user provisioning where possible.

• Test data freshness and latency. The real value here is current data. Validate that the embedded UI reflects the external system’s state in near real-time, and plan for resilience when the external service has hiccups.

• Plan for governance and monitoring. Keep an eye on security events, iframe-related errors, and performance metrics. Logging from the external app and Salesforce should be coherent enough to diagnose issues quickly.

• Ensure accessibility and mobile readiness. Even if your primary audience uses a desktop, you’ll be surprised how often people access Salesforce on tablets or smaller screens. The embedded content should hold up across devices.

Real-world nuance: when this approach shines and when you might pause

• It shines when you have a trusted, mature external system already in heavy use, with robust UI and business logic, and the goal is minimal replication inside Salesforce. It’s also ideal when Lightning Experience is not in scope, or when you want to preserve a familiar UI for end users.

• You might pause if you anticipate frequent changes to the external UI or if you’ll need deep Salesforce-native data manipulations. In such cases, a server-side Visualforce approach (or middleware for data replication) could become more appropriate, depending on governance, data ownership, and performance requirements.

A quick, memorable takeaway

If the objective is to show external data inside Salesforce without moving users into Lightning, embedding a live .NET app through an iframe offers a clean, pragmatic path. It respects existing systems, minimizes rework, and delivers real-time visibility for users who just want the information they need without wrestling with a new interface. The trade-offs—security headers, cross-origin challenges, and careful UI integration—are real, but manageable with thoughtful design and clear ownership.

A few parting notes to keep in mind

• Start with small pilots. A single Visualforce page with an iframe can demonstrate how it feels in practice. Gather feedback from users about performance, layout, and navigation.

• Document the security posture. Stakeholders will want to know how authentication, cookies, and frame embedding are handled. A simple security brief can save headaches later.

• Think beyond the display. If there’s a future path where Lightning shows up, you’ll already have a strategy in place: re-architect to reuse the same external UI or move toward a more integrated Salesforce experience. Either way, you’re not reinventing the wheel from scratch.

So, what’s the verdict when Lightning isn’t part of the picture? An iframe embedding a custom .NET application often fits the bill. It’s the pragmatic choice that leans on what already works, keeps data in its home system, and delivers a seamless view inside Salesforce. And when you pair it with solid security, thoughtful UX, and careful performance tuning, you’ve got a solution that feels both familiar and reliable to users who just want the right information, at the right time, in the right place.