Customize and Manage User Authentication with Login Flows

Login flows allow administrators to build post-authentication processes to match their business practices, associate the flow with a user profile, and send the user through that flow as they log in. Use login flows to collect registration information from users, provide a terms of service acceptance form, prompt the user for a second factor of authentication, and add other customizations.
Available in: Enterprise, Performance, Unlimited, and Developer Editions

User Permissions Needed
To open, edit, or create a flow in the Cloud Flow Designer: “Manage Force.com Flow”

Use the Flow Designer to create login flows, then associate those flows with specific profiles in your organization. You can connect the same flow to multiple profiles. Users with the profile are directed to the login flow after they authenticate, but before they are directed to the organization’s content. The login flow screens are embedded within the standard Salesforce login page for an integrated user login experience.

Login flows support all of the Salesforce user interface authentication methods, including username and password, delegated authentication, SAML single sign-on, and social sign-on through a third-party Auth. Provider. Login flows can be applied to logins to Salesforce organizations, communities, and portals.
Note

Currently, login flows cannot be applied to API logins, or when sessions are passed to the UI through frontdoor.jsp from a non-UI login process.

Build Your Own Login Flow

Use the following process to build your own login flow.

  1. Create a new flow using the Flow Designer and Apex.

    For example, you can design a custom IP-based two-factor authentication flow that requires a second factor of authentication only if the user is logging in from outside of the corporate Trusted IP Range. (To find or set the Trusted IP Range, from Setup, choose Security Controls | Network Access.)
    Note

    Do not set the Login IP Ranges directly in the user profile. Login IP Ranges set directly in a profile entirely block access to the organization for users of that profile who are outside that range, so those users never reach the login flow process.

    The flow should contain the following.

    1. A new Apex class defining an Apex plugin that implements the Process.Plugin interface and uses the Auth.SessionManagement class to access the time-based one-time password (TOTP) methods and services. The plugin class generates a time-based key with a quick response (QR) code, then validates the TOTP provided by the user against the TOTP generated by Salesforce.
    2. A screen element to scan a QR code.
    3. A decision element to handle when the token is valid and when the token is invalid.
    (Figure: Example Custom Two-Factor Authentication Login Flow)

    Within the flow, you can set input variables. If you use the following names, these values are populated for the flow when it starts.

    Name                        Value Description
    LoginFlow_LoginType         The user type, such as Chatter Community external user
    LoginFlow_IpAddress         The user’s current IP address
    LoginFlow_LoginIpAddress    The user’s IP address used during login, which can change after authentication
    LoginFlow_UserAgent         The user agent string provided by the user’s browser
    LoginFlow_Platform          The operating system for the user
    LoginFlow_Application       Application used to request authentication
    LoginFlow_Community         Current Community, if this login flow applies to a Community
    LoginFlow_SessionLevel      The current session security level, Standard or High Assurance
    LoginFlow_UserId            The user’s 18-character ID
    During the flow, you can assign values to the following predefined variables to control specific behavior.
    Note

    The flow loads these values only after a UI screen is refreshed: a user clicking a button does not load the values, so a new screen must be added to the flow for the values to be loaded.

    Name                        Value Description
    LoginFlow_FinishLocation    A Text value. Provide a string that defines where the user goes after completing the login flow. The string should be a valid Salesforce URL (the user cannot leave the organization and stay in the flow) or relative path.
    LoginFlow_ForceLogout       A Boolean value. Set this variable to true to log the user out immediately and force the user to exit the flow.
  2. Save the flow.
  3. Activate the flow.
  4. Connect the login flow to a profile.
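As an added example (not code from these release notes or from Salesforce), here is an Apex plugin of the kind step 1 describes, combining the Trusted IP Range check from the IP-based two-factor scenario with TOTP enrollment and validation. It assumes the flow maps LoginFlow_LoginIpAddress to the input ipAddress, carries the issued shared secret between screens in a flow variable passed as secret, and passes the code the user typed as totpCode; the class name and parameter names are invented, and the two-argument validateTotpTokenForKey(sharedKey, totpCode) form is used.

```apex
// Added example plugin for a login flow; class and parameter names are assumptions.
// Inputs: ipAddress (from LoginFlow_LoginIpAddress), secret (flow variable), totpCode.
global class LoginFlowTotpPlugin implements Process.Plugin {
    global Process.PluginResult invoke(Process.PluginRequest request) {
        Map<String, Object> out = new Map<String, Object>();
        String ip     = (String) request.inputParameters.get('ipAddress');
        String secret = (String) request.inputParameters.get('secret');
        String code   = (String) request.inputParameters.get('totpCode');
        // Inside the organization's Trusted IP Range: no second factor is required.
        Boolean trusted = String.isNotBlank(ip) && Auth.SessionManagement.inOrgNetworkRange(ip);
        out.put('needsSecondFactor', !trusted);
        out.put('tokenValid', trusted);
        if (!trusted && String.isBlank(secret)) {
            // First pass from outside the range: issue a shared secret and its QR code
            // for the flow's scan screen. The secret lives only in a flow variable here;
            // a production flow would persist it for the user after a successful check.
            Map<String, String> qr = Auth.SessionManagement.getQrCode();
            out.put('qrCodeUrl', qr.get('qrCodeUrl'));
            out.put('secret', qr.get('secret'));
        } else if (!trusted) {
            // Second pass: validate the code the user typed against the issued secret.
            out.put('tokenValid', String.isNotBlank(code)
                && Auth.SessionManagement.validateTotpTokenForKey(secret, code));
        }
        return new Process.PluginResult(out);
    }
    // Declares the parameters so the Cloud Flow Designer can wire flow variables to them.
    global Process.PluginDescribeResult describe() {
        Process.PluginDescribeResult d = new Process.PluginDescribeResult();
        d.Name = 'LoginFlowTotpPlugin';
        d.Tag = 'Login Flow';
        Process.PluginDescribeResult.ParameterType str = Process.PluginDescribeResult.ParameterType.STRING;
        Process.PluginDescribeResult.ParameterType bool = Process.PluginDescribeResult.ParameterType.BOOLEAN;
        d.inputParameters = new List<Process.PluginDescribeResult.InputParameter>{
            new Process.PluginDescribeResult.InputParameter('ipAddress', str, true),
            new Process.PluginDescribeResult.InputParameter('secret', str, false),
            new Process.PluginDescribeResult.InputParameter('totpCode', str, false)
        };
        d.outputParameters = new List<Process.PluginDescribeResult.OutputParameter>{
            new Process.PluginDescribeResult.OutputParameter('needsSecondFactor', bool),
            new Process.PluginDescribeResult.OutputParameter('tokenValid', bool),
            new Process.PluginDescribeResult.OutputParameter('qrCodeUrl', str),
            new Process.PluginDescribeResult.OutputParameter('secret', str)
        };
        return d;
    }
}
```

In the flow, a decision element branches on tokenValid; when it is false after the second pass, set LoginFlow_ForceLogout to true so the user is logged out rather than allowed through.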

Connect Your Login Flow

After you create a login flow in Flow Designer and activate the flow, you need to associate the login flow with a profile in your organization.
  1. From Setup, click Security Controls | Login Flows.
  2. Click New.
  3. Enter a Name to reference this login flow association if you need to edit or delete it.

    The Name does not need to be unique.

  4. Enter the Profile to connect to the login flow. You can use the picklist to see available profiles.
  5. Select the Login Flow for the profile from the drop-down list. The list includes all the available flows saved in the Flow Designer.
  6. Click Save.

    Users of the profile will now be directed to the login flow.

A single login flow can be associated with one or more profiles. However, a profile can’t be connected to more than one login flow.

For more information, see the Flow Designer Overview in the Salesforce help, and the new Auth.SessionManagement Apex class.