Customize and Manage User Authentication with Login Flows
| Available in: Enterprise, Performance, Unlimited, and Developer Editions |
| User Permissions Needed | |
|---|---|
| To open, edit, or create a flow in the Cloud Flow Designer: | “Manage Force.com Flow” |
Use the Flow Designer to create login flows, then associate those flows with specific profiles in your organization. You can connect the same flow to multiple profiles. Users with the profile are directed to the login flow after they authenticate, but before the user is directed to the organization’s content. The login flow screens are embedded within the standard Salesforce login page for an integrated user login experience.
Build Your Own Login Flow
Use the following process to build your own login flow.
- Create a new flow using the Flow Designer and Apex.
  For example, you can design a custom IP-based two-factor authentication flow that requires a second factor of authentication only if the user is logging in from outside of the corporate Trusted IP Range. (To find or set the Trusted IP Range, from Setup, choose .) The flow should contain the following.
  - A new Apex class defining an Apex plugin that implements the Process.Plugin interface and uses the Auth.SessionManagement class to access the time-based one-time password (TOTP) methods and services. The new Apex class for the plugin generates a time-based key with a quick response (QR) code to validate the TOTP provided by the user against the TOTP generated by Salesforce.
  - A screen element to scan a QR code.
  - A decision element to handle when the token is valid and when the token is invalid.

Within the flow, you can set input variables. If you use the following specified names, these values will be populated for the flow when it starts.
| Name | Value Description |
|---|---|
| LoginFlow_LoginType | The user type, such as Chatter Community external user |
| LoginFlow_IpAddress | The user’s current IP address |
| LoginFlow_LoginIpAddress | The user’s IP address used during login, which can change after authentication |
| LoginFlow_UserAgent | The user agent string provided by the user’s browser |
| LoginFlow_Platform | The operating system for the user |
| LoginFlow_Application | Application used to request authentication |
| LoginFlow_Community | Current Community, if this login flow applies to a Community |
| LoginFlow_SessionLevel | The current session security level, Standard or High Assurance |
| LoginFlow_UserId | The user’s 18-character ID. |

During the flow, you can assign values to the following predefined variables for specific behavior.

| Name | Value Description |
|---|---|
| LoginFlow_FinishLocation | A Text value. Provide a string that defines where the user goes after completing the login flow. The string should be a valid Salesforce URL (the user cannot leave the organization and stay in the flow) or relative path. |
| LoginFlow_ForceLogout | A Boolean value. Set this variable to true to log the user out immediately and force the user to exit the flow. |

- Save the flow.
- Activate the flow.
- Connect the login flow to a profile.
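One way to write the plugin for the IP-based two-factor flow described above (example code added here, not Salesforce's own). The class name and the parameter names `ip_address`, `secret`, `otp`, `needs_otp`, `qr_url` and `is_valid` are assumptions; the flow is assumed to pass `LoginFlow_IpAddress` in as `ip_address`, and the user is assumed to have no authenticator key registered yet.

```apex
// Added example, not Salesforce's code; names are hypothetical, user has no key registered yet.
global class IpBasedTotpPlugin implements Process.Plugin {
    global Process.PluginDescribeResult describe() {
        Process.PluginDescribeResult.ParameterType S = Process.PluginDescribeResult.ParameterType.STRING;
        Process.PluginDescribeResult.ParameterType B = Process.PluginDescribeResult.ParameterType.BOOLEAN;
        Process.PluginDescribeResult d = new Process.PluginDescribeResult();
        d.inputParameters = new List<Process.PluginDescribeResult.InputParameter>{
            new Process.PluginDescribeResult.InputParameter('ip_address', S, true),
            new Process.PluginDescribeResult.InputParameter('secret', S, false),
            new Process.PluginDescribeResult.InputParameter('otp', S, false)
        };
        d.outputParameters = new List<Process.PluginDescribeResult.OutputParameter>{
            new Process.PluginDescribeResult.OutputParameter('needs_otp', B),
            new Process.PluginDescribeResult.OutputParameter('qr_url', S),
            new Process.PluginDescribeResult.OutputParameter('secret', S),
            new Process.PluginDescribeResult.OutputParameter('is_valid', B)
        };
        return d;
    }

    global Process.PluginResult invoke(Process.PluginRequest request) {
        String ip = (String) request.inputParameters.get('ip_address');
        String secret = (String) request.inputParameters.get('secret');
        String otp = (String) request.inputParameters.get('otp');
        Map<String, Object> result = new Map<String, Object>{ 'needs_otp' => true, 'is_valid' => false };
        Boolean trusted = false;
        try {
            trusted = Auth.SessionManagement.inOrgNetworkRange(ip);
        } catch (Exception e) {
            trusted = false; // fail closed: an unusable address still needs a TOTP
        }
        if (trusted) {
            result.put('needs_otp', false); // inside the Trusted IP Range
        } else if (String.isBlank(secret)) {
            // First call: create the key and the QR code for the screen element.
            Map<String, String> qr = Auth.SessionManagement.getQrCode();
            result.put('qr_url', qr.get('qrCodeUrl'));
            result.put('secret', qr.get('secret'));
        } else if (String.isNotBlank(otp)) {
            // Second call: check the user's code against the key from the first call.
            try {
                result.put('is_valid', Auth.SessionManagement.validateTotpTokenForKey(secret, otp));
            } catch (Exception e) {
                result.put('is_valid', false); // any error counts as an invalid token
            }
        }
        return new Process.PluginResult(result);
    }
}
```

The decision element can branch on `is_valid` and set `LoginFlow_ForceLogout` to true when the token is invalid.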
Connect Your Login Flow
- From Setup, click .
- Click New.
- Enter a Name to reference this login flow association if you need to edit or delete it. The Name does not need to be unique.
- Enter the Profile to connect to the login flow. You can use the picklist to see available profiles.
- Select the Login Flow for the profile from the drop-down list. The list includes all the available flows saved in the Flow Designer.
- Click Save.
Users of the profile will now be directed to the login flow.
A single login flow can be associated with one or more profiles. However, a profile can’t be connected to more than one login flow.
For more information, see the Flow Designer Overview in the Salesforce help, and the new Auth.SessionManagement Apex class.

