Salesforce Security Guide

Salesforce Security Guide
Salesforce Security Basics
Authenticate Users
Elements of User Authentication
Configure User Authentication
Restrict Where and When Users Can Log In to Salesforce
Set Password Policies
Expire Passwords for All Users
Modify Session Security Settings
Define Identity Verification Settings for Your Orgs and Communities
Require High-Assurance Session Security for Sensitive Operations
Custom Login Flows
Create a Login Flow with Flow Builder
Create a Custom Login Flow with Visualforce
Set Up a Login Flow and Connect to Profiles
Login Flow Examples
Multi-Factor Authentication Considerations
Deploy Third-Party, SMS-Based Multi-Factor Authentication
Limit the Number of Concurrent Sessions with Login Flows
Connected Apps
Give Users Access to Data
Share Objects and Fields
Strengthen Your Data's Security with Shield Platform Encryption
Monitoring Your Organization’s Security
Real-Time Event Monitoring
Security Guidelines for Apex and Visualforce Development
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Custom Login Flows

A login flow directs users through a login process before they access your Salesforce org or community. You can use a login flow to control the business processes that your users follow when they log in to Salesforce. After Salesforce authenticates a user, the login flow directs the user through a process, such as enforcing strong authentication or collecting user information. When users complete the login flow successfully, they are redirected to their Salesforce org or community. If unsuccessful, the flow can log out users immediately.

To create a flow, use either Flow Builder or Visualforce. Flow Builder is a point-and-click tool that you can use to design a simple flow that users execute when logging in. Use Visualforce to have complete control over how the login page looks and behaves.

After creating a flow, designate the flow as a login flow and associate it with specific profiles in your org. You can create multiple login flows and associate each one with a different user profile. Users assigned to one profile, like sales reps, experience a particular login process as they log in. Users assigned to a different profile like service reps, experience a different login process.

When you associate a login flow with a profile, it’s applied each time a user with that profile logs in to an org or community. The flow is also applied when a user logs in to the Salesforce mobile app and even Salesforce client apps that use OAuth. You can apply login flows to Salesforce orgs and communities, including external identity communities.

Login flows support all Salesforce authentication methods: standard username and password, delegated authentication, SAML single sign-on (SSO), and SSO through a third-party authentication provider. For example, users logging in with a LinkedIn account can go through a login flow specific for LinkedIn users.

You can’t apply login flows to API logins or when sessions are passed to the UI through frontdoor.jsp from a non-UI login process.

Note

Login Flow Use Cases

Wondering what you can use login flows for? Here are some example use cases.

  • Enhance or customize the login experience by adding a logo or login message.
  • Collect and update user data, such as an email address, phone number, or mailing address.
  • Interact with users, and ask them to perform an action. For instance, you can ask them to complete a survey or accept terms of service.
  • Connect to an external identity service or geo-fencing service, and collect or verify user information.
  • Enforce strong authentication, like implementing a multi-factor authentication (MFA) method using hardware, biometric, or another authentication technique.
  • Run a confirmation process. For example, have a user define a secret question, and validate the answer during login.
  • Create more granular policies like setting up a policy that sends a notification every time a user logs in during non-standard working hours.

Login Flow Execution

Before creating a login flow, it’s important to understand login flow execution.
  • To invoke a login flow, the user must first be authenticated. Login flows don’t replace the existing Salesforce authentication process. They integrate new steps or ask the user for information.
  • During login-flow execution, users have restricted access. Users in a login flow can access only the flow—they can’t bypass it to get to the application. They can log in to the org only when they successfully authenticate and complete the flow.

Create and Manage Login Flows

For help with creating and managing login flows, review these articles.