Salesforce Security Guide

Clouds with binary code floating aboveCloud with binary code floating above

No Results

Search Tips:

  • Please consider misspellings
  • Try different search keywords
Salesforce Security Guide
Salesforce Security Basics
Authenticate Users
Give Users Access to Data
Share Objects and Fields
Strengthen Your Data’s Security with Shield Platform Encryption
Audit and Monitor Your Organization’s Security
Monitor Login History
Field History Tracking
Monitor Setup Changes with Setup Audit Trail
Real-Time Event Monitoring
Security Guidelines for Apex and Visualforce Development
API End-of-Life Policy
PDF

Monitor Login History

As an admin, you can monitor all attempts to log in to Salesforce and to your Experience Cloud sites. The Login History page shows up to 20,000 records of user logins for the past 6 months. To see more records, download the information to a CSV or GZIP file.
Available in: Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Contact Manager, Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions

User Permissions Needed
To monitor logins: Monitor Login History

OR

Manage Users

Know who logged in, at what time, and from where. To view this information, go to the Login History in Setup.

  • Authentication Method References. Monitor how your OpenID providers authenticate users that log in to your org through OpenID Connect. For example, see which users log in with multi-factor authentication (MFA).

    To show you how your OpenID provider is authenticating users, Salesforce pulls the authentication method from JSON strings in the OpenID Connect token returned by your provider. Work with your provider to define the values used in the JSON strings. To get started, you can see the values defined by the Internet Engineering Task Force. These values aren't necessarily supported by your OpenID provider. For more information on the Authentication Method References claim, see the OpenID Connect Core 1.0 standards from the OpenID Foundation.

  • HTTP Login Method–View the HTTP method used for the session login: POST, GET, or Unknown.
  • SAML Single Sign-On (SSO)–If your org uses SAML SSO identity provider certificates, view SAML SSO history.
  • My Domain–You can see when users are logging in with a My Domain URL, which is displayed in the Login URL column.
  • License Manager Users–Names in the format 033*********2@00d2********db indicate internal users who are associated with the License Management App (LMA). This app manages the number of licenses used by a subscriber org. These internal users can appear in the License Management org (LMO) and in subscriber orgs that have an AppExchange package managed by the LMA.
  • IP Tracking—The Login History provides two ways to track IP addresses.
    • The Source IP column stores the client IP address of the request that first reaches Salesforce during a login. For example, if the client redirects to a client proxy, then to a Salesforce proxy, and finally to the Salesforce app, the Source IP column stores the IP address of the client proxy.
    • The Forwarded for IP column stores the value that the client passed in the X-Forwarded-For header. This header is sometimes used to store IP addresses when the client redirects through one or more proxies. In that case, you can use this column to see the client’s origin IP address. For example, if the client redirects to a client proxy, then to a Salesforce proxy, and then to the Salesforce app, the Forwarded for IP column can store all four IP addresses—the client (origin) IP, both proxy IPs, and the Salesforce app IP.

      The maximum length is 256 characters. Longer values are truncated. This column doesn’t get populated for OAuth and single sign-on logins.

  • Logins via connected apps–View the login subtype to see logins for connected apps that use these OAuth 2.0 flows.
    • Client credentials flows
    • User-agent flows, including hybrid user-agent and user-agent with ID token flows
    • Username-password flows
    • Web-server flows, including the hybrid web-server flow

    For security, we recommend blocking user-agent and username-password flows.

    Important

  • Password resets—View the login subtype to see when a user resets their password.