Custom Login Flows | Techila
single,single-post,postid-2755,single-format-standard,ajax_updown_fade,page_not_loaded,,qode_grid_1300,footer_responsive_adv,hide_top_bar_on_mobile_header,qode-content-sidebar-responsive,qode-theme-ver-9.4.2,bridge,wpb-js-composer js-comp-ver-4.12,vc_responsive

Custom Login Flows


Custom Login Flows

Login flows allow administrators to build post-authentication processes to match their business practices, associate the flow with a user profile, and send the user through that flow when logging in. Use login flows to collect registration information from users, provide a terms of service acceptance form, prompt the user for a second factor of authentication, and other customization.

Use the Flow Designer to create login flows, and then associate those flows with specific profiles in your organization. You can connect the same flow to multiple profiles. Users with the profile are directed to the login flow after they authenticate, but before the user is directed to the organization’s content. The login flow screens are embedded within the standard Salesforce login page for an integrated user login experience.

Login flows support all the Salesforce user interface authentication methods, including username and password, delegated authentication, SAML single sign-on, and social sign-on through a third-party authentication provider. You can apply login flows to Salesforce organizations, communities, and portals.

Create a Login Flow

Use the Cloud Flow Designer to build a login flow process, then associate the finished flow with a profile.

When a user’s profile is associated with a login flow, the user is directed to the flow as part of the authentication process. The login flow screens are embedded in the standard Salesforce login page. During the authentication process, these users have restricted access to the login flow screens. At the end of a successful authentication and completion of the login flow, the user is redirected to the organization. Otherwise, an explicit action can be defined within the flow to deny access.

For example, an administrator can create a login flow that implements a custom two-factor authentication process to add a desired security layer. A flow like this uses Apex methods to get the session context, extract the user’s IP address, and verify if the request is coming from a Trusted IP Range. (To find or set the Trusted IP Range, from Setup, enterNetwork Access in the Quick Find box, then select Network Access.) If the request is coming from within a Trusted IP Range address, Salesforce skips the flow and logs the user into the organization. Otherwise, Salesforce invokes the flow providing one of three options.

  1. Direct the user to log in with additional credentials, such as a time-based one-time password (TOTP).
  2. Force the user to log out.
  3. Direct the user to a page with more options.

You can also build login flows that direct users to customized pages, such as forms to gather more information, or pages providing users with additional information.

Build Your Own Login Flow

Use the following process to build your own login flow.

  1. Create a new flow using the Flow Designer and Apex.

For example, you can design a custom IP-based two-factor authentication flow that requires a second factor of authentication only if the user is logging in from outside of the corporate Trusted IP Range. (To find or set the Trusted IP Range, from Setup, enter Network Access in the Quick Find box, then select Network Access.)

The flow should contain the following:

a.  A new Apex class defining an Apex plugin that implements from the (Process.Plugin) and uses the Auth.SessionManagement class to access the time-based one-time password (TOTP) methods and services. The new Apex class for the plugin generates a time-based key with a quick response (QR) code to validate the TOTP provided by the user against the TOTP generated by Salesforce.

b.  A screen element to scan a QR code.

c.  A decision element to handle when the token is valid and when the token is invalid.


Within the flow, you can set input variables. If you use the following specified names, these values will be populated for the flow when it starts.

  • LoginFlow_LoginType – The type of login, such as Application, OAuth, or SAML
  • LoginFlow_IpAddress – The user’s current IP address
  • LoginFlow_LoginIpAddress – The user’s IP address used during login, which can change after authentication
  • LoginFlow_UserAgent – The user agent string provided by the user’s browser
  • LoginFlow_Platform – The operating system for the user
  • LoginFlow_Application – Application used to request authentication
  • LoginFlow_Community –  Current Community, if this login flow applies to a Community
  • LoginFlow_SessionLevel – The current session security level, Standard or High Assurance
  • LoginFlow_UserId – The user’s 18-character ID.


During the flow, you can assign the following, pre-defined variables values for specific behavior.

  • LoginFlow_FinishLocation – A Text value. Provide a string that defines where the user goes after completing the login flow. The string should be a valid Salesforce URL (the user cannot leave the organization and stay in the flow) or relative path.
  • LoginFlow_ForceLogout – A Boolean value. Set this variable to true to log the user out, immediately, and force the user to exit the flow.

2.  Save the flow.

3.   Activate the flow.

4.   Connect the login flow to a profile.



“Explore – Techila Global Services, A Salesforce development company”

Author: techila

No Comments

Post A Comment