Newer Version Available

This content describes an older version of this product. View Latest

Login Flow Examples

You can use a login flow to customize the login experience and integrate business processes with Salesforce authentication. Common uses cases include collecting and updating user data at login, integrating two-factor authentication, or implementing third-party strong authentication.

An administrator can create multiple login flows and associate each one with a different user profile. Users assigned to one profile (for example, sales reps) experience a particular process as they log in. Users assigned to a different profile (for example, support reps) experience a different login process.

After you associate a login flow with a profile, it is applied each time a user with that profile logs in to Salesforce, communities, the Salesforce app, and even Salesforce client applications that use OAuth. A login flow works with all types of authentication: standard username and password authentication, single sign-on, and social sign-on. For example, users logging in with a LinkedIn account can go through a specific login flow for LinkedIn users.

Set Up a Login Flow

  1. Create a login flow using the Cloud Flow Designer. Build a flow from scratch or use a pre-created flow (like the one provided by Yubico). Or, modify an existing flow to add functionality or enforce more policies.
  2. Connect a login flow to a profile. Navigate to the login flow page, select the flow, and associate it with a user profile.
At runtime, Salesforce authentication redirects every user with that profile through the login flow. Two things to understand about login flow execution:
  • To invoke a login flow, the user must first be authenticated. Login flows don’t replace the existing Salesforce authentication process. Login flows integrate new steps or ask the user for information.
  • During login flow execution, users have restricted access. Users in a login flow can access only the flow—they can’t bypass it to get to the application. They can log in to the org only when they successfully authenticate and complete the flow.

Use Cases for Login Flows

What can you do with a login flow?

  • Enhance or customize the login experience (for example, add a logo or login message).
  • Collect and update user data (for example, request an email address, phone number, or mailing address).
  • Interact with users, and ask them to perform an action (for example, complete a survey or accept terms of service).
  • Connect to an external identity service or geo-fencing service, and collect or verify user information.
  • Enforce strong authentication (for example, implement a two-factor authentication method using hardware, SMS, biometric, or another authentication technique).
  • Run a confirmation process (for example, have a user define a secret question, and validate the answer during login).
  • Create more granular policies (for example, set up a policy that sends a notification every time a user logs in during non-standard working hours).

Collect and Update User Data at Login

This login flow collects and updates information about the user at login by requesting the user’s phone and mobile numbers.

  1. Query the user object to look up the user’s phone and mobile numbers, if they exist.
  2. Display the numbers, and ask the user to confirm or update them.
  3. Update the user object with new numbers, if provided.

steps in example login flow

Create the Flow

  1. Go to the Cloud Flow Designer.
  2. On the Resources tab, create a variable that contains the UserId of the current user.

    The login event passes a list of context attributes to the flow. To query and use these attributes, define local text variables using the LoginFlow_ATTRIBUTE_NAME format, for example, LoginFlow_UserId.

    define a user id variable for the flow

    After you add the attribute, it appears on the Explorer tab under Variables.

    When you use the following input attributes, their values are populated in the flow when it starts.
    • LoginFlow_LoginType
    • LoginFlow_IpAddress
    • LoginFlow_UserAgent
    • LoginFlow_Platform
    • LoginFlow_Application
    • LoginFlow_Community
    • LoginFlow_SessionLevel
    • LoginFlow_UserId

    These output attributes can also be set in the flow.

    • LoginFlow_FinishLocation (type string). This attribute determines where to send the user when the flow completes.
    • LoginFlow_ForceLogout (type boolean). When this variable is set to true, the user is immediately logged out.

    You can use the attribute LoginFlow_UserId to verify the ID of the user logging in and query the associated user object.

  3. On the Resources tab, click Create New and create an SObject variable where you can store the user object.

    define an SObject variable

  4. Create a Fast Lookup element that looks up the user object.

    create a fast lookup element

  5. Specify the user attributes that you want to store in the variable, for example, Phone and MobilePhone.
  6. Create a welcome screen to collect or display the phone numbers at login.

    create a welcome screen

  7. Create a Record Update component to update the numbers.

    record update component

  8. Name the login flow and save it.

    flow properties

  9. Connect the login flow to a user profile. Best practice is to create a dedicated test user with a test profile.

    Don’t associate a login flow with your administrator profile until you are sure that the login flow works properly. Otherwise, if it fails, you can’t log in to your org.

    Note

  10. Log out, and then log in as the test user and test the flow.

    When you test the Welcome Flow example, here’s how it looks using the Lightning Experience.

    welcome screen example

Configure Two-Factor Authentication

This example implements a login flow that enhances time-based one-time password (TOTP) authentication with a two-factor authentication method that Salesforce supports. The TOTP algorithm computes a one-time password from a shared secret key and the current time.

The flow does the following.

  • If the user is not yet registered, generates a new secret key, and prompts the user to register the key with a QR (Quick Response) code. After the user provides a valid TOTP token, the secret key is stored in the user record. The key is reused for future logins.
  • If the user is already registered, prompt the user only for the TOTP token.

Users can use a time-based authentication application (such as Salesforce Authenticator or Google Authenticator) to scan the QR code and generate a TOTP token.

You can enhance this flow and customize the user experience by adding a corporate logo, colors, and so forth. You can even add and enforce different policies. For example, you can build an IP-based, two-factor authentication process that requires a second authentication factor only when IP addresses are outside of a certain range.

This example uses the TwoFactorInfo object and the Auth.SessionManagement Apex class to customize and manage the standards-based TOTP two-factor authentication that Salesforce supports.

  1. Look up the TwoFactorInfo object for the current user. If the user is not registered, generate a key.
  2. Determine whether the user is already registered with TOTP.
  3. If the user is already registered, prompt the user to provide the TOTP token.
  4. If the user is not registered, prompt the user to register with a QR code and provide the TOTP token.
  5. Validate the TOTP token. If the token is valid, the login flow finishes, and the user logs in.
  6. If the TOTP token is invalid, send the user back to step 2.

TOTP flow steps

Configure the TOTP Flow

  1. Create the variables.
    • secret—Stores the secret key for all two–factor operations.
    • qr_url—Stores the URL for the QR code encoding of the secret key.
    • IsTokenValid—Stores the verification result.

    The variables secret and qr_url are text, while IsTokenValid is a Boolean data type.

    TOTP create variables

  2. Set up the TOTPPlugin to generate a new secret for users that are not are already registered with a TOTP.

    A plug-in is an Apex class that extends the standard functionality of a flow. You can use a plug-in to do a complex calculation, make API calls to external services, and more.

    TOTPPlugin accesses the Salesforce TOTP methods, generates a time-based secret key with a QR code, and validates the TOTP. The Apex class for TOTPPlugin is available in the login flow sample package.

    The plug-in takes these input parameters.

    • OTP_INPUT—The TOTP token that the user provides.
    • OTP_REGISTRATION_INPUT—The TOTP token that the user provides when first registering.
    • SECRET_INPUT—The secret key used to generate the TOTP.

    It returns the following parameters.

    • SECRET_OUTPUT—A secret key generated by the plug-in.
    • QR_URL_OUTPUT—A QR encoding of the secret key.
    • IsValid_OUTPUT—If the validation succeeded, it returns true. Otherwise, it returns false.

    TOTP plugin settings

    Configure a TOTPPlugin instance to generate a new secret key and QR code if the user is not already registered. In this case, no input is passed.

    TOTP plugin inputs

    The secret key and URL for the QR code are stored in the qr_url and secret variables.

    TOTP plugin outputs

  3. Configure a decision element to register a user.

    The decision element Registration verifies whether secret is null. If it is not null, the user must register, so define Register as the outcome of the decision. Otherwise, the user is already registered and must provide only the TOTP token. In this case, the outcome is Get TOTP, which is also the default outcome.

    registration decision element

  4. Configure the Get TOTP screen.

    Users that are already registered are redirected to this screen and asked to provide the TOTP token. The input TOTP token is saved in OTP_input.

  5. Configure the Registration screen.

    This screen presents the QR code, asks the user to scan and initialize the TOTP client application and provide the TOTP token.

    get registration token screen

  6. Validate the TOTP token.

    Define another instance of the TOTPPlugin to validate the TOTP token that the user provides.

    define plugin for validation

    The plug-in supports these use cases.

    • The user comes from the Registration screen. The user has to scan the QR code and provide the TOTP token. Both the TOTP token and secret are passed to the TOTPPlugin for validation. The TOTPPlugin validates the TOTP token against the secret. If valid, the secret is registered on the user record and used for future logins.
    • The user comes from the Get Token screen. The user is already registered, so provides only the TOTP. The TOTP token is passed via the TokenInput parameter to the TOTPPlugin for validation.

    TOTP validation inputs

    The isTokenValid parameter returns the validation status, which is then saved in isTokenValid.

    TOTP validation outputs

    The decision element has two possible outcomes.
    • The token is valid if IsTokenValid is true.
    • The token is invalid, which is the default.
  7. Configure a decision element to log in the user.

    If the validation succeeds, the user proceeds to the end of the flow, clicks to the next step, and logs in to the application. If the validation fails, the flow redirects the user back to Step 2 in the flow. In Step 2, a registered user is asked to provide a new TOTP token. If the user isn’t yet registered, the user is asked to register and provide a new TOTP token.

    TOTP login decision

  8. Save the login flow, activate it, and connect it with a user profile.

Integrate Third-Party Strong Authentication Methods

You can also use login flows to interact with external third-party authentication services by using an API.

For example, Yubico offers strong authentication using a hardware token called a YubiKey. Yubico also provides an example Apex library and login flow on GitHub. The library supplies Apex classes for validating YubiKey OTPs (one-time passwords). The classes allow Salesforce users to use a YubiKey as a second authentication factor at login. For more information, see yubikey-salesforce-client.

You can also implement a third-party SMS or voice delivery service, like Twilio or TeleSign, to implement a SMS-based two–factor authentication and identity verification flow. For more information, see Deploy Third–Party SMS–Based Two–Factor Authentication.

Login Flow Samples Package

An unmanaged package installs different login flow samples into your Salesforce org. It contains the following examples.
  • Email Confirmation—Send email with a verification code
  • SF-TOTP—TOTP two-factor authentication
  • Conditional Two–Factor—Skip two-factor authentication for users who come from a trusted IP address
  • Identity Confirmation—Confirm the user identity using email or two-factor authentication
  • Accept Terms of Service—Ask the user to agree to terms before continuing