Monitor Login History

Know who logged in, at what time, and from where. To view this information, go to the Login History in Setup.

• Authentication Method References. Monitor how your OpenID providers authenticate users that log in to your org through OpenID Connect. For example, see which users log in with multi-factor authentication (MFA).

  To show you how your OpenID provider is authenticating users, Salesforce pulls the authentication method from JSON strings in the OpenID Connect token returned by your provider. Work with your provider to define the values used in the JSON strings. To get started, you can see the values defined by the Internet Engineering Task Force. These values aren't necessarily supported by your OpenID provider. For more information on the Authentication Method References claim, see the OpenID Connect Core 1.0 standards from the OpenID Foundation.

• HTTP Login Method–View the HTTP method used for the session login: POST, GET, or Unknown.
• SAML Single Sign-On (SSO)–If your org uses SAML SSO identity provider certificates, view SAML SSO history.
• My Domain–You can see when users are logging in with a My Domain URL, which is displayed in the Login URL column.
• License Manager Users–Names in the format 033*********2@00d2********db indicate internal users who are associated with the License Management App (LMA). This app manages the number of licenses used by a subscriber org. These internal users can appear in the License Management org (LMO) and in subscriber orgs that have an AppExchange package managed by the LMA.
• IP Tracking—The Login History provides two ways to track IP addresses.
  • The Source IP column stores the client IP address of the request that first reaches Salesforce during a login. For example, if the client redirects to a client proxy, then to a Salesforce proxy, and finally to the Salesforce app, the Source IP column stores the IP address of the client proxy.
  • The Forwarded for IP column stores the value that the client passed in the X-Forwarded-For header. This header is sometimes used to store IP addresses when the client redirects through one or more proxies. In that case, you can use this column to see the client’s origin IP address. For example, if the client redirects to a client proxy, then to a Salesforce proxy, and then to the Salesforce app, the Forwarded for IP column can store all four IP addresses—the client (origin) IP, both proxy IPs, and the Salesforce app IP.

    The maximum length is 256 characters. Longer values are truncated. This column doesn’t get populated for OAuth and single sign-on logins.

• Logins via connected apps–View the login subtype to see logins for connected apps that use these OAuth 2.0 flows.
  • Client credentials flows
  • User-agent flows, including hybrid user-agent and user-agent with ID token flows
  • Username-password flows
  • Web-server flows, including the hybrid web-server flow
  

  Important For security, we recommend blocking user-agent and username-password flows.
• Password resets—View the login subtype to see when a user resets their password.