Login Flow Examples

You can use a login flow to customize the login experience and integrate business processes with Salesforce authentication. Common use cases include collecting and updating user data at login, configuring multi-factor authentication, or integrating third-party strong authentication methods.

Required Editions

Available in: both Salesforce Classic and Lightning Experience
Available in: Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions

Let’s look at three common use cases for login flows:

• Collect and update user data during login
• Apply customized multi-factor authentication (MFA)
• Integrate third-party strong authentication mechanisms

Collect and Update User Data at Login

This login flow asks users to confirm or update their phone numbers, and then writes the confirmed numbers to their user records.

1. Query the user object for the user’s phone numbers, if they exist.
2. Display the numbers, and ask the user to confirm or update them.
3. Update the user object with new numbers, if provided.

Create the Flow

1. Go to Flow Builder (https://help.salesforce.com/articleView?id=flow_builder.htm&language=en_US).
2. From the Manager tab in the toolbox, click New Resource and create a variable to store the user’s ID.

   The login event passes a list of context attributes to the flow. When the flow starts, the corresponding attributes’ values are populated in the appropriate input variable. To use these attributes in the flow, define local text variables using the LoginFlow_ATTRIBUTE_NAME format. For example, define LoginFlow_UserId to verify the ID of the user logging in and to query the associated user object.

   [Image: define a user ID variable for the flow]

   After you add each variable, it appears on the Manager tab.

   The following input variables are supported.

   • LoginFlow_LoginType
   • LoginFlow_LoginSubType
   • LoginFlow_IpAddress
   • LoginFlow_UserAgent
   • LoginFlow_Platform
   • LoginFlow_Application
   • LoginFlow_Community
   • LoginFlow_SessionLevel
   • LoginFlow_UserId

   The flow also supports these output variables.

   • LoginFlow_FinishLocation (type Text)—This variable determines where to send the user when the flow is completed.
   • LoginFlow_ForceLogout (type Boolean)—When this variable is set to true, the user is immediately logged out.
3. On the Manager tab, click New Resource to create a record variable to store values from the user.

   [Image: define a record variable]
4. Add a Get Records element to look up the user who’s trying to log in.

   [Image: a Get Records element that uses the LoginFlow_UserId variable to find a user record]
5. Specify the user fields that you want to store in the variable, for example, Phone and MobilePhone.

   [Image: in the same Get Records element, store the user's fields in the {!user} record variable]
6. Create a welcome screen to ask the user to confirm the phone numbers on file.

   [Image: create a welcome screen]
7. To set a default value for each Phone component in the screen, set Value to the appropriate field on the {!user} record variable. For Phone, that’s {!user.Phone}. For Mobile Phone, that’s {!user.MobilePhone}.
8. To store the user’s entry for each Phone component, set Value in the component’s Store Output Values section to the same field as in the previous step.

   [Image: a Phone screen component that has Value set as an input and output]
9. Add an Update Records element that uses the values in the {!user} record variable to update the user’s phone numbers. Because you stored each Phone screen component’s output in fields on the {!user} record variable, the flow uses those values to update the user.

   [Image: Update Records element]
10. Connect the elements together.

   [Image: steps in the example login flow]
11. Name the login flow and save it.

   [Image: flow properties]
12. Connect the login flow to a user profile. Best practice is to create a dedicated test user with a test profile.

   Note: Don’t associate a login flow with your administrator profile until you’re sure that the login flow works properly. Otherwise, if it fails, you can’t log in to your org.
13. Log out, and then log in as the test user to test the flow.

When you test the Welcome Flow example, here’s how it looks using Lightning Experience.

[Image: welcome screen example]

Configure Multi-Factor Authentication (MFA)

This example implements a login flow that uses time-based one-time password (TOTP) authentication, an MFA method that Salesforce supports. The TOTP algorithm computes a one-time password from a shared secret key and the current time.

The flow does the following.

• If the user isn’t yet registered, generates a new secret key and prompts the user to register the key by scanning a Quick Response (QR) code. After the user provides a valid TOTP token, the secret key is stored in the user record and reused for future logins.
• If the user is already registered, prompts the user for only the TOTP token.

Warning: When Render Flow in Lightning Runtime is enabled, users using the login flow have access to Salesforce functionality before they complete the flow. Unauthorized user access presents a security risk. If you’re using the custom login flow to enforce security, we recommend that you don't enable this setting.

Users can use a time-based authentication application, such as Salesforce Authenticator or Google Authenticator, to scan the QR code and generate a TOTP token.

You can enhance this flow and customize the user experience by adding a corporate logo and corporate colors. You can also add and enforce different policies. For example, you can build an IP-based MFA process that requires a second authentication factor only when the IP address is outside of a certain range.
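The IP-based policy described above (and the Conditional Multi-Factor sample listed later on this page) comes down to one decision: is the client address inside a trusted range or not. The following Python is an added example that is not part of the Salesforce documentation or the Login Flow Samples Package; in a real login flow this logic would live in a Decision element or an Apex action. It consumes a dictionary that mirrors the LoginFlow_* input variables, uses constructed documentation address ranges as the trusted networks, and fails closed when the address is missing or unparsable, which is the edge case a policy like this most often gets wrong.

```python
import ipaddress

# Constructed trusted egress ranges (assumption: stand-ins for the corporate
# networks you would configure; these are RFC 5737 / RFC 3849 documentation ranges).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:10::/48"),
]


def mfa_required(login_context, trusted_networks=TRUSTED_NETWORKS):
    """Decide whether a login must complete a second factor.

    login_context mirrors the LoginFlow_* input variables that a login flow
    receives; only LoginFlow_IpAddress is consulted here. The function fails
    closed: a missing, blank or unparsable address always requires MFA.
    Returns (required, reason) so the decision can be logged for audit.
    """
    raw = login_context.get("LoginFlow_IpAddress")
    if not raw or not raw.strip():
        return True, "no client IP address in login context"
    try:
        client_ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return True, f"unparsable client IP address {raw!r}"
    for network in trusted_networks:
        # An IPv4 address is never a member of an IPv6 range and vice versa.
        if client_ip.version == network.version and client_ip in network:
            return False, f"client IP {client_ip} is inside trusted range {network}"
    return True, f"client IP {client_ip} is outside all trusted ranges"


if __name__ == "__main__":
    # Constructed login contexts for a quick demonstration.
    for ctx in (
        {"LoginFlow_IpAddress": "203.0.113.45", "LoginFlow_LoginType": "Application"},
        {"LoginFlow_IpAddress": "198.51.100.7"},
        {"LoginFlow_IpAddress": "2001:db8:10::5"},
        {"LoginFlow_IpAddress": "not-an-ip"},
        {},
    ):
        print(mfa_required(ctx))
```

The reason string is returned alongside the boolean so that every skipped second factor leaves a record of which trusted range justified it; a policy that silently skips MFA is hard to audit when a range is later found to be too broad.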

This example uses the TwoFactorInfo object and the Auth.SessionManagement Apex class to customize and manage the standards-based TOTP multi-factor authentication that Salesforce supports.

1. Look up the TwoFactorInfo object for the current user. If the user isn’t registered, generate a key.
2. Determine whether the user is already registered with TOTP.
3. If the user is already registered, prompt the user to provide the TOTP token.
4. If the user isn’t registered, prompt the user to register with a QR code and provide the TOTP token.
5. Validate the TOTP token. If the token is valid, the login flow finishes, and the user logs in.
6. If the TOTP token is invalid, send the user back to step 2.

[Image: TOTP flow steps]

Configure the TOTP Flow

1. Create the variables.
   • secret–Stores the secret key for all multi-factor operations.
   • qr_url–Stores the URL for the QR code encoding of the secret key.
   • IsTokenValid–Stores the verification result.

   secret and qr_url are Text variables, and IsTokenValid is a Boolean variable.

   [Image: TOTP create variables]
2. To generate a new secret for users that aren’t already registered with a TOTP, drag an Apex Action (Legacy) element onto the canvas, and select the TOTPPlugin legacy Apex action.

   [Image: TOTP plugin settings]

   Apex actions are Apex classes that extend the standard functionality of a flow. You can use an Apex action to do a complex calculation, make API calls to external services, and more.

   TOTPPlugin accesses the Salesforce TOTP methods, generates a time-based secret key with a QR code, and validates the TOTP. The Apex class for TOTPPlugin is available in the login flow sample package.

   The legacy Apex action has these input parameters.

   • OTP_INPUT–The TOTP token that the user provides.
   • OTP_REGISTRATION_INPUT–The TOTP token that the user provides when first registering.
   • SECRET_INPUT–The secret key used to generate the TOTP.

   It returns the following output values.

   • SECRET_OUTPUT–A secret key generated by the plug-in.
   • QR_URL_OUTPUT–A QR encoding of the secret key.
   • IsValid_OUTPUT–If the validation succeeded, it returns true. Otherwise, it returns false.

   Configure this instance of TOTPPlugin to generate a new secret key and QR code if the user isn’t already registered. In this case, no input is passed.

   [Image: TOTP plugin inputs]

   The secret key and the URL for the QR code are stored in the secret and qr_url variables.

   [Image: TOTP plugin outputs]
3. Configure a Decision element to register a user.

   This decision checks whether secret is null. If it’s not null, a new secret was generated in the previous step, so the user must register: define Register as an outcome of the decision. Otherwise, the user is already registered and must provide only the TOTP token. Change the label of the default outcome to Get TOTP.

   [Image: registration decision element]
4. Configure the Get TOTP screen.

   Users that are already registered are routed to this screen and asked for the TOTP token. Later in the flow, you can use the TOTP token that users enter by referencing the API name of the Text component (OTP_input).

   [Image: screen element that requests the token from the user's authenticator app]
5. Configure the Registration screen. Ask the user to scan the QR code, initialize the TOTP client application, and enter the TOTP token.

   [Image: get registration token screen]
6. To validate the TOTP token that the user enters, configure another instance of the TOTPPlugin legacy Apex action.

   The TOTPPlugin legacy Apex action supports both of these use cases.

   • The user comes from the Registration screen. The user has to scan the QR code and provide the TOTP token. Both the TOTP token and the secret are passed to TOTPPlugin for validation. TOTPPlugin validates the TOTP token against the secret. If valid, the secret is registered on the user record and used for future logins.
   • The user comes from the Get TOTP screen. The user is already registered and provides only the TOTP token, which is passed to TOTPPlugin via the OTP_INPUT parameter for validation.

   [Image: TOTP validation inputs]

   The IsValid_OUTPUT parameter returns the validation status, which is then stored in the IsTokenValid flow variable.

   [Image: TOTP validation outputs]
7. Determine whether to log in the user by configuring another Decision element with two possible outcomes.
   • If IsTokenValid is true, the token is valid.
   • Otherwise, the token is invalid.

   If the validation succeeds, the user proceeds to the end of the flow, clicks to the next step, and logs in to the application. If the validation fails, the flow redirects the user back to step 2 in the flow. In step 2, a registered user is asked to provide a new TOTP token. If the user isn’t yet registered, the user is asked to register and provide a new TOTP token.

   [Image: TOTP login decision]
8. Connect the elements together.
   • To connect the Registration decision to the Registration screen, choose the Register outcome.
   • To connect the Registration decision to the Get TOTP screen, choose the Get TOTP outcome.
   • To connect the Login decision to the Registration decision, choose the Token is invalid outcome.
          9. Save the login flow, activate it, and connect it with a user profile.
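The three jobs that TOTPPlugin performs in this flow (generate a secret and its QR payload, derive the current token, validate a user-supplied token) are all defined by RFC 4226 (HOTP) and RFC 6238 (TOTP). The Python below is an added example written for this page; it is not the TOTPPlugin Apex class from the sample package and not Salesforce's implementation. It assumes the otpauth:// key URI format that Salesforce Authenticator and Google Authenticator read from a QR code, an acceptance window of one 30-second step on either side to absorb clock drift, and a caller-owned set of already-accepted time steps to refuse replays; the account and issuer names are constructed.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse

TIME_STEP = 30   # seconds per TOTP period (RFC 6238 default)
DIGITS = 6       # token length authenticator apps display by default


def generate_secret(num_bytes=20):
    """Fresh random secret, base32-encoded as authenticator apps expect (20 bytes = 160 bits)."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def otpauth_uri(secret_b32, account, issuer):
    """Key URI to encode in the registration QR code (the de facto otpauth:// format)."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({
        "secret": secret_b32, "issuer": issuer,
        "algorithm": "SHA1", "digits": DIGITS, "period": TIME_STEP,
    })
    return f"otpauth://totp/{label}?{query}"


def hotp(key, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def _decode_secret(secret_b32):
    # Tolerate secrets shown without padding, in lower case, or with spaces.
    cleaned = secret_b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def totp(secret_b32, at=None, digits=DIGITS, step=TIME_STEP):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    now = time.time() if at is None else at
    return hotp(_decode_secret(secret_b32), int(now // step), digits)


def validate_totp(secret_b32, token, at=None, window=1, used_steps=None, step=TIME_STEP):
    """Verify a user-supplied token for the current step, allowing +/- window steps of drift.

    used_steps is a set owned by the caller (assumed to be persisted per user) that
    records the time step of each accepted token so the same token cannot be
    replayed within the acceptance window. The comparison is constant-time.
    """
    token = token.strip()
    if not (token.isascii() and token.isdigit()) or len(token) != DIGITS:
        return False
    now = time.time() if at is None else at
    current = int(now // step)
    key = _decode_secret(secret_b32)
    for candidate in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(key, candidate), token):
            if used_steps is not None:
                if candidate in used_steps:
                    return False          # replay of an already-accepted token
                used_steps.add(candidate)
            return True
    return False


if __name__ == "__main__":
    # Constructed registration: the secret shown as a QR code, then a token from the "app".
    secret = generate_secret()
    print(otpauth_uri(secret, "jdoe@example.com", "ExampleCorp"))
    token = totp(secret)
    print("current token:", token, "valid:", validate_totp(secret, token))
```

The replay set matters as much as the window: with a ±1 step window a token stays acceptable for up to 90 seconds, so without recording which step was consumed a token captured from the user could be submitted a second time within that period and still verify.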

Integrate Third-Party Strong Authentication Methods

You can use login flows to interact with external third-party authentication providers by using an API.

For example, Yubico offers strong authentication using a physical security key called a YubiKey. Yubico also provides an example Apex library and login flow on GitHub. The library supplies Apex classes for validating YubiKey one-time passwords (OTPs). The classes allow Salesforce users to use a YubiKey as a second authentication factor at login. For more information, see yubikey-salesforce-client.

You can also use a third-party SMS or voice delivery service, like Twilio or TeleSign, to build an SMS-based multi-factor authentication and identity verification flow. For more information, see Deploy Third-Party SMS-Based Multi-Factor Authentication.

Login Flow Samples Package

The Login Flow Samples Package is an unmanaged package that installs different login flow samples into your Salesforce org. It contains the following examples.

• Email Confirmation–Send email with a verification code.
• SF-TOTP–Enable TOTP multi-factor authentication.
• Conditional Multi-Factor–Skip multi-factor authentication for users who come from a trusted IP address.
• Device Activation–Confirm the user identity using email or multi-factor authentication.
• Accept Terms of Service–Ask the user to agree to terms before continuing.
           
Salesforce Help | Article