Controlling access to your Salesforce Organisation
I was recently working on a customer setup which had the following security access requirements:
- If someone tries to log in to the environment via the browser or app from a trusted range of IP addresses, they should not need a verification code or to verify their identity.
- If someone tries to access the environment from outside the corporate network IP range, they should be prompted for an additional verification code every time they attempt to log in.
These requirements initially sounded straightforward but ended up requiring a slightly unusual fix.
The first requirement was satisfied by adding the customer's trusted IP ranges under Network Access in the Setup menu. Once set, any user logging in from within the specified range should not need to complete additional verification.
However, none of the other settings I looked at seemed to meet the second requirement.
There are a lot of Salesforce security settings: you can set certain types of operation to require high assurance, and you can force all users to complete two-step verification at all times. But prompting only users outside the trusted IP range for a code needed customisation.
Nothing seemed available out of the box to prompt only certain users for a second login step. Luckily, Custom Login Flows came to the rescue!
What is a Custom Login Flow?
Here's the official answer from the Salesforce documentation: “Login flows allow admins to build post-authentication processes to match their business practices, associate the flow with a user profile, and send the user through that flow when logging in”.
Visit the official page for more background on what they can do: https://help.salesforce.com/articleView?id=security_login_flow.htm&type=5
Login Flow Samples Package
So would a Custom Login Flow help with this customer requirement? It turns out – Yes!
After reading through this examples page of Custom Login Flows, I found an unmanaged package that the lovely folks at Salesforce had put together, containing a conditional two-factor component and a verification code step. It's free to download and use however you need.
Once downloaded, I edited the unmanaged package to connect the conditional two-step component to the email verification step. Once the flow was assigned to the user's profile, anyone logging in from outside a trusted IP range would always need to enter a verification code.
Give Custom Login Flows a try. The Flow designer has recently been revamped to make it a lot easier to work with, and having solved one particular problem with it, I look forward to using it again in the near future.
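To make the decision the flow takes more concrete, here is an added example, written for this post and not taken from the Salesforce sample package or the customer setup, of a small invocable Apex action that a login flow could call to decide whether to route the user to the verification step. It reads the login's source IP from Auth.SessionManagement.getCurrentSession() and compares it against the Trusted IP Ranges configured under Network Access with Auth.SessionManagement.inOrgNetworkRange(); the class name TrustedIpCheck, the output variable requiresVerification and the unused input list are my own choices.

```apex
// Added example (not the original post's or the sample package's code):
// an invocable Apex action that a Login Flow can call to decide whether the
// user who just authenticated came from one of the org's Trusted IP Ranges
// (Setup > Network Access). Class and variable names are hypothetical.
public with sharing class TrustedIpCheck {

    public class Result {
        @InvocableVariable(label='Source IP'
                           description='IP address the login request came from')
        public String sourceIp;

        @InvocableVariable(label='Requires Verification'
                           description='True when the login did not come from a trusted IP range')
        public Boolean requiresVerification;
    }

    // Flow Builder exposes this as an Apex action. The flow's decision element
    // branches on requiresVerification: false -> finish the flow and let the
    // session continue; true -> show the email verification screen first.
    // Invocable methods must take one List parameter; this one is not used.
    @InvocableMethod(label='Check Login Against Trusted IP Ranges'
                     description='Returns whether the current login needs a second verification step')
    public static List<Result> check(List<String> unusedInput) {
        // Attributes of the session created by the authentication that just happened.
        Map<String, String> session = Auth.SessionManagement.getCurrentSession();
        String ip = session.get('SourceIp');

        Result r = new Result();
        r.sourceIp = ip;

        // inOrgNetworkRange compares the address with the ranges under Network Access.
        // A blank or missing address is treated as untrusted so the flow fails closed
        // (the user is asked for a code) rather than silently skipping verification.
        Boolean trusted = String.isNotBlank(ip)
            && Auth.SessionManagement.inOrgNetworkRange(ip);
        r.requiresVerification = !trusted;

        return new List<Result>{ r };
    }
}
```

In Flow Builder the action's Requires Verification output drives a decision element: the false path goes straight to the end of the flow, the true path goes to the verification screen. Keeping the comparison against the org's own Trusted IP Ranges (rather than a second list maintained in the flow) means the two requirements stay in step when the network team changes the ranges under Network Access.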