A Login Flow is a Flow (built in Flow Builder) that runs after authentication but before the user lands in Salesforce. Think of it as a post-login interception point.
Common uses:
- Acceptable use prompt — display a one-time terms-and-conditions screen the user must accept.
- Step-up MFA — re-verify identity for users connecting from a high-risk geo or with elevated permissions, beyond standard MFA.
- Force a password change — push users to update credentials when a policy demands it.
- Profile completion — require the user to fill in missing fields (mobile number, time zone, manager) on first login.
- Conditional warnings — show a banner if the user is in a sensitive role accessing the org from an unrecognised device.
You build the Flow as a Flow Type = Login Flow in Flow Builder, then in Setup -> Login Flows assign it to specific profiles. Optionally include conditions.
Key constraint: a Login Flow runs every login by default. If the prompt is one-time (e.g., terms acceptance), the flow needs to record that acceptance on the User record (or in a custom Login_Acknowledgements__c table) and short-circuit on subsequent logins.
Login Flows do not run for users authenticating via SAML SSO unless the IdP redirects through Salesforce's login service — most enterprise SSO bypasses Salesforce login entirely, so Login Flows never trigger.