Skip to content
Three Levers symbol Three Levers ← threelevers.com

Salesforce setup

Use this checklist to deploy FlowIframeEmbed in a Salesforce org and expose a flow on a public Salesforce Site.

Prerequisites

Section titled “Prerequisites”
  • You know the Flow API Developer Name to run (for example, Check_In_Dispatch).
  • You have an external page ready to host the iframe/widget.

1) Install FlowIframeEmbed

Section titled “1) Install FlowIframeEmbed”

Install FlowIframeEmbed using the link for your org type:

Org Install link
Production Loading install links…
Sandbox Loading install links…


On the Install FlowIframeEmbed screen:

  1. Select Install for All Users.
  2. Click Install.

Install FlowIframeEmbed: Install for All Users and Install

2) Prepare the flow

Section titled “2) Prepare the flow”
  1. Create or open the target Screen Flow.
  2. Activate the flow.
  3. If you pass URL inputs, create Text input variables with API names matching planned params (for example recordId, source).
  4. Test in Flow Builder to confirm it reaches FINISHED.

Restrict which profiles can run the flow (recommended for Site guest access):

  1. In Setup → Flows, open the action menu for your flow and choose Edit Access.

Flows list: Edit Access for the target flow

  1. Check Override default behavior and restrict access to enabled profiles or permission sets.
  2. Move the Site guest profile (or other profiles that should run the flow) into Enabled Profiles.
  3. Click Save.

Flow access: override default behavior and restrict to enabled profiles

3) Expose the Visualforce page on a Site

Section titled “3) Expose the Visualforce page on a Site”
  1. Go to Setup → User Interface → Sites and Domains → Sites.
  2. Create a site (or reuse an existing public site).
  3. Under Site Visualforce Pages, click Edit and add three_levers__FlowIframeEmbed (the namespaced page from the three_levers package).
  4. Publish/activate the site.

Site Visualforce Pages: Edit to add FlowIframeEmbed

Your iframe base URL should look like:

https://your-domain.force.com/site-prefix/apex/three_levers__FlowIframeEmbed

Note - namespaced Visualforce page URLs: Managed-package Visualforce pages include the namespace prefix in their API name (three_levers__FlowIframeEmbed). On a Salesforce Site, the public path is /apex/three_levers__FlowIframeEmbed (with your site prefix), not /FlowIframeEmbed. Use the namespaced name when adding the page to the Site and when granting profile access.

4) Grant guest user access

Section titled “4) Grant guest user access”

From the site detail page, click Public Access Settings to open the Guest User Profile (or Site profile).

Site detail: Public Access Settings

On the profile:

  1. Enabled Visualforce Page Access: add three_levers__FlowIframeEmbed.
  2. Enabled Apex Class Access (if the flow uses Apex actions): add required classes.
  3. Flow Access: open Flow Access, click Edit, and move your flow into Enabled Flows.

Profile overview: Flow Access

Profile Flow Access: Edit

Profile Flow Access: flow in Enabled Flows

If the flow fails only for guest users, this profile is the first place to check.

5) Configure framing and browser security

Section titled “5) Configure framing and browser security”
  1. In Setup, open Trusted Domains for Inline Frames and click Add Domain for your external parent site (the page that hosts the iframe).

Trusted Domains for Inline Frames: Add Domain

  1. Configure Salesforce clickjack/CSP settings for your external domain as needed.
  2. If using the JavaScript widget, set allowedOrigin to your Salesforce site origin:
window.tlFlowEmbed = {
  embedUrl: 'https://your-domain.force.com/site-prefix/apex/three_levers__FlowIframeEmbed',
  flow: 'Check_In_Dispatch',
  allowedOrigin: 'https://your-domain.force.com'
};

This restricts resize messages to your Salesforce origin.

6) Build the iframe URL correctly

Section titled “6) Build the iframe URL correctly”

Required:

  • flow=<Flow_Developer_Name>

Optional:

  • endUrl=<https URL> redirects parent window on FINISHED
  • inputVars=<comma separated allowlist>
  • extra params that match names in inputVars

Example:

https://your-domain.force.com/site-prefix/apex/three_levers__FlowIframeEmbed?flow=Check_In_Dispatch&endUrl=https://clientsite.com/thanks&inputVars=recordId,source&recordId=001xx0000001234&source=web

7) External page embed

Section titled “7) External page embed”

Use either:

  • JavaScript widget for URL building + dynamic height.
  • Manual iframe plus postMessage listener for { frameHeight: number }.

8) Validation checklist before go-live

Section titled “8) Validation checklist before go-live”
  • Site URL loads publicly without Salesforce login.
  • Flow renders in iframe on client page.
  • Dynamic resize works (no inner scrollbar cutoff).
  • Flow inputs receive expected values.
  • endUrl redirect works on completion.
  • Guest user can complete intended flow paths.
  • Fault path tested and shows safe user message.

Common issues

Section titled “Common issues”
  • Blank iframe / refuses to display: framing/clickjack/CSP missing for host domain.
  • Flow does not start: wrong flow value (must be API Developer Name).
  • Inputs missing: inputVars omitted or names don’t match flow variable API names exactly.
  • No redirect: flow never reaches FINISHED or endUrl missing/invalid.
  • Works for admin, fails for public users: missing guest profile access.
Section titled “Related docs”