OOTB - Financial Services - Main Flow

The OOTB - Financial Services - Main Flow lets users manage account properties and make payments and transfers.

Purpose

The OOTB - Financial Services - Main Flow is the initial flow in the Financial Services solution. It performs a PingOne Protect assessment using the OOTB - Financial Services - Threat Detection - Subflow and enables users to sign on. It then presents users with forms that let them manage account and privacy settings and make payments and transfers.

Structure

This flow is divided into sections using teleport nodes:

Flow Configuration

Uses multiple function nodes to save the variable and parameter values so that the correct values are available in the flow and in subflows. The flow then progresses to the Check Session, Call To Protect Analysis & MFA Step-Up section.

Check Session, Call To Protect Analysis & MFA Step-Up

Uses a PingOne node to determine whether the user has an existing session.

If the user has a session:

A hidden HTML node captures risk information and a PingOne node fetches additional user information.
The flow progresses to the Threat Detection and Mitigation section, then returns when this section completes.
A function node checks if the user’s account is enabled, and if so, the flow progresses to the Manage Account section.

If the user doesn’t have a session:

The flow checks for any existing session tokens and uses a PingOne node to delete the prior session.
The flow invokes the OOTB - Financial Services - SignOn - Subflow.
When the subflow completes, a function node saves the protect risk level and a PingOne node creates a session for the user.
A loading screen displays for the user.
A PingOne node retrieves user information.
The flow progresses to the Manage Account section.

Threat Detection & Mitigation

Uses a function node to check whether PingOne Protect analysis is required.

If PingOne Protect analysis isn’t required, the flow returns to the Check Session, Call To Protect Analysis & MFA Step-Up section.

If PingOne Protect analysis is required, the flow invokes the OOTB - Financial Services - Threat Detection - Subflow.

If the OOTB - Financial Services - Threat Detection - Subflow completes successfully, a function node stores the risk evaluation as a variable, then a second function node branches the flow based on the risk level:

If the risk level is low, the flow returns to the Check Session, Call To Protect Analysis & MFA Step-Up section.
If the risk level is medium, the flow progresses to the MFA Authentication section. When this section completes, the flow returns to the Check Session, Call To Protect Analysis & MFA Step-Up section.
If the risk level is high, a function nodes checks if the high risk was the result of a new device. If not, a PingOne node notifies the user of the suspicious activity. A PingOne node deletes the user session. The flow then progresses to the Check Session, Call To Protect Analysis & MFA Step-Up section.

If the OOTB - Financial Services - Threat Detection - Subflow completes unsuccessfully, a function node stores the risk evaluation ID and an error message displays.

MFA Authentication

A PingOne node retrieves the user’s existing devices, and a hidden HTML node gathers information about biometrics and security keys.

Function nodes then filter the user’s active devices and verify that the user has at least one active device. If the devices couldn’t be filtered or if the user has no active devices, the flow progresses to the Step Up To Register Email MFA Device, If No MFA Devices Found During Authentication section.

If the user has active devices, the OOTB - Financial Services - Device Authentication - Subflow is invoked. The flow then splits by the subflow result.

If the OOTB - Financial Services - Device Authentication - Subflow completed successfully, a function node stores the authentication method as a variable. The flow then returns to the previous section.
If the OOTB - Financial Services - Device Authentication - Subflow was canceled, the flow returns to the previous section.

Step Up To Register Email MFA Device, If No MFA Devices Found During Authentication

A function node checks whether verification is required for the account.

If verification isn’t required, the OOTB - Financial Services - Device Registration - Subflow is invoked. The flow then splits based on the subflow result.
- If the subflow result was COMPLETE, the authentication method is stored as a variable, then the flow returns to the MFA Authentication section.
- If the subflow result was SKIP, the flow returns to the MFA Authentication section.
If verification is required, the OOTB - Financial Services - Verify Email - Subflow is invoked. If the subflow completes successfully, PingOne nodes enroll email as an MFA device and enable MFA for the user. A function node stores the authentication method as a variable, then the flow returns to the MFA Authentication section.

Manage Account

A PingOne node verifies that the user exists and a function node verifies that the user has all necessary attributes.

If the user has all necessary attributes, the OOTB - Financial Services - Manage Account Subflow is invoked. The flow then progresses to the Return Success section.
If the user does not have all necessary attributes, a PingOne node deletes the session.

Return Success

Sends a success response, indicating that the flow completed successfully. If the risk evaluation ID is present and the user did not cancel, a PingOne node also updates the evaluation status.

Return Error

Displays an error screen and sends an error JSON response, indicating that the flow completed unsuccessfully. If the risk evaluation ID is present, a PingOne node also updates the evaluation status.

Input schema

This flow has the following inputs:

Input Name Required Description

Input Name	Required	Description
`flowParameters`	No	An object containing parameters passed in if the flow was launched with the widget. This input replaces all other inputs.

flowParameters

An object containing parameters passed in if the flow was launched with the widget. This input replaces all other inputs.

Output schema

This flow has the following outputs:

Output name Description

Output name	Description
`p1UserId`	The user ID of the current user.
`Result`	The result status of the flow.
`errorMessage`	The error message returned by the flow. Sent only if the flow progressed to the Return Error section.
`errorDetails`	The detailed error information returned by the flow. Sent only if the flow progressed to the Return Error section.

p1UserId

The user ID of the current user.

Result

The result status of the flow.

errorMessage

The error message returned by the flow. Sent only if the flow progressed to the Return Error section.

errorDetails

The detailed error information returned by the flow. Sent only if the flow progressed to the Return Error section.

Variables and parameters

This flow uses the following variable or parameter values:

Variable name Description

Variable name	Description
`flowCompanyLogo`	The URL for your company logo.
`p1MFAPolicyId`	The ID of the PingOne MFA policy to use in the flow.
`p1AgreementId`	The ID of the agreement to present to users.
`p1RiskPolicyIdAuthn`	The PingOne risk policy ID to use for authentication.
`p1RiskPolicyIdAR`	The PingOne risk policy ID to use for account recovery.
`p1RiskPolicyIdAuthZ`	The PingOne risk policy ID to use for authorization.
`p1RiskPolicyIdReg`	The PingOne risk policy ID to use for registration.
`protectRiskEvalId`	The risk ID of the current user as used by PingOne Protect.
`authMethod`	The authentication method used in the flow.
`flowProtectAnalysisRequired`	Indicates whether a PingOne Protect analysis must be performed for all users.
`ciam_magicLinkEnabled`	Indicates whether magic link authentication is enabled.
`ciam_agreementEnabled`	Indicates whether the agreement is required.
`ciam_protectAnalysisRequired`	Indicates whether PingOne Protect analysis is required.
`ciam_logoUrl`	The URL for your company logo. This value is used only when the flow is launched with a redirect.
`ciam_companyName`	Displays the name of your company. This value is used only when the flow is launched with a redirect.
`ciam_logoStyle`	The HTML style to use for your company logo. This value is used only when the flow is launched with a redirect.
`flowMethod`	The method used to launch the flow.

flowCompanyLogo

The URL for your company logo.

p1MFAPolicyId

The ID of the PingOne MFA policy to use in the flow.

p1AgreementId

The ID of the agreement to present to users.

p1RiskPolicyIdAuthn

The PingOne risk policy ID to use for authentication.

p1RiskPolicyIdAR

The PingOne risk policy ID to use for account recovery.

p1RiskPolicyIdAuthZ

The PingOne risk policy ID to use for authorization.

p1RiskPolicyIdReg

The PingOne risk policy ID to use for registration.

protectRiskEvalId

The risk ID of the current user as used by PingOne Protect.

authMethod

The authentication method used in the flow.

flowProtectAnalysisRequired

Indicates whether a PingOne Protect analysis must be performed for all users.

ciam_magicLinkEnabled

Indicates whether magic link authentication is enabled.

ciam_agreementEnabled

Indicates whether the agreement is required.

ciam_protectAnalysisRequired

Indicates whether PingOne Protect analysis is required.

ciam_logoUrl

The URL for your company logo.

This value is used only when the flow is launched with a redirect.

ciam_companyName

Displays the name of your company.

This value is used only when the flow is launched with a redirect.

ciam_logoStyle

The HTML style to use for your company logo.

This value is used only when the flow is launched with a redirect.

flowMethod

The method used to launch the flow.