---
title: OOTB - Financial Services - Main Flow
description: Learn about the OOTB - Financial Services - Main Flow flow, including its purpose, structure, inputs, outputs, and variables.
component: pingone-solutions
page_id: pingone-solutions:financial-services:flow-reference/financial-services-main-flow
canonical_url: https://docs.pingidentity.com/pingone-solutions/financial-services/flow-reference/financial-services-main-flow.html
revdate: July 1, 2025
section_ids:
  purpose: Purpose
  structure: Structure
  input-schema: Input schema
  output-schema: Output schema
  variables-and-parameters: Variables and parameters
---

# OOTB - Financial Services - Main Flow

The OOTB - Financial Services - Main Flow lets users manage account properties and make payments and transfers.

## Purpose

The OOTB - Financial Services - Main Flow is the initial flow in the Financial Services solution. It performs a PingOne Protect assessment using the **OOTB - Financial Services - Threat Detection - Subflow** and enables users to sign on. It then presents users with forms that let them manage account and privacy settings and make payments and transfers.

## Structure

This flow is divided into sections using teleport nodes:

* **Flow Configuration**

  Uses multiple function nodes to save the variable and parameter values so that the correct values are available in the flow and in subflows. The flow then progresses to the **Check Session, Call To Protect Analysis & MFA Step-Up** section.

* **Check Session, Call To Protect Analysis & MFA Step-Up**

  Uses a PingOne node to determine whether the user has an existing session.

  If the user has a session:

  1. A hidden HTML node captures risk information and a PingOne node fetches additional user information.

  2. The flow progresses to the **Threat Detection & Mitigation** section, then returns when this section completes.

  3. A function node checks if the user's account is enabled, and if so, the flow progresses to the **Manage Account** section.

  If the user doesn't have a session:

  1. The flow checks for any existing session tokens and uses a PingOne node to delete the prior session.

  2. The flow invokes the **OOTB - Financial Services - SignOn - Subflow**.

  3. When the subflow completes, a function node saves the Protect risk level and a PingOne node creates a session for the user.

  4. A loading screen displays for the user.

  5. A PingOne node retrieves user information.

  6. The flow progresses to the **Manage Account** section.

* **Threat Detection & Mitigation**

  Uses a function node to check whether PingOne Protect analysis is required.

  If PingOne Protect analysis isn't required, the flow returns to the **Check Session, Call To Protect Analysis & MFA Step-Up** section.

  If PingOne Protect analysis is required, the flow invokes the **OOTB - Financial Services - Threat Detection - Subflow**.

  If the **OOTB - Financial Services - Threat Detection - Subflow** completes successfully, a function node stores the risk evaluation as a variable, then a second function node branches the flow based on the risk level:

  * If the risk level is low, the flow returns to the **Check Session, Call To Protect Analysis & MFA Step-Up** section.

  * If the risk level is medium, the flow progresses to the **MFA Authentication** section. When this section completes, the flow returns to the **Check Session, Call To Protect Analysis & MFA Step-Up** section.

  * If the risk level is high, a function node checks if the high risk was the result of a new device. If not, a PingOne node notifies the user of the suspicious activity. A PingOne node deletes the user session. The flow then progresses to the **Check Session, Call To Protect Analysis & MFA Step-Up** section.

  If the **OOTB - Financial Services - Threat Detection - Subflow** completes unsuccessfully, a function node stores the risk evaluation ID and an error message displays.

* **MFA Authentication**

  A PingOne node retrieves the user's existing devices, and a hidden HTML node gathers information about biometrics and security keys.

  Function nodes then filter the user's active devices and verify that the user has at least one active device. If the devices couldn't be filtered or if the user has no active devices, the flow progresses to the **Step Up To Register Email MFA Device, If No MFA Devices Found During Authentication** section.

  If the user has active devices, the **OOTB - Financial Services - Device Authentication - Subflow** is invoked. The flow then splits by the subflow result.

  * If the **OOTB - Financial Services - Device Authentication - Subflow** completed successfully, a function node stores the authentication method as a variable. The flow then returns to the previous section.

  * If the **OOTB - Financial Services - Device Authentication - Subflow** was canceled, the flow returns to the previous section.

* **Step Up To Register Email MFA Device, If No MFA Devices Found During Authentication**

  A function node checks whether verification is required for the account.

  * If verification isn't required, the **OOTB - Financial Services - Device Registration - Subflow** is invoked. The flow then splits based on the subflow result.

    * If the subflow result was `COMPLETE`, the authentication method is stored as a variable, then the flow returns to the **MFA Authentication** section.

    * If the subflow result was `SKIP`, the flow returns to the **MFA Authentication** section.

  * If verification is required, the **OOTB - Financial Services - Verify Email - Subflow** is invoked. If the subflow completes successfully, PingOne nodes enroll email as an MFA device and enable MFA for the user. A function node stores the authentication method as a variable, then the flow returns to the **MFA Authentication** section.

* **Manage Account**

  A PingOne node verifies that the user exists and a function node verifies that the user has all necessary attributes.

  * If the user has all necessary attributes, the **OOTB - Financial Services - Manage Account Subflow** is invoked. The flow then progresses to the **Return Success** section.

  * If the user does not have all necessary attributes, a PingOne node deletes the session.

* **Return Success**

  Sends a success response, indicating that the flow completed successfully. If the risk evaluation ID is present and the user did not cancel, a PingOne node also updates the evaluation status.

* **Return Error**

  Displays an error screen and sends an error JSON response, indicating that the flow completed unsuccessfully. If the risk evaluation ID is present, a PingOne node also updates the evaluation status.

## Input schema

This flow has the following inputs:

| Input Name       | Required | Description                                                                                                               |
| ---------------- | -------- | ------------------------------------------------------------------------------------------------------------------------- |
| `flowParameters` | No       | An object containing parameters passed in if the flow was launched with the widget. This input replaces all other inputs. |

## Output schema

This flow has the following outputs:

| Output name    | Description                                                                                                            |
| -------------- | ---------------------------------------------------------------------------------------------------------------------- |
| `p1UserId`     | The user ID of the current user.                                                                                       |
| `Result`       | The result status of the flow.                                                                                         |
| `errorMessage` | The error message returned by the flow. Sent only if the flow progressed to the **Return Error** section.              |
| `errorDetails` | The detailed error information returned by the flow. Sent only if the flow progressed to the **Return Error** section. |

## Variables and parameters

This flow uses the following variable or parameter values:

| Variable name                  | Description                                                                                                    |
| ------------------------------ | -------------------------------------------------------------------------------------------------------------- |
| `flowCompanyLogo`              | The URL for your company logo.                                                                                 |
| `p1MFAPolicyId`                | The ID of the PingOne MFA policy to use in the flow.                                                           |
| `p1AgreementId`                | The ID of the agreement to present to users.                                                                   |
| `p1RiskPolicyIdAuthn`          | The PingOne risk policy ID to use for authentication.                                                          |
| `p1RiskPolicyIdAR`             | The PingOne risk policy ID to use for account recovery.                                                        |
| `p1RiskPolicyIdAuthZ`          | The PingOne risk policy ID to use for authorization.                                                           |
| `p1RiskPolicyIdReg`            | The PingOne risk policy ID to use for registration.                                                            |
| `protectRiskEvalId`            | The risk ID of the current user as used by PingOne Protect.                                                    |
| `authMethod`                   | The authentication method used in the flow.                                                                    |
| `flowProtectAnalysisRequired`  | Indicates whether a PingOne Protect analysis must be performed for all users.                                  |
| `ciam_magicLinkEnabled`        | Indicates whether magic link authentication is enabled.                                                        |
| `ciam_agreementEnabled`        | Indicates whether the agreement is required.                                                                   |
| `ciam_protectAnalysisRequired` | Indicates whether PingOne Protect analysis is required.                                                        |
| `ciam_logoUrl`                 | The URL for your company logo. This value is used only when the flow is launched with a redirect.              |
| `ciam_companyName`             | Displays the name of your company. This value is used only when the flow is launched with a redirect.          |
| `ciam_logoStyle`               | The HTML style to use for your company logo. This value is used only when the flow is launched with a redirect. |
| `flowMethod`                   | The method used to launch the flow.                                                                            |
