---
title: OOTB - Financial Services - SignOn - Subflow
description: Learn about the OOTB - Financial Services - SignOn - Subflow flow, including its purpose, structure, inputs, outputs, and variables.
component: pingone-solutions
page_id: pingone-solutions:financial-services:flow-reference/financial-services-signon-subflow
canonical_url: https://docs.pingidentity.com/pingone-solutions/financial-services/flow-reference/financial-services-signon-subflow.html
revdate: January 1, 2025
section_ids:
  purpose: Purpose
  structure: Structure
  input-schema: Input schema
  output-schema: Output schema
  variables-and-parameters: Variables and parameters
---

# OOTB - Financial Services - SignOn - Subflow

The **OOTB - Financial Services - SignOn - Subflow** lets users sign on, create a new account, or recover an account.

## Purpose

The **OOTB - Financial Services - SignOn - Subflow** enables existing users to sign on using a password and uses the **OOTB - Financial Services - Device Authentication - Subflow** flow to let existing users sign on using a known device.

## Structure

This flow is divided into sections using teleport nodes:

* **Flow Configuration**

  Uses multiple function nodes to save the variable and parameter values so that the correct values are available in the flow and in subflows, and to verify that the agreement ID is present if agreement is enabled. The flow then progresses to the **Offer Sign On Page** section.

* **Offer Sign On Page**

  Displays an HTML page that lets the user sign on.

  If the user clicks **Sign On**:

  1. A PingOne node looks up the user using their email address.

  2. The flow progresses to the **Threat Detection And Mitigation** section.

  3. When the **Threat Detection And Mitigation** section completes, the flow progresses to the **Password Authentication** section.

* **Password Authentication**

  Uses two PingOne nodes to look up the user and validate the provided password.

  * If the password is correct, the flow progresses to the **MFA Authentication** section. When this section completes, a function node evaluates the password status.

    * If the password status is `OK`, the flow progresses to the **Call Check Agreement and Email Verification Sub-Flow** section.

    * If the password is correct but must be changed or is expired, the flow progresses to the **Call Change Password Sub-Flow** section.

  * If the password is incorrect, or the user can't be found, a comparison node checks whether the account is locked. If the account is locked, the flow progresses to the **Return Error** section. If the account is not locked, an error message displays to the user.

* **Threat Detection And Mitigation**

  Uses a function node to check if PingOne Protect analysis is required.

  * If PingOne Protect analysis is required, the **OOTB - Financial Services - Threat Detection - Subflow** is invoked. If the subflow completes unsuccessfully, an error message is displayed. If the subflow completes successfully, a function node branches based on the reported risk level:

    * If the risk level is low, a function node sets the `isMFAAuthnReq` variable to false. The flow then progresses to the **Password Authentication** section.

    * If the risk level is medium, a function node sets the `isMFAAuthnReq` variable to true. The flow then progresses to the **Password Authentication** section.

    * If the risk level is high, function nodes check if the PingOne user ID is unknown and if the high risk was the result of a new device. If the PingOne ID is unknown, and the high risk is not the result of a new device, a PingOne node sends an email notifying the user of suspicious activity. A function node sets the `isMFAAuthnReq` variable to true, and the flow progresses to the **Password Authentication** section.

  * If PingOne Protect analysis is not required, a function node sets the `isMFAAuthnReq` variable to true. The flow then progresses to the **Password Authentication** section.

* **Call Change Password Sub-Flow**

  Invokes the **OOTB - Financial Services - Change Password - Subflow** flow. If the subflow completes successfully, the flow displays a success message and a PingOne node sends a password change email. The flow then progresses to the **Call Check Agreement and Email Verification Sub-Flow** section.

* **MFA Authentication**

  Uses function nodes to verify that multi-factor authentication (MFA) is required and that MFA is enabled for the user.

  * If both conditions are met, a PingOne node looks up the user's existing devices. An HTML node then checks the user's current device for WebAuthn support, and comparison nodes filter out unusable devices and check whether at least one device is configured.

    If the user has no active devices, or the user's device information could not be found, the flow progresses to the **Step up to register Email MFA device if no MFA devices found during authentication** section.

    If the user has active devices, the **OOTB - Financial Services - Device Authentication - Subflow** is invoked. If the subflow completes successfully, a function node saves the authentication method as a variable and the flow returns to the **Password Authentication** section. If the user canceled in the subflow, the flow progresses to the **Offer Sign On Page** section.

  If MFA isn't enabled for the user, a function node checks if MFA can be enabled for the user.

  * If MFA can't be enabled, the section proceeds from the PingOne device lookup node as described above.

  * If MFA can be enabled, an HTML page presents the user with the option of enabling MFA. If the user selects this option, a PingOne node enables MFA for them. The section then proceeds from the PingOne device lookup node as described above.

* **Call Check Agreement and Email Verification Sub-Flow**

  Invokes the **OOTB - Financial Services - Agreement (ToS) - Subflow**, then uses a PingOne node to retrieve user information. A function node checks whether email verification is required, and if email verification is required, the **OOTB - Financial Services - Verify Email - Subflow** is invoked. The flow then progresses to the **Handle Remember Me if Applicable** section.

* **Handle Remember Me if Applicable**

  Adds **Remember Me** as an authentication method if it is enabled, then progresses to the **Return Success** section.

* **Step up to register Email MFA device if no MFA devices found during authentication**

  A comparison node checks whether email verification is required.

  * If email verification is not required, the flow invokes the **OOTB - Financial Services - Device Registration - Subflow**, then branches based on the device registration result.

    * If the new device was registered successfully, a function node saves the authentication method as a variable, then the flow returns to the **Password Authentication** section.

    * If the user skipped the new device registration, the flow returns to the **Password Authentication** section.

    * If the user canceled, the flow progresses to the **Offer Sign On Page** section.

  * If email verification is required, the flow invokes the **OOTB - Financial Services - Verify Email - Subflow**, then uses PingOne nodes to enroll email as an MFA device and enable MFA for the user. A function node saves the authentication method as a variable, then the flow returns to the **Password Authentication** section.

* **Return Success**

  Displays an HTML success message to the user, then sends a success response, indicating that the flow completed successfully.

* **Return Error**

  Uses a function node to enrich error details, uses a PingOne node to update the evaluation status if it is empty, and sends an error JSON response indicating that the flow completed unsuccessfully.
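As an added illustration (not DaVinci flow code and not from the PingOne documentation), the branching described in the **Threat Detection And Mitigation**, **Password Authentication** and **MFA Authentication** sections above can be written as a small decision model that is easy to test against the documented paths; the function names, argument names and string labels are assumptions:

```python
from dataclasses import dataclass
from typing import Optional

# Section names, as they appear in the flow reference above.
PASSWORD_AUTHN = "Password Authentication"
RETURN_ERROR = "Return Error"
CALL_AGREEMENT = "Call Check Agreement and Email Verification Sub-Flow"
CALL_CHANGE_PASSWORD = "Call Change Password Sub-Flow"
STEP_UP_EMAIL = ("Step up to register Email MFA device if no MFA devices "
                 "found during authentication")
DEVICE_AUTHN_SUBFLOW = "OOTB - Financial Services - Device Authentication - Subflow"
SHOW_ERROR = "error message displayed"  # inline error, no section change


@dataclass
class ThreatOutcome:
    next_section: str
    is_mfa_authn_req: Optional[bool] = None  # left unchanged when an error is shown
    notify_suspicious_activity: bool = False  # email sent by the PingOne node


def threat_detection(protect_required: bool, subflow_succeeded: bool = True,
                     risk_level: Optional[str] = None, p1_user_id_known: bool = True,
                     high_risk_from_new_device: bool = False) -> ThreatOutcome:
    """Threat Detection And Mitigation: set isMFAAuthnReq and pick the next section."""
    if not protect_required:
        return ThreatOutcome(PASSWORD_AUTHN, is_mfa_authn_req=True)
    if not subflow_succeeded:
        return ThreatOutcome(SHOW_ERROR)
    if risk_level == "low":
        return ThreatOutcome(PASSWORD_AUTHN, is_mfa_authn_req=False)
    if risk_level == "medium":
        return ThreatOutcome(PASSWORD_AUTHN, is_mfa_authn_req=True)
    if risk_level == "high":
        # Unknown PingOne ID and not explained by a new device: notify the user.
        notify = (not p1_user_id_known) and (not high_risk_from_new_device)
        return ThreatOutcome(PASSWORD_AUTHN, is_mfa_authn_req=True,
                             notify_suspicious_activity=notify)
    raise ValueError(f"unexpected risk level: {risk_level!r}")


def password_authentication(user_found: bool, password_valid: bool,
                            password_status: str, account_locked: bool) -> str:
    """Password Authentication: section reached after the MFA Authentication
    section has run on success, or the error path on failure."""
    if not user_found or not password_valid:
        # A locked account goes to Return Error; otherwise an inline message.
        return RETURN_ERROR if account_locked else SHOW_ERROR
    if password_status == "OK":
        return CALL_AGREEMENT
    return CALL_CHANGE_PASSWORD  # correct but must be changed, or expired


def mfa_device_routing(devices_found: bool, active_device_count: int) -> str:
    """MFA Authentication: where the flow goes after the device lookup."""
    if not devices_found or active_device_count == 0:
        return STEP_UP_EMAIL
    return DEVICE_AUTHN_SUBFLOW
```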

## Input schema

This flow has the following inputs:

| Input Name            | Required | Description                                                                                                               |
| --------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------- |
| `flowParameters`      | No       | An object containing parameters passed in if the flow was launched with the widget. This input replaces all other inputs. |
| `p1AgreementId`       | No       | The ID of the PingOne agreement to present to users.                                                                      |
| `p1MFAPolicyId`       | No       | The PingOne MFA policy ID.                                                                                                |
| `p1RiskPolicyIdReg`   | No       | The PingOne risk policy ID to use for registration.                                                                       |
| `p1RiskPolicyIdAuthn` | No       | The PingOne risk policy ID to use for authentication.                                                                     |
| `p1RiskPolicyIdAR`    | No       | The PingOne risk policy ID to use for account recovery.                                                                   |
| `canUserEnableMFA`    | No       | Indicates whether the user can enable MFA for their account.                                                              |

## Output schema

This flow has the following outputs:

| Output Name         | Description                                          |
| ------------------- | ---------------------------------------------------- |
| `errorMessage`      | The error message to display in the parent flow.     |
| `errorDetails`      | The details of the error that occurred in this flow. |
| `authMethod`        | The authentication method used in the flow.          |
| `p1UserId`          | The PingOne user ID of the user.                     |
| `protectRiskLevel`  | The risk level found by PingOne Protect.             |
| `protectRiskEvalId` | The PingOne Protect evaluation ID.                   |

## Variables and parameters

This flow uses the following variable or parameter values:

| Variable name                 | Parameter name            | Description                                                                                                                                                                                                                                                                                                      |
| ----------------------------- | ------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `ciam_logoStyle`              | None                      | The HTML style to use for your company logo.                                                                                                                                                                                                                                                                     |
| `ciam_logoUrl`                | None                      | The URL for your company logo.                                                                                                                                                                                                                                                                                   |
| `ciam_appleEnabled`           | `isAppleEnabled`          | Indicates whether authentication through Apple is enabled in your environment.                                                                                                                                                                                                                                   |
| `ciam_facebookEnabled`        | `isFacebookEnabled`       | Indicates whether authentication through Facebook is enabled in your environment.                                                                                                                                                                                                                                |
| `ciam_googleEnabled`          | `isGoogleEnabled`         | Indicates whether authentication through Google is enabled in your environment.                                                                                                                                                                                                                                  |
| `ciam_companyName`            | None                      | Displays the name of your company.                                                                                                                                                                                                                                                                               |
| `ciam_magicLinkEnabled`       | `isEmailMagicLinkEnabled` | Indicates whether magic link is enabled in your environment.                                                                                                                                                                                                                                                     |
| `ciam_agreementEnabled`       | `isTermsOfServiceEnabled` | A Boolean indicating whether agreement is enabled in your environment.                                                                                                                                                                                                                                           |
| `ciam_requireMFA`             | `isRequireMFA`            | A Boolean that controls whether MFA is required for all users.                                                                                                                                                                                                                                                   |
| `ciam_resendOtpLimit`         | None                      | The maximum number of times a user can resend a one-time passcode (OTP), a passcode valid for only one sign-on or transaction.                                                                                                                                                                                  |
| `ciam_verificationLimit`      | None                      | The maximum number of times a user can attempt to verify their email address.                                                                                                                                                                                                                                    |
| `ciam_otpFallbackAllowed`     | None                      | A Boolean indicating whether a user can fall back to an OTP if a mobile push request times out.                                                                                                                                                                                                                  |
| `ciam_recoveryLimit`          | None                      | The maximum number of times a user can attempt to recover an account.                                                                                                                                                                                                                                            |
| `ciam_accountRecoveryEnabled` | None                      | A Boolean that controls whether account recovery is enabled in your environment.                                                                                                                                                                                                                                 |
| `p1AgreementId`               | None                      | The ID of the PingOne agreement to present to users.                                                                                                                                                                                                                                                             |
| `p1RiskPolicyIdAuthn`         | None                      | The PingOne risk policy ID to use for authentication.                                                                                                                                                                                                                                                            |
| `protectRiskEvalId`           | None                      | The risk evaluation ID returned by PingOne Protect.                                                                                                                                                                                                                                                              |
| `p1RiskPolicyIdReg`           | None                      | The PingOne risk policy ID to use for registration.                                                                                                                                                                                                                                                              |
| `p1RiskPolicyIdAR`            | None                      | The PingOne risk policy ID to use for account recovery.                                                                                                                                                                                                                                                          |
| `flowCompanyLogo`             | None                      | The company logo to use during the flow.                                                                                                                                                                                                                                                                         |
| `p1MFAPolicyId`               | None                      | The PingOne MFA policy ID.                                                                                                                                                                                                                                                                                       |
| `authMethod`                  | None                      | The authentication method used by the user.                                                                                                                                                                                                                                                                      |
| `protectDeviceStatus`         | None                      | The status of the user's device as determined by PingOne Protect.                                                                                                                                                                                                                                                |
| `flowRequireMFA`              | None                      | Indicates whether MFA enrollment is required in the flow.                                                                                                                                                                                                                                                        |
| `isMFAAuthnReq`               | None                      | Indicates whether MFA authentication is required.                                                                                                                                                                                                                                                                |
