---
title: Healthcare - Progressive Verification during Authentication - SignOn - Subflow
description: Learn about the DEPRECATED - Healthcare Authentication - Account Recovery - Email - Subflow flow, including its purpose, structure, inputs, outputs, and variables.
component: pingone-solutions
page_id: pingone-solutions:healthcare:flow-reference/healthcare-authentication-signon-subflow
canonical_url: https://docs.pingidentity.com/pingone-solutions/healthcare/flow-reference/healthcare-authentication-signon-subflow.html
revdate: January 1, 2025
section_ids:
  purpose: Purpose
  structure: Structure
  input-schema: Input schema
  output-schema: Output schema
  variables: Variables
---

# Healthcare - Progressive Verification during Authentication - SignOn - Subflow

The **Healthcare - Progressive Verification during Authentication - SignOn - Subflow** lets users sign on using MFA and threat detection.

## Purpose

The **Healthcare - Progressive Verification during Authentication - SignOn - Subflow** presents users with a sign-on form. It uses the **Healthcare - Progressive Verification during Authentication - Threat Detection - Subflow** to perform a threat assessment, then authenticates the user using the provided password and performs multi-factor authentication (MFA) if enabled, invoking the **Healthcare - Progressive Verification during Authentication - Device Authentication - Subflow** to authenticate and the **Healthcare - Progressive Verification during Authentication - Device Registration - Subflow** to register a new MFA device as necessary.

The flow also invokes the **Healthcare - Progressive Verification during Authentication - Change Password - Subflow** if the user needs to change their password, the **Healthcare - Agreement (ToS) - Subflow** if the user needs to consent to an agreement, and the **Healthcare - Progressive Verification during Authentication - Verify Email - Subflow** if the user is signing on for the first time and must verify their email address.

## Structure

This flow is divided into sections using teleport nodes:

* **Flow Configuration**

  Uses multiple function nodes to save the variable and parameter values so that the correct values are available in the flow. A function node then checks if agreement is required and an agreement ID is present. The flow then progresses to the **Offer Sign On Page** section.

* **Offer Sign On Page**

  Displays an HTML page with options to sign on using a password or recover from a forgotten password:

  * If the user uses the sign-on option, a PingOne node looks up the user, then the flow progresses to the **Threat Detection and Mitigation** section. When this section completes, the flow progresses to the **Password Authentication** section.

  * If no options match, a hidden HTML node activates CSS files for social login, and the flow progresses to the **Return Error** section.

* **Password Authentication**

  Uses two PingOne nodes to look up the user and validate the provided password. If the password is correct, the flow progresses to the **MFA Authentication** section. When this section completes, the flow branches based on the password status:

  * If the password is current, the flow progresses to the **Call Check Agreement and Email verification Sub-Flow** section.

  * If the password is expired or must be changed, the flow progresses to the **Call Change Password Sub-Flow** section.

  If the user cannot be found or the password is incorrect, a function node checks if the user's account is locked:

  * If the user's account is not locked, an error message is displayed.

  * If the user's account is locked, the flow progresses to the **Return Error** section.

* **Threat Detection and Mitigation**

  Uses a function node to check if PingOne Protect analysis is required.

  If PingOne Protect analysis is not required, a function node sets the MFA step-up variable to true, and the flow returns to the previous section.

  If PingOne Protect analysis is required, the flow invokes the **Healthcare - Progressive Verification during Authentication - Threat Detection - Subflow**.

  If the **Healthcare - Progressive Verification during Authentication - Threat Detection - Subflow** completes successfully, a function node stores the risk evaluation as a variable, then a second function node branches the flow based on the risk level:

  * If the risk level is low, a function node sets the MFA step-up variable to false, then the flow returns to the previous section.

  * If the risk level is medium, a function node sets the MFA step-up variable to true, then the flow returns to the previous section.

  * If the risk level is high, function nodes check if the PingOne user ID is empty and if the high risk was the result of a new device. If neither is true, a PingOne node notifies the user. A function node sets the MFA step-up variable to true, then the flow returns to the previous section.

  If the **Healthcare - Progressive Verification during Authentication - Threat Detection - Subflow** completes unsuccessfully, a function node stores the risk evaluation as a variable and the flow progresses to the **Return Error** section.

* **Call Change Password Sub-Flow**

  Invokes the **Healthcare - Progressive Verification during Authentication - Change Password - Subflow** flow. If the subflow completes successfully, the flow displays a success message and a PingOne node sends a password change email. The flow then progresses to the **Call Check Agreement and Email verification Sub-Flow** section.

* **MFA Authentication**

  Uses a function node to check if MFA authentication is required. If not, the flow returns to the **Password Authentication** section.

  If MFA authentication is required, a function node checks if MFA is enabled:

  * If MFA is enabled, a PingOne node retrieves the user's existing devices, and a hidden HTML node checks the user's system for WebAuthn support.

    Function nodes then filter the usable devices and check for active devices. If either check fails, the flow progresses to the **Step up to register Email MFA device if no MFA devices found during authentication** section.

    If the user has one or more active devices, the **Healthcare - Progressive Verification during Authentication - Device Authentication - Subflow** is invoked:

    * If the subflow completes successfully, a function node stores the user's authentication method as a variable, then the flow returns to the **Password Authentication** section.

    * If the user cancels, the flow progresses to the **Offer Sign On Page** section.

  * If MFA is not enabled, a function node checks if the user can enable MFA:

    * If the user cannot enable MFA, the section proceeds as if MFA was enabled.

    * If the user can enable MFA, an HTML form presents the option of enabling MFA. If the user enables MFA, a PingOne node enables MFA for the user. The section then proceeds as if MFA was enabled.

* **Call Check Agreement and Email verification Sub-Flow**

  Invokes the **Healthcare - Progressive Verification during Authentication - Agreement (ToS) - Subflow**, then uses a PingOne node to retrieve user information. A function node checks whether email verification is required:

  * If verification is required, the flow progresses to the **Check If it is time 2nd login then verify email and auto enroll email as MFA** section.

  * If verification is not required, the flow progresses to the **Handle Remember Me if Applicable** section.

* **Check If it is time 2nd login then verify email and auto enroll email as MFA**

  Uses function nodes to check the login count. If this is the user's first login, the **Healthcare - Progressive Verification during Authentication - Verify Email - Subflow** is invoked, then the flow progresses to the **Step up to register Email MFA device if no MFA devices found during authentication** section. When this section completes, or if it is not the user's first login, the flow progresses to the **Handle Remember Me if Applicable** section.

* **Handle Remember Me if Applicable**

  Adds **Remember Me** as an authentication method if it is enabled, then progresses to the **Return Success** section.

* **Step up to register Email MFA device if no MFA devices found during authentication**

  A comparison node checks whether email verification is required.

  If email verification isn't required, the flow invokes the **Healthcare - Progressive Verification during Authentication - Device Registration - Subflow**. The section then branches based on the device registration result:

  * If the result is **Complete**, the user's authentication method is stored as a variable and the flow returns to the **Password Authentication** section.

  * If the result is **Skip**, the flow returns to the **Password Authentication** section.

  * If the result is **Cancel**, the flow returns to the **Offer Sign On Page** section.

  If email verification is required, the flow invokes the **Healthcare - Progressive Verification during Authentication - Verify Email - Subflow**, then uses PingOne nodes to enroll email as an MFA device and enable MFA for the user. The user's authentication method is stored as a variable, and the flow then returns to the **Password Authentication** section.

* **Return Success**

  Sends a success JSON response, indicating that the flow completed successfully. A function node also checks whether the risk evaluation ID is empty and uses a PingOne node to update the risk evaluation if the ID is present.

* **Return Error**

  Uses a function node to enrich the error details and sends an error JSON response, indicating that the flow completed unsuccessfully. A function node also checks whether the risk evaluation ID is empty and uses a PingOne node to update the risk evaluation if the ID is present.
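
The branching in the **Threat Detection and Mitigation** section, modeled as an added JavaScript example (not the flow's own function-node code) to show which input combinations leave the MFA step-up variable false. The field names and string values such as `protectRequired`, `riskLevel` and `'return'` are assumptions made for this sketch.

```javascript
// Added example: models the documented branching only. All names are hypothetical.
function threatDecision({ protectRequired, subflowSucceeded, riskLevel, userId, newDevice }) {
  // PingOne Protect analysis not required: MFA step-up is set to true.
  if (!protectRequired) {
    return { next: 'return', mfaStepUp: true, notifyUser: false };
  }
  // Threat Detection subflow completed unsuccessfully: go to Return Error.
  if (!subflowSucceeded) {
    return { next: 'Return Error', mfaStepUp: null, notifyUser: false };
  }
  switch (riskLevel) {
    case 'low':
      return { next: 'return', mfaStepUp: false, notifyUser: false };
    case 'medium':
      return { next: 'return', mfaStepUp: true, notifyUser: false };
    case 'high':
      // The user is notified only if the user ID is not empty and the
      // high risk was not the result of a new device.
      return { next: 'return', mfaStepUp: true, notifyUser: Boolean(userId) && !newDevice };
    default:
      // The page describes no other risk levels, so the model refuses to guess.
      throw new Error('risk level not described by the flow reference: ' + riskLevel);
  }
}

// Enumerate every documented branch and collect those where MFA is not stepped up.
function pathsThatSkipMfa() {
  const skipped = [];
  for (const protectRequired of [false, true]) {
    for (const subflowSucceeded of [false, true]) {
      for (const riskLevel of ['low', 'medium', 'high']) {
        const d = threatDecision({
          protectRequired, subflowSucceeded, riskLevel,
          userId: 'constructed-user-id', newDevice: false, // constructed sample values
        });
        if (d.mfaStepUp === false) skipped.push({ protectRequired, subflowSucceeded, riskLevel });
      }
    }
  }
  return skipped;
}

console.log(pathsThatSkipMfa());
```

The enumeration returns a single entry: a successful PingOne Protect evaluation with a low risk level is the only branch in this section that sets the step-up variable to false.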

## Input schema

This flow has the following inputs:

| Input name                            | Required | Description                                                                           |
| ------------------------------------- | -------- | ------------------------------------------------------------------------------------- |
| `flowParameters`                      | No       | An object containing parameters passed in if the flow was launched with the widget.   |
| `p1AgreementId`                       | No       | The ID of the agreement to present to the user.                                       |
| `p1MFAPolicyId`                       | No       | The ID of the PingOne MFA policy to use in the flow.                                  |
| `p1RiskPolicyIdReg`                   | No       | The PingOne risk policy ID to use for registration.                                   |
| `p1RiskPolicyIdAuthn`                 | No       | The PingOne risk policy ID to use for authentication.                                 |
| `p1RiskPolicyIdAR`                    | No       | The PingOne risk policy ID to use for account recovery.                               |
| `canUserEnableMFA`                    | No       | Indicates whether the user can enable MFA.                                            |
| `disableAccountRegistrationButton`    | No       | Indicates whether to disable the option for account registration.                     |
| `disableAccountRecoveryButton`        | No       | Indicates whether to disable the option for account recovery.                         |
| `disableSocialRegistrationButton`     | No       | Indicates whether to disable the option for social registration.                      |
| `bypassRiskEvaluationUpdateOnSuccess` | No       | Indicates whether to skip the updating of the user's risk evaluation on flow success. |

## Output schema

This flow has the following outputs:

| Output name         | Description                                                     |
| ------------------- | --------------------------------------------------------------- |
| `p1UserId`          | The user ID of the current user.                                |
| `protectRiskLevel`  | The risk level of the current user returned by PingOne Protect. |
| `protectRiskEvalId` | The risk ID of the current user returned by PingOne Protect.    |
| `authMethod`        | The authentication method that was configured by the flow.      |
| `errorMessage`      | The error message to display in the parent flow.                |
| `errorDetails`      | The details of the error that occurred in this flow.            |

## Variables

This flow uses the following variables:

| Variable name         | Description                                                  |
| --------------------- | ------------------------------------------------------------ |
| `p1AgreementId`       | The ID of the agreement to present to the user.              |
| `p1MFAPolicyId`       | The ID of the PingOne MFA policy to use in the flow.         |
| `p1RiskPolicyIdReg`   | The PingOne risk policy ID to use for registration.          |
| `p1RiskPolicyIdAuthn` | The PingOne risk policy ID to use for authentication.        |
| `p1RiskPolicyIdAR`    | The PingOne risk policy ID to use for account recovery.      |
| `authMethod`          | The authentication method that was configured by the flow.   |
| `protectRiskEvalId`   | The risk ID of the current user returned by PingOne Protect. |
| `flowCompanyLogo`     | The URL for your company logo.                               |
