---
title: CIAM Plus With Protect - Profile Management - Agreement TOS - Main Flow
description: The CIAM Plus With Protect - Profile Management - Agreement TOS - Main Flow flow lets users view the terms of service.
component: pingone-solutions
page_id: pingone-solutions:pingone-customers-plus:flow_reference/ciam_plus_profile_mgmt_view_agreement_tos
canonical_url: https://docs.pingidentity.com/pingone-solutions/pingone-customers-plus/flow_reference/ciam_plus_profile_mgmt_view_agreement_tos.html
revdate: June 28, 2024
section_ids:
  purpose: Purpose
  structure: Structure
  input-schema: Input schema
  output-schema: Output schema
  variables: Variables
---

# CIAM Plus With Protect - Profile Management - Agreement TOS - Main Flow

The CIAM Plus With Protect - Profile Management - Agreement TOS - Main Flow flow lets users view the terms of service.

## Purpose

The CIAM Plus With Protect - Profile Management - Agreement TOS - Main Flow flow checks for an existing session, and uses the **CIAM Plus With Protect - SignOn - Subflow** to let users sign on if they do not already have a session. It uses the **CIAM Plus With Protect - Threat Detection - Subflow** to perform a threat assessment, then displays the terms of service for the user. If the user has not accepted the terms of service, the flow displays a form to allow the user to accept or decline and records the user response.

## Structure

This flow is divided into sections using teleport nodes:

* **Flow Configuration**

  Uses function nodes to set variables. Then, if agreement is required, but no agreement ID is present, the flow progresses to the **Check Session, Call To Protect Analysis & MFA Step-Up** section.

* **Check Session, Call To Protect Analysis & MFA Step-Up**

  Uses a PingOne node to check for a valid session:

  * If a session exists, a hidden HTML node captures risk information, then a PingOne node gathers additional information. The flow then progresses to the **Threat Detection & Mitigation** section. When this section completes, the flow progresses to the **MFA Authentication** section. When this section completes, the **CIAM Plus With Protect - Agreement (ToS) - Subflow** is invoked. The flow then progresses to the **Return Success** section.

  * If no session exists, a PingOne node deletes any existing session token, then the **CIAM Plus With Protect - SignOn - Subflow** is invoked. When the flow completes, a PingOne node creates or updates the session while a loading screen is displayed for the user. A PingOne node retrieves user information, then the flow progresses to the **MFA Authentication** section. When this section completes, the **CIAM Plus With Protect - Agreement (ToS) - Subflow** is invoked. The flow then progresses to the **Return Success** section.

* **Threat Detection & Mitigation**

  Invokes the **CIAM Plus With Protect - Threat Detection - Subflow**.

  If the **CIAM Plus With Protect - Threat Detection - Subflow** completes successfully, a function node stores the risk evaluation as a variable, then a second function node branches the flow based on the risk level:

  * If the risk level is low, the flow returns to the previous section.

  * If the risk level is medium, the flow progresses to the **MFA Authentication** section. The flow then returns to the previous section.

  * If the risk level is high, a function node checks if the high risk was the result of a new device. If not, a PingOne node notifies the user. The flow then progresses to the **Return Error** section.

  If the **CIAM Plus With Protect - Threat Detection - Subflow** completes unsuccessfully, a function node stores the risk evaluation as a variable, then the flow progresses to the **Return Error** section.

* **MFA Authentication**

  Uses a PingOne node to retrieve the user's devices, then uses a hidden HTML node to check for WebAuthn compatibility. A function node then checks if the user has at least one active device:

  * If the user has at least one active device, the **CIAM Plus With Protect - Device Authentication - Subflow** is invoked, a function node stores the authentication method as a variable, and the flow then returns to the previous section.

  * If the user has no active devices, the flow progresses to the **Step Up To Register Email MFA Device, If No MFA Devices Found During Authentication** section.

* **Step Up To Register Email MFA Device, If No MFA Devices Found During Authentication**

  A comparison node checks whether email verification is required.

  If email verification is not required, the flow invokes the **CIAM Plus With Protect - Device Registration - Subflow**, then a function node evaluates the device registration result:

  * If the device registration was completed, the authentication method is stored as a variable, and the flow returns to the **MFA Authentication** section.

  * If the device registration was skipped, the flow returns to the **MFA Authentication** section.

  If email verification is required, the flow invokes the **CIAM Plus With Protect - Verify Email - Subflow**, then uses PingOne nodes to enroll email as an MFA device and enable MFA for the user. A function node stores the user's authentication method as a variable, and the flow returns to the **MFA Authentication** section.

* **Return Error**

  Displays an error message, then sends a JSON error message.

* **Return Success**

  Sends a JSON success message.
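
The branching described for the **Threat Detection & Mitigation** section, modelled as plain JavaScript so that a customized copy of the flow can be checked against the same rules. This is an added example, not Ping Identity's function-node code; the `{ level, newDevice }` evaluation shape, the function names, and the fail-closed handling of an unrecognized risk level are assumptions.

```javascript
// Added example, not Ping Identity code. The evaluation shape
// ({ level, newDevice }) is a hypothetical stand-in for the stored risk evaluation.
const SECTION = Object.freeze({
  PREVIOUS: "previous section",
  MFA: "MFA Authentication",
  ERROR: "Return Error",
});

function routeAfterThreatDetection(subflowSucceeded, evaluation) {
  // The risk evaluation is stored on both the successful and unsuccessful outcome.
  const decision = {
    storedRiskEvaluation: evaluation ?? null,
    notifyUser: false,
    path: [SECTION.ERROR], // default: unsuccessful subflow goes to Return Error
  };
  if (!subflowSucceeded) return decision;

  const level = String(evaluation?.level ?? "").trim().toLowerCase();
  if (level === "low") {
    decision.path = [SECTION.PREVIOUS];
  } else if (level === "medium") {
    decision.path = [SECTION.MFA, SECTION.PREVIOUS];
  } else if (level === "high") {
    // Notify only when the high risk was not the result of a new device.
    decision.notifyUser = evaluation.newDevice !== true;
  }
  // Assumption of this example: a missing or unrecognized level keeps the
  // default Return Error path (fail closed); the page does not cover that case.
  return decision;
}

// Constructed inputs: every combination of outcome, level and new-device flag.
function findInvariantViolations() {
  const violations = [];
  for (const ok of [true, false]) {
    for (const level of ["LOW", "MEDIUM", "HIGH", "", undefined, "critical"]) {
      for (const newDevice of [true, false]) {
        const d = routeAfterThreatDetection(ok, { level, newDevice });
        const continues = !d.path.includes(SECTION.ERROR);
        const mayContinue = ok && ["LOW", "MEDIUM"].includes(level);
        const mayNotify = ok && level === "HIGH" && !newDevice;
        if (continues !== mayContinue || d.notifyUser !== mayNotify) {
          violations.push({ ok, level, newDevice });
        }
      }
    }
  }
  return violations;
}
```

`findInvariantViolations()` returns an empty array when only a successful low or medium evaluation avoids **Return Error** and the user notification fires only for high risk that was not caused by a new device.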

## Input schema

This flow has the following inputs:

| Input Name       | Required | Description                                                                                                               |
| ---------------- | -------- | ------------------------------------------------------------------------------------------------------------------------- |
| `flowParameters` | No       | An object containing parameters passed in if the flow was launched with the widget. This input replaces all other inputs. |

## Output schema

This flow has the following outputs:

| Output Name    | Description                                          |
| -------------- | ---------------------------------------------------- |
| `flowResult`   | The result status of the flow.                       |
| `p1UserId`     | The user's PingOne user ID.                          |
| `errorMessage` | The error message to display in the parent flow.     |
| `errorDetails` | The details of the error that occurred in this flow. |

## Variables

This flow uses the following variables:

| Variable name                | Parameter name            | Description                                                            |
| ---------------------------- | ------------------------- | ---------------------------------------------------------------------- |
| `ciam_logoStyle`             | None                      | The HTML style to use for your company logo.                           |
| `ciam_logoUrl`               | None                      | The URL for your company logo.                                         |
| `ciam_companyName`           | None                      | The name of your company to display.                                   |
| `ciam_magicLinkEnabled`      | `isEmailMagicLinkEnabled` | Indicates whether magic link is enabled in your environment.           |
| `ciam_agreementEnabled`      | `isTermsOfServiceEnabled` | A boolean indicating whether agreement is enabled in your environment. |
| `ciam_sessionLengthInMinute` | None                      | The maximum allowed session length for a user in the flow.             |
| `p1AgreementId`              | None                      | The ID of the PingOne agreement to present to users.                   |
| `p1RiskPolicyIdAuthn`        | None                      | The PingOne risk policy ID to use for authentication.                  |
| `protectRiskEvalId`          | None                      | The risk evaluation ID returned by PingOne Protect.                    |
| `p1RiskPolicyIdReg`          | None                      | The PingOne risk policy ID to use for registration.                    |
| `p1RiskPolicyIdAR`           | None                      | The PingOne risk policy ID to use for account recovery.                |
| `flowCompanyLogo`            | None                      | The company logo to use during the flow.                               |
| `p1MFAPolicyId`              | None                      | The PingOne MFA policy ID.                                             |
| `p1RiskPolicyIdAuthZ`        | None                      | The PingOne risk policy ID to use for authorization.                   |
| `authMethod`                 | None                      | The authentication method used by the user.                            |
