PingOne for Customers Plus

CIAM Plus With Protect - Device Registration - Subflow

The CIAM Plus With Protect - Device Registration - Subflow lets users register a new device.

Purpose

The CIAM Plus With Protect - Device Registration - Subflow presents users with options to register any available device type. The flow finds the available devices, then uses an HTML node to let the user select one:

  • If the user selects Mobile Application, the flow creates a pairing key to pair the application with the account.

  • If the user selects Biometrics/Security Key, the flow pairs the current FIDO-supported device.

  • If the user selects Authenticator App, the flow uses a key URL to pair an authenticator app with the account.

  • If the user selects Text Message, the flow gathers the number and uses a one-time passcode (OTP) to verify the SMS number.

  • If the user selects Voice, the flow gathers the number and uses an OTP to verify the phone number.

  • If the user selects Email, the flow uses an OTP to verify the email address.

After any successful device registration, or if the user selects password, the flow returns to the CIAM Plus With Protect - Account Registration - Subflow parent flow.

Structure

This flow is divided into sections using teleport nodes:

Gather device types that user can register with

Uses a hidden HTML form to gather browser information, then uses a PingOne node to retrieve the user’s current devices. If the user has compatible devices and can register at least one device, the flow progresses to the Check Whether MFA Greetings Required To Be Displayed To User? section.

Check Whether MFA Greetings Required To Be Displayed To User?

Uses a function node to check if the greeting page should be displayed.

If the greeting should be displayed, an HTML node asks for user consent to add an MFA device. If the user clicks Skip or Back, the flow progresses to the Return Success section.

If the user does not select Skip or Back, or if the greeting page is not displayed, a function node checks whether the user’s email is known. If the user’s email address is not known, the flow progresses to the User select device to register with section.

If the user’s email address is known, a function node checks whether direct enrollment of the user’s email is requested. If direct enrollment is not requested, the flow progresses to the User select device to register with section. If direct enrollment is requested, function nodes verify that the email address is not in use and set the canEnrollOnlyEmail variable to true, then the flow progresses to the Prepare to register OTP device section.

User select device to register with

Presents the user with an HTML page that provides them with the available authentication method options.

If the user selects Voice or SMS, the flow progresses to the User selected SMS/VOICE section.

If the user selects Email, the flow progresses to the User selected email section.

If the user selects TOTP, the flow progresses to the Prepare to register OTP device section.

If the user selects FIDO2, the flow progresses to the Register FIDO2 device and enable MFA for user section.

If the user selects Mobile, the flow progresses to the Mobile app registration flow section.

If the user selects Cancel, a function node determines whether MFA is required. If MFA is required, the flow progresses to the Return Success section with the cancel result. If MFA is not required, the flow progresses to the Return Success section with the skip result.
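The device menu described in the two preceding sections depends on the allowedDeviceTypes input and on what the hidden HTML form learned about the browser. The following is an added illustration, not the flow's own function-node code; it assumes a browserInfo.webAuthnSupported flag from the hidden form and treats allowOnlyEmail as collapsing the menu to EMAIL (the rest of the behaviour follows the input schema on this page).

```javascript
// Added example (not the flow's own function-node code): derive the device
// types a user can register with, as the "Gather device types" and
// "User select device to register with" sections describe.
// Assumptions: allowedDeviceTypes is the comma-separated input string from the
// input schema; browserInfo.webAuthnSupported is a flag gathered by the hidden
// HTML form (assumed name); allowOnlyEmail is the subflow input of that name.

const KNOWN_TYPES = ["SMS", "EMAIL", "FIDO2", "MOBILE", "VOICE", "TOTP"];

// Parse the allowedDeviceTypes input. Unknown tokens are rejected rather than
// ignored so a typo in the parent flow cannot silently widen or narrow the
// set of MFA methods offered to the user.
function parseAllowedDeviceTypes(raw) {
  const allowed = [];
  for (const token of String(raw || "").split(",")) {
    const t = token.trim().toUpperCase();
    if (t === "") continue;
    if (!KNOWN_TYPES.includes(t)) {
      throw new Error(`allowedDeviceTypes: unknown device type "${token.trim()}"`);
    }
    if (!allowed.includes(t)) allowed.push(t);
  }
  return allowed;
}

// Work out which allowed types this user can still add from this browser.
// FIDO2 needs WebAuthn support; the OTP and mobile types need no browser
// capability. With allowOnlyEmail set, only EMAIL remains (see canEnrollOnlyEmail).
function registrableDeviceTypes(opts) {
  const { allowedDeviceTypes, browserInfo, allowOnlyEmail } = opts;
  let allowed = parseAllowedDeviceTypes(allowedDeviceTypes);
  if (allowOnlyEmail) allowed = allowed.filter((t) => t === "EMAIL");
  return allowed.filter((t) => t !== "FIDO2" || browserInfo.webAuthnSupported === true);
}
```

An empty result means the user cannot register any device from this browser, which is the condition the "Gather device types" section tests before continuing.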

User selected SMS/VOICE

Displays an HTML page that gives the user the option to provide a voice or SMS number.

If the user enters a voice or SMS number, a function node verifies that the number is not in use, then the flow progresses to the Prepare to register OTP device section.

If the user clicks Cancel, the flow returns to the User select device to register with section.

User selected email

Uses a function node to check for a known user email.

If the user’s email is not present, an HTML node lets the user enter an email and submit it or cancel.

If the user clicks Cancel, the flow returns to the User select device to register with section.

If the user submits an email, or if their email was already present, a function node verifies that the email is not already registered. If the email is not already registered, the flow progresses to the Prepare to register OTP device section. If the email is already registered, a function node determines the correct error message to display.

Prepare to register OTP device

Uses a PingOne node to create an OTP device.

If the OTP device creation succeeds, a function node sets the device ID, then the flow progresses to the TOTP (Authenticator app) registration flow section if the device type is TOTP, or to the Ask for OTP section if the device is SMS, voice, or email.

If the OTP device creation fails, an error message is displayed.

Ask for OTP

Uses function nodes to begin tracking the number of resend attempts, mask the phone number or email, and determine the cancel behavior, then displays an HTML node prompting the user for the OTP.

If the user submits a code, the flow progresses to the Activate OTP device and enable MFA for user section. Otherwise, the flow progresses to the Resend OTP section.

Resend OTP

If the user clicks Resend at the OTP prompt screen, function nodes increment the resend attempts and check if the maximum has been reached. If the maximum has not been reached, PingOne nodes delete the previous OTP device and create a new device, a function node updates the device ID, and a message is displayed for the user.

If the user clicks Cancel at the OTP prompt screen, a PingOne node deletes the OTP device. A function node then redirects the flow based on the cancel button behavior. If this value is Back, the flow progresses to the User select device to register with section. If this value is Skip, the flow progresses to the Return Success section with the Skip result. If this value is Cancel, the flow progresses to the Return Success section with the Cancel result.
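The bookkeeping that the Ask for OTP and Resend OTP sections describe (masking the contact detail, counting resends against resendOtpLimit, and routing Back/Skip/Cancel) is shown below as an added example; it is not the flow's own function-node code. It assumes the resend limit is compared after the attempt is counted, so resendOtpLimit equals the number of resends permitted, and the Back/Skip/Cancel rule (Back whenever the user came through the device-selection page) is an illustrative reading of the page, not something it states.

```javascript
// Added example (not the flow's own function-node code): the state handling
// described in the "Ask for OTP" and "Resend OTP" sections.
// Assumptions: resendOtpLimit and requireMFA are the subflow inputs;
// resendOtpAttempts and canEnrollOnlyEmail are the flow variables; the
// Back/Skip/Cancel decision rule below is an illustration, not the page's own.

// Show the user where the OTP went without echoing the full contact detail.
function maskContact(contact) {
  const at = contact.indexOf("@");
  if (at > 0) {
    const local = contact.slice(0, at);
    return `${local[0]}${"*".repeat(Math.max(local.length - 1, 1))}${contact.slice(at)}`;
  }
  const digits = contact.replace(/\D/g, "");
  return `${"*".repeat(Math.max(digits.length - 4, 0))}${digits.slice(-4)}`;
}

// Resend handling: count the attempt first, then compare with the limit, so
// resendOtpLimit is the number of resends actually allowed (0 blocks resends).
// recreateDevice tells the flow whether to delete the old OTP device and
// create a fresh one, as the Resend OTP section describes.
function handleResend(state, resendOtpLimit) {
  const resendOtpAttempts = state.resendOtpAttempts + 1;
  const recreateDevice = resendOtpAttempts <= resendOtpLimit;
  return { ...state, resendOtpAttempts, recreateDevice };
}

// Cancel routing. The page names three outcomes: Back (to device selection),
// Skip (Return Success with the skip result) and Cancel (Return Success with
// the cancel result). Assumed rule: a user who arrived via direct email
// enrollment (canEnrollOnlyEmail) never saw the selection page, so Back is
// not offered and requireMFA decides between Skip and Cancel.
function cancelBehavior(state, requireMFA) {
  if (!state.canEnrollOnlyEmail) return "Back";
  return requireMFA ? "Cancel" : "Skip";
}
```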

TOTP (Authenticator app) registration flow

Uses a function node to create a QR code for the key URL, then displays an HTML page on which the user can scan the QR code and enter a secret.

If the user enters the secret, the flow progresses to the Activate OTP device and enable MFA for user section.

If the user clicks Cancel, a PingOne node deletes the OTP device, and the flow returns to the User select device to register with section.

Activate OTP device and enable MFA for user

Uses a PingOne node to activate the OTP device. If the new device should be the default, a PingOne node sets it as the default, then another PingOne node updates the user’s MFA status. The flow then progresses to the Return Success section.

Register FIDO2 device and enable MFA for user

Uses a PingOne node to create a FIDO2 device, then presents the user with an HTML registration page.

If the user successfully registers the device, a PingOne node activates the device. If the new device should be the default, a PingOne node sets it as the default, then another PingOne node updates the user’s MFA status. The flow then progresses to the Return Success section.

If the user clicks Cancel, a PingOne node deletes the device and the flow returns to the User select device to register with section.

Mobile app registration flow

Uses a PingOne node to create a pairing key, then creates a QR code using the key. An HTML node then presents the QR code to the user.

If the user clicks Cancel, a PingOne node deletes the pairing key and the flow returns to the User select device to register with section.

A PingOne node reads the key, then a polling node determines when to proceed. If the polling status is claimed, a function node determines whether the user has any pre-registered devices. If the user has no pre-registered devices, a PingOne node activates MFA for the user and the flow progresses to the Return Success section.

If the user has pre-registered devices, a function node determines whether the new device should be set as the default. If the new device should not be set as default, a PingOne node enables MFA for the user. If the new device should be the default, a PingOne node reads the user’s mobile devices, a function node finds the device ID, and a PingOne node sets the device as default. A PingOne node then enables MFA for the user.

If the polling fails, an error message is displayed, a PingOne node deletes the pairing key, and the flow returns to the User select device to register with section.

Return Success

Sends a success JSON response, indicating that the flow completed successfully.

Return Error

Sends an error JSON response, indicating that the flow completed unsuccessfully.

Input schema

This flow has the following inputs:

Input name               Required  Description
email                    No        The email address to use for registration.
p1UserId                 Yes       The user ID of the current user.
notShowMFAGreetingsPage  No        A boolean indicating whether to show the user greetings page.
allowOnlyEmail           No        A boolean indicating whether email should be the only permitted MFA device.
requireMFA               No        A boolean indicating whether MFA is required.
setNewDeviceAsDefault    No        A boolean indicating whether a newly added device should be set as the default device.
allowedDeviceTypes       No        A string containing any or all of SMS, EMAIL, FIDO2, MOBILE, VOICE, TOTP, indicating the allowed device types.
companyLogo              No        The company logo. Used only when the main flow was launched using a redirect.
resendOtpLimit           Yes       The maximum number of times the user can resend the OTP.

Output schema

This flow has the following outputs:

Output name    Description
subflowResult  The result status of the flow.
authMethod     The authentication method that was configured by the flow.
errorMessage   The error message to display in the parent flow.
errorDetails   The details of the error that occurred in this flow.

Variables

This flow uses the following variables:

Variable name       Description
canEnrollOnlyEmail  A boolean indicating whether email should be the only permitted MFA device.
resendOtpAttempts   The number of times the user has resent the OTP.
p1MFADeviceId       The device ID for the device being registered.