CIAM Plus With Protect - Registration and Authentication with Username and Password - Main Flow
The CIAM Plus With Protect - Registration and Authentication with Username and Password - Main Flow lets users sign on, create a new account, or recover an account. It can be launched through the widget or through PingOne.
Purpose
The CIAM Plus With Protect - Registration and Authentication with Username and Password - Main Flow is the initial flow in the PingOne for Customers Plus solution. It enables existing users to sign on using a password, uses the CIAM Plus With Protect - Account Registration - Subflow flow to let new users register, uses the CIAM Plus With Protect - Account Recovery - Email - Subflow flow to let existing users recover their account, and uses the CIAM Plus With Protect - Device Authentication - Subflow flow to let existing users sign on using a known device.
Structure
This flow is divided into sections using teleport nodes:
- Flow Configuration
-
Uses multiple function nodes to save the variable and parameter values so that the correct values are available in the flow and in subflows. The flow then progresses to the Check for Session section.
- Check for Session
-
Uses a PingOne node to determine whether the user has an existing session.
If the user has a session, a hidden HTML node captures risk information and a PingOne node fetches additional user information, then the flow progresses to the Threat Detection and Mitigation section. When this section completes, the flow progresses to the Return Success section.
If the user does not have a session, the flow checks for any existing session tokens and uses a PingOne node to delete the prior session before the flow progresses to the Offer Sign On Page section.
- Offer Sign On Page
-
Displays an HTML page with options to sign on using a password, recover from a forgotten password, or register a new account. The sign-on option progresses to the Password Authentication section, the forgot password option progresses to the Call Account Recovery Sub-Flow section, and the register option progresses to the Call Account Registration Sub-Flow section. If no options match, a hidden HTML node activates CSS files for social login, and the flow progresses to the Call Check Agreement and Email Verification Sub-Flow section.
- Call Account Recovery Sub-Flow
-
Invokes the CIAM Plus With Protect - Account Recovery - Email - Subflow flow, then progresses to the Offer Sign On Page section.
- Call Account Registration Sub-Flow
-
Invokes the CIAM Plus With Protect - Account Registration - Subflow flow. If the subflow’s result is
signOn
, the flow progresses to the Offer Sign On Page section. If the subflow’s result iscomplete
, the flow invokes the CIAM Plus With Protect - Device Registration - Subflow flow, uses a PingOne node to send an account creation email, and then progresses to the Return Success section. - Threat Detection and Mitigation
-
Invokes the CIAM Plus With Protect - Threat Detection - Subflow.
If the CIAM Plus With Protect - Threat Detection - Subflow completes successfully, a function node stores the risk evaluation as a variable, then a second function node branches the flow based on the risk level:
-
If the risk level is low, a function node sets the
isMFAAuthnReq
variable to false. The flow then progresses to the Return Success section if an existing session was found, and to the Password Authentication section if no session was found. -
If the risk level is medium, a function node sets the
isMFAAuthnReq
variable to true. The flow then progresses to the MFA Authentication section if an existing session was found, and to the Password Authentication section if no session was found. -
If the risk level is high, a function node checks if the high risk was the result of a new device. If not, a PingOne node notifies the user and a function node sets the
isMFAAuthnReq
variable to true. The flow then progresses to the MFA Authentication section if an existing session was found, and to the Password Authentication section if no session was found.
If the CIAM Plus With Protect - Threat Detection - Subflow completes unsuccessfully, an error message is displayed, a function node stores the risk evaluation as a variable, and the flow progresses to the Return Error section.
-
- Password Authentication
-
Uses two PingOne nodes to look up the user and validate the provided password. If the password is correct and current, the flow progresses to the Return Success section. If the password is correct, but must be changed or is expired, the flow progresses to the Call Change Password Sub-Flow section. If the password is incorrect or the user cannot be found, a comparison node checks whether the account is locked. If the account is locked, the flow progresses to the Return Error section. If the account is not locked, an error message is displayed to the user.
- MFA Authentication
-
Uses a function node to check if multi-factor authentication (MFA) is required and returns to the calling node if MFA is not required. The flow then uses a PingOne node to look up the user’s existing devices. An HTML node then checks the user’s current device for Webauthn support, and comparison nodes filter for unusable devices and check if at least one device is configured.
If the user has no active devices or the user’s device information could not be found, the flow progresses to the Step up to register Email MFA device if no MFA devices found during authentication section.
If the user has active devices, the flow invokes the CIAM Plus With Protect - Device Authentication - Subflow. If the subflow completes successfully, a function node saves the user’s authentication method as a variable, and the flow progresses to the Return Success section if an existing session was found, and to the Password Authentication section if no session was found. If the user canceled the subflow, the flow progresses to the Return Error section if an existing session was found, and to the Offer Sign On Page section if no session was found.
- Call Change Password Sub-Flow
-
Invokes the CIAM Plus With Protect - Change Password - Subflow flow. If the subflow completes successfully, the flow displays a success message and a PingOne node sends a password change email the flow. The flow then progresses to the Call Check Agreement and Email Verification Sub-Flow section.
- Step up to register Email MFA device if no MFA devices found during authentication
-
A comparison node checks whether email verification is required.
If email verification is not required, invokes the CIAM Plus With Protect - Device Registration - Subflow. The section then branches based on the device registration result:
-
If the result is Complete, the user’s authentication method is stored as a variable and the flow returns to the previous section.
-
If the result is Skip, the flow returns to the previous section.
-
If the result is Cancel, the flow returns to the Return Error section if an existing session was found, and to the Offer Sign On Page section if no session was found.
If email verification is required, invokes the CIAM Plus With Protect - Verify Email - Subflow, then uses PingOne nodes to enroll email as an MFA device and enable MFA for the user. The user’s authentication method is stored as a variable, and the flow then returns to the previous section.
-
- Call Check Agreement and Email Verification Sub-Flow
-
Invokes the CIAM Plus With Protect - Agreement (ToS) - Subflow, then uses a PingOne node to retrieve user information. A function node checks whether email verification is required, and if email verification is required, the CIAM Plus With Protect - Verify Email - Subflow is invoked. The flow then progresses to the Handle Remember Me if Applicable section.
- Handle Remember Me if Applicable
-
Adds Remember Me as an authentication method if it is enabled, then progresses to the Return Success section.
- Return Success
-
Displays a success message, then uses a function node to determine how the flow was launched. If the flow was launched with the widget, a PingOne node looks up the user. A PingOne Authentication node then sends a success response and creates a session with a duration of two days.
- Return Error
-
Displays an error screen and sends an error JSON response, indicating that the flow completed unsuccessfully.
Input schema
This flow has the following inputs:
Input Name | Required | Description |
---|---|---|
|
No |
An object containing parameters passed in if the flow was launched with the widget. This input replaces all other inputs. |
Variables and parameters
This flow uses the following variable or parameter values:
Variable name | Parameter name | Description |
---|---|---|
|
|
Indicates whether authentication through Apple is enabled in your environment. |
|
|
Indicates whether authentication through Facebook is enabled in your environment. |
|
|
Indicates whether authentication through Google is enabled in your environment. |
|
|
Indicates whether magic link is enabled in your environment. |
|
None |
The maximum time a user can spend in the flow before it times out. |
|
None |
The HTML style to use for your company logo. This value is only used when the flow is launched with a redirect. |
|
None |
The URL for your company logo. This value is only used when the flow is launched with a redirect. |
|
None |
Displays the name of your company. This value is only used when the flow is launched with a redirect. |
|
|
A boolean that controls whether account recovery is enabled in your environment. |
|
|
A boolean indicating whether agreement is enabled in your environment. |
|
None |
The ID of the PingOne agreement to present to users. |
|
None |
The PingOne risk policy ID to use for authentication. |
|
None |
The PingOne risk policy ID to use for account recovery. |
|
None |
The PingOne risk policy ID to use for registration. |
|
None |
The PingOne MFA policy ID. |
|
None |
Indicates whether MFA authentication is required. |
|
None |
Indicates whether MFA enrollment is required or optional in the flow. |
|
None |
The company logo to use during the flow. |
|
None |
The risk evaluation ID returned by PingOne Protect. |
|
None |
The authentication method used by the user. |
|
None |
The maximum number of times a user can resend a one-time passcode (OTP). |
|
None |
The maximum number of times a user can attempt to recover an account. |
|
None |
A boolean indicating whether a user can fall back to an OTP if a mobile push request times out. |
|
None |
The maximum number of times a user can attempt to verify their email address. |
|
|
A boolean that controls whether MFA enrollment is required for all users. |