CIAM Plus With Protect - Profile Management - Manage MFA - Main Flow
The CIAM Plus With Protect - Profile Management - Manage MFA - Main Flow lets users view and manage the devices associated with their account.
Purpose
The CIAM Plus With Protect - Profile Management - Manage MFA - Main Flow verifies the user’s session or lets the user sign on using the CIAM Plus With Protect - SignOn - Subflow and performs a threat assessment using the CIAM Plus With Protect - Threat Detection - Subflow. It presents users with their current multi-factor authentication (MFA) devices, then presents the options for users to add new devices, change the name or status of existing devices, or remove an existing device.
Structure
This flow is divided into sections using teleport nodes:
- Flow Configuration
  - Uses function nodes to set variables. Then, if agreement is required but no agreement ID is present, the flow progresses to the Check Session, Call To Protect Analysis & MFA Step-Up section.
- Check Session, Call To Protect Analysis & MFA Step-Up
  - Uses a PingOne node to check for a valid session:
    - If a session exists, a hidden HTML node captures risk information, then a PingOne node gathers additional information. The flow then progresses to the Threat Detection & Mitigation section. When that section completes, the flow progresses to the MFA Authentication section, and when that section completes, the flow progresses to the Display User Devices section.
    - If no session exists, a PingOne node deletes any existing session token, then the CIAM Plus With Protect - SignOn - Subflow is invoked. When the subflow completes, a PingOne node creates or updates the session while a loading screen is displayed for the user. A PingOne node retrieves user information, then the flow progresses to the MFA Authentication section. When that section completes, the flow progresses to the Display User Devices section.
- Threat Detection & Mitigation
  - Invokes the CIAM Plus With Protect - Threat Detection - Subflow.
  - If the CIAM Plus With Protect - Threat Detection - Subflow completes successfully, a function node stores the risk evaluation as a variable, then a second function node branches the flow based on the risk level:
    - If the risk level is low, the flow returns to the previous section.
    - If the risk level is medium, the flow progresses to the MFA Authentication section. The flow then returns to the previous section.
    - If the risk level is high, a function node checks whether the high risk was the result of a new device. If not, a PingOne node notifies the user. The flow then progresses to the Return Error section.
  - If the CIAM Plus With Protect - Threat Detection - Subflow completes unsuccessfully, a function node stores the risk evaluation as a variable, then the flow progresses to the Return Error section.
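The risk-level branch described in the Threat Detection & Mitigation section, as an added example that is not part of the original page or of Ping Identity's flow code. It is written in JavaScript, the language DaVinci custom function nodes run. The shape of the evaluation object (`result.level` plus an assumed `details.predictors` list), the predictor names in the constructed samples, the `notify` callback and the section names returned are assumptions for illustration. The page does not say what happens for an unrecognised risk level; the example fails closed to Return Error rather than treating it as low risk.

```javascript
// Added example (not Ping Identity's code): the risk-level branch of the
// Threat Detection & Mitigation section as a plain function.
// Assumed shapes: evaluation.result.level is "LOW" | "MEDIUM" | "HIGH";
// evaluation.details.predictors is a list of { name, level }.

const NEXT = {
  PREVIOUS: "previous section",
  MFA: "MFA Authentication",
  ERROR: "Return Error",
};

// "High risk was the result of a new device" is modelled here as: every
// predictor rated HIGH is the newDevice predictor (assumption).
function isNewDeviceOnly(evaluation) {
  const predictors =
    (evaluation && evaluation.details && evaluation.details.predictors) || [];
  const high = predictors.filter(
    (p) => p && String(p.level).toUpperCase() === "HIGH"
  );
  return high.length > 0 && high.every((p) => p.name === "newDevice");
}

// Returns where the flow goes next, what was stored, and whether the user
// was notified. opts.subflowSucceeded models the subflow's outcome and
// opts.notify stands in for the PingOne notification node.
function routeByRisk(evaluation, opts) {
  const o = opts || {};
  const subflowSucceeded = o.subflowSucceeded !== false;
  const notify = typeof o.notify === "function" ? o.notify : () => {};

  // Unsuccessful subflow: the evaluation is still stored, then the flow errors out.
  if (!subflowSucceeded) {
    return { next: NEXT.ERROR, stored: evaluation, stepUp: false, notified: false };
  }

  const level = String(
    (evaluation && evaluation.result && evaluation.result.level) || ""
  ).toUpperCase();

  switch (level) {
    case "LOW":
      return { next: NEXT.PREVIOUS, stored: evaluation, stepUp: false, notified: false };
    case "MEDIUM":
      // Medium risk: step up to MFA, then return to the calling section.
      return { next: NEXT.MFA, stored: evaluation, stepUp: true, notified: false };
    case "HIGH": {
      // High risk always ends in Return Error; the user is notified only when
      // the risk is not explained by a new device alone.
      let notified = false;
      if (!isNewDeviceOnly(evaluation)) {
        notify(evaluation);
        notified = true;
      }
      return { next: NEXT.ERROR, stored: evaluation, stepUp: false, notified };
    }
    default:
      // Unknown or missing level: fail closed (assumption; the page does not cover this).
      return { next: NEXT.ERROR, stored: evaluation, stepUp: false, notified: false };
  }
}

// Constructed sample evaluations (ids and predictor names are made up).
const SAMPLE_EVALUATIONS = {
  low: { id: "eval-low", result: { level: "LOW" }, details: { predictors: [] } },
  medium: {
    id: "eval-medium",
    result: { level: "MEDIUM" },
    details: { predictors: [{ name: "anonymousNetwork", level: "MEDIUM" }] },
  },
  highNewDevice: {
    id: "eval-high-new-device",
    result: { level: "HIGH" },
    details: { predictors: [{ name: "newDevice", level: "HIGH" }] },
  },
  highOther: {
    id: "eval-high-other",
    result: { level: "HIGH" },
    details: {
      predictors: [
        { name: "newDevice", level: "HIGH" },
        { name: "ipVelocity", level: "HIGH" },
      ],
    },
  },
};
```

In a real function node the returned `next` value would drive the teleport to the named section; keeping the decision in one pure function makes the branch easy to unit test against captured evaluations before wiring it into the flow.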
- MFA Authentication
  - Uses a function node to check whether MFA is enabled.
  - If MFA is enabled, the flow uses a PingOne node to retrieve the user’s devices, then uses a hidden HTML node to check for WebAuthn compatibility. Function nodes check whether the user has at least one active device:
    - If the user has at least one active device, the CIAM Plus With Protect - Device Authentication - Subflow is invoked, a function node stores the authentication method as a variable, and the flow then returns to the previous section.
    - If the user has no active devices, the flow progresses to the Step Up To Register Email MFA Device, If No MFA Devices Found During Authentication section.
  - If MFA is not enabled, an HTML node offers the user the option to enable MFA. If the user enables MFA, a PingOne node enables MFA and the flow returns to the beginning of the section.
- Step Up To Register Email MFA Device, If No MFA Devices Found During Authentication
  - A comparison node checks whether email verification is required.
  - If email verification is not required, the flow invokes the CIAM Plus With Protect - Device Registration - Subflow, then a function node evaluates the device registration result:
    - If the device registration was completed, the authentication method is stored as a variable, and the flow returns to the MFA Authentication section.
    - If the device registration was skipped, the flow returns to the MFA Authentication section.
  - If email verification is required, the flow invokes the CIAM Plus With Protect - Verify Email - Subflow, then uses PingOne nodes to enroll email as an MFA device and enable MFA for the user. A function node stores the user’s authentication method as a variable, and the flow returns to the MFA Authentication section.
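The device gate that the MFA Authentication and Step Up To Register Email MFA Device sections describe, as an added example that is not part of the original page or of Ping Identity's flow code, written in JavaScript as a DaVinci function node would be. The device object shape (`{ id, type, status }`), the `"ACTIVE"` and `"ACTIVATION_REQUIRED"` status values in the constructed sample, the registration result shape and the step names returned are assumptions for illustration. The point it makes explicit is that only active devices satisfy the gate: a device that exists but was never activated sends the user to registration, and a skipped registration records no authentication method.

```javascript
// Added example (not Ping Identity's code): the MFA device gate from the
// MFA Authentication and Step Up sections, as plain functions.
// Assumed shapes: device = { id, type, status }; registration result =
// { status: "completed" | "skipped", method }.

const STEP = {
  OFFER_ENABLE_MFA: "offer to enable MFA",
  DEVICE_AUTH: "Device Authentication subflow",
  VERIFY_EMAIL: "Verify Email subflow, then enroll email and enable MFA",
  DEVICE_REGISTRATION: "Device Registration subflow",
  BACK_TO_MFA_AUTH: "return to MFA Authentication",
};

// Only devices whose status is ACTIVE count (assumed status value). A device
// that was created but never activated must not satisfy the gate.
function activeDevices(devices) {
  return (devices || []).filter((d) => d && d.status === "ACTIVE");
}

// Decide the next step for a user entering the MFA Authentication section.
function nextMfaStep(input) {
  const { mfaEnabled, devices, emailVerificationRequired } = input || {};
  if (!mfaEnabled) {
    // MFA not enabled: the HTML node offers to enable it; no device check yet.
    return { step: STEP.OFFER_ENABLE_MFA, activeCount: 0 };
  }
  const active = activeDevices(devices);
  if (active.length > 0) {
    return { step: STEP.DEVICE_AUTH, activeCount: active.length };
  }
  // No active device: step up into registration. Which subflow runs depends
  // on whether the tenant requires email verification first.
  return {
    step: emailVerificationRequired ? STEP.VERIFY_EMAIL : STEP.DEVICE_REGISTRATION,
    activeCount: 0,
  };
}

// Evaluate the Device Registration result. Both outcomes return to the MFA
// Authentication section, but only a completed registration records an
// authentication method.
function afterDeviceRegistration(result) {
  if (result && result.status === "completed") {
    return {
      step: STEP.BACK_TO_MFA_AUTH,
      authenticationMethod: result.method || null,
    };
  }
  return { step: STEP.BACK_TO_MFA_AUTH, authenticationMethod: null };
}

// Constructed sample: one activated TOTP device and one SMS device that is
// still awaiting activation (ids and statuses are made up for the example).
const SAMPLE_DEVICES = [
  { id: "dev-1", type: "TOTP", status: "ACTIVE" },
  { id: "dev-2", type: "SMS", status: "ACTIVATION_REQUIRED" },
];
```

Running `nextMfaStep` against `SAMPLE_DEVICES` with MFA enabled routes to device authentication because one device is active; dropping the TOTP device from the list routes to registration even though a device record still exists, which is the behaviour the flow relies on to keep half-enrolled users from bypassing MFA.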
- Display User Devices
  - Uses a PingOne node to retrieve the user’s known devices. If the user can add devices, a custom HTML template presents the user with device options. If the user selects Add, the flow progresses to the Add Device section. If the user selects Done or Cancel, the flow progresses to the Return Success section. If the user selects an existing device, the flow progresses to the Update Device section.
- Add Device
  - Invokes the CIAM Plus With Protect - Device Registration - Subflow. The flow then progresses to the Display User Devices section, whether the addition was successful or canceled.
- Update Device
  - Presents users with a custom HTML page showing options for the currently selected device. The Save and Default options trigger PingOne nodes to save a new device name or set the current device as the default. The Remove option triggers an HTML node that asks the user to confirm the deletion. If the user confirms the deletion, a PingOne node removes the current device, then the flow progresses to the Display User Devices section. If the user cancels, the flow progresses to the Display User Devices section.
- Return Success
  - Sends a JSON success message.
- Return Error
  - Displays an error message, then sends a JSON error response.
Input schema
This flow has the following inputs:

| Input Name | Description |
|---|---|
| | Parameters passed in when the flow is launched using the widget. |
Output schema
This flow has the following outputs:

| Output Name | Description |
|---|---|
| | The result status of the flow. |
| | The user’s PingOne user ID. |
| | The error message to display in the parent flow. |
| | The details of the error that occurred in this flow. |
Variables and parameters
This flow uses the following variable or parameter values:

| Variable name | Parameter name | Description |
|---|---|---|
| | None | The HTML style to use for your company logo. |
| | None | The URL for your company logo. |
| | None | Displays the name of your company. |
| | | Indicates whether magic link is enabled in your environment. |
| | | A boolean indicating whether agreement is enabled in your environment. |
| | None | A boolean that controls whether MFA is required for all users. |
| | None | The maximum number of times a user can resend a one-time passcode (OTP). |
| | None | The maximum number of times a user can attempt to verify their email address. |
| | None | The maximum allowed session length for a user in the flow. |
| | None | A boolean indicating whether a user can fall back to an OTP if a mobile push request times out. |
| | None | The ID of the PingOne agreement to present to users. |
| | None | The PingOne risk policy ID to use for authentication. |
| | None | The risk evaluation ID returned by PingOne Protect. |
| | None | The PingOne risk policy ID to use for registration. |
| | None | The PingOne risk policy ID to use for account recovery. |
| | None | The company logo to use during the flow. |
| | None | The PingOne MFA policy ID. |
| | None | The PingOne risk policy ID to use for authorization. |
| | None | The authentication method used by the user. |