PingOne for Customers Plus

CIAM Plus With Protect - Profile Management - Basic Profile Management - Main Flow

The CIAM Plus With Protect - Profile Management - Basic Profile Management - Main Flow flow lets users update their account information.

Purpose

The CIAM Plus With Protect - Profile Management - Basic Profile Management - Main Flow flow presents users with an option to update their account information. The flow uses the CIAM Plus With Protect - SignOn - Subflow to let users sign on if they do not already have a session, and uses the CIAM Plus With Protect - Threat Detection - Subflow to perform a threat assessment. Users are then presented are presented with a form that enables them to change the name and address associated with their account. The flow uses PingOne nodes to make the changes to the account.

Structure

This flow is divided into sections using teleport nodes:

Flow Configuration

Uses function nodes to set variables. Then, if agreement is required but no agreement ID is present, the flow progresses to the Check Session, Call To Protect Analysis & MFA Step-Up section.

Check Session, Call To Protect Analysis & MFA Step-Up

Uses a PingOne node to check for a valid session:

  • If a session exists, a hidden HTML node captures risk information, then a PingOne node gathers additional information. The flow then progresses to the Threat Detection & Mitigation section. When this section completes, the flow progresses to the MFA Authentication section. When this section completes, the flow progresses to the Update Profile section.

  • If no session exists, a PingOne node deletes any existing session token, then the CIAM Plus With Protect - SignOn - Subflow is invoked. When the flow completes, a PingOne node creates or updates the session while a loading screen is displayed for the user. A PingOne node retrieves user information, then the flow progresses to the MFA Authentication section. When this section completes, the flow progresses to the Update Profile section.

Threat Detection & Mitigation

Invokes the CIAM Plus With Protect - Threat Detection - Subflow.

If the CIAM Plus With Protect - Threat Detection - Subflow completes successfully, a function node stores the risk evaluation as a variable, then a second function node branches the flow based on the risk level:

  • If the risk level is low, the flow returns to the previous section.

  • If the risk level is medium, the flow progresses to the MFA Authentication section. The flow then returns to the previous section.

  • If the risk level is high, a function node checks if the high risk was the result of a new device. If not, a PingOne node notifies the user. The flow then progresses to the Return Error section.

If the CIAM Plus With Protect - Threat Detection - Subflow completes unsuccessfully, a function node stores the risk evaluation as a variable, then the flow progresses to the Return Error section.

MFA Authentication

Uses a PingOne node to retrieve the user’s devices, then uses a hidden HTML node to check for WebAuthn compatibility. A function node then checks if the user has at least one active device:

  • If the user has at least one active device, the CIAM Plus With Protect - Device Authentication - Subflow is invoked, a function node stores the authentication method as a variable, and the flow then returns to the previous section.

  • If the user has no active devices, the flow progresses to the Step Up To Register Email MFA Device, If No MFA Devices Found During Authentication section.

Step Up To Register Email MFA Device, If No MFA Devices Found During Authentication

A comparison node checks whether email verification is required.

If email verification is not required, invokes the CIAM Plus With Protect - Device Registration - Subflow, then a function node evaluates the device registration result:

  • If the device registration was completed, the authentication method is stored as a variable, and the flow returns to the MFA Authentication section.

  • If the device registration was skipped, the flow returns to the MFA Authentication section.

If email verification is required, invokes the CIAM Plus With Protect - Verify Email - Subflow, then uses PingOne nodes to enroll email as a multi-factor authentication (MFA) device and enable MFA for the user. A function node stores the user’s authentication method as a variable, and the flow returns to the MFA Authentication section.

Update Profile

Uses a PingOne node to find the user. The flow then presents users with a custom HTML form that lets them enter updated name and address information. When the user submits this information, function nodes determine whether a new address was submitted, then PingOne nodes update the user’s information with or without the address. The flow displays a success message on the custom HTML form, then progresses to the Return Success section.

Return Success

Sends a JSON success message.

Return Error

Displays an error message, then sends a JSON error message.

Input schema

This flow has the following inputs:

Input Name Required Description

flowParameters

No

An object containing parameters passed in if the flow was launched with the widget. This input replaces all other inputs.

Output schema

This flow has the following outputs:

Output Name Description

flowResult

The result status of the flow.

p1UserId

The user’s PingOne user ID.

errorMessage

The error message to display in the parent flow.

errorDetails

The details of the error that occurred in this flow.

Variables

This flow uses the following variables:

Variable name Parameter name Description

ciam_logoStyle

None

The HTML style to use for your company logo.

ciam_logoUrl

None

The URL for your company logo.

ciam_companyName

None

Displays the name of your company.

ciam_magicLinkEnabled

isEmailMagicLinkEnabled

Indicates whether magic link is enabled in your environment.

ciam_agreementEnabled

isTermsOfServiceEnabled

A boolean indicating whether agreement is enabled in your environment.

ciam_requireMFA

None

A boolean that controls whether MFA enrollment is required for all users.

ciam_resendOtpLimit

None

The maximum number of times a user can resend a one-time passcode (OTP).

ciam_verificationLimit

None

The maximum number of times a user can attempt to verify their email address.

ciam_sessionLengthInMinute

None

The maximum allowed session length for a user in the flow.

ciam_otpFallbackAllowed

None

A boolean indicating whether a user can fall back to an OTP if a mobile push request times out.

p1AgreementId

None

The ID of the PingOne agreement to present to users.

p1RiskPolicyIdAuthn

None

The PingOne risk policy ID to use for authentication.

protectRiskEvalId

None

The risk evaluation ID returned by PingOne Protect.

p1RiskPolicyIdReg

None

The PingOne risk policy ID to use for registration.

p1RiskPolicyIdAR

None

The PingOne risk policy ID to use for account recovery.

flowCompanyLogo

None

The company logo to use during the flow.

p1MFAPolicyId

None

The PingOne MFA policy ID.

p1RiskPolicyIdAuthZ

None

The PingOne risk policy ID to use for authorization.

authMethod

None

The authentication method used by the user.