PingOne for Customers Plus

CIAM Plus With Protect - SignOn - Subflow

The CIAM Plus With Protect - SignOn - Subflow lets users sign on, create a new account, or recover an account.

Purpose

The CIAM Plus With Protect - SignOn - Subflow enables existing users to sign on using a password, uses the CIAM Plus With Protect - Account Registration - Subflow flow to let new users register, uses the CIAM Plus With Protect - Account Recovery - Email - Subflow flow to let existing users recover their account, and uses the CIAM Plus With Protect - Device Authentication - Subflow flow to let existing users sign on using a known device.

Structure

This flow is divided into sections using teleport nodes:

Flow Configuration

Uses multiple function nodes to save the variable and parameter values so that the correct values are available in the flow and in subflows. The flow then progresses to the Offer Sign On Page section.

Offer Sign On Page

Displays an HTML page with options to sign on using a password, recover from a forgotten password, or register a new account.

If the user clicks Sign On, a PingOne node looks up the user using their email address. The flow then progresses to the Threat Detection And Mitigation section. When this section completes, the flow progresses to the Password Authentication section.

If the user selects the forgot password option, the flow progresses to the Call Account Recovery Sub-Flow section.

If the user selects the registration option, the flow progresses to the Call Account Registration Sub-Flow section.

If no options match, a hidden HTML node activates CSS files for social login, and the flow progresses to the Call Check Agreement and Email Verification Sub-Flow section.

Call Account Recovery Sub-Flow

Invokes the CIAM Plus With Protect - Account Recovery - Email - Subflow flow, then progresses to the Offer Sign On Page section.

Call Account Registration Sub-Flow

Invokes the CIAM Plus With Protect - Account Registration - Subflow flow. If the subflow’s result is signOn, the flow progresses to the Offer Sign On Page section. If the subflow’s result is complete, the flow invokes the CIAM Plus With Protect - Device Registration - Subflow flow, uses a PingOne node to send an account creation email, and then progresses to the Return Success section.

Threat Detection And Mitigation

Invokes the CIAM Plus With Protect - Threat Detection - Subflow.

If the CIAM Plus With Protect - Threat Detection - Subflow completes successfully, a function node stores the risk evaluation as a variable, then a second function node branches the flow based on the risk level:

  • If the risk level is low, a function node sets the isMFAAuthnReq variable to false. The flow then progresses to the Return Success section if an existing session was found, and to the Password Authentication section if no session was found.

  • If the risk level is medium, a function node sets the isMFAAuthnReq variable to true. The flow then progresses to the Password Authentication section.

  • If the risk level is high, function nodes check if the PingOne user ID is unknown and if the high risk was the result of a new device. If the PingOne ID is unknown and the high risk was not the result of a new device, a PingOne node sends an email notifying the user of suspicious activity. A function node sets the isMFAAuthnReq variable to true, and the flow progresses to the Password Authentication section.

If the CIAM Plus With Protect - Threat Detection - Subflow completes unsuccessfully, an error message is displayed.

Password Authentication

Uses two PingOne nodes to look up the user and validate the provided password. If the password is correct and current, the flow progresses to the Return Success section. If the password is correct but must be changed or is expired, the flow progresses to the Call Change Password Sub-Flow section. If the password is incorrect or the user cannot be found, a comparison node checks whether the account is locked. If the account is locked, the flow progresses to the Return Error section. If the account is not locked, an error message is displayed to the user.

MFA Authentication

Uses a PingOne node to look up the user’s existing devices. An HTML node then checks the user’s current device for Webauthn support, and comparison nodes filter for unusable devices and check if at least one device is configured.

If the user has no active devices or the user’s device information could not be found, the flow progresses to the Step up to register Email MFA device if no MFA devices found during authentication section.

If the user has active devices, a PingOne node enables MFA, then invokes the CIAM Plus With Protect - Device Authentication - Subflow. If the subflow completes successfully, the flow progresses to the Check Password Status node in the Password Authentication section.

Call Change Password Sub-Flow

Invokes the CIAM Plus With Protect - Change Password - Subflow flow. If the subflow completes successfully, the flow displays a success message and a PingOne node sends a password change email the flow. The flow then progresses to the Call Check Agreement and Email Verification Sub-Flow section.

Step up to register Email MFA device if no MFA devices found during authentication

A comparison node checks whether email verification is required.

If email verification is not required, invokes the CIAM Plus With Protect - Device Registration - Subflow, then progresses to the Check Password Status node in the Password Authentication section.

If email verification is required, invokes the CIAM Plus With Protect - Verify Email - Subflow, then uses PingOne nodes to enroll email as an MFA device, enable MFA for the user, and send an email confirming the email device registration. The flow then progresses to the Check Password Status node in the Password Authentication section.

Call Check Agreement and Email Verification Sub-Flow

Invokes the CIAM Plus With Protect - Agreement (ToS) - Subflow, then uses a PingOne node to retrieve user information. A function node checks whether email verification is required, and if email verification is required, the CIAM Plus With Protect - Verify Email - Subflow is invoked. The flow then progresses to the Handle Remember Me if Applicable section.

Handle Remember Me if Applicable

Adds Remember Me as an authentication method if it is enabled, then progresses to the Return Success section.

Return Success

Displays an HTML success message to the user, then sends a success response, indicating that the flow completed successfully.

Return Error

Displays an error screen and sends an error JSON response, indicating that the flow completed unsuccessfully.

Input schema

This flow has the following inputs:

Input Name Required Description

flowParameters

No

An object containing parameters passed in if the flow was launched with the widget. This input replaces all other inputs.

p1AgreementId

No

The ID of the PingOne agreement to present to users.

p1MFAPolicyId

No

The PingOne MFA policy ID.

p1RiskPolicyIdReg

No

The PingOne risk policy ID to use for registration.

p1RiskPolicyIdAuthn

No

The PingOne risk policy ID to use for authentication.

p1RiskPolicyIdAR

No

The PingOne risk policy ID to use for account recovery.

canUserEnableMFA

No

Indicates whether the user can enable MFA for their account.

Output schema

This flow has the following outputs:

Output Name Description

errorMessage

The error message to display in the parent flow.

errorDetails

The details of the error that occurred in this flow.

authMethod

The authentication method used in the flow.

p1UserId

The PingOne user ID of the user.

Variables and parameters

This flow uses the following variable or parameter values:

Variable name Parameter name Description

ciam_logoStyle

None

The HTML style to use for your company logo.

ciam_logoUrl

None

The URL for your company logo.

ciam_appleEnabled

isAppleEnabled

Indicates whether authentication through Apple is enabled in your environment.

ciam_facebookEnabled

isFacebookEnabled

Indicates whether authentication through Facebook is enabled in your environment.

ciam_googleEnabled

isGoogleEnabled

Indicates whether authentication through Google is enabled in your environment.

ciam_companyName

None

Displays the name of your company.

ciam_magicLinkEnabled

isEmailMagicLinkEnabled

Indicates whether magic link is enabled in your environment.

ciam_agreementEnabled

isTermsOfServiceEnabled

A boolean indicating whether agreement is enabled in your environment.

ciam_requireMFA

None

A boolean that controls whether MFA is required for all users.

ciam_resendOtpLimit

None

The maximum number of times a user can resend a one-time passcode (OTP).

ciam_verificationLimit

None

The maximum number of times a user can attempt to verify their email address.

ciam_otpFallbackAllowed

None

A boolean indicating whether a user can fall back to an OTP if a mobile push request times out.

ciam_recoveryLimit

None

The maximum number of times a user can attempt to recover an account.

ciam_accountRecoveryEnabled

None

A boolean that controls whether account recovery is enabled in your environment.

p1AgreementId

None

The ID of the PingOne agreement to present to users.

p1RiskPolicyIdAuthn

None

The PingOne risk policy ID to use for authentication.

protectRiskEvalId

None

The risk evaluation ID returned by PingOne Protect.

p1RiskPolicyIdReg

None

The PingOne risk policy ID to use for registration.

p1RiskPolicyIdAR

None

The PingOne risk policy ID to use for account recovery.

flowCompanyLogo

None

The company logo to use during the flow.

p1MFAPolicyId

None

The PingOne MFA policy ID.

authMethod

None

The authentication method used by the user.

protectDeviceStatus

None

The status of the user’s device as determined by PingOne Protect.

flowRequireMFA

None

Indicates whether MFA enrollment is required in the flow.

isMFAAuthnReq

None

Indicates whether MFA authentication is required.