CIAM Plus With Protect - Profile Management - Agreement TOS - Main Flow
The CIAM Plus With Protect - Profile Management - Agreement TOS - Main Flow flow lets users view the terms of service.
Purpose
The CIAM Plus With Protect - Profile Management - Agreement TOS - Main Flow flow checks for an existing session, and uses the CIAM Plus With Protect - SignOn - Subflow to let users sign on if they do not already have a session. It uses the CIAM Plus With Protect - Threat Detection - Subflow to perform a threat assessment, then displays the terms of service for the user. If the user has not accepted the terms of service, the flow displays a form to allow the user to accept or decline and records the user response.
Structure
This flow is divided into sections using teleport nodes:
- Flow Configuration
  Uses function nodes to set variables. Then, if agreement is required, but no agreement ID is present, the flow progresses to the Check Session, Call To Protect Analysis & MFA Step-Up section.
- Check Session, Call To Protect Analysis & MFA Step-Up
  Uses a PingOne node to check for a valid session:
  - If a session exists, a hidden HTML node captures risk information, then a PingOne node gathers additional information. The flow then progresses to the Threat Detection & Mitigation section. When this section completes, the flow progresses to the MFA Authentication section. When this section completes, the CIAM Plus With Protect - Agreement (ToS) - Subflow is invoked. The flow then progresses to the Return Success section.
  - If no session exists, a PingOne node deletes any existing session token, then the CIAM Plus With Protect - SignOn - Subflow is invoked. When the flow completes, a PingOne node creates or updates the session while a loading screen is displayed for the user. A PingOne node retrieves user information, then the flow progresses to the MFA Authentication section. When this section completes, the CIAM Plus With Protect - Agreement (ToS) - Subflow is invoked. The flow then progresses to the Return Success section.
- Threat Detection & Mitigation
  Invokes the CIAM Plus With Protect - Threat Detection - Subflow.
  If the CIAM Plus With Protect - Threat Detection - Subflow completes successfully, a function node stores the risk evaluation as a variable, then a second function node branches the flow based on the risk level:
  - If the risk level is low, the flow returns to the previous section.
  - If the risk level is medium, the flow progresses to the MFA Authentication section. The flow then returns to the previous section.
  - If the risk level is high, a function node checks if the high risk was the result of a new device. If not, a PingOne node notifies the user. The flow then progresses to the Return Error section.
  If the CIAM Plus With Protect - Threat Detection - Subflow completes unsuccessfully, a function node stores the risk evaluation as a variable, then the flow progresses to the Return Error section.
- MFA Authentication
  Uses a PingOne node to retrieve the user’s devices, then uses a hidden HTML node to check for WebAuthn compatibility. A function node then checks if the user has at least one active device:
  - If the user has at least one active device, the CIAM Plus With Protect - Device Authentication - Subflow is invoked, a function node stores the authentication method as a variable, and the flow then returns to the previous section.
  - If the user has no active devices, the flow progresses to the Step Up To Register Email MFA Device, If No MFA Devices Found During Authentication section.
- Step Up To Register Email MFA Device, If No MFA Devices Found During Authentication
  A comparison node checks whether email verification is required.
  If email verification is not required, invokes the CIAM Plus With Protect - Device Registration - Subflow, then a function node evaluates the device registration result:
  - If the device registration was completed, the authentication method is stored as a variable, and the flow returns to the MFA Authentication section.
  - If the device registration was skipped, the flow returns to the MFA Authentication section.
  If email verification is required, invokes the CIAM Plus With Protect - Verify Email - Subflow, then uses PingOne nodes to enroll email as an MFA device and enable MFA for the user. A function node stores the user’s authentication method as a variable, and the flow returns to the MFA Authentication section.
- Return Error
  Displays an error message, then sends a JSON error message.
- Return Success
  Sends a JSON success message.
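The routing described above can be modeled and checked for gating invariants, for example when reviewing a customized copy of the flow. The following is an added example, not PingOne DaVinci code: section names come from this page, while the function names, input fields, and the treatment of step-up as completing the MFA section are assumptions.

```javascript
// Added model of the routing described on this page; not PingOne DaVinci code.
// Section names come from the page; function and field names are hypothetical.
function mfaAuthentication(s, trace) {
  trace.push("MFA Authentication");
  if (s.hasActiveDevice) { trace.push("Device Authentication Subflow"); return; }
  trace.push("Step Up To Register Email MFA Device");
  // Assumption: once step-up returns, the MFA section is treated as complete.
  trace.push(s.emailVerificationRequired ? "Verify Email Subflow"
                                         : "Device Registration Subflow");
}

function threatDetection(s, trace) {
  trace.push("Threat Detection Subflow");
  if (!s.threatSubflowOk) return false;        // unsuccessful subflow -> Return Error
  if (s.riskLevel === "low") return true;
  if (s.riskLevel === "medium") { mfaAuthentication(s, trace); return true; }
  if (s.riskLevel !== "high") return false;    // assumption: unknown level fails closed
  if (!s.highRiskFromNewDevice) trace.push("Notify User");
  return false;                                // high risk always ends in Return Error
}

// Returns the ordered list of sections and subflows visited for one set of inputs.
// The model follows the page's text literally, so a medium-risk session visits
// MFA Authentication twice (once from threat detection, once from the main path).
function runFlow(s) {
  const trace = ["Check Session"];
  if (s.hasSession) {
    if (!threatDetection(s, trace)) { trace.push("Return Error"); return trace; }
  } else {
    trace.push("SignOn Subflow");
  }
  mfaAuthentication(s, trace);
  trace.push("Agreement (ToS) Subflow", "Return Success");
  return trace;
}

// Enumerates every combination of modeled inputs and collects invariant violations.
function checkInvariants() {
  const bools = [true, false], violations = [];
  for (const hasSession of bools) for (const threatSubflowOk of bools)
  for (const riskLevel of ["low", "medium", "high"]) for (const highRiskFromNewDevice of bools)
  for (const hasActiveDevice of bools) for (const emailVerificationRequired of bools) {
    const s = { hasSession, threatSubflowOk, riskLevel, highRiskFromNewDevice,
                hasActiveDevice, emailVerificationRequired };
    const t = runFlow(s), agreed = t.includes("Agreement (ToS) Subflow");
    if (agreed && !t.includes("MFA Authentication")) violations.push(["ToS without MFA", s]);
    if (hasSession && (!threatSubflowOk || riskLevel === "high") && agreed)
      violations.push(["ToS after failed risk check", s]);
    if (t.includes("Notify User") && t[t.length - 1] !== "Return Error")
      violations.push(["notify without error", s]);
  }
  return violations;
}
```

An empty result from checkInvariants() means that, in this model, the agreement subflow is never reached without MFA or after a high-risk or failed risk evaluation.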
Input schema
This flow has the following inputs:
| Input Name | Required | Description |
|---|---|---|
| | No | An object containing parameters passed in if the flow was launched with the widget. This input replaces all other inputs. |
Output schema
This flow has the following outputs:
| Output Name | Description |
|---|---|
| | The result status of the flow. |
| | The user’s PingOne user ID. |
| | The error message to display in the parent flow. |
| | The details of the error that occurred in this flow. |
Variables
This flow uses the following variables:
| Variable name | Parameter name | Description |
|---|---|---|
| | None | The HTML style to use for your company logo. |
| | None | The URL for your company logo. |
| | None | Displays the name of your company. |
| | | Indicates whether magic link is enabled in your environment. |
| | | A boolean indicating whether agreement is enabled in your environment. |
| | None | The maximum allowed session length for a user in the flow. |
| | None | The ID of the PingOne agreement to present to users. |
| | None | The PingOne risk policy ID to use for authentication. |
| | None | The risk evaluation ID returned by PingOne Protect. |
| | None | The PingOne risk policy ID to use for registration. |
| | None | The PingOne risk policy ID to use for account recovery. |
| | None | The company logo to use during the flow. |
| | None | The PingOne MFA policy ID. |
| | None | The PingOne risk policy ID to use for authorization. |
| | None | The authentication method used by the user. |