PingOne for Customers Plus

CIAM Plus With Protect - Set User Consent Preferences - Main Flow

The CIAM Plus With Protect - Set User Consent Preferences - Main Flow lets users manage their consent settings.

Purpose

The CIAM Plus With Protect - Set User Consent Preferences - Main Flow enables existing users to update their consent settings. It lets the user sign on if no existing session is found, and performs a threat analysis using PingOne Protect. If the threat level is medium, it also performs MFA authentication, adding a new MFA option if necessary. When the user has been authenticated, they are presented with a form on which they can update their consent settings. The new settings are then saved in PingOne.

Structure

This flow is divided into sections using teleport nodes:

Flow Configuration

Uses multiple function nodes to save the variable and parameter values so that the correct values are available in the flow and in subflows. The flow then uses a function node to check whether agreement is enabled but no agreement ID is present. If not, the flow progresses to the Check Session, Call To Protect Analysis & MFA Step-Up section. If so, the flow progresses to the Return Error section.

Check Session, Call To Protect Analysis & MFA Step-Up

Uses a PingOne node to check for an existing session.

If a session is found, an HTML node collects the user’s metadata, then a PingOne node retrieves additional user information. The flow then progresses to the Threat Detection & Mitigation section. When that section completes, the flow progresses to the MFA Authentication section, and when that section completes, to the Set User Consent Preferences section.

If no session is found, a function node looks for an existing token, and a PingOne node deletes the session if a token is found. The flow then invokes the CIAM Plus With Protect - SignOn - Subflow. When the subflow completes, a PingOne node creates a new session for the user while a loading screen is displayed. A second PingOne node retrieves additional user information. The flow then progresses to the MFA Authentication section, and when that section completes, to the Set User Consent Preferences section.

Threat Detection & Mitigation

Invokes the CIAM Plus With Protect - Threat Detection - Subflow.

If the CIAM Plus With Protect - Threat Detection - Subflow completes successfully, a function node stores the risk evaluation as a variable, then a second function node branches the flow based on the risk level:

  • If the risk level is low, the flow returns to the previous section.

  • If the risk level is medium, the flow progresses to the MFA Authentication section. The flow then returns to the previous section.

  • If the risk level is high, a function node checks if the high risk was the result of a new device. If not, a PingOne node notifies the user. The flow then progresses to the Return Error section.

If the CIAM Plus With Protect - Threat Detection - Subflow completes unsuccessfully, a function node stores the risk evaluation as a variable, then the flow progresses to the Return Error section.
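The branching described above, written out as an added JavaScript example in the style of a DaVinci function node. This is not the flow’s own node code: the shape of the risk evaluation object (id, result.level, details.newDevice) and the section labels are assumptions made for this illustration, and treating an unknown level as an error is an added fail-closed choice.

```javascript
// Added example modelling the branching described for the Threat Detection &
// Mitigation section. It is not the flow's own function-node code: the shape of
// the risk evaluation object (id, result.level, details.newDevice) and the
// section labels are assumptions made for this illustration.

const SECTIONS = {
  previous: "previous section",
  mfa: "MFA Authentication",
  error: "Return Error",
};

// Route the flow once the Threat Detection subflow has returned.
// subflowOk: whether the subflow completed successfully.
// riskEval:  the (assumed) evaluation object the first function node stores.
function routeAfterThreatDetection(subflowOk, riskEval) {
  // Both the success and failure paths store the evaluation as a variable.
  const state = { protectRiskEvalId: riskEval ? riskEval.id : null, notifyUser: false };

  if (!subflowOk) {
    return { ...state, next: SECTIONS.error };
  }

  const result = (riskEval && riskEval.result) || {};
  const level = String(result.level || "").toUpperCase();
  switch (level) {
    case "LOW":
      return { ...state, next: SECTIONS.previous };
    case "MEDIUM":
      // Step up with MFA, then return to the calling section.
      return { ...state, next: SECTIONS.mfa, thenReturnTo: SECTIONS.previous };
    case "HIGH": {
      // A high risk caused by a new device is not reported to the user, but
      // the flow still ends in Return Error either way.
      const newDevice = Boolean(riskEval.details && riskEval.details.newDevice);
      return { ...state, notifyUser: !newDevice, next: SECTIONS.error };
    }
    default:
      // Added fail-closed choice: an unknown or missing level is treated as an error.
      return { ...state, next: SECTIONS.error };
  }
}

// Constructed sample evaluations for a stand-alone run.
const sampleMedium = { id: "eval-001", result: { level: "MEDIUM" }, details: {} };
const sampleHighNewDevice = { id: "eval-002", result: { level: "HIGH" }, details: { newDevice: true } };
console.log(routeAfterThreatDetection(true, sampleMedium));
console.log(routeAfterThreatDetection(true, sampleHighNewDevice));
```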

MFA Authentication

Uses a PingOne node to look up the user’s existing devices. An HTML node then checks the user’s current device for WebAuthn support, and comparison nodes filter out unusable devices and check that at least one device is configured.

If the user has no active devices or the user’s device information could not be found, the flow progresses to the Step up to register Email MFA device if no MFA devices found during authentication section.

If the user has active devices, the flow invokes the CIAM Plus With Protect - Device Authentication - Subflow. If the subflow completes successfully, a function node saves the user’s authentication method as a variable. The flow then returns to the previous section.
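The device checks described for this section, as an added JavaScript example that is not the flow’s own node code. The device object shape (type, status), the status and type values, and the Boolean WebAuthn flag the HTML node reports are assumptions made for this illustration.

```javascript
// Added example modelling the device checks described for the MFA
// Authentication section. It is not the flow's own node code: the device object
// shape (type, status), the status and type values, and the Boolean WebAuthn
// flag the HTML node reports are assumptions made for this illustration.

const STEP_UP = "Step up to register Email MFA device if no MFA devices found during authentication";
const DEVICE_AUTH = "CIAM Plus With Protect - Device Authentication - Subflow";

// Device types assumed to be usable without browser support; FIDO2 additionally
// needs WebAuthn in the user's current browser.
const OTP_OR_PUSH_TYPES = new Set(["SMS", "VOICE", "EMAIL", "TOTP", "MOBILE"]);

// Mirrors the comparison node that filters out unusable devices.
function isUsableDevice(device, webauthnSupported) {
  if (!device || device.status !== "ACTIVE") return false; // not yet activated
  if (device.type === "FIDO2") return webauthnSupported;
  return OTP_OR_PUSH_TYPES.has(device.type);
}

// Decide which section the flow moves to after the device lookup.
// lookup: the (assumed) lookup result, or null when the user's device
// information could not be found.
function routeMfaAuthentication(lookup, webauthnSupported) {
  if (!lookup || !Array.isArray(lookup.devices)) {
    return { next: STEP_UP, usable: [] };
  }
  const usable = lookup.devices.filter((d) => isUsableDevice(d, webauthnSupported));
  if (usable.length === 0) {
    return { next: STEP_UP, usable };
  }
  // At least one usable device: hand over to the Device Authentication subflow.
  return { next: DEVICE_AUTH, usable };
}

// Constructed sample: one SMS device still awaiting activation, one FIDO2 key.
const sampleLookup = {
  devices: [
    { id: "dev-1", type: "SMS", status: "ACTIVATION_REQUIRED" },
    { id: "dev-2", type: "FIDO2", status: "ACTIVE" },
  ],
};
console.log(routeMfaAuthentication(sampleLookup, false).next); // browser without WebAuthn support
console.log(routeMfaAuthentication(sampleLookup, true).next);  // browser with WebAuthn support
```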

Step up to register Email MFA device if no MFA devices found during authentication

A comparison node checks whether email verification is required.

If email verification is not required, the flow invokes the CIAM Plus With Protect - Device Registration - Subflow, then progresses to the Check Password Status node in the Password Authentication section.

If email verification is required, the flow invokes the CIAM Plus With Protect - Verify Email - Subflow, then uses PingOne nodes to enroll email as an MFA device and enable MFA for the user. A function node stores the user’s authentication method as a variable, and the flow returns to the previous section.

Set User Consent Preferences

Uses a PingOne node to find the user, then displays an HTML form on which the user can select their consent preferences. The flow then branches based on the user’s selection.

If the user clicks Save, a function node prepares the information provided by the user, then a PingOne node saves it. An HTML success message is displayed, then the flow progresses to the Return Success section.

If the user clicks Cancel, the flow progresses to the Return Success section.

Return Success

Displays an HTML success message to the user, then sends a success response, indicating that the flow completed successfully.

Return Error

Displays an error screen and sends a JSON error response, indicating that the flow completed unsuccessfully.

Input schema

This flow has the following inputs (input name, whether it is required, and a description):

flowParameters (required: No)
    An object containing parameters passed in if the flow was launched with the widget. This input replaces all other inputs.

Output schema

This flow has the following outputs:

flowResult
    The result status of the flow.

p1UserId
    The PingOne user ID of the user.

errorMessage
    The error message to display in the parent flow.

errorDetails
    Details about the error that occurred in this flow.

Variables and parameters

This flow uses the following variable or parameter values:

Each entry gives the variable name, the parameter name it maps to (if any), and a description.

ciam_magicLinkEnabled (parameter: isEmailMagicLinkEnabled)
    Indicates whether magic link is enabled in your environment.

ciam_logoStyle (parameter: none)
    The HTML style to use for your company logo. This value is only used when the flow is launched with a redirect.

ciam_logoUrl (parameter: none)
    The URL for your company logo. This value is only used when the flow is launched with a redirect.

ciam_companyName (parameter: none)
    Displays the name of your company. This value is only used when the flow is launched with a redirect.

ciam_agreementEnabled (parameter: isTermsOfServiceEnabled)
    A boolean indicating whether agreement is enabled in your environment.

ciam_requireMFA (parameter: none)
    A boolean that controls whether MFA is required for all users.

ciam_resendOtpLimit (parameter: none)
    The maximum number of times a user can have a one-time passcode (OTP) resent.

ciam_verificationLimit (parameter: none)
    The maximum number of times a user can attempt to verify their email address.

ciam_sessionLengthInMinute (parameter: none)
    The maximum allowed session length for a user in the flow.

ciam_otpFallbackAllowed (parameter: none)
    A boolean indicating whether a user can fall back to an OTP if a mobile push request times out.

p1AgreementID (parameter: none)
    The PingOne agreement ID to use in the solution.

p1MFAPolicyID (parameter: none)
    The ID of the PingOne MFA policy to use in the solution.

p1RiskPolicyIdAuthn (parameter: none)
    The PingOne risk policy ID to use for authentication.

protectRiskEvalId (parameter: none)
    The risk evaluation ID returned by PingOne Protect.

p1RiskPolicyIdReg (parameter: none)
    The PingOne risk policy ID to use for account registration.

p1RiskPolicyIdAR (parameter: none)
    The PingOne risk policy ID to use for account recovery.

flowCompanyLogo (parameter: none)
    The company logo to use during the flow.

p1RiskPolicyIdAuthZ (parameter: none)
    The PingOne risk policy ID to use for authorization.

authMethod (parameter: none)
    The method used by the user to authenticate.