Purpose

The OOTB - Passwordless - Registration, Authentication, & Account Recovery - Main Flow is the initial flow in the PingOne for Customers Passwordless solution. It enables existing users to sign on using a password, uses the OOTB - Account Registration - Subflow flow to let new users register, uses the OOTB - Account Recovery - Subflow flow to let existing users recover their account, and uses the OOTB - Device Authentication - Subflow flow to let existing users sign on using a known device.

Structure

[Flow diagram. Node labels: Flow configuration; Check for session; Offer passwordless sign-on page; Require passwordless sign-on page; Password authentication; Call subflow: Change Password; Call subflow: Account Recovery; Call subflow: Account Registration; Call subflow: Device Authentication; Call subflow: Agreement (ToS); Call subflow: Verify Email; Handle Remember Me if applicable.]

This flow is divided into sections using teleport nodes:

Flow Configuration
Uses multiple function nodes to save the variable and parameter values so that the correct values are available in the flow and in subflows. The flow then progresses to the Check for Session section.
Check for Session
Uses a PingOne node to determine whether the user has an existing session. If so, it returns a success response. If not, the flow checks for any existing session tokens and uses a PingOne node to delete the prior session before the flow progresses to the Offer Passwordless Sign On Page section.
Offer Passwordless Sign On Page
Uses a compare node to check if passwordless is required. If passwordless is not required, an HTML page is displayed with options to sign on using a password, recover from a forgotten password, or register a new account.

The sign-on option progresses to the Password Authentication section, the forgot password option progresses to the Call Account Recovery Sub-Flow section, and the register option progresses to the Call Account Registration Sub-Flow section. If passwordless is required, the flow progresses to the Require Passwordless Sign On Page section.

Require Passwordless Sign On Page
Presents the user with an HTML page with options to sign on, recover the account, or register a new account.

The sign-on option uses a PingOne node to look up the user and then progresses to the Call Device Authentication Sub-Flow section, the forgot password option progresses to the Call Account Recovery Sub-Flow section, and the register option progresses to the Call Account Registration Sub-Flow section.

Call Account Recovery Sub-Flow
Invokes the OOTB - Account Recovery - Subflow flow, then progresses to either the Offer Passwordless Sign On Page section or the Return Success section depending on the subflow result.
Call Account Registration Sub-Flow
Invokes the OOTB - Account Registration - Subflow flow, then progresses to either the Offer Passwordless Sign On Page section or the Return Success section depending on the subflow result.
Call Device Authentication Sub-Flow
Invokes the OOTB - Device Authentication - Subflow flow, then progresses to either the Offer Passwordless Sign On Page section or the Call Check Agreement Sub-Flow section depending on the subflow result.

Password Authentication
Uses two PingOne nodes to look up the user and validate the provided password. If the password is correct and current, the flow progresses to the Return Success section. If the password is correct but must be changed or is expired, the flow progresses to the Call Change Password section.

Call Change Password
Invokes the OOTB - Change Password - Subflow flow, then displays a success message and progresses to the Return Success section if the subflow completes successfully.
Call Check Agreement Sub-Flow
Invokes the OOTB - Agreement (ToS) - Subflow flow, then checks if verification is required. If so, the flow progresses to the Call Verify Email Sub-Flow section. If not, the flow progresses to the Handle Remember Me if Applicable section.
Call Verify Email Sub-Flow
Uses a PingOne node to send a verification code to the user's email, then invokes the OOTB - Verify Email - Subflow flow. When the subflow completes, the flow progresses to the Handle Remember Me if Applicable section.
Handle Remember Me if Applicable
Adds Remember Me as an authentication method if it is enabled, then progresses to the Return Success section.
Return Success
Checks to see if a session should be created. If so, it creates a session with a duration specified by a variable. If not, it creates a session with a duration of 1 minute. The flow then sends a success response, indicating that the flow completed successfully.
Return Error
Displays an error screen and sends an error JSON response, indicating that the flow completed unsuccessfully.
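
The section routing described above can be modelled as a graph and checked for a policy property, for example that no password section is reachable when passwordless is required. This is an added example, not part of the flow or of Ping Identity's documentation; the section identifiers are shorthand chosen here, and only the transitions stated on this page are modelled.

```python
from collections import deque

# Transitions transcribed from the section descriptions on this page.
# passwordless_required models the compare node's check of
# ciam_passwordlessRequired. Failure paths the page does not describe
# (for example a wrong password) are deliberately left out.
def transitions(passwordless_required):
    offer_next = (["require_page"] if passwordless_required
                  else ["password_auth", "account_recovery", "account_registration"])
    return {
        "flow_configuration": ["check_session"],
        "check_session": ["return_success", "offer_page"],
        "offer_page": offer_next,
        "require_page": ["device_auth", "account_recovery", "account_registration"],
        "password_auth": ["return_success", "change_password"],
        "change_password": ["return_success"],
        "account_recovery": ["offer_page", "return_success"],
        "account_registration": ["offer_page", "return_success"],
        "device_auth": ["offer_page", "check_agreement"],
        "check_agreement": ["verify_email", "remember_me"],
        "verify_email": ["remember_me"],
        "remember_me": ["return_success"],
        "return_success": [],
    }

def reachable(graph, start="flow_configuration"):
    """Breadth-first search: every section reachable from start."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def audit(passwordless_required):
    graph = transitions(passwordless_required)
    seen = reachable(graph)
    # A dead end is a reachable section from which Return Success cannot be reached.
    dead_ends = sorted(n for n in seen if n != "return_success"
                       and "return_success" not in reachable(graph, n))
    password_sections = sorted(seen & {"password_auth", "change_password"})
    return {"password_sections_reachable": password_sections, "dead_ends": dead_ends}

if __name__ == "__main__":
    for required in (False, True):
        print("passwordless required:", required, audit(required))
```

After customizing the flow, updating the transition table and rerunning the audit shows whether a new branch reintroduces a password path while passwordless is required.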

Input schema

This flow has no required or optional inputs.

Output schema

This flow has no outputs.

Variables and parameters

This flow uses the following variable or parameter values.

| Variable name | Parameter name | Description |
|---|---|---|
| ciam_appleEnabled | isAppleEnabled | Indicates whether authentication through Apple is enabled in your environment. |
| ciam_facebookEnabled | isFacebookEnabled | Indicates whether authentication through Facebook is enabled in your environment. |
| ciam_googleEnabled | isGoogleEnabled | Indicates whether authentication through Google is enabled in your environment. |
| ciam_passwordlessRequired | isPasswordlessRequired | Indicates whether passwordless authentication is required for sign-on. |
| ciam_magicLinkEnabled | isEmailMagicLinkEnabled | Indicates whether magic link is enabled in your environment. |
| ciam_sessionLengthInMinute | None | The maximum time a user can spend in the flow before it times out. |
| ciam_logoStyle | None | The HTML style to use for your company logo. This value is only used when the flow is launched with a redirect. |
| ciam_logoUrl | None | The URL for your company logo. This value is only used when the flow is launched with a redirect. |
| ciam_companyName | None | Displays the name of your company. This value is only used when the flow is launched with a redirect. |
| ciam_accountRecoveryEnabled | isAccountRecoveryEnabled | A boolean that controls whether account recovery is enabled in your environment. |
| ciam_smsOtpEnabled | isSmsOTPEnabled | A boolean indicating whether one-time passcode using SMS is enabled in your environment. |
| ciam_emailOtpEnabled | isEmailOTPEnabled | A boolean indicating whether one-time passcode using email is enabled in your environment. |
| ciam_fidoPasskeyEnabled | isFidoPasskeyEnabled | A boolean indicating whether FIDO passkey is enabled in your environment. |
| ciam_agreementEnabled | isTermsOfServiceEnabled | A boolean indicating whether agreement is enabled in your environment. |