Purpose

The OOTB - Passwordless - Registration, Authentication, & Account Recovery - Main Flow is the initial flow in the PingOne for Customers Passwordless solution. It enables existing users to sign on using a password, uses the OOTB - Account Registration - Subflow flow to let new users register, uses the OOTB - Account Recovery - Subflow flow to let existing users recover their account, and uses the OOTB - Device Authentication - Subflow flow to let existing users sign on using a known device.

Structure

SUCCESSSUCCESSSUCCESSSUCCESSSUCCESSSUCCESSCall subflow:Verify EmailCheck for sessionRequire passwordlesssign-on pagePasswordauthenticationHandle Remember Meif applicableCall subflow:Change PasswordPASSWORDCall subflow:Account RecoveryCall subflow:Agreement (ToS)Call subflow:Account RegistrationCall subflow:Device AuthenticationOer passwordlesssign-on pageFlow configuration

This flow is divided into sections using teleport nodes:

Flow Configuration
Uses multiple function nodes to save the variable and parameter values so that the correct values are available in the flow and in subflows. The flow then progresses to the Check for Session section.
Check for Session
Uses a PingOne node to determine whether the user has an existing session.

If the user has an existing session, a hidden HTML node initiates the sk-risk component, then the flow progresses to the PingOne Protect threat detection analysis section. When this section completes, the flow progresses to the Return Success section.

If the user does not have an existing session, the flow checks for any existing session tokens and uses a PingOne node to delete the prior session before the flow progresses to the Offer Passwordless Sign On Page section.

Check if user is active
Uses a PingOne node to retrieve user information, then uses a series of comparison nodes to verify that the user is enabled, that the user can authenticate, and that the user's account status is active. If the user information cannot be found or if a condition is not met, an error message is displayed. If the conditions are all met, the flow returns to the previous section.
Offer Passwordless Sign On Page
Uses a compare node to check if passwordless is required. If passwordless is not required, an HTML page is displayed with options to sign on using a password, recover from a forgotten password, or register a new account.
  • The sign-on option uses a PingOne to find the user, then progresses to the PingOne Protect threat detection analysis section. When that section completes, a function node checks whether the user is enabled, then the progresses to the Password Authentication section.
  • The forgot password option progresses to the Call Account Recovery Sub-Flow section.
  • The register option progresses to the Call Account Registration Sub-Flow section.

If passwordless is required, the flow progresses to the Require Passwordless Sign On Page section.

Require Passwordless Sign On Page
Presents the user with an HTML page with options to sign on, recover the account, or register a new account.

The sign-on option progresses to the Check if user is active section, then progresses to the Call Device Authentication Sub-Flow section. The forgot password option progresses to the Call Account Recovery Sub-Flow section. The register option progresses to the Call Account Registration Sub-Flow section.

Call Account Recovery Sub-Flow
Invokes the OOTB - Account Recovery - Subflow flow, then progresses to either the Offer Passwordless Sign On Page section or the Return Success section depending on the subflow result.
Call Account Registration Sub-Flow
Invokes the OOTB - Account Registration - Subflow flow, then progresses to either the Offer Passwordless Sign On Page section or the Return Success section depending on the subflow result.
Call Device Authentication Sub-Flow
Invokes the OOTB - Device Authentication - Subflow flow, then progresses to either the Offer Passwordless Sign On Page section or the Call Check Agreement Sub-Flow section depending on the subflow result.
Password Authentication

Uses two PingOne nodes to look up the user and validate the provided password. If the password is correct and current, the flow progresses to the Return Success section. If the password is correct but must be changed or is expired, the flow progresses to the Call Change Password Sub-Flow section.

Call Change Password Sub-Flow
Invokes the OOTB - Change Password - Subflow flow, then displays a success message and progresses to the Return Success section if the subflow completes successfully.
Call Check Agreement Sub-Flow
Invokes the OOTB - Agreement (ToS) - Subflow flow, then checks if verification is required. If so, the flow progresses to the Call Verify Email Sub-Flow section. If not, the flow progresses to the Handle Remember Me if Applicable section.
Call Verify Email Sub-Flow
Uses a PingOne node to send a verification code to the user's email, then invokes the OOTB - Verify Email - Subflow flow. When the subflow completes the flow progresses to the Handle Remember Me if Applicable section.
Handle Remember Me if Applicable
Adds Remember Me as an authentication method if it is enabled, then progresses to the Return Success section.
PingOne Protect threat detection analysis

Uses a PingOne node to look up the user, then invokes the OOTB - PingOne Protect Threat Detection - Subflow subflow.

If the OOTB - PingOne Protect Threat Detection - Subflow subflow completes successfully, the PingOne Protect values are saved as variables. A function node then checks whether the device is known, and if not a PingOne node sends an email notification to the user.

A function node then examines the risk score.
  • If the risk score is low, the flow returns to the previous section.
  • If the risk score is medium, a PingOne node retrieves the user's MFA devices and a function node checks whether the user has zero MFA devices. If the user has zero MFA devices, a PingOne node adds the user's email as an MFA device and an HTML page prompts the user to enter the OTP sent to that email. Additional PingOne nodes then activate the MFA device and send an email confirming the device creation. The flow then returns to the previous section.
  • If the risk score is high, the flow progresses to the Return Error section.

If the OOTB - PingOne Protect Threat Detection - Subflow subflow does not complete successfully, any available PingOne Protect values are saved as variables. PingOne nodes send an email notification to the user informing them that their account is disabled and update the user's status. The flow then progresses to the Return Error section.

Return Success
Checks to see if a session should be created. If so, it creates a session with a duration specified by a variable. If not, it creates a session with a duration of 1 minute. The flow then sends a success response, indicating that the flow completed successfully.
Return Error
Displays an error screen and sends an error JSON response, indicating that the flow completed unsuccessfully.

Input schema

This flow has no required or optional inputs.

Output schema

This flow has no outputs.

Variables and parameters

This flow uses the following variable or parameter values.

Variable name Parameter name Description

ciam_appleEnabled

isAppleEnabled

Indicates whether authentication through Apple is enabled in your environment.

ciam_facebookEnabled

isFacebookEnabled

Indicates whether authentication through Facebook is enabled in your environment.

ciam_googleEnabled

isGoogleEnabled

Indicates whether authentication through Google is enabled in your environment.

ciam_passwordlessRequired

isPasswordlessRequired

Indicates whether passwordless authentication is required for sign-on.

ciam_magicLinkEnabled

isEmailMagicLinkEnabled

Indicates whether magic link is enabled in your environment.

ciam_sessionLengthInMinute

None

The maximum time a user can spend in the flow before it times out.

ciam_logoStyle

None

The HTML style to use for your company logo.

This value is only used when the flow is launched with a redirect.

ciam_logoUrl

None

The URL for your company logo.

This value is only used when the flow is launched with a redirect.

ciam_companyName

None

Displays the name of your company.

This value is only used when the flow is launched with a redirect.

ciam_accountRecoveryEnabled

isAccountRecoveryEnabled

A boolean that controls whether account recovery is enabled in your environment.

ciam_smsOtpEnabled

isSmsOTPEnabled

A boolean indicating whether one-time passcode using sms is enabled in your environment.

ciam_emailOtpEnabled

isEmailOTPEnabled

A boolean indicating whether one-time passcode using email is enabled in your environment.

ciam_fidoPasskeyEnabled

isFidoPasskeyEnabled

A boolean indicating whether FIDO passkey is enabled in your environment.

ciam_agreementEnabled

isTermsOfServiceEnabled

A boolean indicating whether agreement is enabled in your environment.