1. Enter or verify the values for each company variable that's used in the PingOne for Customers Passwordless solution.

    These variables determine whether some processes and subflows are included or excluded.

    Note:

    If you plan to invoke the flow using the widget, you can pass in parameter values that override some of these variables. These parameters are described later in this procedure.

    1. In DaVinci, click the Variables tab.
    2. Locate a variable and click the Pencil icon.
    3. In the Value field, verify that the value is correct, or enter a new value for the variable.
    4. Click Update.
    5. Repeat steps b-d for each remaining variable.
    Company variables

    | Variable | Description |
    | --- | --- |
    | ciam_sessionLengthInMinute | The maximum allowed session length for a user in the flow. The default value is 5 minutes. |
    | ciam_appleEnabled | A boolean that controls whether Apple is enabled as a social sign-on option. The default value is false. |
    | ciam_facebookEnabled | A boolean that controls whether Facebook is enabled as a social sign-on option. The default value is false. |
    | ciam_googleEnabled | A boolean that controls whether Google is enabled as a social sign-on option. The default value is false. |
    | ciam_passwordlessRequired | A boolean that controls whether all end users must use passwordless authentication. The default value is false. |
    | ciam_magicLinkEnabled | A boolean that controls whether magic links are enabled for your end users. The default value is false. |
    | ciam_logoUrl | The URL for the version of your company logo to display in flows. The default value is https://assets.pingone.com/ux/ui-library/5.0.2/images/logo-pingidentity.png. |
    | ciam_logoStyle | The CSS style to use for your company logo. The default value is width: 65px; height: 65px;. |
    | ciam_companyName | The name of your company as it should be displayed in user-facing text. The default value is Ping Identity. |
    | ciam_agreementEnabled | A boolean that controls whether agreement is enabled in your environment. The default value is false. |
    | ciam_agreementId | The ID of the agreement to present to users if agreement is enabled. This value was copied in the Configuring PingOne procedure. There is no default value. |
    | ciam_recoveryLimit | The maximum number of times a user can attempt to recover an account. The default value is 5. |
    | ciam_verificationLimit | The maximum number of times a user can attempt to verify their email address. The default value is 5. |
    | ciam_smsOtpEnabled | A boolean that controls whether one-time passcode using SMS is enabled in your environment. The default value is true. |
    | ciam_emailOtpEnabled | A boolean that controls whether one-time passcode using email is enabled in your environment. The default value is true. |
    | ciam_fidoPasskeyEnabled | A boolean that controls whether FIDO passkey is enabled in your environment. The default value is false. |
    | ciam_accountRecoveryEnabled | A boolean that controls whether account recovery is enabled in your environment. The default value is false. |

  2. Verify the configuration of the following connectors in your environment.

    | Connector | Description | Connector documentation |
    | --- | --- | --- |
    | PingOne | Enables DaVinci to view and update PingOne user information. | PingOne Connector |
    | PingOne MFA | Enables DaVinci to use the PingOne MFA service for multi-factor authentication. | PingOne MFA Connector |
    | PingOne Notifications | Enables DaVinci flows to send users general communications via SMS, email, and voice message with PingOne’s notifications feature. | PingOne Notifications Connector |

    1. On the Connectors tab, find the connector that you want to verify and click ... > Edit.
    2. Verify that the Environment ID and Client ID fields match your PingOne values.
    3. If you have made any changes to the values, click Apply.
    4. Repeat the previous steps for each remaining connector.
  3. Configure the skrisk component to enable PingOne Protect.
    1. Click Flows.
    2. Select the OOTB - Account Registration - Subflow and click ... > Edit.
    3. Click the NOP UI Page node.
    4. Click the skrisk component.
    5. In the Environment ID field, enter your PingOne Protect environment ID.
    6. In the Collect Behavioral Data list, select True.
    7. In the Risk Property Name field, enter the risk property name for your PingOne Protect environment.
    8. Select the OOTB - Account Recovery - Subflow and click ... > Edit.
    9. Click the NOP UI Page node.
    10. Click the skrisk component.
    11. In the Environment ID field, enter your PingOne Protect environment ID.
    12. In the Collect Behavioral Data list, select True.
    13. In the Risk Property Name field, enter the risk property name for your PingOne Protect environment.
    14. Select the OOTB - Device Authentication - Subflow and click ... > Edit.
    15. Click the Get Origin node.
    16. Click the skrisk component.
    17. In the Environment ID field, enter your PingOne Protect environment ID.
    18. In the Collect Behavioral Data list, select True.
    19. In the Risk Property Name field, enter the risk property name for your PingOne Protect environment.
  4. Configure the PingOne Authentication node.
    1. Click Flows.
    2. Select the OOTB - Passwordless - Registration, Authentication, & Account Recovery - Main Flow and click ... > Edit.
    3. In the Return Success section, click the PingOne Authentication node.
    4. Verify that the PingOne Application list is set to Use Application ID.
    5. Verify that your Application ID is present in the Application ID field.
    6. Click Apply.
    7. Click Save.
  5. If you want to use social sign-on, update the skIdp component in the OOTB - Passwordless - Registration, Authentication, & Account Recovery - Main Flow flow to use your PingOne identity provider (IdP).
    1. Click Flows.
    2. Select the OOTB - Passwordless - Registration, Authentication, & Account Recovery - Main Flow flow and click ... > Edit.
    3. Click the Password Sign On Page node.
    4. Click the skIdp component corresponding to a social IdP option you want to provide.

      The section of the node contents that contains these components looks like this:

      {{#if googleEnabled}}
           {{skIDP}}
      
      {{/if}}
      {{#if facebookEnabled}}
           {{skIDP}}
      {{/if}}
      {{#if appleEnabled}}
           {{skIDP}}
      {{/if}}
    5. In the Identity Provider Connector list, select PingOne Authentication.
    6. In the PingOne External Identity Provider list, select an external IdP.
    7. Select Link with PingOne User.
    8. In the PingOne Population list, select Default.
    9. Click Save.
    10. Click Apply.
    11. Repeat steps d-j for each other social IdP option you want to use.
    12. Click the Passwordless Sign On Page node and repeat steps d-k.
  6. If you want to use an agreement or ToS in your environment, verify or add the agreement ID.
    1. Click Flows.
    2. Select the OOTB - Passwordless - Registration, Authentication, & Account Recovery - Main Flow flow and click ... > Edit.
    3. Click the Set Flow Constants node.
    4. In the Variable Value field, enter the Agreement ID value you copied in the Configuring PingOne procedure if it is not present.
      Note: If your trial environment has only one agreement, this value is automatically populated.
    5. Click Apply.
  7. If you want to launch the solution using the widget, add your company name.
    1. Click Flows.
    2. Select the OOTB - Passwordless - Registration, Authentication, & Account Recovery - Main Flow flow and click ... > Edit.
    3. Click the Set Industry Variables node.
    4. In the Code section, update the text to include your company name. For example:
      	const flowCompanyGreeting = (flowMethod === 'WIDGET' )
      		? '<p class="text-muted text-center mb-5">Welcome to Company Name</p>'
      		: `<p class="text-muted text-center">Welcome to ${ciam_companyName}</p>`;
    5. Click Apply.
  8. Verify that the PingOne flow setting is correct for your environment.
    • If you want to launch the PingOne for Customers Passwordless solution using a redirect, the flow must be configured as a PingOne flow.
    • If you want to launch the PingOne for Customers Passwordless solution using the widget, the flow must not be configured as a PingOne flow.
    1. Click Flows.
    2. Click the OOTB - Passwordless - Registration, Authentication, & Account Recovery - Main Flow flow.
    3. Click More Options (⋮) > Flow Settings.
    4. If you plan to launch the flow through a redirect, click the PingOne Flow toggle.
    5. If you made changes to the flow settings, click Save, close the flow settings pane, and click Deploy.
    6. If you plan to use the profile management flows, repeat steps a-e for the OOTB - Device Management - Main Flow, OOTB - Basic Profile Management, and OOTB - Password Reset - Main Flow flows.
  9. Configure a DaVinci application with a flow policy that invokes the OOTB - Passwordless - Registration, Authentication, & Account Recovery - Main Flow flow. For more information, see Creating an application.
    1. On the Applications tab, click Add Application.
    2. In the Name field, enter a name for the application.
    3. Click Create.
  10. Create a flow policy for the application you created.
    For more information, see Configuring a flow policy.
    1. On the Applications tab, find the application you created and click Edit.
    2. On the Flow Policy tab, click Add Flow Policy.
    3. In the Name field, enter a name for the flow policy.
    4. Select PingOne Flow Policy if you plan to invoke the flow using a PingOne redirect.
    5. In the Flows section, select a flow.
      Note:

      To launch the PingOne for Customers Passwordless solution, select the OOTB - Passwordless - Registration, Authentication, & Account Recovery - Main Flow flow. To launch a device management flow, select OOTB - Password Reset - Main Flow or OOTB - Device Management - Main Flow.

    6. In the Version section, select one or more versions of the flow to use.
    7. Click Create Flow Policy.
    8. In the Distribution field, set the weight for the CIAM - Main flow to 100.
    9. Click Save Flow Policy.
    10. Click Apply.
  11. If you are using a test environment, move the flows to your production environment:
    1. In your testing environment, click Flows.
    2. Click the OOTB - Passwordless - Registration, Authentication, & Account Recovery - Main Flow flow.
    3. Click More options (⋮) > Download Flow JSON.

      The Export Flow panel opens.

    4. Click Yes.

      The flow and its subflows are downloaded locally.

    5. Sign on to your production environment and click Flows.
    6. Click Add Flow > Import from JSON.
    7. Select the JSON file containing the flows.
    8. Click Import.
    9. Optional: Repeat steps a-h for the OOTB - Device Management - Main Flow, OOTB - Basic Profile Management, and OOTB - Password Reset - Main Flow flows.
    10. Repeat steps 1-14 in your production environment.
  12. If you imported the OOTB - Device Management - Main Flow or OOTB - Password Reset - Main Flow flows, remove the duplicate copies of the OOTB - Device Registration - Subflow and OOTB - Change Password - Subflow flows.

    The duplicate copies of the flows have - 1 appended to the flow name.

    1. Click Flows.
    2. Find the OOTB - Device Registration - Subflow - 1 flow and click ... > Delete, then click Delete in the confirmation window.
    3. Find the OOTB - Change Password - Subflow - 1 flow and click ... > Delete, then click Delete in the confirmation window.
    4. Click the OOTB - Device Management - Main Flow.
    5. Click the Flow Conductor connector, then replace the contents of the Flow ID field with the OOTB - Device Registration - Subflow flow.
    6. Click Save.
    7. Click Deploy.
    8. Click Flows.
    9. Click the OOTB - Password Reset - Main Flow.
    10. Click the Flow Conductor connector, then replace the contents of the Flow ID field with the OOTB - Change Password - Subflow flow.
    11. Click Save.
    12. Click Deploy.
  13. Invoke the flow or flows using the widget or a redirect.
    • If you want to launch the flow in a separate window using a PingOne redirect, use the procedure in Launching a PingOne flow with a redirect. The OOTB - Passwordless - Registration, Authentication, & Account Recovery - Main Flow flow can be launched with a redirect.
    • If you want to launch the flow in a widget within the user's current window, use the procedure in Launching a flow with the widget. The following flows can be launched with the widget:
      • OOTB - Passwordless - Registration, Authentication, & Account Recovery - Main Flow
      • OOTB - Device Management - Main Flow
      • OOTB - Basic Profile Management
      • OOTB - Password Reset - Main Flow
    Note:
    When you invoke the flow using the widget, you must include your company logo as a background image in the dialog-content-header__logo CSS class. For example:
    .dialog-content-header__logo {
      background-image: url("./company-logo.svg");
    }
    Note:

    When you invoke the flow using the widget, you can include any of the following parameters. When present, the parameter value is used instead of the corresponding variable value.

    Use the following format to pass parameters to the flow:

    flowParameters:{
        parameter1: "value",
        parameter2: "value" 
    } 
    Parameters

    | Parameter | Corresponding variable | Description |
    | --- | --- | --- |
    | isAppleEnabled | ciam_appleEnabled | A boolean indicating whether Apple is enabled as a social sign-on option. |
    | isFacebookEnabled | ciam_facebookEnabled | A boolean indicating whether Facebook is enabled as a social sign-on option. |
    | isGoogleEnabled | ciam_googleEnabled | A boolean indicating whether Google is enabled as a social sign-on option. |
    | isPasswordlessRequired | ciam_passwordlessRequired | A boolean indicating whether all end users must use passwordless authentication. |
    | isEmailMagicLinkEnabled | ciam_magicLinkEnabled | A boolean indicating whether magic links are enabled for your end users. |
    | isTermsOfServiceEnabled | ciam_agreementEnabled | A boolean indicating whether agreement is enabled in your environment. |
    | isSmsOTPEnabled | ciam_smsOtpEnabled | A boolean indicating whether one-time passcode using SMS is enabled in your environment. |
    | isEmailOTPEnabled | ciam_emailOtpEnabled | A boolean indicating whether one-time passcode using email is enabled in your environment. |
    | isFidoPasskeyEnabled | ciam_fidoPasskeyEnabled | A boolean indicating whether FIDO passkey is enabled in your environment. |
    | isAccountRecoveryEnabled | ciam_accountRecoveryEnabled | A boolean indicating whether account recovery is enabled in your environment. |
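
Because a widget parameter replaces the corresponding company variable, it helps to check a flowParameters object before it ships and to see which configured values it changes. The following is an added example, not Ping Identity code: the function name, its return shape, and the sample values are assumptions, while the parameter names, variable names, and defaults are taken from the tables on this page.

```javascript
// Added example. Parameter names, variable names and defaults come from the
// tables on this page; the helper and the sample values are constructed.
const PARAMS = {
  isAppleEnabled:           ["ciam_appleEnabled", false],
  isFacebookEnabled:        ["ciam_facebookEnabled", false],
  isGoogleEnabled:          ["ciam_googleEnabled", false],
  isPasswordlessRequired:   ["ciam_passwordlessRequired", false],
  isEmailMagicLinkEnabled:  ["ciam_magicLinkEnabled", false],
  isTermsOfServiceEnabled:  ["ciam_agreementEnabled", false],
  isSmsOTPEnabled:          ["ciam_smsOtpEnabled", true],
  isEmailOTPEnabled:        ["ciam_emailOtpEnabled", true],
  isFidoPasskeyEnabled:     ["ciam_fidoPasskeyEnabled", false],
  isAccountRecoveryEnabled: ["ciam_accountRecoveryEnabled", false],
};
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// overrides: the candidate flowParameters object.
// variables: values set on the Variables tab (page defaults are used if absent).
function buildFlowParameters(overrides, variables = {}) {
  const flowParameters = {};
  for (const [name, value] of Object.entries(overrides)) {
    // A misspelled name would not match any row of the parameter table.
    if (!has(PARAMS, name)) throw new Error(`unknown parameter: ${name}`);
    // The string "false" is truthy in JavaScript, so accept real booleans only.
    if (typeof value !== "boolean") throw new TypeError(`${name} must be a boolean`);
    flowParameters[name] = value;
  }
  const effective = {};
  const changed = [];
  for (const [name, [variable, dflt]] of Object.entries(PARAMS)) {
    const configured = has(variables, variable) ? variables[variable] : dflt;
    // When present, the parameter value is used instead of the variable value.
    effective[variable] = has(flowParameters, name) ? flowParameters[name] : configured;
    if (effective[variable] !== configured) changed.push(variable);
  }
  return { flowParameters, effective, changed };
}

// Constructed sample: the environment requires passwordless, the page does not.
const sample = buildFlowParameters(
  { isPasswordlessRequired: false, isGoogleEnabled: true },
  { ciam_passwordlessRequired: true }
);
console.log(sample.changed); // variables whose configured value the widget call replaces
```

Reviewing the `changed` list for each page that embeds the widget shows where a setting such as ciam_passwordlessRequired is replaced by a value supplied in page code.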