Purpose

The CIAM Plus - Account Recovery - Email - Subflow presents users who have forgotten their password with the ability to reset it using their email address. Users provide and verify their email address. The flow provides a form for the user to enter a new password, then verifies and saves the new password.

Structure

This flow is divided into sections using teleport nodes:

Forgot Password Form
Presents a custom HTML form on which users can enter the email address of their account. When the user clicks Submit, the flow progresses to the Verify User And Validate Entered Email section.
Verify User And Validate Entered Email
Uses a PingOne node to find a user with the specified email address. If the user is found, is active, and currently has a password, the flow progresses to the Check If MFA Enabled And Return To Send OTP To Email section. The flow then invokes the CIAM Plus - Verify Email - Subflow, then progresses to the Reset Password Form section.
Reset Password Form
Uses a flow instance variable to begin tracking the number of recovery attempts, then presents the user with an HTML page to enter and confirm a new password. If the user submits a new password, the flow progresses to the Verify Password section.
Verify Password
Uses function nodes to validate the new password and verify that the new password and the confirmed password match, displaying an error message if either condition is not met. The number of recovery attempts is then incremented by one and compared to the maximum. If it does not exceed the maximum, the flow progresses to the Update Password and Show Success Message section.
Update Password And Show Success Message
Uses a PingOne node to save the new password, then displays a success message and uses a second PingOne node to send a password change email. The flow then progresses to the Return Success section. If the recovery code or new password is incorrect or invalid, an error message is displayed.
Check If MFA Enabled And Return To Send OTP To Email
Uses a PingOne node to check if MFA is enabled. If MFA is not enabled, an HTML node presents the user with the option to enable it and a PingOne node saves the new MFA status. After MFA is enabled, the flow returns to the Verify User and Validate Entered Email section.
Return Success
Sends a success JSON response, indicating that the flow has completed successfully.
Return Error
Sends an error JSON response, indicating that the flow completed unsuccessfully.

Input schema

This flow has the following inputs.

Input Name Required? Description

ciam_companyLogo

No

The company logo.

Used only when the main flow was launched using the widget.

ciam_mfaPolicyId

No

The ID of the PingOne MFA policy to use in the flow.

username

No

The username of the account being recovered.

Output schema

This flow has the following outputs.

Output Name Description

ciam_pingOneUserId

The user ID of the current user.

ciam_subflowResult

The result status of the flow.

ciam_authMethod

The authentication method that was configured by the flow.

ciam_errorMessage

The error message to display in the parent flow.

Variables

This flow uses the following variables.

Variable Name Description

ciam_logoStyle

The HTML style to use for your company logo.

ciam_logoUrl

The URL for your company logo.

ciam_companyName

Displays the name of your company.

ciam_recoveryLimit

The maximum number of times a user can attempt to recover an account.