The CIAM Plus - Device Registration - Subflow lets users register a new device.
Purpose
The CIAM Plus - Device Registration - Subflow presents users with options to register any available device type. The flow finds the available devices, then uses an HTML node to let the user select one:
- If the user selects Mobile Application, the flow creates a pairing key to pair the application with the account.
- If the user selects Biometrics/Security Key, the flow pairs the current device.
- If the user selects Authenticator App, the flow uses a key URL to pair an authenticator app with the account.
- If the user selects Text Message, the flow gathers the number and uses a one-time passcode (OTP) to verify the SMS number.
- If the user selects Voice, the flow gathers the number and uses an OTP to verify the phone number.
- If the user selects Email, the flow uses an OTP to verify the email address.
After any successful device registration, or if the user selects password, the flow returns to the parent flow.
Structure
This flow is divided into sections using teleport nodes:
- Gather device types that user can register with
- Uses a hidden HTML form to gather browser information and a function node to set flow instance variables, then uses a PingOne node to retrieve the user's current devices. If the user has compatible devices and can register at least one additional device, the flow progresses to the Check Whether MFA Greetings Required To Be Displayed To User? section.
- Check Whether MFA Greetings Required To Be Displayed To User?
- Uses a function node to check if the greeting page should be displayed.
If the greeting should be displayed, an HTML node asks for user consent to add an MFA device. If the user clicks Skip, the flow progresses to the Return Success section. If the user does not select Skip, or if the greeting page is not displayed, a function node checks whether email is the only allowed option.
If email is the only allowed option, the flow progresses to the Prepare to register OTP device section. If email is not the only allowed option, the flow progresses to the User select device to register with section.
- User select device to register with
- Presents the user with an HTML page that provides them with the available authentication method options.
If the user selects Voice or SMS, the flow progresses to the User selected SMS/VOICE section.
If the user selects Email, the flow progresses to the User selected email section.
If the user selects TOTP, the flow progresses to the Prepare to register OTP device section.
If the user selects FIDO2, the flow progresses to the Register FIDO2 device and enable MFA for user section.
If the user selects Mobile, the flow progresses to the Mobile app registration flow section.
If the user selects Cancel, a function node determines whether the user should be returned to the calling flow. If so, the flow progresses to the Return Success section. If not, the flow progresses to the Check Whether MFA Greetings Required To Be Displayed To User? section.
- User selected SMS/VOICE
- Displays an HTML page that gives the user the option to provide a voice or SMS number.
If the user enters a voice or SMS number, a function node verifies that the number is not in use, then the flow progresses to the Prepare to register OTP device section.
If the user clicks Cancel, the flow returns to the User select device to register with section.
- User selected email
- Uses a function node to check for a known user email.
If the user's email is already present, the flow progresses to the Prepare to register OTP device section.
If the user's email is not present, an HTML node lets the user enter an email and submit it or cancel.
If the user clicks Cancel, the flow returns to the User select device to register with section.
If the user submits an email, a function node verifies that the email is not already registered, then the flow progresses to the Prepare to register OTP device section.
- Prepare to register OTP device
- Uses a PingOne node to create an OTP device.
If the OTP device creation succeeds, a function node sets the device ID, then the flow progresses to the TOTP (Authenticator app) registration flow section if the device type is TOTP, or to the Ask for OTP section if the device is SMS, voice, or email.
If the OTP device creation fails, an error message is displayed.
- Ask for OTP
- Uses function nodes to begin tracking the number of resend attempts, mask the phone number or email, and determine the cancel behavior, then displays an HTML node prompting the user for the OTP.
If the user submits a code, the flow progresses to the Activate OTP device and enable MFA for user section. Otherwise, the flow progresses to the Resend OTP section.
- Resend OTP
- If the user clicks Cancel at the OTP prompt screen, a PingOne node deletes the OTP device, then the flow returns to either the User select device to register with section or the Check Whether MFA Greetings Required To Be Displayed To User? section, depending on the cancel behavior.
If the user clicks Resend at the OTP prompt screen, function nodes increment the resend attempts and check whether the maximum has been reached. If the maximum has not been reached, PingOne nodes delete the previous OTP device and create a new device, a function node updates the device ID, and a message is displayed for the user.
- TOTP (Authenticator app) registration flow
- Uses a function node to create a QR code for the key URL, then displays an HTML page on which the user can scan the QR code and enter a secret.
If the user enters the secret, the flow progresses to the Activate OTP device and enable MFA for user section.
If the user clicks Cancel, a PingOne node deletes the OTP device, and the flow returns to the User select device to register with section.
- Activate OTP device and enable MFA for user
- Uses PingOne nodes to activate the OTP device and send a device registration email. If the new device should be the default, a PingOne node sets it as the default, then another PingOne node updates the user's MFA status. The flow then progresses to the Return Success section.
- Register FIDO2 device and enable MFA for user
- Uses a PingOne node to create a FIDO2 device, then presents the user with an HTML registration page.
If the user successfully registers the device, PingOne nodes activate the device and send a device registration email. If the new device should be the default, a PingOne node sets it as the default, then another PingOne node updates the user's MFA status. The flow then progresses to the Return Success section.
If the user clicks Cancel, a PingOne node deletes the device and the flow returns to the User select device to register with section.
- Mobile app registration flow
- Uses a PingOne node to create a pairing key, then creates a QR code using the key. An HTML node then presents the QR code to the user.
If the user clicks Cancel, a PingOne node deletes the pairing key and the flow returns to the User select device to register with section.
A PingOne node reads the key, then a polling node determines when to proceed. If the polling status is claimed, a PingOne node sends a device registration email. If the new device should be the default, a PingOne node sets it as the default, then another PingOne node updates the user's MFA status. The flow then progresses to the Return Success section.
If the polling fails, an error message is displayed, a PingOne node deletes the pairing key, and the flow returns to the User select device to register with section.
- Return Success
- Sends a success JSON response, indicating that the flow has completed successfully.
- Return Error
- Sends an error JSON response, indicating that the flow completed unsuccessfully.
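The bookkeeping that the Ask for OTP and Resend OTP sections describe (masking the contact, counting resend attempts against a maximum, choosing the cancel target), written as plain JavaScript. This is an added example, not the flow's own function-node code; the names `maskContact`, `nextResendState`, `cancelTarget`, the limit `MAX_RESEND_ATTEMPTS`, and the assumption that the cancel target depends on whether email was the only permitted option are mine.

```javascript
// Assumed limit; the page only says "the maximum" has been reached.
const MAX_RESEND_ATTEMPTS = 3;

// Mask a phone number or email so the OTP prompt shows only enough for the
// user to recognise the destination (first two characters of an email local
// part, or the last four digits of a phone number).
function maskContact(contact) {
  const at = contact.indexOf("@");
  if (at > 0) {
    const local = contact.slice(0, at);
    const domain = contact.slice(at + 1);
    const hidden = Math.max(local.length - 2, 1);
    return local.slice(0, 2) + "*".repeat(hidden) + "@" + domain;
  }
  const digits = contact.replace(/\D/g, "");
  if (digits.length <= 4) return "*".repeat(digits.length);
  return "*".repeat(digits.length - 4) + digits.slice(-4);
}

// Cancel behaviour at the OTP prompt. Assumption: when email was the only
// permitted option the user never saw the device picker, so Cancel returns to
// the greeting check rather than to the device selection page.
function cancelTarget(emailOnly) {
  return emailOnly
    ? "Check Whether MFA Greetings Required To Be Displayed To User?"
    : "User select device to register with";
}

// One Resend click: increment the counter, and only if the maximum has not
// been reached replace the device ID with the newly created device. Returns a
// fresh state object so the caller can keep the previous one for comparison.
function nextResendState(state, newDeviceId) {
  const resendAttempts = state.resendAttempts + 1;
  if (resendAttempts > MAX_RESEND_ATTEMPTS) {
    return { ...state, resendAttempts, action: "max_reached" };
  }
  return { ...state, resendAttempts, deviceId: newDeviceId, action: "recreate_device" };
}

// Constructed walk-through of the sections above (not real flow state).
function demo() {
  let state = { deviceId: "dev-old", resendAttempts: 0 };
  console.log("Enter the code sent to", maskContact("alice@example.com"));
  state = nextResendState(state, "dev-new-1"); // first Resend
  console.log(state.action, state.deviceId, "Cancel ->", cancelTarget(false));
  return state;
}
```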
Input schema
This flow has the following inputs.
| Input name | Required | Description |
|---|---|---|
| | Yes | The email address to use for registration. |
| | Yes | The user ID of the current user. |
| | No | A boolean indicating whether to show the user greetings page. |
| | No | A boolean indicating whether email should be the only permitted MFA device. |
| | No | A boolean indicating whether MFA is required. |
| | No | The user's first name. |
| | No | A boolean indicating whether the subflow should return to the calling flow on completion. |
| | No | A boolean indicating whether a newly added device should be set as the default device. |
| | No | A string containing any or all of |
| | No | The company logo. Used only when the main flow was launched using the widget. |
Output schema
This flow has the following outputs.
| Output name | Description |
|---|---|
| | The result status of the flow. |
| | The authentication method that was configured by the flow. |
| | The error message to display in the parent flow. |
Variables
This flow uses the following variables.
| Variable name | Description |
|---|---|
| | The HTML style to use for your company logo. |
| | The URL for your company logo. |
| | Displays the name of your company. |