Purpose

The CIAM Plus - Device Registration - Subflow presents users with options to register any available device type. The flow finds the available devices, then uses an HTML node to let the user select one:

  • If the user selects Mobile Application, the flow creates a pairing key to pair the application with the account.
  • If the user selects Biometrics/Security Key, the flow pairs the current device.
  • If the user selects Authenticator App, the flow uses a key URL to pair an authenticator app with the account.
  • If the user selects Text Message, the flow gathers the number and uses a one-time passcode (OTP) to verify the SMS number.
  • If the user selects Voice, the flow gathers the number and uses an OTP to verify the phone number.
  • If the user selects Email, the flow uses an OTP to verify the email address.

After any successful device registration, or if the user skips registration (or cancels it when the flow is configured to return to the calling flow), the flow returns to the parent flow.

Structure

This flow is divided into sections using teleport nodes:

Gather device types that user can register with
Uses a hidden HTML form to gather browser information and a function node to set flow instance variables, then uses a PingOne node to retrieve the user's current devices. If the user has compatible devices and can register at least one additional device, the flow progresses to the Check Whether MFA Greetings Required To Be Displayed To User? section.
Check Whether MFA Greetings Required To Be Displayed To User?
Uses a function node to check if the greeting page should be displayed.

If the greeting should be displayed, an HTML node asks for user consent to add an MFA device. If the user clicks Skip, the flow progresses to the Return Success section. If the user does not select Skip, or if the greeting page is not displayed, a function node checks whether email is the only allowed option.

If email is the only allowed option, the flow progresses to the Prepare to register OTP device section. If email is not the only allowed option, the flow progresses to the User select device to register with section.

User select device to register with
Presents the user with an HTML page that provides them with the available authentication method options.

If the user selects Voice or SMS, the flow progresses to the User selected SMS/VOICE section.

If the user selects Email, the flow progresses to the User selected email section.

If the user selects TOTP, the flow progresses to the Prepare to register OTP device section.

If the user selects FIDO2, the flow progresses to the Register FIDO2 device and enable MFA for user section.

If the user selects Mobile, the flow progresses to the Mobile app registration flow section.

If the user selects Cancel, a function node determines whether the user should be returned to the calling flow. If so, the flow progresses to the Return Success section. If not, the flow progresses to the Check Whether MFA Greetings Required To Be Displayed To User? section.

User selected SMS/VOICE
Displays an HTML page that gives the user the option to provide a voice or SMS number.

If the user enters a voice or SMS number, a function node verifies that the number is not in use, then the flow progresses to the Prepare to register OTP device section.

If the user clicks Cancel, the flow returns to the User select device to register with section.

User selected email
Uses a function node to check for a known user email.

If the user's email is already present, the flow progresses to the Prepare to register OTP device section.

If the user's email is not present, an HTML node lets the user enter an email and submit it or cancel.

If the user clicks Cancel, the flow returns to the User select device to register with section.

If the user submits an email, a function node verifies that the email is not already registered, then the flow progresses to the Prepare to register OTP device section.
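The device-inventory checks described in the sections above (which device types the user may still register, whether email is the only allowed option, and whether a submitted number or email is already in use) are implemented by function nodes in the flow. The following is an added example of that logic written as plain Node.js; it is not code from the CIAM Plus flow. The device record shape, the per-user device limit (DEFAULT_MAX_DEVICES), and the browserSupportsWebAuthn input are assumptions made for this example.

```javascript
// Added example, not code from the CIAM Plus flow: the device-inventory
// checks that the function nodes above perform, written as plain Node.js.
// The device record shape, the per-user device limit and the
// browserSupportsWebAuthn flag are assumptions made for this example.

const ALL_DEVICE_TYPES = ["SMS", "EMAIL", "FIDO2", "MOBILE", "VOICE", "TOTP"];
const DEFAULT_MAX_DEVICES = 5; // assumed limit; the page does not state PingOne's

// Parse the allowedDeviceTypes input (a comma-separated subset of the types
// above). Tokens are case-insensitive, unknown ones are dropped, and an
// empty value means every type is allowed.
function parseAllowedDeviceTypes(allowed) {
  if (!allowed || !allowed.trim()) return [...ALL_DEVICE_TYPES];
  const wanted = new Set(allowed.split(",").map((t) => t.trim().toUpperCase()));
  return ALL_DEVICE_TYPES.filter((t) => wanted.has(t));
}

// Digits only, so "+1 (555) 010-0100" and "15550100100" compare equal.
function normalisePhone(num) {
  return String(num).replace(/\D/g, "");
}

// Work out what the user may register next from the flow inputs and the
// device list returned by the "read user devices" PingOne node.
function registrationOptions(inputs, devices, maxDevices = DEFAULT_MAX_DEVICES) {
  let allowed = parseAllowedDeviceTypes(inputs.allowedDeviceTypes);
  if (inputs.ciam_allowOnlyEmail) allowed = allowed.filter((t) => t === "EMAIL");
  // FIDO2 needs a WebAuthn-capable browser; the flow learns this from the
  // hidden HTML form. Modelled here as an assumed boolean input.
  if (!inputs.browserSupportsWebAuthn) allowed = allowed.filter((t) => t !== "FIDO2");
  const active = devices.filter((d) => d.status === "ACTIVE").length;
  return {
    availableTypes: allowed,
    canRegister: allowed.length > 0 && active < maxDevices,
    emailOnly: allowed.length === 1 && allowed[0] === "EMAIL",
  };
}

// The "number/email is not in use" checks: refuse a target that is already
// bound to one of the user's devices, regardless of formatting or case.
function contactAlreadyRegistered(devices, { phone, email }) {
  const wantPhone = phone ? normalisePhone(phone) : null;
  const wantEmail = email ? email.trim().toLowerCase() : null;
  return devices.some(
    (d) =>
      (wantPhone && d.phone && normalisePhone(d.phone) === wantPhone) ||
      (wantEmail && d.email && d.email.trim().toLowerCase() === wantEmail)
  );
}

// Constructed sample device list: one SMS and one e-mail device, both active.
const SAMPLE_DEVICES = [
  { id: "d1", type: "SMS", phone: "+1 (555) 010-0100", status: "ACTIVE" },
  { id: "d2", type: "EMAIL", email: "Alice@Example.com", status: "ACTIVE" },
];

// Stand-alone demo: what the selection page would offer this user.
console.log(
  registrationOptions({ allowedDeviceTypes: "sms,email,totp", browserSupportsWebAuthn: true }, SAMPLE_DEVICES)
);
console.log(contactAlreadyRegistered(SAMPLE_DEVICES, { phone: "15550100100" }));
```

The duplicate check normalises both sides before comparing; without that, a user (or an attacker driving the registration page) could register the same number twice under different formatting, which defeats any per-device rate limiting that keys on the exact string.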

Prepare to register OTP device
Uses a PingOne node to create an OTP device.

If the OTP device creation succeeds, a function node sets the device ID, then the flow progresses to the TOTP (Authenticator app) registration flow section if the device type is TOTP, or to the Ask for OTP section if the device is SMS, voice, or email.

If the OTP device creation fails, an error message is displayed.

Ask for OTP
Uses function nodes to begin tracking the number of resend attempts, mask the phone number or email, and determine the cancel behavior, then displays an HTML node prompting the user for the OTP.

If the user submits a code, the flow progresses to the Activate OTP device and enable MFA for user section. Otherwise, the flow progresses to the Resend OTP section.

Resend OTP

If the user clicks Cancel at the OTP prompt screen, a PingOne node deletes the OTP device, then the flow returns to either the User select device to register with section or the Check Whether MFA Greetings Required To Be Displayed To User? section depending on the cancel behavior.

If the user clicks Resend at the OTP prompt screen, function nodes increment the resend attempts and check if the maximum has been reached. If the maximum has not been reached, PingOne nodes delete the previous OTP device and create a new device, a function node updates the device ID, and a message is displayed for the user.

TOTP (Authenticator app) registration flow
Uses a function node to create a QR code for the key URL, then displays an HTML page on which the user can scan the QR code and enter a secret.

If the user enters the secret, the flow progresses to the Activate OTP device and enable MFA for user section.

If the user clicks Cancel, a PingOne node deletes the OTP device, and the flow returns to the User select device to register with section.

Activate OTP device and enable MFA for user
Uses PingOne nodes to activate the OTP device and send a device registration email. If the new device should be the default, a PingOne node sets it as the default, then another PingOne node updates the user's MFA status. The flow then progresses to the Return Success section.

Register FIDO2 device and enable MFA for user
Uses a PingOne node to create a FIDO2 device, then presents the user with an HTML registration page.

If the user successfully registers the device, PingOne nodes activate the device and send a device registration email. If the new device should be the default, a PingOne node sets it as the default, then another PingOne node updates the user's MFA status. The flow then progresses to the Return Success section.

If the user clicks Cancel, a PingOne node deletes the device and the flow returns to the User select device to register with section.

Mobile app registration flow
Uses a PingOne node to create a pairing key, then creates a QR code using the key. An HTML node then presents the QR code to the user.

If the user clicks Cancel, a PingOne node deletes the pairing key and the flow returns to the User select device to register with section.

A PingOne node reads the key, then a polling node determines when to proceed. If the polling status is claimed, a PingOne node sends a device registration email. If the new device should be the default, a PingOne node sets it as the default, then another PingOne node updates the user's MFA status. The flow then progresses to the Return Success section.

If the polling fails, an error message is displayed, a PingOne node deletes the pairing key, and the flow returns to the User select device to register with section.

Return Success
Sends a success JSON response, indicating that the flow has completed successfully.

Return Error
Sends an error JSON response, indicating that the flow completed unsuccessfully.

Input schema

This flow has the following inputs.

Input name                    Required  Description
email                         Yes       The email address to use for registration.
pingOneUserId                 Yes       The user ID of the current user.
ciam_notShowMFAGreetingsPage  No        A boolean indicating whether to suppress the user greetings page.
ciam_allowOnlyEmail           No        A boolean indicating whether email should be the only permitted MFA device.
ciam_requireMFA               No        A boolean indicating whether MFA is required.
firstName                     No        The user's first name.
ciam_returnToCallingFlow      No        A boolean indicating whether the subflow should return to the calling flow on completion.
ciam_setNewDeviceAsDefault    No        A boolean indicating whether a newly added device should be set as the default device.
allowedDeviceTypes            No        A string containing any or all of SMS, EMAIL, FIDO2, MOBILE, VOICE, TOTP indicating the allowed device types.
ciam_companyLogo              No        The company logo. Used only when the main flow was launched using the widget.

Output schema

This flow has the following outputs.

Output name         Description
ciam_subflowResult  The result status of the flow.
ciam_authMethod     The authentication method that was configured by the flow.
ciam_errorMessage   The error message to display in the parent flow.

Variables

This flow uses the following variables.

Variable name     Description
ciam_logoStyle    The HTML style to use for your company logo.
ciam_logoUrl      The URL for your company logo.
ciam_companyName  The name of your company.