Purpose

The CIAM Plus - Registration and Authentication with Username and Password - Main Flow is the initial flow in the PingOne for Customers Plus solution. It enables existing users to sign on using a password, uses the CIAM Plus - Account Registration - Subflow flow to let new users register, uses the CIAM Plus - Account Recovery - Email - Subflow flow to let existing users recover their account, and uses the CIAM Plus - Device Authentication - Subflow flow to let existing users sign on using a known device.

Structure

This flow is divided into sections using teleport nodes:

Flow Configuration
Uses multiple function nodes to save the variable and parameter values so that the correct values are available in the flow and in subflows. The flow then progresses to the Check for Session section.
Check for Session
Uses a PingOne node to determine whether the user has an existing session. If so, the flow progresses to the Return Success section. If not, the flow checks for any existing session tokens and uses a PingOne node to delete the prior session before the flow progresses to the Offer Sign On Page section.
Offer Sign On Page

Displays an HTML page with options to sign on using a password, recover from a forgotten password, or register a new account. The sign-on option progresses to the Password Authentication section, the forgot password option progresses to the Call Account Recovery Sub-Flow section, and the register option progresses to the Call Account Registration Sub-Flow section.

Call Account Recovery Sub-Flow
Invokes the CIAM Plus - Account Recovery - Email - Subflow flow, then progresses to the Offer Sign On Page section.
Call Account Registration Sub-Flow
Invokes the CIAM Plus - Account Registration - Subflow flow. If the subflow's result is signOn, the flow progresses to the Offer Sign On Page section. If the subflow's result is complete, the flow invokes the CIAM Plus - Device Registration - Subflow flow, uses a PingOne node to send an account creation email, and then progresses to the Return Success section.
Password Authentication
Uses two PingOne nodes to look up the user and validate the provided password. If the password is correct and current, the flow progresses to the Return Success section. If the password is correct but must be changed or is expired, the flow progresses to the Call Change Password Sub-Flow section. If the password is incorrect or the user cannot be found, a comparison node checks whether the account is locked. If the account is locked, the flow progresses to the Return Error section. If the account is not locked, an error message is displayed to the user.
MFA Authentication

Uses a PingOne node to look up the user's existing devices. An HTML node then checks the user's current device for Webauthn support, and comparison nodes filter for unusable devices and check if at least one device is configured.

If the user has no active devices or the user's device information could not be found, the flow progresses to the Step up to register Email MFA device if no MFA devices found during authentication section.

If the user has active devices, a PingOne node enables MFA, then invokes the CIAM Plus - Device Authentication - Subflow. If the subflow completes successfully, the flow progresses to the Check Password Status node in the Password Authentication section.

Call Change Password Sub-Flow
Invokes the CIAM Plus - Change Password - Subflow flow. If the subflow completes successfully, the flow displays a success message and a PingOne node sends a password change email the flow. The flow then progresses to the Call Check Agreement and Email Verification Sub-Flow section.
Step up to register Email MFA device if no MFA devices found during authentication

A comparison node checks whether email verification is required.

If email verification is not required, invokes the CIAM Plus - Device Registration - Subflow, then progresses to the Check Password Status node in the Password Authentication section.

If email verification is required, invokes the CIAM Plus - Verify Email - Subflow, then uses PingOne nodes to enroll email as an MFA device, enable MFA for the user, and send an email confirming the email device registration. The flow then progresses to the Check Password Status node in the Password Authentication section.

Call Check Agreement and Email Verification Sub-Flow
Invokes the CIAM Plus - Agreement (ToS) - Subflow, then uses a PingOne node to retrieve user information. A function node checks whether email verification is required, and if email verification is required, the CIAM Plus - Verify Email - Subflow is invoked. The flow then progresses to the Handle Remember Me if Applicable section.
Handle Remember Me if Applicable
Adds Remember Me as an authentication method if it is enabled, then progresses to the Return Success section.
Return Success
Displays a success message, then uses a function node to determine how the flow was launched. If the flow was launched with the widget, a PingOne node looks up the user. A PingOne Authentication node then sends a success response and creates a session with a duration of two days.
Return Error
Displays an error screen and sends an error JSON response, indicating that the flow completed unsuccessfully.

Input schema

This flow has the following inputs.
Input Name Required Description

flowParameters

No

An object containing parameters passed in if the flow was launched with the widget. This input replaces all other inputs.

loginHint

No

Information used to pre-fill the username.

maxSecondsSinceLastSignOn

No

The maximum amount of time allowed since the user last authenticated.

authorizationRequest

No

An object containing all of the parameters from the OIDC authorization request.

samlRequest

No

An object containing all of the parameters from the SAML authorization request.

wsFedRequest

No

An object containing all of the parameters from the WS-FED authorization request.

application

Yes

An object containing the configuration information from the PingOne application that initiated the authentication request.

relayState

Yes

State information used by PingOne.

Output schema

This flow has no outputs.

Variables and parameters

This flow uses the following variable or parameter values.

Variable name Parameter name Description

ciam_appleEnabled

isAppleEnabled

Indicates whether authentication through Apple is enabled in your environment.

ciam_facebookEnabled

isFacebookEnabled

Indicates whether authentication through Facebook is enabled in your environment.

ciam_googleEnabled

isGoogleEnabled

Indicates whether authentication through Google is enabled in your environment.

ciam_magicLinkEnabled

isEmailMagicLinkEnabled

Indicates whether magic link is enabled in your environment.

ciam_sessionLengthInMinute

None

The maximum time a user can spend in the flow before it times out.

ciam_logoStyle

None

The HTML style to use for your company logo.

This value is only used when the flow is launched with a redirect.

ciam_logoUrl

None

The URL for your company logo.

This value is only used when the flow is launched with a redirect.

ciam_companyName

None

Displays the name of your company.

This value is only used when the flow is launched with a redirect.

ciam_accountRecoveryEnabled

isAccountRecoveryEnabled

A boolean that controls whether account recovery is enabled in your environment.

ciam_agreementEnabled

isTermsOfServiceEnabled

A boolean indicating whether agreement is enabled in your environment.

ciam_agreementID

None

The PingOne agreement ID to use in the solution.

ciam_mfaPolicyID

None

The ID of the PingOne MFA policy to use in the solution.