The CIAM Plus - MFA Device Management - Main Flow lets users view and manage the devices associated with their account. It can only be launched using the widget.
Purpose
The CIAM Plus - MFA Device Management - Main Flow presents users with their current multi-factor authentication (MFA) devices. It then presents the options for users to add new devices, change the name or status of existing devices, or remove an existing device.
Structure
This flow is divided into sections using teleport nodes:
- Check for valid session and Enable MFA
  - Uses function nodes to set variables, then uses a PingOne node to check for a valid session.
    - If a session exists, a hidden HTML node invokes the skpolling component.
    - If no session exists, a PingOne node deletes any existing session token, then the CIAM Plus - SignOn - Subflow is invoked. When the flow completes, a PingOne node creates or updates the session.

    A function node retrieves the user ID, then a PingOne node retrieves the user details. The flow then progresses to the MFA Authentication section.

    When the previous section completes, an HTML node presents the user with the option to enable MFA. If the user proceeds, PingOne nodes enable MFA and read all enabled devices for the user. The flow progresses to the Verifying and auto enrolling the email section if the user has zero devices, and to the Display User Devices section if the user has more than zero devices.
- MFA Authentication
  - Uses a PingOne node to retrieve the user's devices, then uses a hidden HTML node to check for WebAuthn compatibility. Function nodes verify that the user has at least one active device, then a PingOne node enables MFA for the user. The CIAM Plus - Device Authentication - Subflow is invoked, then the flow returns to the Check for valid session and Enable MFA section.
- Verifying and auto enrolling the email
  - Uses a PingOne node to send a verification code, then presents an HTML page on which the user can enter the verification code. If the user submits a code, PingOne nodes validate the code, register email as an MFA device, and send a device registration email. The flow then progresses to the Display User Devices section.
- Display User Devices
  - Uses a PingOne node to retrieve the user's known devices. If the user can add devices, a custom HTML template presents the user with device options. If the user selects Add, the flow progresses to the Add Device section. If the user selects Done or Cancel, the flow progresses to the Return Success section. If the user selects an existing device, the flow progresses to the Update Device section.
- Add Device
  - Uses a PingOne node to retrieve user information, then invokes the CIAM Plus - Device Registration - Subflow flow. It then progresses to the Display User Devices section if the addition was successful or canceled.
- Update Device
  - Presents users with a custom HTML page showing options for a currently selected device. The Save and Default options trigger PingOne to save a new device name or set the current device as default. The Remove option triggers an HTML node that asks the user to confirm the deletion. If the user confirms the deletion, a PingOne node removes the current device, then the flow progresses to the Display User Devices section. If the user cancels, the flow progresses to the Display User Devices section.
- Return Success
  - Sends a JSON success message.
- Return Error
  - Displays an error message, then sends a JSON error response.
Input schema
This flow has no inputs.
Output schema
This flow has the following outputs.
| Output Name | Description |
|---|---|
|  | The error message to display in the parent flow. |
|  | The error code to display in the parent flow. |
Variables and parameters
This flow uses the following variable or parameter values.
| Variable name | Parameter name | Description |
|---|---|---|
|  | None | The HTML style to use for your company logo. |
|  | None | The URL for your company logo. |
|  | None | Displays the name of your company. |
|  | None | The method used to launch the flow, such as widget. |
|  | isEmailMagicLinkEnabled | Indicates whether magic link is enabled in your environment. |
|  | isTermsOfServiceEnabled | A boolean indicating whether agreement is enabled in your environment. |
|  | None | A boolean indicating whether passwordless login is required in the environment. |
|  | isAppleEnabled | Indicates whether authentication through Apple is enabled in your environment. |
|  | isFacebookEnabled | Indicates whether authentication through Facebook is enabled in your environment. |
|  | isGoogleEnabled | Indicates whether authentication through Google is enabled in your environment. |
|  | None | A boolean indicating whether account recovery is enabled in the environment. |