PingOne for Customers Passwordless

CIAM-Passwordless-Protect-Account-Registration-Subflow

The CIAM-Passwordless-Protect-Account-Registration-Subflow lets users register a new account.

Purpose

The CIAM-Passwordless-Protect-Account-Registration-Subflow presents users with the ability to create a new account. The flow first uses PingOne Protect to check for bots and high-risk users before proceeding to account creation. Depending on your environment’s properties, the flow can let a user create a password, add an multi-factor authentication (MFA) device using the CIAM-Passwordless-Protect-Device-Registration-Subflow flow, and view and agree to an agreement using the CIAM-Passwordless-Protect-Agreement(ToS)-Subflow flow.

Structure

Diagram of the structure, as described below.

This flow is divided into sections using teleport nodes:

Progressive Profiling

Uses hidden nodes to enable a PingOne Protect analysis and initialize variables, then presents users with an HTML form on which to enter their email address.

  • If the user clicks Sign On, the flow progresses to the Return Success section.

  • If the user clicks Register the flow progresses to the PingOne Protect Threat Detection Analysis section.

After the PingOne Protect Threat Detection Analysis section has completed, a PingOne node looks for a user with the specified email address. If none is found, the flow progresses to the Verify Email section.

After the Verify Email section has completed, an HTML form lets the user enter a first and last name.

  • If the user clicks Back, the flow returns to the beginning of the Progressive Profiling section.

  • If the user clicks Register, the flow progresses to the Create Account section.

PingOne Protect Threat Detection Analysis

Invokes the CIAM-Passwordless-Protect-Threat-Detection-Subflow subflow.

If the CIAM-Passwordless-Protect-Threat-Detection-Subflow subflow completes successfully, the PingOne Protect values are saved as variables.

A function node then examines the risk score.

  • If the risk score is low or medium, the flow returns to the Progressive Profiling section.

  • If the risk score is high, an error message is displayed.

If the CIAM-Passwordless-Protect-Threat-Detection-Subflow subflow does not complete successfully, any available PingOne Protect values are saved as variables, then the flow progresses to the Return Error section.

Create Account

Uses a function node to check if passwordless is required.

If passwordless isn’t required, an HTML node lets the user enter a password and click Register, Other, or Back.

  • If the user clicks Register, function nodes verify that the password and confirmed password match and that the password is valid, then a PingOne node creates the new user. If the user creation succeeds, the flow progresses to the Accept Agreement and Verify Email section.

  • If the user clicks Other, a PingOne node creates the new user. If the user creation succeeds, the flow progresses to the Accept Agreement and Verify Email section.

  • If the user clicks Back, the flow returns to the second HTML node in the Progressive Profiling section.

Accept Agreement and Verify Email

Invokes the CIAM-Passwordless-Protect-Agreement(ToS)-Subflow flow to ensure that the user agrees to any required agreements, then uses a PingOne node to enroll the email address as an MFA device without verification. The flow then progresses to the Device Registration section.

Device Registration

Checks if the user selected passwordless.

  • If the user selected passwordless, the flow progresses to the Return Success section.

  • If the user did not select passwordless, the CIAM-Passwordless-Protect-Device-Registration-Subflow flow is invoked, after which the flow progresses to the Return Success section.

Set Password

Uses an HTML node to prompt the user for a new password, verifies that the password matches the confirmed password, and uses a PingOne node to set the password. The flow then progresses to the Return Success section.

Verify Email

Uses a PingOne MFA node to create a device authentication, then uses an HTML template to prompt the user for the verification code.

  • If the user clicks Verify, a PingOne MFA node verifies the passcode, then the flow returns to the Progressive Profiling section.

  • If the user clicks Resend, the number of resend attempts is increased by one. If the number of resend attempts is less than five, the flow then returns to the beginning of the Verify Email section.

Return Success

Sends a success JSON response, indicating that the flow has completed successfully.

Return Error

Sends an error JSON response, indicating that the flow completed unsuccessfully. A comparison node also checks for a risk ID, and uses a PingOne node to update the risk evaluation if a risk ID is present.

Input schema

This flow has the following inputs:

Input name Required Description

ciam_passwordlessRequired

Yes

Indicates whether passwordless authentication is required for sign-on.

allowedDeviceTypes

Yes

A string containing any or all of SMS, EMAIL, FIDO2 indicating the allowed device types.

ciam_agreementEnabled

Yes

Indicates whether agreement is enabled for user registration.

ciam_agreementId

Yes

The ID of the agreement to present to users.

ciam_companyLogo

No

The company logo.

Used only when the main flow was launched using the widget.

ciam_riskPolicyID

None

The PingOne Protect policy ID.

Output schema

This flow has the following outputs:

Output name Description

ciam_subflowResult

The result status of the flow.

ciam_pingOneUserId

The user ID of the current user.

ciam_authMethod

The authentication method chosen by the user.

ciam_errorMessage

The error message text to display, if any.

Variables and parameters

This flow uses the following variable or parameter values:

Variable name Parameter name Description

ciam_passwordlessRequired

isPasswordlessRequired

Indicates whether passwordless authentication is required for sign-on.

ciam_logoStyle

None

The HTML style to use for your company logo.

ciam_logoUrl

None

The URL for your company logo.

ciam_companyName

None

Displays the name of your company.

ciam_riskPolicyID

None

The PingOne Protect policy ID.

ciam_protectPredictor

None

The recommendation made by PingOne Protect.

ciam_protectDeviceStatus

None

The status of the user’s device as determined by PingOne Protect.

ciam_protectRiskID

None

The risk ID of the current user as used by PingOne Protect.

ciam_protectRiskLevel

None

The risk level of the current user as determined by PingOne Protect.