Gift Card Redemption Authentication

Gift Card Redemption - Update Email & Redeem Rewards - Main Flow

The Gift Card Redemption - Update Email & Redeem Rewards - Main Flow lets users update their email addresses and redeem rewards.

Purpose

The Gift Card Redemption - Update Email & Redeem Rewards - Main Flow is the initial flow in the Gift Card solution. It performs a PingOne Protect assessment using the Gift Card Redemption - Threat Detection - Subflow and enables users to sign on. It then presents users with forms that let them update their email address or redeem rewards.

Structure

This flow is divided into sections using teleport nodes:

Flow Configuration

Uses multiple function nodes to save the variable and parameter values so that the correct values are available in the flow and in subflows. The flow then progresses to the Check Session, Call To Protect Analysis & MFA Step-Up section.

Check Session, Call To Protect Analysis & MFA Step-Up

Uses a PingOne node to determine whether the user has an existing session.

If the user has a session, a hidden HTML node captures risk information and a PingOne node fetches additional user information, then the flow progresses to the Threat Detection and Mitigation section. When this section completes, a function node checks if the user’s account is enabled, and if so, the flow progresses to the Manage Account: Prompt User To Update Email / Redeem Rewards and step-up with MFA based on risk level section.

If the user does not have a session, the flow checks for any existing session tokens and uses a PingOne node to delete the prior session before invoking the Gift Card Redemption - SignOn - Subflow with the disableAccountRegistrationButton, disableAccountRecoveryButton, and disableSocialRegistrationButton values set to true. When the subflow completes, a function node saves the protect risk level and a PingOne node creates a session for the user. A loading screen is displayed for the user, then a PingOne node retrieves user information. The flow then progresses to the Manage Account: Prompt User To Update Email / Redeem Rewards and step-up with MFA based on risk level section.

Threat Detection & Mitigation

Uses a function node to check whether PingOne Protect analysis is required.

If PingOne Protect analysis isn’t required, the flow returns to the Check Session, Call To Protect Analysis & MFA Step-Up section.

If PingOne Protect analysis is required, the flow invokes the Gift Card Redemption - Threat Detection - Subflow.

If the Gift Card Redemption - Threat Detection - Subflow completes successfully, a function node stores the risk evaluation as a variable, then a second function node branches the flow based on the risk level:

  • If the risk level is low, the flow returns to the Check Session, Call To Protect Analysis & MFA Step-Up section.

  • If the risk level is medium, the flow progresses to the MFA Authentication section. When this section completes, the flow returns to the Check Session, Call To Protect Analysis & MFA Step-Up section.

  • If the risk level is high, a function node checks if the high risk was the result of a new device. If not, a PingOne node notifies the user of the suspicious activity. A PingOne node deletes the user session. The flow then progresses to the Check Session, Call To Protect Analysis & MFA Step-Up section.

If the Gift Card Redemption - Threat Detection - Subflow completes unsuccessfully, a function node stores the risk evaluation ID and an error message is displayed.
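
The branching in this section, written out as an added JavaScript example (it is not code from the flow or from PingOne). The function name, input shape, and action labels are hypothetical. It assumes the session is deleted for every high-risk result and that an empty or unrecognised risk level stops with an error instead of being treated as low.

```javascript
// Added example: section names come from the page; routeByRisk, its
// input shape and the action labels are hypothetical.
const SECTIONS = {
  check: 'Check Session, Call To Protect Analysis & MFA Step-Up',
  mfa: 'MFA Authentication',
};

// Decide the next section and side effects for one Protect result.
//   subflowOk   - the Threat Detection subflow completed successfully
//   riskLevel   - value held in protectRiskLevel (case-insensitive here)
//   isNewDevice - a high result was caused by a new device
function routeByRisk({ subflowOk, riskLevel, isNewDevice = false }) {
  if (!subflowOk) {
    // Unsuccessful subflow: keep the evaluation ID and show an error.
    return { next: null, actions: ['storeRiskEvalId', 'showError'] };
  }
  const level = String(riskLevel ?? '').trim().toLowerCase();
  switch (level) {
    case 'low':
      return { next: SECTIONS.check, actions: [] };
    case 'medium':
      // Step up; the MFA section returns to Check Session when it completes.
      return { next: SECTIONS.mfa, actions: [] };
    case 'high': {
      const actions = [];
      if (!isNewDevice) actions.push('notifyUser'); // suspicious activity notice
      actions.push('deleteSession'); // assumption: applies to every high result
      return { next: SECTIONS.check, actions };
    }
    default:
      // Assumption: a missing or unknown level fails closed with an error
      // rather than falling through to the low-risk path.
      return { next: null, actions: ['showError'] };
  }
}

// Constructed inputs, not captured from a real risk evaluation.
for (const input of [
  { subflowOk: true, riskLevel: 'MEDIUM' },
  { subflowOk: true, riskLevel: 'HIGH', isNewDevice: false },
  { subflowOk: true, riskLevel: undefined },
]) {
  console.log(JSON.stringify(input), '->', JSON.stringify(routeByRisk(input)));
}
```
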

MFA Authentication

A PingOne node retrieves the user’s existing devices, and a hidden HTML node gathers information about biometrics and security keys.

Function nodes then filter the user’s active devices and verify that the user has at least one active device. If the devices could not be filtered or if the user has no active devices, the flow progresses to the Step Up To Register Email MFA Device, If No MFA Devices Found During Authentication section.

If the user has active devices, the Gift Card Redemption - Device Authentication - Subflow is invoked. The flow then splits by the subflow result.

  • If the Gift Card Redemption - Device Authentication - Subflow completed successfully, a function node stores the authentication method as a variable. The flow then returns to the previous section.

  • If the Gift Card Redemption - Device Authentication - Subflow was canceled, the flow returns to the previous section.

Step Up To Register Email MFA Device, If No MFA Devices Found During Authentication

A function node checks whether verification is required for the account.

If verification is not required, the Gift Card Redemption - Device Registration - Subflow is invoked. The flow then splits based on the subflow result.

  • If the subflow completed successfully, the authentication method is stored as a variable, then the flow returns to the MFA Authentication section.

  • If the user canceled, the flow returns to the Manage Account: Prompt User To Update Email / Redeem Rewards and step-up with MFA based on risk level section if that was the previous section.

If verification is required, the Gift Card Redemption - Verify Email - Subflow is invoked. If the subflow completes successfully, PingOne nodes enroll email as an MFA device and enable MFA for the user. A function node stores the authentication method as a variable, then the flow returns to the MFA Authentication section.

Manage Account: Prompt User To Update Email / Redeem Rewards and step-up with MFA based on risk level

An HTML page presents the user with a choice of updating their email or redeeming rewards. If risk mitigation is required, a function node examines the PingOne Protect risk level. If the risk level is low, a PingOne node updates the risk evaluation if the risk evaluation ID is known. If the risk level is medium or high, the flow progresses to the Step Up To Register Email MFA Device, If No MFA Devices Found During Authentication section.

The flow then progresses to the Update Email section or the Redeem Rewards section depending on the user’s selection.

Update Email

Uses a PingOne node to look up the user, then displays an email update form. The flow then branches based on the user’s selection.

If the user cancels, the flow returns to the Manage Account: Prompt User To Update Email / Redeem Rewards and step-up with MFA based on risk level section.

If the user submits an email, function nodes verify that the new email is valid and that the current email matches the user’s profile email. PingOne nodes then verify that the new email is not used by another user before updating the user’s email address.

The Gift Card Redemption - Verify Email - Subflow is then invoked. If the subflow completes successfully, a success message is displayed, then the flow returns to the Manage Account: Prompt User To Update Email / Redeem Rewards and step-up with MFA based on risk level section.

Redeem Rewards

Uses a PingOne node to look up the user, then displays a reward redemption form. The flow then branches based on the user’s selection.

If the user cancels, the flow returns to the Manage Account: Prompt User To Update Email / Redeem Rewards and step-up with MFA based on risk level section.

If the user proceeds, a function node calculates the user’s remaining balance, then a PingOne node updates the user’s balance. A success message displays, showing the user’s updated balance, then the flow returns to the Manage Account: Prompt User To Update Email / Redeem Rewards and step-up with MFA based on risk level section.

Return Success

Sends a success response, indicating that the flow completed successfully. If the risk evaluation ID is present and the user did not cancel, a PingOne node also updates the evaluation status.

Return Error

Displays an error screen and sends an error JSON response, indicating that the flow completed unsuccessfully. If the risk evaluation ID is present, a PingOne node also updates the evaluation status.

Input schema

This flow has the following inputs:

| Input name | Required | Description |
| --- | --- | --- |
| flowParameters | No | An object containing parameters passed in if the flow was launched with the widget. This input replaces all other inputs. |

Output schema

This flow has the following outputs:

| Output name | Description |
| --- | --- |
| p1UserId | The user ID of the current user. |
| flowResult | The result status of the flow. |
| errorMessage | The error message returned by the flow. Sent only if the flow progressed to the Return Error section. |
| errorDetails | The detailed error information returned by the flow. Sent only if the flow progressed to the Return Error section. |

Variables and parameters

This flow uses the following variable or parameter values.

| Variable name | Description |
| --- | --- |
| flowCompanyLogo | The URL for your company logo. |
| p1MFAPolicyId | The ID of the PingOne MFA policy to use in the flow. |
| p1AgreementId | The ID of the agreement to present to users. |
| p1RiskPolicyIdAuthn | The PingOne risk policy ID to use for authentication. |
| p1RiskPolicyIdAR | The PingOne risk policy ID to use for account recovery. |
| p1RiskPolicyIdAuthZ | The PingOne risk policy ID to use for authorization. |
| p1RiskPolicyIdReg | The PingOne risk policy ID to use for registration. |
| protectRiskEvalId | The risk ID of the current user as used by PingOne Protect. |
| protectRiskLevel | The risk level of the current user as determined by PingOne Protect. |
| authMethod | The authentication method used in the flow. |
| flowProtectAnalysisRequired | Indicates whether a PingOne Protect analysis must be performed for all users. |
| ciam_magicLinkEnabled | Indicates whether magic link authentication is enabled. |
| ciam_agreementEnabled | Indicates whether the agreement is required. |
| ciam_logoUrl | The URL for your company logo. This value is used only when the flow is launched with a redirect. |
| ciam_companyName | Displays the name of your company. This value is used only when the flow is launched with a redirect. |
| ciam_logoStyle | The HTML style to use for your company logo. This value is used only when the flow is launched with a redirect. |
| ciam_sessionLengthInMinute | The maximum time a user can spend in the flow before it times out. |