PingAM Auth node reference

Device Match node

Compares any collected device metadata with that stored in the user’s profile.

Use this node with the Device Profile Collector node to determine if the authenticating user is on a previously saved, trusted device.

Use this node with the Device Location Match node or Device Geofencing node to verify both the device and location of the user.

The Device Match node supports the following methods of comparison:

  1. Built-in Matching

    The node handles the comparison and matching. You can configure the acceptable variance and specify a time frame during which saved profiles are considered current.

    When using built-in matching, the node compares all attributes from the device profile collected by the Device Profile Collector node against the attributes in the user’s saved device profiles. Each differing attribute value adds to the variance count.

    Examples of attributes compared include:

    • Hardware details (manufacturer, model)

    • Operating system information (OS version, build number)

    • Browser environment (user-agent, screen resolution)

    • Network information (IP address, MAC address)

    This mode is ideal for matching devices that don’t change frequently, such as point-of-sale machines. It’s also simpler to implement because you don’t have to write a script to handle and compare specific device attributes.

    However, this method treats all attributes of a device equally, and each difference in attribute values counts towards the Acceptable Variance value you configure.

  2. Custom Matching

    Create a custom script to compare captured device data against trusted device profiles.

    This mode is ideal if you issue specific hardware to your users, or you want to prioritize certain device attribute matches over others.

    The script lets you control which device attributes are captured and how they’re compared to the trusted device profile.

    For example, you could ignore attributes that are known to change frequently, such as screen layouts or orientation.

    To view a customizable template script for device matching, follow these steps:

    1. In the AM admin UI, go to Realms > realm name > Scripts.

    2. Click Device Profile Match Template - Decision Node Script.

    There’s also a comprehensive sample script (with usage instructions) and a development toolkit in the GitHub sample repository.

Compatibility

Product Compatible?

PingOne Advanced Identity Cloud

ForgeRock Access Management (self-managed)

Ping Identity Platform (self-managed)

Outcomes

  • True

  • False

  • Unknown Device

Evaluation continues along the True path if the collected device profile matches a saved profile, within the configured variance; otherwise, evaluation continues along the False path.

If the user has no trusted device profiles, or the identity of the user has not been established, evaluation continues along the Unknown Device path.
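
The following JavaScript sketch is an added example, not PingAM's implementation or a script from this page. It models the documented built-in comparison (variance count, Acceptable Variance, Expiration, and the three outcomes) and shows how a custom comparison that ignores volatile attributes changes the result. The attribute names, the `ignore` option, the treatment of attributes missing on one side, and the handling of expired profiles are assumptions made for illustration.

```javascript
// Added illustration: models the documented behaviour; this is not PingAM source code.
const DAY_MS = 24 * 60 * 60 * 1000;
// Flatten nested metadata into "a.b" -> serialized value pairs.
function flatten(obj, prefix = '', out = {}) {
  for (const [k, v] of Object.entries(obj)) {
    const key = prefix ? `${prefix}.${k}` : k;
    if (v !== null && typeof v === 'object' && !Array.isArray(v)) flatten(v, key, out);
    else out[key] = JSON.stringify(v);
  }
  return out;
}

// Count attributes whose values differ. Assumption: an attribute present on
// only one side counts as a difference. `ignore` lists key prefixes to skip.
function variance(collected, saved, ignore = []) {
  const a = flatten(collected), b = flatten(saved);
  let diff = 0;
  for (const k of new Set([...Object.keys(a), ...Object.keys(b)])) {
    if (!ignore.some((p) => k.startsWith(p)) && a[k] !== b[k]) diff++;
  }
  return diff;
}

// Returns 'True', 'False' or 'Unknown Device', mirroring the node's outcomes.
function deviceMatch(collected, savedProfiles, opts) {
  if (!savedProfiles || savedProfiles.length === 0) return 'Unknown Device';
  const cutoff = opts.now - opts.expirationDays * DAY_MS;
  // Assumption: if every saved profile is expired, nothing matches (False).
  const matched = savedProfiles
    .filter((p) => p.savedAt >= cutoff)
    .some((p) => variance(collected, p.metadata, opts.ignore) <= opts.acceptableVariance);
  return matched ? 'True' : 'False';
}

// Constructed sample data: the same tablet after an OS update and a screen rotation.
const NOW = Date.UTC(2024, 5, 1);
const SAVED = [{ savedAt: NOW - 10 * DAY_MS, metadata: {
  hardware: { manufacturer: 'ExampleCo', model: 'X1' },
  platform: { version: '14.4' },
  display: { width: 1920, height: 1080, orientation: 'landscape' } } }];
const COLLECTED = {
  hardware: { manufacturer: 'ExampleCo', model: 'X1' },
  platform: { version: '14.5' },
  display: { width: 1080, height: 1920, orientation: 'portrait' } };
const BASE = { now: NOW, expirationDays: 30, acceptableVariance: 2 };
console.log(variance(COLLECTED, SAVED[0].metadata));                           // equal weighting
console.log(deviceMatch(COLLECTED, SAVED, BASE));                              // built-in style
console.log(deviceMatch(COLLECTED, SAVED, { ...BASE, ignore: ['display.'] })); // custom style
```

With equal weighting, one screen rotation consumes three of the allowed differences, which is why a low Acceptable Variance suits fixed hardware and why raising it to absorb such noise also loosens the match on the attributes that identify the device.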

Properties

Property Usage

Acceptable Variance

Specify the maximum number of device attribute differences acceptable for a match.

Expiration

Specify the maximum age, in days since being saved, of existing profiles that can be considered for comparison. Device profiles saved to the user’s profile before this time will not be compared to the collected metadata.

Use Custom Matching Script

Specifies whether to use a custom script to compare the collected metadata with saved device profiles.

The script type must be Decision node script for authentication trees (standalone AM) or Journey Decision Node (Ping Identity Platform deployments).

When a custom matching script is used, the Acceptable Variance and Expiration properties are ignored.

Default: Authentication Tree Decision Node Script

Custom Matching Script

Specifies the custom script to use if the Use Custom Matching Script property is enabled.

Only scripts of type Decision node script for authentication trees (standalone AM) or Journey Decision Node (Ping Identity Platform deployments) appear in the list.