---
title: Identity Store Decision node
description: The Identity Store Decision node attempts to match the provided username and password with the credentials stored in the identity store.
component: auth-node-ref
version: latest
page_id: auth-node-ref:cloud:identity-store-decision
canonical_url: https://docs.pingidentity.com/auth-node-ref/latest/cloud/identity-store-decision.html
keywords: ["Nodes & Trees", "Journeys", "Authentication", "Identity Store", "Data Store"]
page_aliases: ["auth-node-identity-store-decision.adoc"]
section_ids:
  example: Example
  alternative_nodes: Alternative nodes
  availability: Availability
  inputs: Inputs
  dependencies: Dependencies
  configuration: Configuration
  outputs: Outputs
  outcomes: Outcomes
---

# Identity Store Decision node

The Identity Store Decision node attempts to match the provided username and password with the credentials stored in the identity store.

If the credentials exist, the node checks the following:

* Is the profile locked?

* Has the provided password expired?

* Has the user cancelled a password reset?

## Example

![The Identity Store Decision node in context](_images/tree-identity-store-decision.png)

This example illustrates a simple login process.

* A [Page node](../page.html) with the embedded nodes ([Platform Username node](../platform-username.html) and [Platform Password node](../platform-password.html)) prompts the user for their credentials.

* The Identity Store Decision node assesses the credentials:

  * If it finds the credentials in the data store and the credentials are valid, the journey follows the `True` outcome. An [Increment Login Count node](../increment-login-count.html) increments the login count and the user is authenticated.

  * If the credentials don't exist in the data store, the journey follows the `False` outcome and authentication fails.

  * If the credentials exist in the data store but the account is locked, the journey follows the `Locked` outcome. A [Message node](../message.html) displays a custom lockout message and authentication fails.

  * If the credentials exist in the data store but the user must change their password, the node prompts the user to change their password. If the user cancels this change request, the journey follows the `Cancelled` outcome. A [Message node](../message.html) displays a custom message and authentication fails.

  * If the credentials exist in the data store but the password has expired, the journey follows the `Expired` outcome. The user is routed to an inner tree journey that contains the password reset logic, which then routes the user back to the start of the journey to authenticate again.
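
The following check is an added example, not part of the product or its documentation. It verifies the wiring described above: every outcome of the node is connected, and only `True` can reach success without passing through the node again. The graph format, the node names, and the `next`, `done`, and `failed` connection labels are assumptions made for illustration.

```python
from collections import deque

OUTCOMES = ("True", "False", "Locked", "Cancelled", "Expired")

# Constructed journey graph in a simplified, hypothetical format
# (node -> {outcome: next node}); not the product's export schema.
JOURNEY = {
    "Page": {"next": "IdentityStoreDecision"},
    "IdentityStoreDecision": {
        "True": "IncrementLoginCount",
        "False": "Failure",
        "Locked": "LockedMessage",
        "Cancelled": "CancelledMessage",
        "Expired": "PasswordResetInnerJourney",
    },
    "IncrementLoginCount": {"next": "Success"},
    "LockedMessage": {"next": "Failure"},
    "CancelledMessage": {"next": "Failure"},
    "PasswordResetInnerJourney": {"done": "Page", "failed": "Failure"},
}

def reaches_success_without(journey, start, barrier):
    """True if Success is reachable from start without passing through barrier."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        if node == "Success":
            return True
        if node in seen or node == barrier:
            continue
        seen.add(node)
        queue.extend(journey.get(node, {}).values())
    return False

def audit_decision_node(journey, node="IdentityStoreDecision"):
    """List outcomes that are unwired or that bypass the credential check."""
    findings = []
    wiring = journey.get(node, {})
    for outcome in OUTCOMES:
        target = wiring.get(outcome)
        if target is None:
            findings.append(f"{outcome}: not connected")
        elif outcome != "True" and reaches_success_without(journey, target, node):
            findings.append(f"{outcome}: reaches Success without re-authentication")
    return findings

if __name__ == "__main__":
    print(audit_decision_node(JOURNEY) or "wiring matches the example journey")
```

A journey in which the password reset path leads straight to success, instead of back to the start, is reported under `Expired`.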

## Alternative nodes

* The [Data Store Decision node](../data-store-decision.html) is a simpler node with only two outcomes, `True` and `False`. Use this node if the flow only requires these outcomes.

## Availability

| Product                               | Available? |
| ------------------------------------- | ---------- |
| PingOne Advanced Identity Cloud       | Yes        |
| PingAM (self-managed)                 | No         |
| Ping Identity Platform (self-managed) | No         |

## Inputs

The node reads the `username` and `password` fields from the node state.

The journey can provide these credentials in a number of ways, for example, with a combination of the [Platform Username node](../platform-username.html) and [Platform Password node](../platform-password.html), or by using the [Zero Page Login Collector node](../zero-page-login-collector.html).

## Dependencies

This node has no dependencies.

## Configuration

| Property                                    | Usage |
| ------------------------------------------- | ----- |
| Minimum Password Length                     | For password change requests, the node rejects passwords that are shorter than this value. If you set this value to `0`, the node doesn't check the password length. Default: `8` |
| Username as Universal Identifier            | If you enable this property, the `username` property is set to the value of the `uuid`. For example, `"username": "c636b756-ba6b-481d-ab4a-ab8c064cb24b"`. If this property is false, the value of the `username` property remains unchanged. For example, `"username": "bjensen"`. Default: false |
| Use mixed case for password change messages | Return password change messages in mixed (sentence) case. By default, password reset and password change messages are transformed to upper case. Enable this option to return messages in sentence case. Default: Disabled |

## Outputs

This node copies shared and transient state into the outgoing node state.

## Outcomes

* `True`

  The credentials match those found in the identity store.

* `False`

  The credentials don't match those found in the identity store.

* `Locked`

  The profile associated with the provided credentials is locked.

* `Cancelled`

  The user cancelled a password change request. The [example](#example) provides a detailed explanation of this outcome.

* `Expired`

  The credentials match those found in the identity store, but the password has expired.
