---
title: IdentityX Check Enrollment Status node
description: Verifies that a user is enrolled with the Daon IdentityX platform.
component: auth-node-ref
version: latest
page_id: auth-node-ref:cloud:identityx-check-enrollment-status
canonical_url: https://docs.pingidentity.com/auth-node-ref/latest/cloud/identityx-check-enrollment-status.html
keywords: ["Nodes & Trees", "Journeys", "Authentication", "OAuth 2.0"]
page_aliases: ["auth-node-identityx-check-enrollment-status.adoc"]
section_ids:
  examples: Daon IdentityX examples
  check_enrollment_before_continuing: Check enrollment before continuing
  out_of_band_authentication: Out-of-band authentication
  mobile_authentication: Mobile authentication
  sponsor_user_enrollment: Sponsor user (enrollment)
  dependencies: Dependencies
  daon_identityx_configuration: Daon IdentityX configuration
  ping_identity_platform_configuration: Ping Identity Platform configuration
  outcomes: Outcomes
  configuration: Configuration
---

# IdentityX Check Enrollment Status node

Verifies that a user is enrolled with the [Daon IdentityX](https://www.daon.com/technology/identityx-platform/) platform.

This node configures integration with the IdentityX platform. Journeys that integrate with the IdentityX platform must include this node.

## Daon IdentityX examples

### Check enrollment before continuing

The following example demonstrates the use of this node before an inner tree with additional IdentityX nodes:

![Check enrollment before using other IdentityX nodes.](_images/identityx-check-enrollment.png)

### Out-of-band authentication

The following example uses the IdentityX platform in an out-of-band flow over a separate, secure channel:

![After sending the request](_images/identityx-out-of-band.png)

### Mobile authentication

The following example uses the IdentityX platform in a mobile authentication flow:

![After sending the request](_images/identityx-mobile.png)

### Sponsor user (enrollment)

The following example enrolls the user, if necessary:

![Sponsor the user who has not enrolled yet.](_images/identityx-sponsor-user.png)

## Dependencies

Before you start, configure the IdentityX platform and a service application client.

### Daon IdentityX configuration

The nodes require a connection to an IdentityX server. Contact your Daon representative for connection details.

Follow these high-level steps:

1. In the Daon Admin Console, go to Administration > System Configuration > REST Authentication.

   The URL to the REST Authentication screen has the form `https://api.identityx-cloud.com/your-Daon-instance/AdminConsole/#configurations/restauthentication`.

2. Update JWT Signature Validation Keys URLs to use your JWK URI.

   Make sure the algorithm is `RS256`.

   ```json
   {
     "endpoints": [{
       "url": "https://<tenant-env-fqdn>:443/am/oauth2/alpha/connect/jwk_uri",
       "alg": "RS256"
     }]
   }
   ```

3. For REST Authentication Mode, enable JSON Web Token (JWT).

4. Set a name for the JWT Roles Claim Name.

   Record the name for use when setting up the service application client.

5. Set the JWT Read Timeout to `500` (milliseconds).

6. Create a new role.

   Go to Administration > Roles and click Create Role.

   Use the following settings and save the new role:

   * Role Name

     Anything (example: `forgerockjwt`)

   * Description

     Anything (example: `forgerockjwt`)

   * External ID

     Anything (example: `forgerockjwt`)

   * Entity

     `All (*)`

   * Permission Selector

     Select your Daon tenant.

   * Enable these flags

     `CREATE`\
     `READ`\
     `UPDATE`\
     `DELETE`\
     `BLOCK`\
     `UNBLOCK`\
     `ALL(*)`

   Record your choice for external ID for use when setting up the service application client.

### Ping Identity Platform configuration

1. Create an OAuth2 Access Token Modification script to use the IdentityX role you configured.

   In the Advanced Identity Cloud admin UI, go to Scripts > Auth Scripts, click + New Script, and create an OAuth2 Access Token Modification script.

   Save a new script such as the following, where the field value is the Daon role ID:

   ```js
   (function () {
     // Always includes this field in the token.
     accessToken.setField('roles', 'forgerockjwt');
   }());
   ```

   Record the name of your script for use when setting up the ForgeRock service application client.

2. Create a service application to access the IdentityX platform.

   Go to Applications and click + Add Application.

   Select Service as the application type.

   Create a client ID and secret for your application.

   Record the client ID and secret for use when setting up journeys that use the IdentityX platform.

3. Use the following settings for your new service application:

   * Grant Types

     `Client Credentials`

   * Scopes

     `fr:idm:*`

4. Use the following advanced settings for your new service application:

   * Default Scopes

     `fr:idm:*`

   * Response Types

     `Token`

5. Configure signing and override OAuth 2.0 provider settings for your application.

   In the AM admin UI, go to Realms > *Realm Name* > Applications > OAuth 2.0 > Clients > *client-ID*.

   Switch to the Signing and Encryption tab, verify the following settings and save your changes:

   * Token Endpoint Authentication Signing Algorithm

     `RS256`

   * ID Token Signing Algorithm

     `RS256`

   * Authorization Response JWT Signing Algorithm

     `RS256`

   * Token introspection response signing algorithm

     `RS256`

   Switch to the OAuth2 Provider Overrides tab, update the following settings and save your changes:

   * Enable OAuth2 Provider Overrides

     Enabled

   * Access Token Modification Plugin Type

     `SCRIPTED`

   * Access Token Modification Script

     Your OAuth2 Access Token Modification script

6. Update the OAuth2 token signing algorithm in the OAuth 2.0 provider service for the realm.

   In the AM admin UI, go to Realms > *Realm Name* > Services > OAuth2 Provider.

   Switch to the Advanced tab, update the following setting and save your changes:

   * OAuth2 Token Signing Algorithm

     `RS256`

   This setting must match the configuration completed on the IdentityX administrative console.
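The following pre-flight check is an added example, not Ping Identity or Daon code. It decodes an access token issued to the service application and reports mismatches with the settings above: the `RS256` algorithm, a signing key published at the JWK URI, and the role in the roles claim. It assumes the JWT Roles Claim Name is `roles` and the role external ID is `forgerockjwt`; the function names, the `example-kid` key ID, and the sample tokens are constructed for illustration. It does not verify the signature.

```javascript
// Added example: offline check of token header and claims. No signature verification.

// Decode one base64url JWT segment into a JSON object.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const obj = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  if (obj === null || typeof obj !== 'object') throw new Error('not an object');
  return obj;
}

// Returns a list of configuration problems; an empty list means the token
// matches what the IdentityX REST Authentication settings expect.
function checkIdentityXToken(token, jwks, rolesClaim, expectedRole) {
  const parts = token.split('.');
  if (parts.length !== 3) return ['not a signed JWT (expected 3 segments)'];
  let header, payload;
  try {
    header = decodeSegment(parts[0]);
    payload = decodeSegment(parts[1]);
  } catch {
    return ['header or payload is not valid base64url JSON'];
  }
  const problems = [];
  if (header.alg !== 'RS256') problems.push(`alg is ${header.alg}, expected RS256`);
  // IdentityX fetches validation keys from the JWK URI, so the kid must be listed there.
  const key = (jwks.keys || []).find((k) => k.kid === header.kid);
  if (!key) problems.push(`kid ${header.kid} not published at the JWK URI`);
  else if (key.kty !== 'RSA') problems.push(`key ${key.kid} is ${key.kty}, not RSA`);
  // The script on this page sets a single string; also accept an array of roles.
  const roles = [].concat(payload[rolesClaim] ?? []);
  if (!roles.includes(expectedRole)) {
    problems.push(`claim "${rolesClaim}" lacks role ${expectedRole}`);
  }
  return problems;
}

// Constructed sample data (not real keys or tokens).
function makeToken(header, payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc(header)}.${enc(payload)}.c2lnbmF0dXJl`;
}
const sampleJwks = { keys: [{ kty: 'RSA', kid: 'example-kid', alg: 'RS256' }] };
const good = makeToken({ alg: 'RS256', kid: 'example-kid' }, { roles: 'forgerockjwt' });
const bad = makeToken({ alg: 'HS256', kid: 'other-kid' }, { scope: 'fr:idm:*' });

console.log(checkIdentityXToken(good, sampleJwks, 'roles', 'forgerockjwt'));
console.log(checkIdentityXToken(bad, sampleJwks, 'roles', 'forgerockjwt'));
```

To use it against a real tenant, pass the JSON document served at your JWK URI as `jwks` and a token obtained with the service application's client credentials as `token`.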

## Outcomes

* `User Enrolled`

  Successfully verified enrollment.

* `User Not Enrolled`

  Failed to verify enrollment.

* `Error`

  An error occurred.

## Configuration

| Property                | Usage                                                                                                                                                                                       |
| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| ForgeRock Client ID     | The client ID of your ForgeRock service application for communications with the IdentityX platform.                                                                                         |
| ForgeRock Client Secret | The client secret of your ForgeRock service application for communications with the IdentityX platform.                                                                                     |
| IdentityX Base URL      | The IdentityX URL has the following form: `https://yourHostName/yourTenantName/IdentityXServices/rest/v1`.                                                                                  |
| User Id Attribute       | The shared state attribute that holds the Daon identifier for the end user. Leave this blank to collect the Daon User ID with a [Platform Username node](../platform-username.html) instead. |
