Auth node reference

PingOne Identity Match node

The PingOne Identity Match node checks that users who exist in the ForgeRock platform also exist in the PingOne platform.

Availability

Product                                  Available?
PingOne Advanced Identity Cloud          Yes
PingAM (self-managed)                    Yes
Ping Identity Platform (self-managed)    Yes

Inputs

This node reads the username field from the shared node state to access the user’s identity profile.

Implement a Username Collector node (standalone AM) or Platform Username node (Advanced Identity Cloud and Ping Identity Platform deployments) earlier in the journey.

You should also verify the user’s identity by using a Data Store Decision node (PingAM) or Identity Store Decision node (Advanced Identity Cloud).

Dependencies

This node requires a PingOne Worker Service configuration so that it can authenticate to your PingOne instance.

Find information on the configuration properties in the PingOne Worker service documentation for:

Configuration

Property Usage

PingOne Worker Service ID

The ID of the PingOne worker service for connecting to PingOne.

Population ID

The ID of the population in PingOne to check for users or provision new ones.

If not specified, the node uses the environment’s default population ID.

AM Identity Attribute

The attribute from the user’s ForgeRock profile that the node uses to match their account in PingOne.

Default: uid

Ping Identity Attribute

The attribute from the user’s PingOne profile that the node uses to search for a matching account.

If there are multiple entries with the same attribute value in the PingOne directory server, ensure that this property is specific enough to retrieve only one entry.

Default: username

Capture failure

Capture the details in shared state if a failure occurs.

The node stores the details in a variable named pingOneIdentityMatchFailureReason.

Default: False

Example:

{
  "code": "ACCESS_TOKEN",
  "message": "Unable to get access token for PingOne Worker.",
  "exception": ""
}

Outputs

The node is non-interactive and does not send a callback to the client.

If the node finds a unique match in PingOne, it stores the PingOne user identifier in a state variable named pingOneUserId. For example, a648aaac-ch15-b357-457b-8d2e714180ff.

If you select Capture failure, the node stores any error response in a shared state variable named pingOneIdentityMatchFailureReason.

Outcomes

True

The node found a unique matching account in PingOne.

False

The node did not find a unique match in PingOne.

Example

The following example journey integrates PingOne Verify to perform user identity verification.

Figure 1. Example PingOne Verify journey
  • The user enters their credentials and the Data Store Decision node matches them against the identity store.

  • a The PingOne Identity Match node checks PingOne for a matching user.

  • b If a user is found, the PingOne Verify Completion Decision node checks the user’s most recent verification transaction to determine the status:

    Success

    The user successfully completed the most recent PingOne Verify transaction, so the journey progresses directly to the Success node and authentication is successful.

    Not Completed

    The user has an existing PingOne Verify transaction in progress, so the journey resumes the existing verification transaction.

    The node adds the user’s existing transaction ID to the shared node state in a variable named pingOneVerifyTransactionId.

    Not Started / Failure / Expired
    • The user doesn’t have an existing PingOne Verify transaction (Not Started)

    • The user hasn’t successfully completed the most recent PingOne Verify transaction

    • The most recent PingOne Verify transaction has expired

    The journey continues to start a new verification transaction.

  • c If no matching user is found, the PingOne Create User node creates a new user in PingOne.

  • d The PingOne Verify Evaluation node starts a new PingOne Verify evaluation or continues an existing evaluation if pingOneVerifyTransactionId is present in the shared node state. The node either completes or fails the journey based on the result.
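
A check placed after the PingOne Identity Match node can separate a captured failure (such as the ACCESS_TOKEN example) from a genuine "no match" before the journey reaches the PingOne Create User node. This is an added example, not Ping Identity's code: the plain-object `state`, the outcome names and the `UNPARSEABLE`/`UNKNOWN` markers are assumptions, and it assumes Capture failure is enabled and that a captured failure accompanies the False outcome.

```javascript
// Added example, not Ping Identity code. `state` is a plain object standing in
// for shared node state; outcome names and UNPARSEABLE/UNKNOWN are hypothetical.
function parseFailureReason(raw) {
  if (raw === undefined || raw === null || raw === "") return null;
  if (typeof raw === "object") return raw;
  try {
    const parsed = JSON.parse(String(raw));
    if (parsed && typeof parsed === "object") return parsed;
  } catch (e) {
    // Fall through: malformed failure details still count as a failure.
  }
  return { code: "UNPARSEABLE" };
}

function routeAfterIdentityMatch(state) {
  const failure = parseFailureReason(state.pingOneIdentityMatchFailureReason);
  const userId = state.pingOneUserId;
  const hasUserId = typeof userId === "string" && userId.trim() !== "";

  if (failure) {
    // Fail closed, even if a pingOneUserId is also present in state.
    // The audit record keeps code and message; the exception text is dropped.
    return {
      outcome: "error",
      audit: {
        code: String(failure.code || "UNKNOWN"),
        message: String(failure.message || ""),
      },
    };
  }
  if (hasUserId) return { outcome: "matched", audit: { pingOneUserId: userId } };
  // No failure captured and no identifier stored: no unique match was found.
  return { outcome: "noMatch", audit: {} };
}

// Constructed sample states, reusing the values shown on this page.
const SAMPLE_STATES = [
  { pingOneUserId: "a648aaac-ch15-b357-457b-8d2e714180ff" },
  {},
  { pingOneIdentityMatchFailureReason: {
      code: "ACCESS_TOKEN",
      message: "Unable to get access token for PingOne Worker.",
      exception: "" } },
];
for (const s of SAMPLE_STATES) console.log(routeAfterIdentityMatch(s).outcome);
```

Routing the hypothetical "error" outcome away from user creation keeps a PingOne connectivity problem from being treated as "this user does not exist".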