---
title: Create authentication journey(s)
description: To enable workstation authentication integration, you need to create relevant journeys to support the MFA authentication method(s) you want. These journeys allow workstation authentication to work directly with the Ping Identity environment.
component: enterprise-connect
version: latest
page_id: enterprise-connect:workstation-windows-guide-3.7.2.7293:creating-authentication-journey
canonical_url: https://docs.pingidentity.com/enterprise-connect/latest/workstation-windows-guide-3.7.2.7293/creating-authentication-journey.html
section_ids:
  example_push_journey: Example of push journey
  example_otp_journey: Example of OTP from authenticator app journey
  example_sms_email_journey: Example of OTP SMS/email/voice call journey
  example_sso_url_journey: Example of SSO journey
---

# Create authentication journey(s)

To enable workstation authentication integration, you need to create relevant journeys to support the MFA authentication method(s) you want. These journeys allow workstation authentication to work directly with the Ping Identity environment.

Because Enterprise Connect integrates with PingOne Advanced Identity Cloud or self-managed PingAM, the examples that follow show the UI differences between the two.

|   |                                                                                                                                                                                                                                                                                                                                                            |
| - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | Do not deviate from the following journeys when you configure Enterprise Connect or use the journeys you create for any other purpose (including repurposing the journeys). You must strictly follow the placement of the nodes to ensure the product works correctly. Failure to do so or the addition of other nodes could result in unexpected behavior. |

## Example of push journey

The push journeys for Enterprise Connect allow users to approve a push notification from the PingID mobile app. End users must download the PingID mobile app and pre-register (from another journey you define) to be able to use the push journeys.

* PingOne Advanced Identity Cloud

* PingAM

![create journey push identity cloud](../_images/workstation-windows-guide/create-journey-push-identity-cloud.png)

If you configure [Use credentials](configuring-windows-msiupdater.html#msiupdater_forgerock_tab) in the MSI Updater client, then you must include the *Platform Password* and *Data Store Decision* nodes. Otherwise, you must omit these nodes in your journey configuration.

|   |                                                                                                                                                                                                                                                                                          |
| - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | When configuring the push journey in PingOne Advanced Identity Cloud, you must enable services in the AM admin UI (native console). Learn more in [Create a push authentication journey](https://docs.pingidentity.com/pingoneaic/planning/plan-security.html#proc-authn-mfa-tree-push). |

![create journey push am](../_images/workstation-windows-guide/create-journey-push-am.png)

If you configure [Use credentials](configuring-windows-msiupdater.html#msiupdater_forgerock_tab) in the MSI Updater client, then you must include the *Platform Password* and *Data Store Decision* nodes. Otherwise, you must omit these nodes in your journey configuration.

|   |                                                                                                                                                                                                                                                               |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | When configuring the push journey in PingAM, you must enable services in the AM admin UI (self managed). Learn more in [Create a push authentication journey](https://docs.pingidentity.com/pingoneaic/planning/plan-security.html#proc-authn-mfa-tree-push). |

## Example of OTP from authenticator app journey

The following journeys show the OTP that is presented from the PingID mobile app. End users must download the PingID mobile app and pre-register (from another journey you define) to be able to use the OTP journeys.

* PingOne Advanced Identity Cloud

* PingAM

![create journey otp identity cloud](../_images/workstation-windows-guide/create-journey-otp-identity-cloud.png)

If you configure [Use credentials](configuring-windows-msiupdater.html#msiupdater_forgerock_tab) in the MSI Updater client, then you must include the *Platform Password* and *Data Store Decision* nodes. Otherwise, you must omit these nodes in your journey configuration.

![create journey otp am](../_images/workstation-windows-guide/create-journey-otp-am.png)

If you configure [Use credentials](configuring-windows-msiupdater.html#msiupdater_forgerock_tab) in the MSI Updater client, then you must include the *Platform Password* and *Data Store Decision* nodes. Otherwise, you must omit these nodes in your journey configuration.

## Example of OTP SMS/email/voice call journey

The following journeys show the OATH OTP (HOTP) that can be presented to an end user via SMS/email/voice. Ensure end users have the appropriate data in their user profile to facilitate the MFA method(s) you allow an end user to select.

* PingOne Advanced Identity Cloud

* PingAM

![create journey sms email identity cloud](../_images/workstation-windows-guide/create-journey-sms-email-identity-cloud.png)

If you configure [Use credentials](configuring-windows-msiupdater.html#msiupdater_forgerock_tab) in the MSI Updater client, then you must include the *Platform Password* and *Data Store Decision* nodes. Otherwise, you must omit these nodes in your journey configuration.

|   |                                                                                                                                                                                                                                                                                                                                                        |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | In the Choice Collector node, the options correlate to the following MFA methods within Enterprise Connect Windows Workstation Authentication: 1) SMS, 2) Email, 3) Voice. Therefore, ensure SMS is the first choice in the node, followed by email. If voice call is a method you configure, it must be the third option. Do not deviate from this order. |

If you choose to use the *voice* option, you could use the [Twilio](https://backstage.forgerock.com/docs/auth-node-ref/latest/cloud/auth-node-twilio-verify-collector-decision.html#twilio-examples) nodes (you must have a valid subscription with Twilio).

![create journey sms email am](../_images/workstation-windows-guide/create-journey-sms-email-am.png)

If you configure [Use credentials](configuring-windows-msiupdater.html#msiupdater_forgerock_tab) in the MSI Updater client, then you must include the *Platform Password* and *Data Store Decision* nodes. Otherwise, you must omit these nodes in your journey configuration.

|   |                                                                                                                                                                                                                                                                                                                                                        |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | In the Choice Collector node, the options correlate to the following MFA methods within Enterprise Connect Windows Workstation Authentication: 1) SMS, 2) Email, 3) Voice. Therefore, ensure SMS is the first choice in the node, followed by email. If voice call is a method you configure, it must be the third option. Do not deviate from this order. |

If you choose to use the *voice* option, you could use the [Twilio](https://marketplace.pingone.com/item/twilio-verify-auth-tree-notes) nodes (you must have a valid subscription with Twilio).

## Example of SSO journey

The following journeys depict the flow that Enterprise Connect uses after a user authenticates to their workstation. The end user's Ping Identity environment opens in a default browser.

If you configure the [Enable SSO](configuring-windows-msiupdater.html#msiupdater_forgerock_tab) setting in the MSI Updater client, then this journey applies to you. In this setting, you must supply the journey URL.

An example SSO URL to enter in this field is `https://<tenant-env-fqdn>/am/XUI/?realm=alpha&authIndexType=service&authIndexValue=sso-journey&ForceAuth=true`.

|   |                                                                                                                        |
| - | ---------------------------------------------------------------------------------------------------------------------- |
|   | The `authIndexValue` references the journey to use for SSO. Make sure you add `ForceAuth=true` to the end of your SSO URL. |
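
The URL requirements above can be checked before the value is entered in the MSI Updater client. The following is an added example, not Ping Identity code: `checkSsoUrl` and the `tenant.example.com` host are hypothetical, and it reads the "to the end" wording as requiring `ForceAuth` to be the last parameter.

```javascript
// Added example: lint an Enterprise Connect SSO journey URL before it is
// entered in the MSI Updater client. Hostnames are constructed sample values.
'use strict';

function checkSsoUrl(raw) {
  const problems = [];
  // The documented example contains <tenant-env-fqdn>; catch it if left in.
  if (/[<>]/.test(raw)) return ['placeholder such as <tenant-env-fqdn> not replaced'];

  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return ['not a parseable absolute URL'];
  }
  if (url.protocol !== 'https:') problems.push('scheme must be https');

  const q = url.searchParams;
  const names = [...q.keys()];
  // A repeated parameter makes it ambiguous which value the server honours.
  for (const n of new Set(names)) {
    if (q.getAll(n).length > 1) problems.push(`parameter ${n} appears more than once`);
  }
  if (q.get('authIndexType') !== 'service') problems.push('authIndexType must be service');
  if (!q.get('authIndexValue')) problems.push('authIndexValue (journey name) is missing');

  if (q.get('ForceAuth') !== 'true') {
    const near = names.find((n) => n.toLowerCase() === 'forceauth' && n !== 'ForceAuth');
    problems.push(near ? `found ${near}; the page spells it ForceAuth`
                       : 'ForceAuth=true is missing or not set to true');
  } else if (names[names.length - 1] !== 'ForceAuth') {
    // The page says to add ForceAuth=true to the end of the URL.
    problems.push('ForceAuth=true should be the last parameter');
  }
  return problems;
}

// Constructed sample inputs (tenant.example.com is not a real tenant).
const base = 'tenant.example.com/am/XUI/?realm=alpha&authIndexType=service';
const samples = [
  `https://${base}&authIndexValue=sso-journey&ForceAuth=true`,
  `https://${base}&authIndexValue=sso-journey`,
  `http://${base}&ForceAuth=true&authIndexValue=sso-journey`,
];
for (const s of samples) {
  const found = checkSsoUrl(s);
  console.log(found.length ? found : 'ok', '<-', s);
}
```

An empty array means the URL matches the documented shape; it does not confirm that the named journey exists in the realm.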

* PingOne Advanced Identity Cloud

* PingAM

![create journey sso url identity cloud](../_images/workstation-windows-guide/create-journey-sso-url-identity-cloud.png)

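The Check for ValidSession node (shown in the image above) is a Scripted Decision node. In this example, it references a simple authentication JavaScript script:

```javascript
// existingSession is only bound when the request already carries a session,
// so test for the binding itself rather than reading a property from it.
if (typeof existingSession !== 'undefined')
{
  outcome = "hasSession";
}
else
{
  outcome = "noSession";
}
```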

![create journey sso url am](../_images/workstation-windows-guide/create-journey-sso-url-am.png)

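The Check for ValidSession node (shown in the image above) is a Scripted Decision node. In this example, it references a simple authentication JavaScript script:

```javascript
// existingSession is only bound when the request already carries a session,
// so test for the binding itself rather than reading a property from it.
if (typeof existingSession !== 'undefined')
{
  outcome = "hasSession";
}
else
{
  outcome = "noSession";
}
```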

Enterprise Connect Windows Workstation Authentication installation/configuration checklist

* [x] Download and install the binaries from [Backstage](https://backstage.forgerock.com/downloads/browse/ig/all/productId:enterprise-connect) (you must be logged in). This includes the base MSI file as well as the MSI Updater client.

* [x] Pre-configure the relevant [journey(s)](creating-authentication-journey.html).

* [ ] *[Install](installing-windows-msiupdater.html) the MSI Updater client on an administrative Windows machine.*

* [ ] [Configure](configuring-windows-msiupdater.html) the MSI Updater client specific to your organization's needs.

* [ ] (Optional) Consider [additional configurations](windows-additional-reference.html).

* [ ] [Deploy](deploying-msi.html#msi_deployment_of_workstation_authentication) the generated MSI file through your desired mechanism.

* [ ] [Verify and test](verify-windows-authentication.html) your deployment.
