---
title: Map module and chain functionality to trees
description: Authentication nodes aren't a direct replacement for authentication modules. Modules contain more logic, more code, and typically do more things. It's expected that you'd use multiple nodes to replace the functionality of an existing module.
component: pingam
version: 8.1
page_id: pingam:am-authentication:map-modules-chains-to-trees
canonical_url: https://docs.pingidentity.com/pingam/8.1/am-authentication/map-modules-chains-to-trees.html
section_ids:
  multi-factor-authentication: Multi-factor authentication (MFA)
  account-lockout: Account lockout
  step-up-authentication: Step-up authentication
  adaptive-risk-authentication: Adaptive risk authentication
  run-custom-scripts: Run custom scripts
  radius-authentication: RADIUS authentication
  set-session-properties: Set session properties
  send-logout-notifications: Send logout notifications
  set-redirection-urls: Set redirection URLs
---

# Map module and chain functionality to trees

Authentication nodes aren't a direct replacement for authentication modules. Modules contain more logic, more code, and typically do more things. It's expected that you'd use multiple nodes to replace the functionality of an existing module.

The following sections provide mapping details for common use cases to help you understand how to replace modules and chains with nodes and trees:

* [Multi-factor authentication (MFA)](#multi-factor-authentication)

* [Account lockout](#account-lockout)

* [Step-up authentication](#step-up-authentication)

* [Adaptive risk authentication](#adaptive-risk-authentication)

* [Run custom scripts](#run-custom-scripts)

* [RADIUS authentication](#radius-authentication)

* [Set session properties](#set-session-properties)

* [Send logout notifications](#send-logout-notifications)

* [Set redirection URLs](#set-redirection-urls)

|   |                                                                                                                                                |
| - | ---------------------------------------------------------------------------------------------------------------------------------------------- |
|   | The [node reference](auth-nodes-reference.html) includes example journeys to demonstrate how nodes can be used to achieve a specific use case. |

## Multi-factor authentication (MFA)

With chains, you enforced MFA by ordering a sequence of modules, such as the LDAP module followed by the OATH module. The logic was linear and defined by the order in the chain.

With trees, you have more flexibility when designing an MFA journey because trees allow branching, loops, and decision points. For example, users can register a device for both push and OATH at the same time using the [Combined MFA Registration node](https://docs.pingidentity.com/auth-node-ref/8.1/combined-mfa-registration.html). The [Push Sender node](https://docs.pingidentity.com/auth-node-ref/8.1/push-sender.html) can then send a push notification, which the user can respond to or choose to enter a one-time password instead. Depending on the user's choice, either the [Push Result Verifier node](https://docs.pingidentity.com/auth-node-ref/8.1/push-result-verifier.html) can validate the user's response to the push notification or the [OATH Token Verifier node](https://docs.pingidentity.com/auth-node-ref/8.1/oath-token-verifier.html) can accept the user's OTP.

AM supports the following multi-factor authentication protocols:

* [MFA: Open Authentication (OATH)](authn-mfa-about-oath.html) to enable one-time password authentication.

* [MFA: Push authentication](authn-mfa-about-push.html) to receive push notifications on a device as part of the authentication process.

* [MFA: Web authentication (WebAuthn) and passkeys](authn-mfa-webauthn.html) to enable authentication using an authenticator device, such as a fingerprint scanner, or using passkeys for passwordless and usernameless authentication.

Learn more about creating trees for MFA in [Multi-factor authentication (MFA)](authn-mfa.html).

## Account lockout

With chains, account lockout was configured at the realm or global level via the authentication settings and applied to all chains.

Trees support account lockout by default and provide the following nodes to check and change a user's status to give you more granular control:

* [Account Active Decision node](https://docs.pingidentity.com/auth-node-ref/8.1/account-active-decision.html)

* [Account Lockout node](https://docs.pingidentity.com/auth-node-ref/8.1/account-lockout.html)

Learn more in [Account lockout for trees](auth-nodes-and-journeys.html#account-lockout-trees).

## Step-up authentication

In chains, you performed step-up authentication by directing users to a separate chain with a higher authentication level.

In trees, you can use the [Modify Auth Level node](https://docs.pingidentity.com/auth-node-ref/8.1/modify-auth-level.html) to increase the authentication level within the same journey.

Learn more in [Authentication levels for trees](auth-nodes-and-journeys.html#authentication-levels-trees) and [Session upgrade](../am-sessions/session-upgrade.html).

## Adaptive risk authentication

The Adaptive Risk module let AM perform risk-based authentication.

With trees, you can create flexible adaptive risk authentication journeys by using a combination of contextual nodes and risk management nodes.

For example, you can use device-related nodes, such as the [Device Location Match node](https://docs.pingidentity.com/auth-node-ref/8.1/device-location-match.html), or cookie-related nodes, such as the [Persistent Cookie Decision node](https://docs.pingidentity.com/auth-node-ref/8.1/persistent-cookie-decision.html), to make risk-based decisions.

For advanced risk assessment, you can integrate with PingOne Protect by using the PingOne Protect nodes, such as the [PingOne Protect Evaluation node](https://docs.pingidentity.com/auth-node-ref/8.1/pingone/pingone-protect-evaluation.html).

> **Collapse: What other nodes can I use for adaptive risk authentication?**
>
> The following nodes can help you design adaptive risk authentication journeys:
>
> * Authentication level related nodes
>
>   * [Auth Level Decision node](https://docs.pingidentity.com/auth-node-ref/8.1/auth-level-decision.html)
>
>   * [Modify Auth Level node](https://docs.pingidentity.com/auth-node-ref/8.1/modify-auth-level.html)
>
> * Device related nodes
>
>   * [Device Profile Collector node](https://docs.pingidentity.com/auth-node-ref/8.1/device-profile-collector.html)
>
>   * [Device Profile Save node](https://docs.pingidentity.com/auth-node-ref/8.1/device-profile-save.html)
>
>   * [Device Match node](https://docs.pingidentity.com/auth-node-ref/8.1/device-match.html)
>
>   * [Device Location Match node](https://docs.pingidentity.com/auth-node-ref/8.1/device-location-match.html)
>
>   * [Device Geofencing node](https://docs.pingidentity.com/auth-node-ref/8.1/auth-node-device-geofencing.html)
>
>   * [Device Tampering Verification node](https://docs.pingidentity.com/auth-node-ref/8.1/device-tampering-verification.html)
>
> * Cookie related nodes
>
>   * [Set Custom Cookie node](https://docs.pingidentity.com/auth-node-ref/8.1/set-custom-cookie.html)
>
>   * [Cookie Presence Decision node](https://docs.pingidentity.com/auth-node-ref/8.1/cookie-presence-decision.html)
>
>   * [Set Persistent Cookie node](https://docs.pingidentity.com/auth-node-ref/8.1/set-persistent-cookie.html)
>
>   * [Persistent Cookie Decision node](https://docs.pingidentity.com/auth-node-ref/8.1/persistent-cookie-decision.html)
>
> * Certificate related nodes
>
>   * [Certificate Collector node](https://docs.pingidentity.com/auth-node-ref/8.1/certificate-collector.html)
>
>   * [Certificate User Extractor node](https://docs.pingidentity.com/auth-node-ref/8.1/certificate-user-extractor.html)
>
>   * [Certificate Validation node](https://docs.pingidentity.com/auth-node-ref/8.1/certificate-validation.html)
>
> * Account lockout nodes
>
>   * [Account Active Decision node](https://docs.pingidentity.com/auth-node-ref/8.1/account-active-decision.html)
>
>   * [Account Lockout node](https://docs.pingidentity.com/auth-node-ref/8.1/account-lockout.html)
>
> * PingOne Protect nodes
>
>   * [PingOne Protect Evaluation node](https://docs.pingidentity.com/auth-node-ref/8.1/pingone/pingone-protect-evaluation.html)
>
>   * [PingOne Protect Initialize node](https://docs.pingidentity.com/auth-node-ref/8.1/pingone/pingone-protect-initialize.html)
>
>   * [PingOne Protect Result node](https://docs.pingidentity.com/auth-node-ref/8.1/pingone/pingone-protect-result.html)

## Run custom scripts

The Scripted module let you include custom scripts in your authentication process.

In trees, you can use the [Scripted Decision node](https://docs.pingidentity.com/auth-node-ref/8.1/scripted-decision.html) to run server-side scripts in an authentication journey.

Find information on the inputs available to your scripts in the [Scripted decision node API](../am-scripting/scripting-api-node.html).

## RADIUS authentication

The RADIUS module let AM act as a RADIUS client.

In trees, you can use the following nodes to achieve the same functionality:

* [RADIUS Decision node](https://docs.pingidentity.com/auth-node-ref/8.1/radius-decision.html)

* [RADIUS Challenge Collector node](https://docs.pingidentity.com/auth-node-ref/8.1/radius-challenge-collector.html)

Learn more in [RADIUS authentication](radius-authentication.html).

## Set session properties

With chains, setting session properties required a custom post-authentication plugin.

With trees, you can use the [Set Session Properties node](https://docs.pingidentity.com/auth-node-ref/8.1/set-session-properties.html) to add properties as `key-value` pairs directly in your journey, with no custom code required.

## Send logout notifications

With chains, sending logout notifications required a custom post-authentication plugin.

In trees, logout notifications are handled using a [webhook](auth-tree-webhooks.html). Create a webhook and then include a [Register Logout Webhook node](https://docs.pingidentity.com/auth-node-ref/8.1/register-logout-webhook.html) in your journey to trigger the webhook when a user's session ends.

## Set redirection URLs

With chains, you set redirection URLs in the chain itself.

With trees, you can use the [Success URL](https://docs.pingidentity.com/auth-node-ref/8.1/success-url.html) and [Failure URL](https://docs.pingidentity.com/auth-node-ref/8.1/failure-url.html) nodes to define URLs to redirect users to on success or failure.

Learn more in [Success and failure redirection URLs](redirection-url-precedence.html).