PingAM

Map module and chain functionality to trees

Authentication nodes aren’t a direct replacement for authentication modules. Modules contain more logic, more code, and typically do more things. It’s expected that you’d use multiple nodes to replace the functionality of an existing module.

The following sections provide mapping details for common use cases to help you understand how to replace modules and chains with nodes and trees.

The node reference includes example journeys to demonstrate how nodes can be used to achieve a specific use case.

Multi-factor authentication (MFA)

With chains, you enforced MFA by ordering a sequence of modules, such as the LDAP module followed by the OATH module. The logic was linear and defined by the order in the chain.

With trees, you have more flexibility when designing an MFA journey because trees allow branching, loops, and decision points. For example, users can register a device for both push and OATH at the same time using the Combined MFA Registration node. The Push Sender node can then send a push notification, which the user can respond to or choose to enter a one-time password instead. Depending on the user’s choice, either the Push Result Verifier node can validate the user’s response to the push notification or the OATH Token Verifier node can accept the user’s OTP.

AM supports the following multi-factor authentication protocols:

Learn more about creating trees for MFA in Multi-factor authentication (MFA).
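
When a linear chain becomes a branching tree, it is worth checking that every path to success still includes a verified second factor. The following JavaScript is an added example, not PingAM code or part of the original documentation: it models the journey described above as a constructed outcome map (the "First Factor" node, the outcome names and the map format are assumptions, not AM's tree export format) and searches for a path that reaches success without a verified second factor.

```javascript
// Constructed journey model: node -> { outcome: next node }. Outcome names and
// the "First Factor" node are illustrative; this is not AM's tree export format.
const mfaJourney = {
  "First Factor": { ok: "Push Sender", fail: "Failure" },
  "Push Sender": { sent: "Push Result Verifier", useOtp: "OATH Token Verifier" },
  "Push Result Verifier": {
    approved: "Success",
    denied: "Failure",
    waiting: "Push Result Verifier", // loop while the user has not responded
  },
  "OATH Token Verifier": { valid: "Success", invalid: "Failure" },
};

// Same journey with a wiring mistake: an unregistered device skips the second factor.
const bypassJourney = {
  ...mfaJourney,
  "Push Sender": { ...mfaJourney["Push Sender"], notRegistered: "Success" },
};

// The only edges that prove a second factor was verified.
const provingEdges = {
  "Push Result Verifier": "approved",
  "OATH Token Verifier": "valid",
};

// Return one path from `start` to Success that never crosses a proving edge,
// or null when every successful path includes a verified second factor.
function findMfaBypass(journey, start, proving = provingEdges) {
  const visited = new Set();
  const walk = (node, path) => {
    if (node === "Success") return path;
    if (visited.has(node) || !journey[node]) return null; // loop or terminal node
    visited.add(node);
    for (const [outcome, next] of Object.entries(journey[node])) {
      if (proving[node] === outcome) continue; // second factor verified on this edge
      const found = walk(next, [...path, `${node} --${outcome}--> ${next}`]);
      if (found) return found;
    }
    return null;
  };
  return walk(start, []);
}

console.log(findMfaBypass(mfaJourney, "First Factor"));
console.log(findMfaBypass(bypassJourney, "First Factor"));
```

The search is edge-based, so a verifier whose failure outcome is wired to success is reported as a bypass as well.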

Account lockout

With chains, account lockout was configured at the realm or global level via the authentication settings and applied to all chains.

Trees support account lockout by default and provide the following nodes to check and change a user’s status to give you more granular control:

Learn more in Account lockout for trees.

Step-up authentication

In chains, you performed step-up authentication by directing users to a separate chain with a higher authentication level.

In trees, you can use the Modify Auth Level node to increase the authentication level within the same journey.

Adaptive risk authentication

The Adaptive Risk module let AM perform risk-based authentication.

With trees, you can create flexible adaptive risk authentication journeys by using a combination of contextual nodes and risk management nodes.

For example, you can use device-related nodes, such as the Device Location Match node, or cookie-related nodes, such as the Persistent Cookie Decision node, to make risk-based decisions.

For advanced risk assessment, you can integrate with PingOne Protect by using the PingOne Protect nodes, such as the PingOne Protect Evaluation node.

Run custom scripts

The Scripted module let you include custom scripts in your authentication process.

In trees, you can use the Scripted Decision node to run server-side scripts in an authentication journey.

Find information on the inputs available to your scripts in the Scripted decision node API.

Set session properties

With chains, setting session properties required a custom post-authentication plugin.

With trees, you can use the Set Session Properties node to add properties as key-value pairs directly in your journey, with no custom code required.

Send logout notifications

With chains, sending logout notifications required a custom post-authentication plugin.

In trees, logout notifications are handled using a webhook. Create a webhook and then include a Register Logout Webhook node in your journey to trigger the webhook when a user’s session ends.

Set redirection URLs

With chains, you set redirection URLs in the chain itself.

With trees, you can use the Success URL and Failure URL nodes to define URLs to redirect users to on success or failure.