PingOne

Resolvers

Resolvers define where attributes pull information from.

An attribute can have one or more resolvers, and each resolver can be conditional. You can also add a processor to a resolver to modify the attribute value.

PingOne Authorize resolves an attribute when the attribute value is used in a decision evaluation. If an attribute has multiple resolvers, they execute in order of appearance in the attribute definition until one returns a value. You can drag collapsed resolvers to change their order. If a resolver fails to resolve successfully, PingOne Authorize continues to the next resolver.

Learn more in Adding resolvers to an attribute.

Resolver types

You can use the following types of resolvers:

Resolver type Description

Attribute

Resolves an attribute from other attributes. This enables you to extract a child attribute or subset from an attribute that contains multiple pieces of information.

For example, consider a Customer.Name attribute that returns the following JSON representation:

{
  "firstname": "Andrew",
  "middlename": "James",
  "surname": "Martin"
}

You can use an Attribute resolver to extract the surname. Create a Customer.Name.Surname attribute that resolves against the Customer.Name attribute. Then, add a JSON Path processor to extract the Surname property of the JSON using the expression $.fullname[0].surname.

  • When an attribute has a defined JSON schema, you can generate attributes from schema properties.

  • When an attribute has a parent, you can click Add Parent Resolver to resolve the child attribute from its parent.

Constant

Takes a constant value defined on the resolver itself. The type and value of the constant are required.

Constants undergo any value processing defined for the attribute.

Current Repetition Value

Resolves an attribute from a repetition source attribute. The source attribute’s value setting must be Collection. You can use this resolver in attributes that have repetition settings.

PingOne User

Resolves the attribute from the user ID provided in the decision request and returns the entire user object. This resolver uses the built-in PingOne User attribute without requiring any additional configuration.

When you run test scenarios for the attribute on the Test tab, use the PingOne User field to simulate a request from any user in the current environment.

PingOne User ID

Resolves the attribute from the user ID provided in the decision request and returns the ID. This resolver uses the built-in PingOne User ID attribute without requiring any additional configuration.

When you run test scenarios for the attribute on the Test tab, use the PingOne User field to simulate a request from any user in the current environment.

Request Parameter

Inspects the decision request to determine whether the attribute has been provided by the caller. Specify the full name of the attribute, including any parents, in the request.

Service

Resolves the attribute by using a Trust Framework authorization service to invoke the service at runtime. The service might rely on other supplied attributes to invoke the service.

System

Uses the following standard system attributes without the need for any additional configuration:

Current DateTime

Returns the current system datetime according to the data type defined in the attribute’s value settings.

Current DateTime reflects local time for your organization’s geographic region, which might differ from the user’s geographic region. To determine local time for the user’s geographic region:

  1. Add an attribute that retrieves the user’s timezone.

  2. Add an attribute for the current date-time that uses the Current DateTime system resolver.

  3. Add an attribute for local date-time with a Spring Expression Language (SpEL) value processor that uses the toDateTimeInTimezone function to transform the current date-time. Learn more about this function in Date and time library.

Learn more in Example: Determining a user’s local time.
Null

Returns no value. For example, you can use Null to compare the value of an attribute to an empty string. To check against a null value, create an attribute with a System resolver and a value of Null.

Screen capture showing a System attribute resolver with value of Null.

Conditional resolvers

Resolvers can have conditional logic that invokes the resolver only under defined conditions. As with other conditions in PingOne Authorize, you can add comparisons or named conditions, combine multiple conditions using All, Any, or None, and add subgroups.

Learn how to add conditions to resolvers in Adding an authorization attribute.

In the following example of a conditional resolver, the game player’s email address is resolved only when the User is over 18 attribute has a value of true.

Screen capture showing an attribute resolver with a condition that resolves the game player’s email address only when the user is over 18.

Value processing for a resolver

Resolvers can have value processors that extract details and modify data when the attribute value is being resolved. As with other processors, value processors for resolvers are processed in order, with each processor receiving the output of the previous processor.

Learn how to add processors to resolvers in Adding value processors to an attribute.

Example: Removing an account prefix

Consider an account ID that has a standard prefix that you want to remove. In this example, a condition and a processor work together to identify and remove the prefix. A second resolver with no processing resolves account IDs that don’t have the prefix.

Screen capture showing an attribute resolver with a condition that identifies Account IDs that begin with a 512 prefix and a processor that removes the prefix.

Example: Determining a user’s local time

If a user is in a different geographic region than your system, you can use the Current DateTime system resolver and a SpEL processor to determine the user’s local time.

  1. Add an attribute that retrieves the user’s timezone.

    For example, you can use a resolver and a processor to extract the Timezone property from the built-in PingOne User attribute, if the timezone is specified in the user’s PingOne user profile.

    Screen capture showing an attribute with a processor that extracts the user’s timezone from the PingOne User attribute.

  2. Add an attribute for the current date-time that uses the Current DateTime system resolver.

    Make sure the attribute’s value setting type is Zoned Date Time.
    Screen capture showing an attribute with a Current DateTime system resolver.

  3. Add an attribute for local date-time with a SpEL value processor that uses the toDateTimeInTimezone function to transform the current date-time.

    Learn more about the toDateTimeInTimezone function in Date and time library.

    The following attribute resolves against the Current DateTime attribute, then uses a SpEL processor to convert the time to the user’s local time with the following SpEL expression. The expression includes the timezone attribute that you added in step 1.

    #datetime.toDateTimeInTimezone(#this.value, {{PingOne.User.timezone}}, 'yyyy-MM-dd HH:mm:ss')
    Screen capture showing an attribute with an attribute resolver and a SpEL value processor.

Example: Adding processors directly to resolvers

Adding value processors directly to resolvers, rather than to the attribute itself, can be useful when pulling data from distinct sources that require different formatting.

For example, consider a bank that retrieves user information from either a modern system or a legacy system to authorize transactions. These systems are represented by the Account Details System and Legacy Account Details System HTTP services, respectively. With the following resolver configuration, the decision service calls the Account Details System if the user ID is above 10000 (indicating a new user), or the Legacy Account Details System if the user ID is less than or equal to 10000 (indicating a legacy user):

Screen capture of the Account Details resolver with a condition comparing the Request.User ID attribute to 10000, a Service resolver type calling to the Account Details System, and a final value processor.
Screen capture of the Legacy Account Details resolver with a condition comparing the Request.User ID attribute to 10000, a Service resolver type calling to the Legacy Account Details System, and a final value processor.

Data collected from the Account Details System service is formatted as JSON and requires a JSON Path processor defined on the Account Details resolver to extract a new user’s total balance:

Screen capture of the Extract total balance JSON processor defined on the Account Details resolver, with a JSON Path processor and value type of Number.

Data collected from the Legacy Account Details System service is formatted as XML and requires an XPath processor defined on the Legacy Account Details resolver to extract a legacy user’s total balance:

Screen capture of the Extract total balance XML processor defined on the Legacy Account Details resolver, with an XPath processor and value type of Number.

After the decision service retrieves user data from either service, value processing might still be required. For example, suppose a bank requires a 500 USD minimum balance to keep an account active, and any amount above that is available for transfers. The following SpEL processor subtracts 500 from the resolver’s output to compute the user’s transferable balance:

Screen capture of the Obtain User’s Available Balance for Transfers value processor defined on the User.Available Balance attribute, with a SpEL processor for enforcing a 500 USD account minimum and a value type of Number.