PingOne Advanced Identity Cloud

Login with self-service

The Ping Identity Platform login flow is set up to use self-service, as in the sample Login journey. This journey lets end users log in using their PingOne Advanced Identity Cloud credentials and increment a login counter. A separate retry-limit counter tracks failed authentications and locks the user account if the number of retries exceeds a specified limit. End users who successfully authenticate are sent through a separate progressive profile journey. The login journey can be expanded to include other features, such as support for identity providers. Learn more in Social authentication.

Example login journey

The following nodes are associated with login journeys:

Platform Username node

The Platform Username node is used in both login and registration journeys. It collects the username of the end user.

Platform Password node

The Platform Password node is used in both login and registration journeys. It collects the password of the end user.

Identity Store Decision node

The Identity Store Decision node takes a username and password and validates that they match an existing user in the configured data store (in this case, an IDM user identity).

Retry Limit Decision node

The Retry Limit Decision node tracks failed authentications. If the number of failed authentications is below a specified Retry Limit, the end user can attempt authentication again. Otherwise, the node forwards to the Account Lockout node to lock the user account.

Account Lockout node

The Account Lockout node sets the lock state of the user account. In this case, it is configured to lock the user account. The node can also be used in a separate unlock journey to unlock the user account.

Configure social identity providers

To include social identity providers as a method of authentication, configure the Social Identity Provider Service in AM to include either some form of social registration or social account claiming. For more information, refer to Social authentication. Once this is set up, add social identity provider support to your login journey.

  1. To get started with social logins, you can create a new journey, modify the existing login journey, or duplicate the login journey and modify that.

    This example uses the following nodes:

  2. Connect the starting node to the Page node.

  3. Connect the Social Authentication output on the Page node to the Social Provider Handler node.

  4. On the Social Provider Handler node, connect the Account Exists output to the Increment Login Count node. Connect the No Account Exists output to the Failure node.

  5. On the Page node, connect the Local Authentication node to the Data Store Decision node.

  6. On the Data Store Decision node, connect the True output to the Increment Login Count node. Connect the False output to the Failure node.

  7. Connect the Increment Login Count node to the Inner Tree Evaluator node.

  8. The Inner Tree Evaluator node points to another journey, letting you chain multiple journeys together.

    By default, this is set to point to the ProgressiveProfile journey. For more information about progressive profiles, refer to Progressive profile.

    Connect the Inner Tree Evaluator node to the Success node.

The resulting login journey will look something like this:

Example login journey with social identity providers enabled

Example login REST output

When calling a login self-service endpoint, you will receive a JSON object back, containing callbacks for each of the nodes included in the login journey.

Sample JSON callbacks
{
  "authId": "<omitted for length>",
  "callbacks": [
    {
      "type": "ValidatedCreateUsernameCallback",
      "output": [
        {
          "name": "policies",
          "value": {}
        },
        {
          "name": "failedPolicies",
          "value": []
        },
        {
          "name": "validateOnly",
          "value": false
        },
        {
          "name": "prompt",
          "value": "Username"
        }
      ],
      "input": [
        {
          "name": "IDToken1",
          "value": ""
        },
        {
          "name": "IDToken1validateOnly",
          "value": false
        }
      ],
      "_id": 0
    },
    {
      "type": "ValidatedCreatePasswordCallback",
      "output": [
        {
          "name": "echoOn",
          "value": false
        },
        {
          "name": "policies",
          "value": {}
        },
        {
          "name": "failedPolicies",
          "value": []
        },
        {
          "name": "validateOnly",
          "value": false
        },
        {
          "name": "prompt",
          "value": "Password"
        }
      ],
      "input": [
        {
          "name": "IDToken2",
          "value": ""
        },
        {
          "name": "IDToken2validateOnly",
          "value": false
        }
      ],
      "_id": 1
    }
  ],
  "header": "Sign In",
  "description": "New here? <a href=\"#/service/Registration\">Create an account</a><br><a href=\"#/service/ForgottenUsername\">Forgot username?</a> <a href=\"#/service/ResetPassword\">Forgot password?</a>"
}
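
A client answers this response by sending back the same authId and callbacks with the value inputs filled in. The following Python sketch is an added example, not code from the product or its documentation: it fills IDToken1 and IDToken2, leaves the validateOnly flags as received, rejects callback types it does not recognise, and produces a log-safe copy. The function names, the sample authId and the choice to treat authId as sensitive journey state are assumptions made for the example.

```python
import copy
import re

# Constructed sample: the callback response shown above, trimmed to the fields used here.
SAMPLE = {
    "authId": "constructed-auth-id",
    "callbacks": [
        {"type": "ValidatedCreateUsernameCallback", "_id": 0,
         "output": [{"name": "prompt", "value": "Username"}],
         "input": [{"name": "IDToken1", "value": ""},
                   {"name": "IDToken1validateOnly", "value": False}]},
        {"type": "ValidatedCreatePasswordCallback", "_id": 1,
         "output": [{"name": "echoOn", "value": False},
                    {"name": "prompt", "value": "Password"}],
         "input": [{"name": "IDToken2", "value": ""},
                   {"name": "IDToken2validateOnly", "value": False}]},
    ],
}

# Which credential answers which callback type (types taken from the sample).
FIELD_FOR_TYPE = {"ValidatedCreateUsernameCallback": "username",
                  "ValidatedCreatePasswordCallback": "password"}
VALUE_INPUT = re.compile(r"IDToken\d+")  # the value slot, not the validateOnly flag


def build_reply(response, credentials):
    """Return the body to post back: same authId and callbacks, value inputs filled."""
    reply = {"authId": response["authId"],
             "callbacks": copy.deepcopy(response["callbacks"])}
    for cb in reply["callbacks"]:
        if cb["type"] not in FIELD_FOR_TYPE:
            # Fail closed rather than guess how to answer an unknown callback.
            raise ValueError("unsupported callback type: " + cb["type"])
        for item in cb["input"]:
            if VALUE_INPUT.fullmatch(item["name"]):
                item["value"] = credentials[FIELD_FOR_TYPE[cb["type"]]]
    return reply


def redact_for_log(reply):
    """Copy that is safe to log: authId and any echoOn=false input are masked."""
    safe = copy.deepcopy(reply)
    safe["authId"] = "<redacted>"
    for cb in safe["callbacks"]:
        secret = any(o["name"] == "echoOn" and o["value"] is False for o in cb["output"])
        for item in cb["input"]:
            if secret and VALUE_INPUT.fullmatch(item["name"]):
                item["value"] = "<redacted>"
    return safe
```

Using the echoOn output to decide what to mask keeps the password out of request logs without hard-coding callback positions.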