---
title: Sign-on (login)
description: The PingOne Advanced Identity Cloud sign-on flow is designed for self-service, as demonstrated in the Login journey template. This journey lets end users sign on using their Advanced Identity Cloud credentials and increments the login counter. A separate retry-limit counter tracks failed authentications and locks the end-user account if the number of retries exceeds a specified limit. End users who successfully authenticate are sent through a separate progressive profile journey.
component: pingoneaic
page_id: pingoneaic:self-service:login
canonical_url: https://docs.pingidentity.com/pingoneaic/self-service/login.html
keywords: ["Journeys", "Nodes & Trees", "Social Authentication"]
section_ids:
  social-login: Configure social identity providers
  example_social_sign_on_journey: Example social sign-on journey
  login-rest-sample: Example login REST output
---

# Sign-on (login)

The PingOne Advanced Identity Cloud sign-on flow is designed for self-service, as demonstrated in the **Login** journey template. This journey lets end users sign on using their Advanced Identity Cloud credentials and increments the login counter. A separate retry-limit counter tracks failed authentications and locks the end-user account if the number of retries exceeds a specified limit. End users who successfully authenticate are sent through a separate [progressive profile journey](progressive-profile.html).

|   |                                                                                                                                                                                    |
| - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | The **Login** journey template can be extended to include other features, such as support for identity providers. Learn more in [Social authentication](social-registration.html). |

![Example sign-on journey](_images/idcloud-login-journey.png)

The following nodes are associated with sign-on journeys:

* [Platform Username node](https://docs.pingidentity.com/auth-node-ref/latest/platform-username.html)

  The [Platform Username node](https://docs.pingidentity.com/auth-node-ref/latest/platform-username.html) is used in both sign-on and registration journeys. It collects the end user's username.

* [Platform Password node](https://docs.pingidentity.com/auth-node-ref/latest/platform-password.html)

  The [Platform Password node](https://docs.pingidentity.com/auth-node-ref/latest/platform-password.html) is used in both sign-on and registration journeys. It collects the end user's password.

* [Identity Store Decision node](https://docs.pingidentity.com/auth-node-ref/latest/cloud/identity-store-decision.html)

  The [Identity Store Decision node](https://docs.pingidentity.com/auth-node-ref/latest/cloud/identity-store-decision.html) takes a username and password and validates they match an existing end user in the identity store.

* [Retry Limit Decision node](https://docs.pingidentity.com/auth-node-ref/latest/retry-limit-decision.html)

  The [Retry Limit Decision node](https://docs.pingidentity.com/auth-node-ref/latest/retry-limit-decision.html) tracks failed authentications. If the number of failed authentications is below a specified Retry Limit, the end user can attempt authentication again. Otherwise, the node forwards to the [Account Lockout node](https://docs.pingidentity.com/auth-node-ref/latest/account-lockout.html) to lock the end-user account.

  ![node retry limit decision configuration](_images/node-retry-limit-decision-configuration.png)

* [Account Lockout node](https://docs.pingidentity.com/auth-node-ref/latest/account-lockout.html)

  The [Account Lockout node](https://docs.pingidentity.com/auth-node-ref/latest/account-lockout.html) sets the lock state of the end-user account. In this case, it is configured to lock the account. The node can also be used in a separate unlock journey to unlock the end-user account.

  ![node account lockout configuration](_images/node-account-lockout-configuration.png)

## Configure social identity providers

To include social identity providers as a method of authentication, configure the Social Identity Provider service to include some form of social registration or social account claiming. Learn more in [Social authentication](social-registration.html). After this is set up, add social identity provider support to your sign-on journey.

To get started with social sign ons, you can create a new journey, modify an existing sign-on journey, or duplicate the **Login** journey template and modify that.

### Example social sign-on journey

This example uses the following nodes:

* A [Page node](https://docs.pingidentity.com/auth-node-ref/latest/page.html) containing:

  * A [Platform Username node](https://docs.pingidentity.com/auth-node-ref/latest/platform-username.html).

  * A [Platform Password node](https://docs.pingidentity.com/auth-node-ref/latest/platform-password.html).

  * A [Select Identity Provider node](https://docs.pingidentity.com/auth-node-ref/latest/select-identity-provider.html).

* A [Social Provider Handler node](https://docs.pingidentity.com/auth-node-ref/latest/social-provider-handler.html).

* A [Data Store Decision node](https://docs.pingidentity.com/auth-node-ref/latest/data-store-decision.html).

* An [Increment Login Count node](https://docs.pingidentity.com/auth-node-ref/latest/increment-login-count.html).

* An [Inner Tree Evaluator node](https://docs.pingidentity.com/auth-node-ref/latest/inner-tree-evaluator.html).

To create the journey:

1. Connect the starting node to the [Page node](https://docs.pingidentity.com/auth-node-ref/latest/page.html).

2. Connect the Social Authentication output on the [Page node](https://docs.pingidentity.com/auth-node-ref/latest/page.html) to the [Social Provider Handler node](https://docs.pingidentity.com/auth-node-ref/latest/social-provider-handler.html).

3. On the [Social Provider Handler node](https://docs.pingidentity.com/auth-node-ref/latest/social-provider-handler.html), connect the Account Exists output to the [Increment Login Count node](https://docs.pingidentity.com/auth-node-ref/latest/increment-login-count.html). Connect the No Account Exists output to the Failure node.

4. On the [Page node](https://docs.pingidentity.com/auth-node-ref/latest/page.html), connect the Local Authentication node to the [Data Store Decision node](https://docs.pingidentity.com/auth-node-ref/latest/data-store-decision.html).

5. On the [Data Store Decision node](https://docs.pingidentity.com/auth-node-ref/latest/data-store-decision.html), connect the True output to the [Increment Login Count node](https://docs.pingidentity.com/auth-node-ref/latest/increment-login-count.html). Connect the False output to the Failure node.

6. Connect the [Increment Login Count node](https://docs.pingidentity.com/auth-node-ref/latest/increment-login-count.html) to the [Inner Tree Evaluator node](https://docs.pingidentity.com/auth-node-ref/latest/inner-tree-evaluator.html) node.

7. The [Inner Tree Evaluator node](https://docs.pingidentity.com/auth-node-ref/latest/inner-tree-evaluator.html) points to another journey, letting you chain multiple journeys together.

   By default, this is set to point to the `ProgressiveProfile` journey. Learn more about progressive profiles in [Progressive profile](progressive-profile.html).

   Connect the [Inner Tree Evaluator node](https://docs.pingidentity.com/auth-node-ref/latest/inner-tree-evaluator.html) node to the Success node.

The resulting journey looks similar to this:

![Example login journey with social identity providers enabled](_images/social-login.png)

## Example login REST output

Calling a login self-service endpoint returns a JSON object containing callbacks for each of the nodes included in the journey.

> **Collapse: Sample JSON callbacks**
>
> ```json
> {
>   "authId": "<omitted for length>",
>   "callbacks": [
>     {
>       "type": "ValidatedCreateUsernameCallback",
>       "output": [
>         {
>           "name": "policies",
>           "value": {}
>         },
>         {
>           "name": "failedPolicies",
>           "value": []
>         },
>         {
>           "name": "validateOnly",
>           "value": false
>         },
>         {
>           "name": "prompt",
>           "value": "Username"
>         }
>       ],
>       "input": [
>         {
>           "name": "IDToken1",
>           "value": ""
>         },
>         {
>           "name": "IDToken1validateOnly",
>           "value": false
>         }
>       ],
>       "_id": 0
>     },
>     {
>       "type": "ValidatedCreatePasswordCallback",
>       "output": [
>         {
>           "name": "echoOn",
>           "value": false
>         },
>         {
>           "name": "policies",
>           "value": {}
>         },
>         {
>           "name": "failedPolicies",
>           "value": []
>         },
>         {
>           "name": "validateOnly",
>           "value": false
>         },
>         {
>           "name": "prompt",
>           "value": "Password"
>         }
>       ],
>       "input": [
>         {
>           "name": "IDToken2",
>           "value": ""
>         },
>         {
>           "name": "IDToken2validateOnly",
>           "value": false
>         }
>       ],
>       "_id": 1
>     }
>   ],
>   "header": "Sign In",
>   "description": "New here? <a href=\"#/service/Registration\">Create an account</a><br><a href=\"#/service/ForgottenUsername\">Forgot username?</a> <a href=\"#/service/ResetPassword\">Forgot password?</a>"
> }
> ```