---
title: Setting up Verified Trust for help desk account recovery using PingOne Advanced Identity Cloud
description: Learn how to implement the Verified Trust for Workforce Help Desk Solution with PingOne Advanced Identity Cloud to secure your help desk operations and prevent account takeover.
component: solution-guides
page_id: solution-guides:verified-trust:verified-trust-helpdesk-aic
canonical_url: https://docs.pingidentity.com/solution-guides/verified-trust/verified-trust-helpdesk-aic.html
keywords: ["verified trust", "identity verification", "help desk", "password reset", "end user", "Advanced Identity Cloud", "journeys", "backchannel", "PingOne Verify"]
section_ids:
  goals: Goals
  what-youll-do: What you'll do
  before-you-begin: Before you begin
  tasks: Tasks
  task_1_prerequisites: "Task 1: Setting up prerequisites"
  task_1a_esv: "Step 1a: Configuring ESVs for the PingOne Worker Service"
  steps: Steps
  result: Result
  task_1b_worker: "Step 1b: Configuring the PingOne Worker Service"
  steps-2: Steps
  result-2: Result
  task_1c_email_templates: "Step 1c: Importing email templates"
  steps-3: Steps
  result-3: Result
  task_1d_custom_nodes: "Step 1d: Importing custom nodes"
  steps-4: Steps
  result-4: Result
  task_1e_custom_attributes: "Step 1e: Creating custom user attributes"
  steps-5: Steps
  result-5: Result
  task_2_import_journeys: "Task 2: Importing the journeys"
  phase-1-importing-backchannel-and-inner-journeys: "Phase 1: Importing backchannel and inner journeys"
  steps-6: Steps
  result-6: Result
  phase-2-importing-the-main-and-profile-management-journeys: "Phase 2: Importing the main and profile management journeys"
  steps-7: Steps
  result-7: Result
  task_3_configure_post_import: "Task 3: Configuring post-import journey settings"
  task_3a_journey_settings: "Step 3a: Updating journey settings"
  steps-8: Steps
  result-8: Result
  task_3b_send_verification_link: "Step 3b: Configuring the Send ID Verification Link journey"
  steps-9: Steps
  result-9: Result
  task_3c_user_profile_management: "Step 3c: Configuring the User Profile Management journey"
  steps-10: Steps
  result-10: Result
  task_3d_backchannel_verify: "Step 3d: Configuring the User ID Verification Backchannel journey"
  steps-11: Steps
  result-11: Result
  task_4_configure_worker_service: "Task 4: Extending the journey timeout (optional)"
  steps-12: Steps
  result-12: Result
  task_5_configure_agent_access: "Task 5: Configuring help desk agent access"
  steps-13: Steps
  result-13: Result
  task_6_configure_end_user: "Task 6: Create an end-user account"
  steps-14: Steps
  result-14: Result
  vt_helpdesk_aic_validation: Validation
  before-you-begin-2: Before you begin
  steps-15: Steps
  troubleshooting: Troubleshooting
  whats-next: What's next
  explore-further: Explore further
  helpdesk-aic-concepts: Concepts
---

# Setting up Verified Trust for help desk account recovery using PingOne Advanced Identity Cloud

The Verified Trust for Workforce Help Desk Solution provides a way to confirm a user's identity before performing sensitive account actions, such as password resets and multi-factor authentication (MFA) device resets. This solution lets authorized help desk agents look up a workforce employee, send them a verification link, and monitor the verification status in real time. After the employee verifies their identity using a government-issued ID and a liveness selfie, the agent can securely reset their password or MFA device.

This implementation uses a set of pre-built PingOne Advanced Identity Cloud journeys that work together through PingOne Advanced Identity Cloud's backchannel authentication mechanism. The main agent-facing journey coordinates identity verification and account recovery through a set of inner and backchannel journeys. To implement this solution in your environment, you'll import these journeys and configure them with your PingOne Worker Service and PingOne Verify policy.

## Goals

After completing this use case, you'll know how to:

* Execute a guided journey where a help desk agent verifies a workforce employee's identity in real time to securely authorize account recovery.

* Configure PingOne Verify to validate government-issued IDs and liveness (selfies) as part of an identity verification policy.

* Configure the PingOne Advanced Identity Cloud journey nodes to communicate with PingOne using the PingOne Worker Service.

## What you'll do

In this use case, you'll learn how to implement the Verified Trust for Workforce Help Desk Solution by doing the following in PingOne Advanced Identity Cloud:

* Set up prerequisites: email templates, custom nodes, and custom user attributes.

* Import the pre-built journeys in two phases.

* Configure post-import journey settings and node connections.

* Configure help desk agent access using a HelpDesk group.

The following map provides a high-level overview of the implementation workflow. You can refer back to this map as you work through the steps.

![A map showing the workflow for the Verified Trust for Workforce Help Desk solution on PingOne Advanced Identity Cloud. The map starts by preparing prerequisites, then moves to importing the pre-built journeys and configuring the solution. The map ends with validation steps and troubleshooting tips.](_images/docs-metro-map-vt-helpdesk-aic.png)

## Before you begin

Ensure you have:

* A basic understanding of [key PingOne Advanced Identity Cloud concepts](https://docs.pingidentity.com/pingoneaic/getting-started/getting-started-concepts.html) including tenants and realms.

* A basic understanding of [PingOne Verify in PingOne Advanced Identity Cloud](https://docs.pingidentity.com/pingoneaic/integrations/pingone-verify.html).

* Familiarity with:

  * [PingOne Advanced Identity Cloud journeys and nodes](https://docs.pingidentity.com/pingoneaic/journeys/journeys.html).

  * [Setting up PingOne workers as PingOne Advanced Identity Cloud services](https://docs.pingidentity.com/pingoneaic/integrations/pingone-set-up-oidc-clients.html).

  * [Environment secrets and variables (ESVs)](https://docs.pingidentity.com/pingoneaic/tenants/esvs.html).

* A PingOne Advanced Identity Cloud development tenant with the following configured:

  * A PingOne environment mapped to the tenant, with the PingOne Verify service configured

  * A PingOne Worker App configured in PingOne

  * The PingOne Worker App client ID, client secret, and environment ID

* A configured [PingOne Verify policy](https://docs.pingidentity.com/pingone/identity_verification_using_pingone_verify/p1_verify_start.html) in your mapped PingOne environment.

* The PingOne Verify policy ID to use when configuring scripts in PingOne Advanced Identity Cloud.

* Access to the PingOne Advanced Identity Cloud admin console with administrator permissions.

* Access to the PingOne admin console with the [Environment Admin](https://docs.pingidentity.com/pingone/getting_started_with_pingone/p1_manage_admin_roles.html) role assigned.

* Your mobile device and government-issued identity document to validate the solution.

Learn more about the concepts and components used in this solution in the [Concepts](#helpdesk-aic-concepts) section.

## Tasks

* [Task 1: Setting up prerequisites](#task_1_prerequisites)

* [Task 2: Importing the journeys](#task_2_import_journeys)

* [Task 3: Configuring post-import journey settings](#task_3_configure_post_import)

* [Task 4: Extending the journey timeout (optional)](#task_4_configure_worker_service)

* [Task 5: Configuring help desk agent access](#task_5_configure_agent_access)

* [Task 6: Create an end-user account](#task_6_configure_end_user)

### Task 1: Setting up prerequisites

Learn how to set up the email templates, custom nodes, and custom user attributes required before importing the journeys.

#### Step 1a: Configuring ESVs for the PingOne Worker Service

The journeys use a PingOne Worker Service to communicate with PingOne. You must create ESVs in your PingOne Advanced Identity Cloud tenant to hold the credentials for the worker application.

##### Steps

1. In the PingOne Advanced Identity Cloud admin console, go to **Tenant Settings > Environment Secrets & Variables**.

2. Create the following ESV secret:

   | Name                                  | Description                                  |
   | ------------------------------------- | -------------------------------------------- |
   | `esv-hd-pingone-worker-client-secret` | The client secret of your PingOne Worker App |

3. Create the following ESV variables:

   | Name                              | Description                                           |
   | --------------------------------- | ----------------------------------------------------- |
   | `esv-hd-pingone-environment-id`   | The environment ID of your mapped PingOne environment |
   | `esv-hd-pingone-worker-client-id` | The client ID of your PingOne Worker App              |

4. Apply the ESV updates.

##### Result

The ESVs are created and available for use in your PingOne Worker Service configuration.

#### Step 1b: Configuring the PingOne Worker Service

The journeys reference a PingOne Worker Service named `HelpDesk PingOne Worker`. You must create this service before importing the journeys.

##### Steps

1. In the PingOne Advanced Identity Cloud admin console, go to **Native Consoles > Access Management**.

2. In the AM admin UI, go to **Services > PingOne Worker Service**.

3. Create a new PingOne Worker Service secondary configuration using the following hints, replacing the URL values with those for your PingOne region:

   | Field                          | Value                                                                  |
   | ------------------------------ | ---------------------------------------------------------------------- |
   | Name                           | `HelpDesk PingOne Worker`                                              |
   | Environment ID                 | `esv-hd-pingone-environment-id` (the ESV you created)                  |
   | Client ID                      | `esv-hd-pingone-worker-client-id` (the ESV you created)                |
   | Client Secret Label Identifier | `pingoneworkhelpdesk`                                                  |
   | PingOne API Server             | For example, `https://api.pingone.eu/v1` (use the URL for your region) |
   | PingOne Auth Server            | For example, `https://auth.pingone.eu` (use the URL for your region)   |

4. In the AM admin UI, go to **Secret Stores > ESV > Mappings** and map `am.services.pingone.worker.pingoneworkhelpdesk.clientsecret` to `esv-hd-pingone-worker-client-secret` (the ESV you created).

5. Go back to the PingOne Worker Service configuration and use **Save and Test Connection** to verify the connection to PingOne.

##### Result

The PingOne Worker Service is configured in your PingOne Advanced Identity Cloud tenant and available for the journey nodes to use.
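If **Save and Test Connection** fails, a pre-flight check of the values behind Steps 1a and 1b helps narrow down which setting is wrong. The following is an added example, not code from Ping Identity or the solution package. It checks the values you stored in the ESVs and the two region URLs for consistency, derives the secret label that the mapping in step 4 must use, and can optionally request a token with the client credentials grant. The sample IDs are constructed, the `P1_WORKER_CLIENT_SECRET` environment variable name is hypothetical, and HTTP Basic client authentication at the PingOne `/as/token` endpoint is assumed.

```python
import base64
import os
import re
import urllib.error
import urllib.parse
import urllib.request

# PingOne environment IDs and application client IDs are UUIDs.
UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


def secret_label(identifier):
    """Secret label AM derives from the Client Secret Label Identifier."""
    return f"am.services.pingone.worker.{identifier}.clientsecret"


def region_of(url, service):
    """Return the region suffix ('eu', 'com', ...) of an https PingOne URL,
    or None if the URL is not https://<service>.pingone.<region>[/...]."""
    parts = urllib.parse.urlsplit(url)
    prefix = f"{service}.pingone."
    host = parts.hostname or ""
    if parts.scheme != "https" or not host.startswith(prefix):
        return None
    return host[len(prefix):] or None


def token_endpoint(cfg):
    """Token endpoint of the worker's environment on the configured auth server."""
    return f"{cfg['auth_server'].rstrip('/')}/{cfg['environment_id']}/as/token"


def check_worker_config(cfg):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    for key in ("environment_id", "client_id"):
        value = cfg.get(key, "")
        if value != value.strip():
            problems.append(f"{key}: leading or trailing whitespace")
        elif not UUID_RE.fullmatch(value):
            problems.append(f"{key}: not a UUID")
    api = region_of(cfg.get("api_server", ""), "api")
    auth = region_of(cfg.get("auth_server", ""), "auth")
    if api is None:
        problems.append("api_server: expected https://api.pingone.<region>/v1")
    if auth is None:
        problems.append("auth_server: expected https://auth.pingone.<region>")
    if api and auth and api != auth:
        problems.append(f"region mismatch: API server is '{api}', auth server is '{auth}'")
    label = secret_label(cfg.get("secret_label_identifier", ""))
    if label not in cfg.get("secret_mappings", {}):
        problems.append(f"no secret mapping for {label}")
    return problems


def request_token(cfg, client_secret, timeout=10):
    """POST a client_credentials grant and return the HTTP status code.
    Assumes the Worker App accepts HTTP Basic client authentication."""
    basic = base64.b64encode(f"{cfg['client_id']}:{client_secret}".encode()).decode()
    req = urllib.request.Request(
        token_endpoint(cfg),
        data=urllib.parse.urlencode({"grant_type": "client_credentials"}).encode(),
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401 points at the client ID or secret


# Constructed sample values, not a real environment. The ESV name, label
# identifier, and region URLs are the ones used in Steps 1a and 1b.
SAMPLE = {
    "environment_id": "11111111-2222-4333-8444-555555555555",
    "client_id": "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee",
    "api_server": "https://api.pingone.eu/v1",
    "auth_server": "https://auth.pingone.eu",
    "secret_label_identifier": "pingoneworkhelpdesk",
    "secret_mappings": {
        "am.services.pingone.worker.pingoneworkhelpdesk.clientsecret":
            "esv-hd-pingone-worker-client-secret",
    },
}

if __name__ == "__main__":
    issues = check_worker_config(SAMPLE)
    print("\n".join(issues) or "configuration values are consistent")
    # Hypothetical variable name; the secret is read from the environment
    # and never printed. Without it, no network request is made.
    secret = os.environ.get("P1_WORKER_CLIENT_SECRET")
    if not issues and secret:
        print("token endpoint returned HTTP", request_token(SAMPLE, secret))
```

Replace `SAMPLE` with your own values before running the optional token request. An HTTP 200 from the token endpoint confirms the client ID, client secret, environment ID, and region together.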

#### Step 1c: Importing email templates

The journeys send backchannel links to end users by email. Three email templates are required.

##### Steps

1. Download the [Verified Trust for Workforce — Helpdesk Solution](https://marketplace.pingone.com/item/verified-trust-for-workforce-helpdesk-solution) package from the Ping Identity Marketplace. The package includes a `Prerequisites` folder with the email templates and custom nodes.

2. In the PingOne Advanced Identity Cloud admin console, go to **Email Templates**.

3. Import or create each of the following templates using the HTML files in the `Prerequisites/Email Templates` folder:

   | Template name                               | File                                                      |
   | ------------------------------------------- | --------------------------------------------------------- |
   | `Help Desk BackChannel Verification Link`   | `Help Desk BackChannel Verification Link Template.html`   |
   | `Help Desk BackChannel Password Reset Link` | `Help Desk BackChannel Password Reset Link Template.html` |
   | `Help Desk BackChannel MFA Reset Link`      | `Help Desk BackChannel MFA Reset Link Template.html`      |

   The template names must match exactly as shown. The journeys reference these templates by name.

##### Result

The three email templates are available in your PingOne Advanced Identity Cloud tenant and will be used by the journeys to deliver backchannel links to end users.

#### Step 1d: Importing custom nodes

The journeys use custom nodes that must be imported before the journeys themselves.

##### Steps

1. In the PingOne Advanced Identity Cloud admin console, go to **Journeys > Custom Nodes**.

2. Click **Import** and upload the `Prerequisites/Custom Nodes/Custom Nodes.json` file from the downloaded package.

   ![A screenshot of the Custom Nodes import dialog in the PingOne Advanced Identity Cloud admin console.](_images/aic-hd-custom-node-import.png)

3. Confirm that the following custom nodes are listed after import:

   * User Message to Display

   * Select MFA Method

   * Remove MFA Device

   * Get IDM User Attributes

   * Display Node State Variables

##### Result

The custom nodes are available in your PingOne Advanced Identity Cloud tenant and can be used by the imported journeys.

#### Step 1e: Creating custom user attributes

The journeys use custom attributes on user profiles to track verification state. You must create these attributes before importing the journeys.

##### Steps

1. In the PingOne Advanced Identity Cloud admin console, go to **Identities > Configure > Alpha realm - user > Properties**.

2. Create the following custom attributes:

   | Name                                  | Type   | Purpose                                                                                                                                                                                                                                                                                                                                                                                 |
   | ------------------------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | `custom_backChannelVerifyLinkExpired` | String | Tracks whether the backchannel verification link has already been used or has expired.                                                                                                                                                                                                                                                                                                  |
   | `custom_lastVerifyTransactionID`      | String | Stores the last PingOne Verify transaction ID to detect whether a new transaction has started.                                                                                                                                                                                                                                                                                          |
   | `custom_backChannelTransactionId`     | String | Stores the current backchannel transaction ID.                                                                                                                                                                                                                                                                                                                                          |
   | `custom_DOB`                          | String | Stores the user's date of birth. Set the readable title to `DOB (YYYY-MM-DD)` to specify the required format. If the PingOne Verify policy requires it for advanced data matching, set the field to the end user's date of birth. PingOne Advanced Identity Cloud provides the value to PingOne Verify for comparison with the date of birth on the end user's identification document. |

##### Result

The custom attributes are created and available on user profiles in the alpha realm.

### Task 2: Importing the journeys

Learn how to import the pre-built PingOne Advanced Identity Cloud journeys into your development environment. The journeys are split across two import files that must be imported in order.

#### Phase 1: Importing backchannel and inner journeys

The first import file contains the supporting backchannel and MFA registration journeys that the main journey depends on.

##### Steps

1. In the PingOne Advanced Identity Cloud admin console, select your development environment and the **alpha** realm.

2. In the sidebar, click **Journeys**.

3. Click **Import**, and then select **Import journeys from file**.

4. Upload the `Help_Desk_Import_Phase_1_Dependencies.json` file from the downloaded package.

   ![A screenshot of the Import journeys dialog showing the Phase 1 journeys listed for import.](_images/aic-hd-journey-import-1.png)

5. Confirm that the import dialog lists the following journeys:

   * `Help_Desk-OATH_MFA_Method_Registration_Inner_Journey`

   * `Help_Desk-Push_MFA_Method_Registration_Inner_Journey`

   * `Help_Desk-WebAuthn_MFA_Method_Registration_Inner_Journey`

   * `Help_Desk-Reset_Password_Backchannel_Journey`

   * `Help_Desk-MFA_Device_Reset_Backchannel_Journey`

   * `Help_Desk-User_ID_Verification_Backchannel_Journey`

6. Click **Start Import**.

##### Result

The Phase 1 journeys are imported into your development environment.

#### Phase 2: Importing the main and profile management journeys

The second import file contains the main agent-facing journey, the user profile management journey, and the ID verification link journey.

Wait a few minutes before importing the second journeys file in PingOne Advanced Identity Cloud to make sure Phase 1 has fully completed.

##### Steps

1. Click **Import**, and then select **Import journeys from file**.

2. Upload the `Help_Desk_Import_Phase_2_Profile_Send_Main.json` file from the downloaded package.

   ![A screenshot of the Import journeys dialog showing the Phase 2 journeys listed for import.](_images/aic-hd-journey-import-2.png)

3. Confirm that the import dialog lists the following journeys:

   * `Help_Desk-Send_ID_Verification_Link_Inner_Journey`

   * `Help_Desk-User_Profile_Management_Inner_Journey`

   * `Help_Desk-Agent_Login_and_End_User_ID_Verification_Main_Journey`

4. Click **Start Import**.

##### Result

All nine journeys are now imported and appear in the **Journeys** list. Find the `Help Desk` scripts included in the journeys under **Scripts > Auth Scripts**.

### Task 3: Configuring post-import journey settings

After importing both phases, you must update the journey settings and configure several nodes that require manual setup.

#### Step 3a: Updating journey settings

Some journeys require specific runtime settings to operate correctly.

##### Steps

1. In the PingOne Advanced Identity Cloud admin console, select your development environment and the **alpha** realm, then go to **Journeys**.

2. Edit the following journeys to use **Run journey for all users regardless of current session** and **No Session**:

   * `Help_Desk-Agent_Login_and_End_User_ID_Verification_Main_Journey`

   * `Help_Desk-User_ID_Verification_Backchannel_Journey`

3. Edit the following journeys to **Run journey for all users regardless of current session** only:

   * `Help_Desk-MFA_Device_Reset_Backchannel_Journey`

   * `Help_Desk-Reset_Password_Backchannel_Journey`

##### Result

The journey settings are configured correctly.

#### Step 3b: Configuring the Send ID Verification Link journey

The `Help_Desk-Send_ID_Verification_Link_Inner_Journey` requires you to configure the backchannel node, select scripts for two Verify nodes, and assign the PingOne Worker Service.

##### Steps

1. Open the `Help_Desk-Send_ID_Verification_Link_Inner_Journey` journey.

2. Click the Backchannel Initialize node and set the following:

   | Field              | Value                                                      |
   | ------------------ | ---------------------------------------------------------- |
   | Journey            | `Help_Desk-User_ID_Verification_Backchannel_Journey`       |
   | Subject Name Key   | `backchannelUser`                                          |
   | Data Object Key    | `backchannelData`                                          |
   | Max Time (Seconds) | `600` (or longer if needed to allow time for verification) |
   | Allow Retry        | Not enabled                                                |

3. Click the Read Previous Verification Transaction node, enable **Use a script to process Verify transactions**, and select the script `Help Desk - Read Previous Verification`.

4. Click the Get Transaction Data and Verified Data node, enable **Use a script to process Verify transactions**, and select the script `Help Desk - Get Transaction Data and Verified Data`.

5. On the following nodes, set the **PingOne Worker Service** to `HelpDesk PingOne Worker`:

   * PingOne Verify Completion Decision

   * PingOne Create User

   * PingOne Identity Match

6. Click **Save** on the journey.

##### Result

The Send ID Verification Link journey is configured to trigger the user-facing backchannel journey and use the correct PingOne Verify scripts and worker service.

#### Step 3c: Configuring the User Profile Management journey

The `Help_Desk-User_Profile_Management_Inner_Journey` contains two Backchannel Initialize nodes that connect to the password reset and MFA reset backchannel journeys.

##### Steps

1. Open the `Help_Desk-User_Profile_Management_Inner_Journey` journey.

2. Click the Backchannel Initialize node connected to the **Reset Password** path and set the following:

   | Field              | Value                                          |
   | ------------------ | ---------------------------------------------- |
   | Journey            | `Help_Desk-Reset_Password_Backchannel_Journey` |
   | Subject Name Key   | `backchannelUser`                              |
   | Data Object Key    | `backchannelData`                              |
   | Max Time (Seconds) | `600` (or as required for your users)          |

3. Click the Backchannel Initialize node connected to the **Reset MFA Device** path and set the following:

   | Field              | Value                                            |
   | ------------------ | ------------------------------------------------ |
   | Journey            | `Help_Desk-MFA_Device_Reset_Backchannel_Journey` |
   | Subject Name Key   | `backchannelUser`                                |
   | Data Object Key    | `backchannelData`                                |
   | Max Time (Seconds) | `600` (or as required for your users)            |

4. Click **Save** on the journey.

##### Result

The User Profile Management journey is configured to trigger the correct backchannel journeys for password reset and MFA device reset.

#### Step 3d: Configuring the User ID Verification Backchannel journey

The `Help_Desk-User_ID_Verification_Backchannel_Journey` contains the PingOne Verify evaluation configuration and requires you to specify the Verify Policy ID and PingOne Worker Service.

##### Steps

1. In the PingOne admin console, [open the PingOne Verify policy for editing](https://docs.pingidentity.com/pingone/identity_verification_using_pingone_verify/p1_verify_managing_a_verify_policy.html) and copy the policy ID at the top of the configuration panel.

2. In the PingOne Advanced Identity Cloud admin console, open the `Help_Desk-User_ID_Verification_Backchannel_Journey` journey.

3. Click the Verify Evaluation node.

4. In the node's configuration script (the Provider node script), set the following values:

   | Field            | Value                                                              |
   | ---------------- | ------------------------------------------------------------------ |
   | `pingOneWorker`  | `HelpDesk PingOne Worker` (the name of the PingOne Worker Service) |
   | `verifyPolicyId` | The ID of your PingOne Verify policy from your PingOne environment |

5. On the following nodes, set the **PingOne Worker Service** to `HelpDesk PingOne Worker`:

   * PingOne Create User

   * PingOne Identity Match

6. Click **Save** on the journey.

##### Result

The backchannel verification journey is configured to use your PingOne Verify policy and worker service.

### Task 4: Extending the journey timeout (optional)

By default, PingOne Advanced Identity Cloud journeys time out after 5 minutes. For end users who need more time to complete identity verification, you can extend this timeout.

#### Steps

1. In the PingOne Advanced Identity Cloud admin console, go to **Native Consoles > Access Management**.

2. In the AM admin UI, go to **Authentication > Settings > Trees**.

3. Set **Max duration (minutes)** to `15`.

4. Click **Save Changes**.

#### Result

Journeys now allow up to the configured duration before timing out.

### Task 5: Configuring help desk agent access

Learn how to authorize help desk agents to perform account resets.

The `Help_Desk-Agent_Login_and_End_User_ID_Verification_Main_Journey` uses a Set Admin Group node to check that the authenticated agent belongs to the `HelpDesk` group (specifically, that `adminGroup: HelpDesk` is present in the node state). You must create this group and add your help desk agents to it.

#### Steps

1. In the PingOne Advanced Identity Cloud admin console, select your development environment and the **alpha** realm.

2. In the sidebar, go to **Identities > Groups**, then create a new group named `HelpDesk`.

3. In the sidebar, go to **Identities > Manage**, then select **Alpha realm - Users**.

4. Click a help desk agent's user account to open their profile, then add them to the `HelpDesk` group.

5. Repeat for each help desk agent who should be authorized to perform account resets.

#### Result

Help desk agents in the `HelpDesk` group can sign on to the main journey and proceed to the end-user lookup and verification steps.

### Task 6: Create an end-user account

Prepare an end-user account to validate your work.

#### Steps

1. In the PingOne Advanced Identity Cloud admin console, select your development environment and the **alpha** realm.

2. In the sidebar, go to **Identities > Manage**, then select **Alpha realm - Users**.

3. Create an end-user account based on these hints:

   | Field           | Value                                                                                                                                 |
   | --------------- | ------------------------------------------------------------------------------------------------------------------------------------- |
   | `First Name`    | The given and middle names on your identification document                                                                            |
   | `Last Name`     | The surname on your identification document                                                                                           |
   | `Email Address` | A valid email address where PingOne Advanced Identity Cloud can send you messages with links for the validation process               |
   | `Address`       | (Optional) If required for advanced data matching in the PingOne Verify policy, include the address on your identification document   |
   | `DOB`           | (Optional) If required for advanced data matching in the PingOne Verify policy, include the birthdate on your identification document |

#### Result

The end-user account is ready for the verification steps.

You've now completed the configuration for the Verified Trust for Workforce Help Desk Solution on PingOne Advanced Identity Cloud. Learn how to test the solution in the [Validation](#vt_helpdesk_aic_validation) section.

## Validation

Now that you've imported the journeys, configured the PingOne Worker Service, specified a PingOne Verify policy, and prepared a help desk agent and end-user account, you're ready to test the solution.

### Before you begin

Ensure you have the following:

* The username and password of a help desk agent whose account belongs to the `HelpDesk` group.

* The username of an end user in the alpha realm whose account has a valid email address you can access.

* A mobile device that can access the test end user's email and has a working camera.

* A valid government-issued ID that you can use for testing purposes. Learn more in [PingOne Verify types of verification](https://docs.pingidentity.com/pingone/identity_verification_using_pingone_verify/p1_verify_types_of_verification.html).

### Steps

1. Open the agent journey in an incognito browser window by navigating to the following URL, replacing `<tenant-fqdn>` with your PingOne Advanced Identity Cloud tenant domain:

   ```text
   https://<tenant-fqdn>/am/XUI/?realm=alpha&authIndexType=service&authIndexValue=Help_Desk-Agent_Login_and_End_User_ID_Verification_Main_Journey
   ```

2. Sign on as the help desk agent:

   1. Enter the help desk agent's username and click **Next**.

   2. Enter the help desk agent's password and click **Sign On**.

3. Look up the end user:

   1. When prompted, search for the end user by username or email address, then select the user's account.

      The journey verifies that the agent belongs to the `HelpDesk` group and retrieves the end user's profile.

4. Send the verification request:

   The journey sends a verification link to the end user's email address and displays a status-monitoring screen while waiting for the end user to respond.

5. Verify the end user's identity:

   1. As the end user, open a separate incognito browser window and access the verification link from the email.

   2. As the help desk agent, get the code shown on the end user's mobile device and enter it in your browser to get updates about the end user's progress.

   3. As the end user, click **Begin Verification** and follow the on-screen prompts to scan your government-issued ID and take a selfie.

      After completing verification, the screen confirms that identity verification was successful.

      ![A screenshot confirming that identity verification was successful.](_images/aic-hd-verification-success.png)

6. As the help desk agent, update the status in the agent window. When verification succeeds, choose to either reset the end user's password or reset their MFA devices:

   ![A screenshot of the agent's screen showing the option to reset the end user's password or MFA devices after successful verification.](_images/aic-hd-post-verification-choice.png)

7. Complete the account recovery:

   PingOne Advanced Identity Cloud sends the end user another email with a link to complete the reset. As the end user, open the link and follow the prompts. For a password reset, enter and confirm a new password:

   ![A screenshot of the Reset Password screen.](_images/aic-hd-reset-password.png)

   On success, the end user is signed on and the end-user profile page is displayed, confirming that account access has been restored.

## Troubleshooting

This section provides troubleshooting tips for common issues with the Verified Trust for Workforce Help Desk Solution on PingOne Advanced Identity Cloud.

* The help desk agent can't sign on

  When you enter the help desk agent's credentials, the journey returns an error or failure page. Confirm the following:

  * The agent's user account exists in the alpha realm of your PingOne Advanced Identity Cloud development environment.

  * The journey is enabled. In the PingOne Advanced Identity Cloud admin console, go to **Journeys** and confirm that **Help\_Desk-Agent\_Login\_and\_End\_User\_ID\_Verification\_Main\_Journey** is toggled on.

* The help desk agent is not authorized

  After signing on, the journey exits with a failure rather than proceeding to the end-user lookup step. Confirm that the agent's user account belongs to the `HelpDesk` group as described in [Task 5](#task_5_configure_agent_access).

* The end-user lookup fails

  The journey exits with a failure after you search for the end user. Confirm that:

  * The end user account exists in the alpha realm.

  * The end user account has a valid email address (required for backchannel link delivery).

* The PingOne Worker Service connection fails

  A node in the verification or backchannel journeys fails with a connection or authentication error. Confirm the following:

  * The `HelpDesk PingOne Worker` service in your PingOne Advanced Identity Cloud development environment is correctly configured with valid ESV values for the client ID, client secret, and environment ID from your mapped PingOne environment. Learn more in [Set up PingOne workers and configure them as PingOne Advanced Identity Cloud services](https://docs.pingidentity.com/pingoneaic/integrations/pingone-set-up-oidc-clients.html).

  * All nodes that reference `HelpDesk PingOne Worker` in the `Help_Desk-Send_ID_Verification_Link_Inner_Journey` and `Help_Desk-User_ID_Verification_Backchannel_Journey` are configured with the correct service name.

* The verification link has expired or the backchannel timed out

  The backchannel journey's **Max Time (Seconds)** has elapsed before the end user completed verification. The agent's status screen reflects the failure. The agent can restart the main journey to send a new verification request. Consider increasing the **Max Time** value in the Backchannel Initialize node and extending the journey timeout as described in [Task 4](#task_4_configure_worker_service).

* The PingOne Verify evaluation timed out

  The end user didn't complete the ID and liveness steps within the PingOne Verify evaluation window. The agent can restart the main journey to initiate a new verification session.
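
To separate a bad worker credential from a journey misconfiguration when the PingOne Worker Service connection fails, you can request a client-credentials token directly from PingOne with the same three values stored in the ESVs. The following script is an added example, not part of the solution package. It assumes the North America auth host, HTTP Basic client authentication on the worker application, and hypothetical environment variable names:

```python
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Assumption: North America region; use your PingOne environment's regional auth host.
AUTH_HOST = "auth.pingone.com"

def build_token_request(env_id, client_id, client_secret, host=AUTH_HOST):
    """Build a client_credentials token request with HTTP Basic client authentication."""
    url = f"https://{host}/{urllib.parse.quote(env_id, safe='')}/as/token"
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        url,
        data=urllib.parse.urlencode({"grant_type": "client_credentials"}).encode(),
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )

def diagnose(status, body):
    """Map a token endpoint response to the setting to re-check; never returns the token."""
    try:
        payload = json.loads(body)
    except ValueError:
        payload = {}
    if not isinstance(payload, dict):
        payload = {}
    if status == 200 and "access_token" in payload:
        return "ok: worker credentials accepted"
    if payload.get("error") == "invalid_client":  # OAuth 2.0 client authentication failure
        return "check the client ID and client secret ESVs"
    return f"HTTP {status}: check the environment ID ESV and the regional auth host"

def check_worker(env_id, client_id, client_secret, host=AUTH_HOST):
    req = build_token_request(env_id, client_id, client_secret, host)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return diagnose(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return diagnose(err.code, err.read().decode(errors="replace"))
    except urllib.error.URLError as err:
        return f"network error: {err.reason}"

if __name__ == "__main__":
    # Hypothetical variable names; export the values instead of hardcoding the secret.
    env = os.environ
    print(check_worker(env["P1_ENV_ID"], env["P1_CLIENT_ID"], env["P1_CLIENT_SECRET"]))
```

If the script reports `ok` but a journey node still fails, the credentials are valid and the problem is more likely the service name the node references.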

## What's next

As you integrate and promote this solution to higher environments, consider the following:

* Customizing the `HelpDesk` group name and the Set Admin Group node's group check to align with your organization's group naming conventions.

* Adding extension points to the journey to integrate with external ticketing systems. For example, creating a Jira ticket or ServiceNow incident when an end user fails identity verification.

* Configuring a custom PingOne Verify policy appropriate for your organization before deploying to production. The default policy is sufficient for testing but might not meet your production requirements.

## Explore further

### Concepts

Learn more about the concepts used in the Verified Trust for Workforce Help Desk Solution in the following table:

| Concept                                                                                                                     | Description                                                                                                                                                                                                                                                                                                                                                                                                             |
| --------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [PingOne Advanced Identity Cloud journeys](https://docs.pingidentity.com/pingoneaic/journeys/journeys.html)                 | A journey is a visual, node-based workflow that defines how users or agents authenticate, verify their identity, or perform account management tasks. In this solution, a main agent-facing journey coordinates identity verification and account recovery through a set of inner and backchannel journeys.                                                                                                             |
| [Backchannel authentication](https://docs.pingidentity.com/pingoneaic/am-authentication/backchannel-authentication.html)    | Backchannel authentication lets a journey start a separate, asynchronous journey for a different subject — in this case, the end user — while the originating journey monitors the outcome. The main journey uses Backchannel Initialize nodes to trigger user-facing journeys and polls for their results using Backchannel Status nodes.                                                                              |
| [PingOne Worker Service](https://docs.pingidentity.com/pingoneaic/integrations/pingone-set-up-oidc-clients.html)            | The PingOne Worker Service is a service configuration in PingOne Advanced Identity Cloud that gives journey nodes the credentials they need to call PingOne APIs. It acts as the bridge between PingOne Advanced Identity Cloud journey nodes (such as PingOne Verify Evaluation) and your connected PingOne environment. Each node that communicates with PingOne must reference a configured worker service instance. |
| [ESVs](https://docs.pingidentity.com/pingoneaic/tenants/esvs.html)                                                          | ESVs let you store sensitive configuration values, such as API credentials, outside of journey configuration. This solution uses ESVs to store the PingOne Worker App's client ID, client secret, and environment ID, which the PingOne Worker Service reads at runtime.                                                                                                                                                |
| [Backchannel Initialize node](https://docs.pingidentity.com/auth-node-ref/latest/backchannel-initialize.html)               | The Backchannel Initialize node starts an asynchronous journey for a different subject. It takes the end user's ID from shared state, generates a magic link URL to the target journey, and writes the backchannel transaction ID to shared state so the Backchannel Status node can track the outcome.                                                                                                                 |
| [Backchannel Status node](https://docs.pingidentity.com/auth-node-ref/latest/backchannel-status.html)                       | The Backchannel Status node checks the current status of an active backchannel transaction. Together with the Polling Wait node, it repeatedly polls the transaction until the end user completes (or fails) the target journey.                                                                                                                                                                                        |
| [PingOne Verify Evaluation node](https://docs.pingidentity.com/auth-node-ref/latest/pingone/pingone-verify-evaluation.html) | The PingOne Verify Evaluation node starts or resumes a PingOne Verify evaluation transaction. In this solution, it is configured with a policy ID that defines the verification requirements (government ID, liveness detection, and facial comparison). On success, the journey proceeds to the account recovery step.                                                                                                 |
| [PingOne Identity Match node](https://docs.pingidentity.com/auth-node-ref/latest/pingone/pingone-identity-match.html)       | The PingOne Identity Match node checks whether the PingOne Advanced Identity Cloud user has a corresponding user account in PingOne. If no match is found, the journey creates one using the PingOne Create User node. This step is required before PingOne Verify can target the correct user for a verification transaction.                                                                                          |
| [PingOne Verify](https://docs.pingidentity.com/pingone/identity_verification_using_pingone_verify/p1_verify_start.html)     | The PingOne Verify service lets you enable secure user verification based on a government-issued document and a live face capture (a selfie). In this solution, PingOne Verify is triggered within the ID verification backchannel journey after the help desk agent initiates the request.                                                                                                                             |
