Use Cases

Setting up verified trust for help desk account recovery using PingOne

The Verified Trust for Workforce Help Desk Solution provides a robust approach for confirming a user’s identity before performing sensitive account actions, such as password resets. This solution lets authorized help desk agents initiate real-time verification requests using government IDs and liveness-checked selfies. This ensures that agents can perform account recovery services with high confidence that the end user is who they say they are.

To implement this solution in your environment, you’ll take our pre-built PingOne DaVinci flow and configure the PingOne Verify connector with your environment and policy information. You’ll also determine what next steps to take in the account reset journey.

Goals

After completing this use case, you’ll know how to do the following:

  • Execute a guided journey where an agent verifies a workforce employee’s identity in real time to securely authorize account recovery.

  • Configure PingOne Verify to validate government-issued IDs and liveness (selfies) as part of an identity verification policy.

  • Configure the DaVinci orchestration flow to manage the interaction between the help desk agent’s portal and the end user’s verification experience.

What you’ll do

In this use case, you’ll learn how to implement the Verified Trust for Workforce Help Desk Solution by doing the following in DaVinci:

  • Import the pre-built flow.

  • Configure the PingOne Verify connector.

  • Specify a PingOne Verify policy to use.

  • Specify a PingOne group authorized to perform an account reset.

  • Review key optional configurations.

The following diagram provides a high-level overview of the implementation workflow. You can refer back to this map as you work through the steps.

A diagram showing the workflow for the Verified Trust for Workforce Help Desk solution. The map starts with a review of prerequisites, then moves to importing the pre-built DaVinci flow and configuring the PingOne Verify connector. An optional path extends the solution to include additional functionality for external IdPs and recording verification failures. The map ends with validation steps, troubleshooting tips, and next steps for further customization.

Before you begin

Ensure you have the following:

If you want to extend the solution’s functionality for external identity providers (IdPs) and optional services, as described in Task 4, you’ll need the following additional prerequisites:

  • A configured external IdP in PingOne

  • A ServiceNow license and administrator access to your account

  • A Jira license and the ability to generate a bearer authorization token

Learn more about the concepts and components used in this solution in the Concepts section.

Tasks

Task 1: Importing the DaVinci flow

Learn how to import the pre-built DaVinci flow into your test environment.

The DaVinci flow authenticates a help desk agent and confirms their authorization to reset accounts. The agent then specifies an end user and sends them a verification request. The end user verifies their identity and performs a liveness check, which the agent monitors from a real-time dashboard.

Steps

  1. Download the Verified Trust for Workforce Help Desk Solution from the Ping Identity Marketplace.

  2. In your DaVinci test environment, on the Flows tab, click Add Flow and select Import Flow.

  3. Upload the verified-trust-for-workforce-helpdesk-solution.json flow and confirm that the Import Flow modal displays the following:

    • In the Main Workflow field: Help Desk Agent Login and End User Verification

    • In the Subflows field: Help Desk Verify Evaluation

      A screenshot of the Import Flow modal with a main workflow of Help Desk Agent Login and End User Verification and a subflow of Help Desk Verify Evaluation.

  4. Click Import.

Result

The DaVinci canvas now displays the Help Desk Agent Login and End User Verification flow. This is the parent flow for the solution and contains a call to the Help Desk Verify Evaluation subflow. You can find both flows listed on the Flows page.

Task 2: Configuring PingOne Verify components to verify end users

Learn how to specify which PingOne Verify policy to use and how to configure the PingOne Verify connector to communicate with your PingOne test environment.

Steps

  1. In the PingOne admin console, go to your test environment, and then go to Applications > Applications.

  2. Click the PingOne DaVinci Connection application to open the details panel. The Overview tab contains values for Environment ID, Client ID, and Client Secret.

    You’ll use these to configure the PingOne Verify connector, so keep this panel open.

    A screenshot of the PingOne DaVinci Connection application details panel highlighting the Environment ID, Client ID, and Client Secret.

    PingOne automatically creates the PingOne DaVinci Connection application when you deploy the DaVinci service. The application enables PingOne and DaVinci to communicate with each other.

  3. To open DaVinci, click DaVinci.

  4. On the Connectors tab, click PingOne Verify in the list of connectors to open the PingOne Verify Details modal.

    A screenshot of the PingOne Verify Details modal with the PingOne Environment tab selected.

  5. Go back to your PingOne test environment. In the PingOne DaVinci Connection details panel, click the Copy icon to copy the Environment ID value.

  6. Paste the value of Environment ID into the Environment ID field of the PingOne Verify Details modal in DaVinci.

  7. Repeat the previous two steps for Client ID and Client Secret.

  8. In the PingOne Verify Details modal, click Apply.

    You’ve now successfully configured the PingOne Verify connector.

  9. In the PingOne admin console, go to your test environment, and then go to Identity Verification > Verify Policies.

  10. Click Default Verify Policy to open the policy details panel.

  11. Copy the ID value at the top of the panel. This is the PingOne Verify policy ID.

    A screenshot of the Default Verify Policy details panel with the ID field highlighted.

    The default policy is sufficient for testing purposes, but might not be appropriate for production environments.

    You should configure a custom PingOne Verify policy appropriate for use in your organization’s production environments before deploying this solution outside of a test environment. Learn more in Identity verification using PingOne Verify.

  12. In DaVinci, click the Variables tab.

  13. Locate the cv-VerifyPolicyId variable and click Edit to open the Update Variable modal.

    A screenshot of the Update Variable modal for the cv-VerifyPolicyId variable with the Value field highlighted.

  14. Paste the value of ID (from the Default Verify Policy) into the Value field and click Update.

    You’ve now configured the PingOne Verify policy that the flow will use to verify end users.

Task 3: Configuring the admin group for account recovery

Learn how to authorize help desk agents to perform account resets by specifying an admin group in the Help Desk Agent Login and End User Verification flow.

Steps

  1. In the PingOne admin console, create a group in your test environment and add a user that is allowed to perform account resets. Learn more in Create a group.

  2. Copy the group name. You’ll use this name to configure a Functions connector named Group Check.

  3. To open DaVinci, click DaVinci.

  4. On the Flows tab, select Help Desk Agent Login and End User Verification.

  5. In the DaVinci flow canvas, go to the Verification Experience section and click the Functions connector named Group Check.

    A screenshot of the DaVinci canvas with the Group Check connector highlighted in the Verification Experience section.

  6. On the General tab of the Functions configuration panel, enter the PingOne group name in the Value field for Input Variable 1. Click Apply.

    A screenshot of the Functions configuration panel with the Value field for Input Variable 1 highlighted.

  7. At the top of the DaVinci canvas, click Deploy to deploy the configured flow in your test environment.

Result

You’ve now configured the PingOne group authorized to perform account recovery.

You’ve now completed the standard configuration for the Verified Trust for Workforce Help Desk Solution. The following task extends the solution’s functionality for external IdPs and additional services. If you’re not extending the solution, skip to the Validation section.

(Optional) Task 4: Enabling optional nodes for expanded functionality

The provided DaVinci flow and subflow contain optional nodes that you can enable and configure. However, you can still take full advantage of the Verified Trust for Workforce Help Desk Solution without performing these steps.

Adding an external IdP

You can add an external IdP to authenticate the end user whose account is being verified for recovery. The help desk agent will continue to authenticate using PingOne.

Steps

  1. In the PingOne admin console, go to your test environment, and then go to Integrations > External IdPs. Copy the ID number listed below the name of your external IdP.

  2. In DaVinci, open the Help Desk Agent Login and End User Verification flow and navigate to the Verification Experience section of the canvas.

  3. Right-click the PingOne connector named Find User and select Disable. The node should become grayed out.

    A screenshot of the DaVinci canvas with the context-sensitive menu displayed for the Find User connector. The Disable option is highlighted.

  4. Right-click the grayed-out PingOne Authentication connector named Sign On with External Identity Provider and select Enable.

    A screenshot of the DaVinci canvas with the context-sensitive menu displayed for the Sign On with External Identity Provider connector. The Enable option is highlighted.

  5. Click the Sign On with External Identity Provider connector.

  6. In the PingOne External Identity Provider list, select your external IdP. Alternatively, you can enter the ID number of the external IdP in the PingOne External Identity Provider ID field. Click Apply.

    A screenshot of the configuration panel for the Sign On with External Identity Provider connector. The PingOne External Identity Provider list is open, with an example external IdP highlighted.

  7. Click the Flow connector named Start Verify for Help Desk.

  8. On the General tab, do the following:

    1. Configure the p1UserId field:

      1. Clear the existing value.

      2. Click {}, and then click to enable the Show all nodes toggle.

        A screenshot of the configuration panel for the Start Verify for Help Desk connector. The Show all nodes toggle is highlighted and enabled.

      3. In the Choose Connector list, select the PingOne Authentication node named Sign On With External IDP.

        A screenshot of the options for the Choose Connector list for the p1UserId field. The PingOne Authentication - Sign On With External IDP node is highlighted.

        A list of available objects and variables displays below the p1UserId field.

        A screenshot of the available objects and variables that can be used to populate the p1UserId field.

      4. In the list, go to output > user and select id.

        A screenshot of the available objects and variables that can be used to populate the p1UserId field. The id variable is highlighted.

        This populates an id attribute in the p1UserId field. Click above the field to close the list.

        Verify that you selected the id attribute for user and not for identityProvider.

    2. Update all of the remaining user fields, from userName to userReferencePhoto, with the corresponding user attribute names from your external IdP. This step maps your user attributes to the PingOne schema, enabling the solution to correctly verify your users.

    3. Clear any user fields that don’t apply for your users.

    4. Click Apply.

  9. At the top of the DaVinci canvas, click Deploy to redeploy the updated flow in your test environment.

Result

You’ve now enabled and configured the DaVinci flow for end-user authentication with an external IdP.

Recording end-user verification failures

You can create a Jira ticket or a ServiceNow incident to record any end-user verification failures for further action.

You can choose to enable and configure one or both of these services.

Steps to enable Jira

  1. On the DaVinci Connectors tab, from the list of connectors, select Jira Service Desk.

  2. In the Jira Service Desk Details modal, configure the required fields according to the Jira connector documentation and click Apply.

    A screenshot of the Jira Service Desk Details modal.

  3. On the Flows tab, select the Help Desk Verify Evaluation flow and go to the Verification Failure section of the canvas.

  4. Right-click the grayed-out Create Jira Ticket connector and select Enable.

    A screenshot of the DaVinci canvas with the context-sensitive menu displayed for the Create Jira Ticket connector. The Enable option is highlighted.

  5. To configure the Jira Service Desk connector, click Create Jira Ticket.

  6. If you haven’t already done so, in the Jira Service Desk modal, enter the required JSON code in the Raw JSON for creating new JIRA service desk request field.

    A screenshot of the configuration panel for the Jira Service Desk connector with the Raw JSON for creating new JIRA service desk request field highlighted.

  7. Enter any other desired configuration values and click Apply.

  8. At the top of the DaVinci canvas, click Deploy to redeploy the updated flow in your test environment.

Result

You’ve now enabled and configured the DaVinci flow to create Jira tickets to record any end-user verification failures.

Steps to enable ServiceNow

  1. On the DaVinci Connectors tab, from the list of connectors, select ServiceNow.

  2. In the ServiceNow Details modal, configure the required fields according to the ServiceNow Connector documentation and click Apply.

    A screenshot of the ServiceNow Details modal.

  3. On the Flows tab, select the Help Desk Verify Evaluation flow and go to the Verification Failure section of the canvas.

  4. Right-click the grayed-out Service Now Incident connector and select Enable.

    A screenshot of the DaVinci canvas with the context-sensitive menu displayed for the ServiceNow Incident connector. The Enable option is highlighted.

  5. To configure the ServiceNow connector, click Service Now Incident.

  6. In the ServiceNow modal, enter the desired configuration values and click Apply.

    A screenshot of the configuration panel for the ServiceNow connector.

  7. At the top of the DaVinci canvas, click Deploy to redeploy the updated flow in your test environment.

Result

You’ve now enabled and configured the DaVinci flow to create ServiceNow incidents to record any end-user verification failures.

Validation

Now that you’ve imported the DaVinci flows, configured your PingOne Verify connection, and specified an authorized group for account recovery, you’re ready to test the solution.

Before you begin

Ensure you have the following:

  • Access to the username and password for a help desk agent who’s a member of the PingOne group authorized for account recovery.

  • The email or username of an end user in your PingOne test environment. At minimum, their account should be connected to an email address that you can access to perform verification.

  • A mobile device that can access the test end user’s email and that has a working camera.

  • A valid ID that you can use for testing purposes. Learn more in PingOne Verify types of verification.

Steps

  1. Sign on as the help desk agent:

    1. In the PingOne admin console, go to your test environment, and then go to Applications > Applications.

    2. Click the PingOne DaVinci Connection application to open the details panel.

    3. On the Overview tab, click the Copy icon to copy the Signon URL value.

    4. Open a web browser and enter the value of Signon URL. The Help Desk Verification page displays.

      A screenshot of the Help Desk Verification page with a Continue button.

    5. Click Click Here to Continue.

    6. Enter the username of your help desk agent and click Submit.

    7. Enter the help desk agent’s password and click Submit.

  2. Initiate the end-user verification:

    1. On the Help Desk page, enter the end user’s email address or username and click Continue.

      A screenshot of the Help Desk page with an email address field and a Continue button.

    2. Click Email as the verification method. This sends an email to the end user you specified in the previous step.

      A screenshot of the End User Verification page with the Email verification method highlighted.

    3. Click Skip on the Confirm Verify Transaction Code page to proceed to the Call Center Verification page, which displays a status chip of Requested. You are now ready to monitor the end-user verification from the help desk agent’s perspective.

      A screenshot of the Confirm Verify Transaction Code page with the Skip option highlighted.

      A screenshot of the Call Center Verification page with a status chip showing Requested.

      In the end-user experience, on the Verification Requested page, there is a verification code that the help desk agent can enter to confirm that the agent and end user are participating in the same PingOne Verify transaction. In most cases, it’s unnecessary to use this code, because the agent typically initiates the PingOne Verify transaction and sends it to the end user during a live phone conversation.

  3. Verify the end-user ID:

    1. Access the test end user’s email account from your mobile device. Look for an email from PingOne with the subject line "Finish your ID verification."

    2. Tap the verification link in the email to load the Verification Requested page on your mobile device, and then tap Begin Verification.

      A screenshot of the Verification Requested page on a mobile device with a Begin Verification button.

    3. The Scan Your ID page displays. Tap Continue.

      A screenshot of the Scan Your ID page on a mobile device with a Continue button.

    4. When prompted, allow apps.pingone.com and your mobile browser to use your camera.

    5. Scan the front of your ID and follow the on-screen prompts until you see a checkmark.

    6. When prompted, flip your ID over and scan the back of it.

    7. The mobile device displays a results page with pictures of the front and back of your ID. Tap Yes, Continue.

      The help desk agent’s Call Center Verification page now updates with the status of the ID check. If the verification was successful, you should see a Success status chip next to Government ID in the Verification Requirements section.

      A screenshot of the Call Center Verification page with a Success status chip next to Government ID in the Verification Requirements section.

  4. Verify user liveness and compare with the ID:

    1. On the mobile device, you should see the Take a Selfie page. Tap Continue.

      A screenshot of the Take a Selfie page on a mobile device with a Continue button.

    2. Follow the prompts on your mobile device. After the picture is taken, tap Continue.

      The mobile device now displays a Complete page. The end user’s portion is completed successfully.

      A screenshot of the Complete page on a mobile device.

  5. Complete the verification:

    The help desk agent’s Call Center Verification page now displays the status of the verification. If the verification passes, the page displays a Success status chip for the overall status, as well as Success chips for User Liveness and Facial and Document Comparison.

    A screenshot of the Call Center Verification page with a Success status chip for the overall status, as well as Success chips for User Liveness and Facial and Document Comparison in the Verification Requirements section.

    At this point, the help desk agent is ready to reset the end user’s account. If you click Continue to accept the verification, the DaVinci flow proceeds to a success response and displays the SAML Response page.

    You need to configure the flow to determine the next logical steps to take, including where to redirect the help desk agent’s browser, depending on the outcome of the end-user verification.

    When customizing the solution, you must preserve the required inputs and outputs. Learn more in the Reference section.

Troubleshooting

This section provides troubleshooting tips for common issues related to the Verified Trust for Workforce Help Desk Solution.

The Try Flow button doesn’t work

This solution is built to be launched from PingOne. You’ll need to go to the sign-on URL of the PingOne DaVinci Connection application, as described in the Validation steps.

The help desk agent can’t sign on

When you enter the help desk agent’s credentials on the Help Desk Verification page, you receive an error message. Confirm the following:

The help desk agent isn’t authorized

After you sign on as the help desk agent, the flow displays the Unauthorized page with the message You are not authorized for this action.

This happens because the help desk agent you specified isn’t a member of the appropriate administrator group. You either need to add this agent to the group or specify a different agent who is already a group member. Refer back to the steps in Configuring the admin group for account recovery for more information.

The end user can’t access the verification link

If the end user doesn’t have access to the email addresses or phone numbers configured in their PingOne user account, you can select No Methods Available on the help desk agent’s End User Verification page. The Provide Details page then displays, and you can enter an alternate phone number or email address to send the link to.

A screenshot of the End User Verification page with the No Methods Available option highlighted.

The verification timed out

If the help desk agent’s Call Center Verification page displays a message that the verification has timed out, that means the end user didn’t perform the verification steps quickly enough. You can click Retry to start a new verification transaction and send a new link to the end user. Clicking Cancel ends the verification process.

I want to manually approve a failed verification

If the end user verification wasn’t successful, the help desk agent’s Call Center Verification page displays a Fail status chip. To complete the transaction and record the verification as a failure, click Continue with Failed Transaction.

Alternatively, you can proceed as if the verification didn’t fail. To manually approve the verification, click Bypass Failed Transaction, and then click Continue when asked to confirm.

As configured, the solution doesn’t reset end-user accounts, whether verifications succeed, fail, or are manually bypassed.

What’s next

In the Help Desk Agent Login and End User Verification flow, locate the Sign On Success and Sign On Fail nodes at the bottom of the canvas. These Teleport connectors lead to the only two outcomes for this solution, returning either a success or error response to the PingOne DaVinci Connection application. As configured, the flow displays these responses on a SAML Response page.

As you integrate and promote this solution into higher environments, you should configure your PingOne application to handle these responses according to your desired workflow.

Explore further

Concepts

Learn more about the concepts used in the Verified Trust for Workforce Help Desk Solution in the following table:

Concept Description

DaVinci applications

An application acts as a gateway between your site and the flows you’ve created in DaVinci.

The application contains settings to determine how external sites can send requests for flows, what flows can be requested, and how users and resources from other sites are managed. External sites can only run flows that are made available through an application.

DaVinci connectors

Connectors form the building blocks for flows. They connect DaVinci with third parties, HTML pages, and other tools.

Each connector enables one or more capabilities that you can use as nodes in a flow. When you add a connector, you gain the ability to use its capabilities in your flows.

DaVinci flows

A flow is a user journey, such as authentication or verification, built from a set of capabilities and logical operators.

Every flow consists of one or more nodes joined together by logical operators. Each node performs a specific task, using one of the capabilities of your connectors. After the task is complete, the logical operators determine which task or tasks are performed next.

DaVinci flows in applications

Integrating a flow into an application lets your users launch the flow from that application.

Choose an integration method based on the type of flow and the desired user experience.

PingOne applications

Add applications to your PingOne environment to manage access to those applications. PingOne supports multiple application types, including SAML, OpenID Connect (OIDC), native, and single-page applications (SPAs).

PingOne environments

In PingOne, tenants are called environments. Environments define separate working domains within an organization and contain assets such as your PingOne services and Ping Identity products, application connections, and user identities.

PingOne external IdPs

Using an external IdP allows linked users to authenticate using the credentials provided by the external IdP.

PingOne groups

Using groups to organize a collection of user identities makes it easier to manage access to applications.

You can create groups within an environment or within a population.

PingOne SSO

Using PingOne SSO, users can sign on to all their applications and services with a single set of credentials.

PingOne SSO uses identity standards like SAML, OAuth, and OIDC, which allow for encrypted tokens to be transmitted securely between the server and the apps.

PingOne Verify

The PingOne Verify service lets you enable secure user verification based on a government-issued document and live face capture (a selfie).

Reference material

If you customize the Help Desk Verify Evaluation subflow, you must preserve the following flow input and output variables so that the flow continues to operate correctly.

Inputs

Each entry lists the variable name and data type, followed by an example value and a description.

verifyPolicyId (String)
  Example value: a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6
  Description: The PingOne Verify policy ID that specifies your verification requirements.

allowedVerificationMethods (Array)
  Example value: ["QR", "SMS", "EMAIL"]
  Description: The delivery methods you allow for sending a verification transaction link to the end user.

isHelpDesk (Boolean)
  Example value: true
  Description: Set this value to true if this flow is being invoked by a help desk agent assisting a user.

isAdvancedBioRequired (Boolean)
  Example value: false
  Description: Set this value to true to enable advanced logic that compares the available end-user data in the directory against the verified ID data.

p1UserId (String)
  Example value: z9y8x7w6-v5u4-t3s2-r1q0-p9o8n7m6l5k4
  Description: The generic user ID from PingOne.

userEmail (String)
  Example value: john.doe@example.com
  Description: The end user’s email address (for delivery or matching).

userPhone (String)
  Example value: +15551234567
  Description: The end user’s phone number (for delivery or matching).

userFirstName (String)
  Example value: John
  Description: The end user’s first name.

userLastName (String)
  Example value: Doe
  Description: The end user’s last name.

userDOB (String)
  Example value: 1900-12-06
  Description: The end user’s date of birth.

cv-navBarHeader (String)
  Example value: Ping Identity ID Verification Portal
  Description: The text to display in the navigation bar of the help desk agent’s UI.

Outputs

Each entry lists the variable name and data type, followed by a description.

verifyEvaluationId (String)
  Description: The unique ID of the completed PingOne Verify transaction.

verifyEvaluationOutcome (String)
  Description: The final status of the verification.

selfie (String)
  Description: A base64-encoded string of the end user’s selfie with the background replaced.

errorMessage (String)
  Description: If the flow fails, this variable contains a description of the error.

flowInteractionId (String)
  Description: The unique identifier for this specific flow execution instance.
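As an added example (not Ping Identity’s code or the DaVinci flow itself), the following JavaScript models the subflow input contract listed above and the outcome handling the help desk agent sees on the Call Center Verification page in the Validation and Troubleshooting sections. Variable names, example values, status chips and agent choices come from this page; the validation rules, which inputs are treated as required, and the "Timeout" status string are assumptions.

```javascript
// Added example (not Ping Identity's code or the DaVinci flow itself): models the Help Desk Verify
// Evaluation subflow input contract and the outcome the agent sees on the Call Center Verification
// page. Names and example values come from the page; validation rules, required flags and "Timeout" are assumptions.

const ALLOWED_METHODS = new Set(["QR", "SMS", "EMAIL"]);
// Shape check only (8-4-4-4-12 alphanumeric groups), so the page's placeholder IDs,
// which are not valid hex UUIDs, still pass.
const ID_SHAPE = /^[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}$/i;

// Input contract. "required" is assumed: policy, delivery methods, help desk flag and
// PingOne user ID are what a help desk transaction needs in order to start.
const INPUT_SPEC = {
  verifyPolicyId:             { type: "string",  required: true,  check: v => ID_SHAPE.test(v) },
  allowedVerificationMethods: { type: "array",   required: true,  check: v => v.length > 0 && v.every(m => ALLOWED_METHODS.has(m)) },
  isHelpDesk:                 { type: "boolean", required: true },
  isAdvancedBioRequired:      { type: "boolean", required: false },
  p1UserId:                   { type: "string",  required: true,  check: v => ID_SHAPE.test(v) },
  userEmail:                  { type: "string",  required: false, check: v => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v) },
  userPhone:                  { type: "string",  required: false, check: v => /^\+[1-9]\d{6,14}$/.test(v) },
  userFirstName:              { type: "string",  required: false },
  userLastName:               { type: "string",  required: false },
  userDOB:                    { type: "string",  required: false, check: v => /^\d{4}-\d{2}-\d{2}$/.test(v) && !Number.isNaN(Date.parse(v)) },
  "cv-navBarHeader":          { type: "string",  required: false },
};

const kindOf = v => (Array.isArray(v) ? "array" : typeof v);

// Returns a list of problems; an empty list means the inputs honour the contract.
function validateSubflowInputs(inputs) {
  const problems = [];
  for (const [name, spec] of Object.entries(INPUT_SPEC)) {
    const value = inputs[name];
    if (value === undefined || value === null || value === "") {
      if (spec.required) problems.push(`${name}: required input is missing`);
    } else if (kindOf(value) !== spec.type) {
      problems.push(`${name}: expected ${spec.type}, got ${kindOf(value)}`);
    } else if (spec.check && !spec.check(value)) {
      problems.push(`${name}: value fails format check`);
    }
  }
  for (const name of Object.keys(inputs)) {
    if (!(name in INPUT_SPEC)) problems.push(`${name}: not part of the documented input contract`);
  }
  return problems;
}

// The three requirement chips the agent watches on the Call Center Verification page.
const REQUIREMENTS = ["Government ID", "User Liveness", "Facial and Document Comparison"];

// Overall status for the verifyEvaluationOutcome output: Success only when every
// requirement succeeded; a Fail outranks a timeout; otherwise the check is still Requested.
function overallOutcome(chips) {
  const statuses = REQUIREMENTS.map(r => chips[r] ?? "Requested");
  if (statuses.every(s => s === "Success")) return "Success";
  if (statuses.some(s => s === "Fail")) return "Fail";
  if (statuses.some(s => s === "Timeout")) return "Timeout";
  return "Requested";
}

// Agent choices on the Call Center Verification page and where each sends the flow. A bypass
// still ends in the success response, but the failed transaction stays recorded and is tagged with the agent's ID.
const AGENT_CHOICES = {
  "Success/Continue":                      { response: "success", recordFailure: false, bypassed: false },
  "Fail/Continue with Failed Transaction": { response: "error",   recordFailure: true,  bypassed: false },
  "Fail/Bypass Failed Transaction":        { response: "success", recordFailure: true,  bypassed: true },
  "Timeout/Retry":                         { response: "retry",   recordFailure: false, bypassed: false },
  "Timeout/Cancel":                        { response: "error",   recordFailure: false, bypassed: false },
};

function resolveAgentChoice(outcome, choice, agentId) {
  const result = AGENT_CHOICES[`${outcome}/${choice}`];
  if (!result) throw new Error(`"${choice}" is not a valid choice when the outcome is "${outcome}"`);
  return result.bypassed ? { ...result, bypassedBy: agentId } : { ...result };
}

// Constructed sample built from the Reference table's example values.
const SAMPLE_INPUTS = {
  verifyPolicyId: "a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6", allowedVerificationMethods: ["QR", "SMS", "EMAIL"],
  isHelpDesk: true, isAdvancedBioRequired: false, p1UserId: "z9y8x7w6-v5u4-t3s2-r1q0-p9o8n7m6l5k4",
  userEmail: "john.doe@example.com", userPhone: "+15551234567", userFirstName: "John", userLastName: "Doe",
  userDOB: "1900-12-06", "cv-navBarHeader": "Ping Identity ID Verification Portal",
};

console.log(validateSubflowInputs(SAMPLE_INPUTS)); // []
```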