--- title: Setting up verified trust for help desk account recovery using PingOne description: Learn how to implement the verified trust for workforce help desk solution using PingOne to secure your help desk operations and prevent account takeover. component: solution-guides page_id: solution-guides:verified-trust:verified-trust-helpdesk-pingone canonical_url: https://docs.pingidentity.com/solution-guides/verified-trust/verified-trust-helpdesk-pingone.html keywords: ["verified trust", "identity verification", "help desk", "password reset", "end user", "PingOne", "DaVinci", "Verify"] section_ids: goals: Goals what-youll-do: What you'll do before-you-begin: Before you begin tasks: Tasks task_1_import_flows: "Task 1: Importing the DaVinci flow" steps: Steps result: Result task_2_configure_p1verify: "Task 2: Configuring PingOne Verify components to verify end users" steps-2: Steps task_3_configure_admin_group: "Task 3: Configuring the admin group for account recovery" steps-3: Steps result-2: Result task_4_optional_nodes: "(Optional) Task 4: Enabling optional nodes for expanded functionality" vt_helpdesk_ext_idp: Adding an external IdP steps-4: Steps result-3: Result vt_helpdesk_record_failures: Recording end-user verification failures steps-to-enable-jira: Steps to enable Jira result-4: Result steps-to-enable-servicenow: Steps to enable ServiceNow result-5: Result vt_helpdesk_p1_validation: Validation before-you-begin-2: Before you begin steps-5: Steps troubleshooting: Troubleshooting whats-next: What's next explore-further: Explore further helpdesk_solution_concepts: Concepts helpdesk_solution_reference: Reference material inputs: Inputs outputs: Outputs --- # Setting up verified trust for help desk account recovery using PingOne The Verified Trust for Workforce Help Desk Solution provides a robust approach for confirming a user's identity before performing sensitive account actions, such as password resets. This solution lets authorized help desk agents initiate real-time verification requests using government IDs and liveness-checked selfies. This ensures that agents can perform account recovery services with high confidence that the end user is who they say they are. To implement this solution in your environment, you'll take our pre-built PingOne DaVinci flow and configure the PingOne Verify connector with your environment and policy information. You'll also determine what next steps to take in the account reset journey. ## Goals After completing this use case, you'll know how to do the following: * Execute a guided journey where an agent verifies a workforce employee's identity in real time to securely authorize account recovery. * Configure PingOne Verify to validate government-issued IDs and liveness (selfies) as part of an identity verification policy. * Configure the DaVinci orchestration flow to manage the interaction between the help desk agent's portal and the end user's verification experience. ## What you'll do In this use case, you'll learn how to implement the Verified Trust for Workforce Help Desk Solution by doing the following in DaVinci: * Import the pre-built flow. * Configure the PingOne Verify connector. * Specify a PingOne Verify policy to use. * Specify a PingOne group authorized to perform an account reset. * Review key optional configurations. The following diagram provides a high-level overview of the implementation workflow. You can refer back to this map as you work through the steps. ![A diagram showing the workflow for the Verified Trust for Workforce Help Desk solution. The map starts with a review of prerequisites, then moves to importing the pre-built DaVinci flow and configuring the solution. An optional path extends the solution to include functionality for external IdPs and recording verification failures. The map ends with validation steps, troubleshooting tips, and next steps for further customization.](_images/docs-metro-map-vt-helpdesk-p1.png) ## Before you begin Ensure you have the following: * A basic understanding of [PingOne Verify](https://docs.pingidentity.com/pingone/identity_verification_using_pingone_verify/p1_verify_start.html) * Proficiency in: * [PingOne SSO](https://docs.pingidentity.com/pingone/getting_started_with_pingone/p1_p1sso_start.html) * [PingOne applications](https://docs.pingidentity.com/pingone/applications/p1_application_types.html) * [Using DaVinci flows in applications](https://docs.pingidentity.com/davinci/integrating_flows_into_applications/davinci_how_to_implement_a_flow.html) * A PingOne test environment with the following [services](https://docs.pingidentity.com/pingone/settings/p1_add_a_service.html): * PingOne SSO * Already configured for authentication with DaVinci * Populated with test user data * DaVinci * PingOne Verify * Access to your PingOne test environment with the Environment Admin [role assigned](https://docs.pingidentity.com/pingone/getting_started_with_pingone/p1_manage_admin_roles.html) If you want to extend the solution's functionality for external identity providers (IdPs) and optional services, as described in [Task 4](#task_4_optional_nodes), you'll need the following additional prerequisites: * A configured [external IdP](https://docs.pingidentity.com/pingone/integrations/p1_external_idps.html) in PingOne * A ServiceNow license and administrator access to your account * A Jira license and the ability to generate a bearer authorization token Learn more about the concepts and components used in this solution in the [Concepts](#helpdesk_solution_concepts) section. ## Tasks * [Task 1: Importing the DaVinci flow](#task_1_import_flows) * [Task 2: Configuring PingOne Verify components to verify end users](#task_2_configure_p1verify) * [Task 3: Configuring the admin group for account recovery](#task_3_configure_admin_group) * [(Optional) Task 4: Enabling optional nodes for expanded functionality](#task_4_optional_nodes) ### Task 1: Importing the DaVinci flow Learn how to import the pre-built DaVinci flow into your test environment. The DaVinci flow authenticates a help desk agent and confirms their authorization to reset accounts. The agent then specifies an end user and sends them a verification request. The end user verifies their identity and performs a liveness check, which the agent monitors from a real-time dashboard. #### Steps 1. Download the [Verified Trust for Workforce Help Desk Solution](https://marketplace.pingone.com/item/verified-trust-for-workforce-helpdesk-solution) from the Ping Identity Marketplace. 2. In your DaVinci test environment, on the **Flows** tab, click **Add Flow** and select **Import Flow**. 3. Upload the `verified-trust-for-workforce-helpdesk-solution.json` flow and confirm that the **Import Flow** modal displays the following: * In the **Main Workflow** field: `Help Desk Agent Login and End User Verification` * In the **Subflows** field: `Help Desk Verify Evaluation` ![A screenshot of the Import Flow modal with a main workflow of Help Desk Agent Login and End User Verification and a subflow of Help Desk Verify Evaluation.](_images/import-verified-trust-flows.png) 4. Click **Import**. #### Result The DaVinci canvas now displays the Help Desk Agent Login and End User Verification flow. This is the parent flow for the solution and contains a call to the Help Desk Verify Evaluation subflow. You can find both flows listed on the **Flows** page. ### Task 2: Configuring PingOne Verify components to verify end users Learn how to specify which PingOne Verify policy to use and how to configure the PingOne Verify connector to communicate with your PingOne test environment. #### Steps 1. In the PingOne admin console, go to your test environment, and then go to **Applications > Applications**. 2. Click the **PingOne DaVinci Connection** application to open the details panel. The **Overview** tab contains values for **Environment ID**, **Client ID**, and **Client Secret**. You'll use these to configure the PingOne Verify connector, so keep this panel open. ![A screenshot of the PingOne DaVinci Connection application details panel highlighting the Environment ID, Client ID, and Client Secret.](_images/davinci-app-info.png) | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | PingOne automatically creates the **PingOne DaVinci Connection** application when you deploy the DaVinci service. The application enables PingOne and DaVinci to communicate with each other. | 3. To open DaVinci, click **DaVinci**. 4. On the **Connectors** tab, click **PingOne Verify** in the list of connectors to open the **PingOne Verify Details** modal. ![A screenshot of the PingOne Verify Details modal with the PingOne Environment tab selected.](_images/pingone-verify-details-modal.png) 5. Go back to your PingOne test environment. In the **PingOne DaVinci Connection** details panel, click the **Copy** icon to copy the **Environment ID** value. 6. Paste the value of **Environment ID** into the **Environment ID** field of the **PingOne Verify Details** modal in DaVinci. 7. Repeat the previous two steps for **Client ID** and **Client Secret**. 8. In the **PingOne Verify Details** modal, click **Apply**. You've now successfully configured the PingOne Verify connector. 9. In the PingOne admin console, go to your test environment, and then go to **Identity Verification > Verify Policies**. 10. Click **Default Verify Policy** to open the policy details panel. 11. Copy the **ID** value at the top of the panel. This is the PingOne Verify policy ID. ![A screenshot of the Default Verify Policy details panel with the ID field highlighted.](_images/pingone-verify-default-policy.png) | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The default policy is sufficient for testing purposes, but might not be appropriate for production environments.You should configure a custom PingOne Verify policy appropriate for use in your organization's production environments before deploying this solution outside of a test environment. Learn more in [Identity verification using PingOne Verify](https://docs.pingidentity.com/pingone/identity_verification_using_pingone_verify/p1_verify_start.html). | 12. In DaVinci, click the **Variables** tab. 13. Locate the **cv-VerifyPolicyId** variable and click **Edit** to open the **Update Variable** modal. ![A screenshot of the Update Variable modal for the cv-VerifyPolicyId variable with the Value field highlighted.](_images/davinci-update-variable-modal.png) 14. Paste the value of **ID** (from the **Default Verify Policy**) into the **Value** field and click **Update**. You've now configured the PingOne Verify policy that the flow will use to verify end users. ### Task 3: Configuring the admin group for account recovery Learn how to authorize help desk agents to perform account resets by specifying an admin group in the Help Desk Agent Login and End User Verification flow. #### Steps 1. In the PingOne admin console, create a group in your test environment and add a user that is allowed to perform account resets. Learn more in [Create a group](https://docs.pingidentity.com/pingone/pingone_tutorials/p1_p1tutorial_create_a_group.html). 2. Copy the group name. You'll use this name to configure a Functions connector named **Group Check**. 3. To open DaVinci, click **DaVinci**. 4. On the **Flows** tab, select **Help Desk Agent Login and End User Verification**. 5. In the DaVinci flow canvas, go to the **Verification Experience** section and click the Functions connector named **Group Check**. ![A screenshot of the DaVinci canvas with the Group Check connector highlighted in the Verification Experience section.](_images/group-check-node-location.png) 6. On the **General** tab of the **Functions** configuration panel, enter the PingOne group name in the **Value** field for **Input Variable 1**. Click **Apply**. ![A screenshot of the Functions configuration panel with the Value field for Input Variable 1 highlighted.](_images/group-input-variable.png) 7. At the top of the DaVinci canvas, click **Deploy** to deploy the configured flow in your test environment. #### Result You've now configured the PingOne group authorized to perform account recovery. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You've now completed the standard configuration for the Verified Trust for Workforce Help Desk Solution. The following task extends the solution's functionality for external IdPs and additional services. If you're not extending the solution, skip to the [Validation](#vt_helpdesk_p1_validation) section. | ### (Optional) Task 4: Enabling optional nodes for expanded functionality The provided DaVinci flow and subflow contain optional nodes that you can enable and configure. However, you can still take full advantage of the Verified Trust for Workforce Help Desk Solution without performing these steps. * [Adding an external IdP](#vt_helpdesk_ext_idp) * [Recording end-user verification failures](#vt_helpdesk_record_failures) #### Adding an external IdP You can add an external IdP to authenticate the end user whose account is being verified for recovery. The help desk agent will continue to authenticate using PingOne. ##### Steps 1. In the PingOne admin console, go to your test environment, and then go to **Integrations > External IdPs**. Copy the ID number listed below the name of your external IdP. 2. In DaVinci, open the Help Desk Agent Login and End User Verification flow and navigate to the **Verification Experience** section of the canvas. 3. Right-click the PingOne connector named **Find User** and select **Disable**. The node should become grayed out. ![A screenshot of the DaVinci canvas with the context-sensitive menu displayed for the Find User connector. The Disable option is highlighted.](_images/disable-find-user.png) 4. Right-click the grayed-out PingOne Authentication connector named **Sign On with External Identity Provider** and select **Enable**. ![A screenshot of the DaVinci canvas with the context-sensitive menu displayed for the Sign On with External Identity Provider connector. The Enable option is highlighted.](_images/enable-ext-id-provider.png) 5. Click the **Sign On with External Identity Provider** connector. 6. In the **PingOne External Identity Provider** list, select your external IdP. Alternatively, you can enter the ID number of the external IdP in the **PingOne External Identity Provider ID** field. Click **Apply**. ![A screenshot of the configuration panel for the Sign On with External Identity Provider connector. The PingOne External Identity Provider list is open, with an example external IdP highlighted.](_images/select-ext-idp.png) 7. Click the Flow connector named **Start Verify for Help Desk**. 8. On the **General** tab, do the following: 1. Configure the **p1UserId** field: 1. Clear the existing value. 2. Click **{}**, and then click to enable the **Show all nodes** toggle. ![A screenshot of the configuration panel for the Start Verify for Help Desk connector. The Show all nodes toggle is highlighted and enabled.](_images/show-all-nodes-toggle.png) 3. In the **Choose Connector** list, select the **PingOne Authentication** node named **Sign On With External IDP**. ![A screenshot of the options for the Choose Connector list for the p1UserId field. The PingOne Authentication - Sign On With External IDP node is highlighted.](_images/select-pingone-authentication.png) A list of available objects and variables displays below the **p1UserId** field. ![A screenshot of the available objects and variables that can be used to populate the p1UserId field.](_images/available-pingone-objects.png) 4. In the list, go to **output > user** and select **id**. ![A screenshot of the available objects and variables that can be used to populate the p1UserId field. The id variable is highlighted.](_images/select-external-user-id.png) This populates an **id** attribute in the **p1UserId** field. Click above the field to close the list. | | | | - | -------------------------------------------------------------------------------------------- | | | Verify that you selected the **id** attribute for **user** and not for **identityProvider**. | 2. Update all of the remaining user fields, from **userName** to **userReferencePhoto**, with the corresponding user attribute names from your external IdP. This step maps your user attributes to the PingOne schema, enabling the solution to correctly verify your users. 3. Clear any user fields that don't apply for your users. 4. Click **Apply**. 9. At the top of the DaVinci canvas, click **Deploy** to redeploy the updated flow in your test environment. ##### Result You've now enabled and configured the DaVinci flow for end-user authentication with an external IdP. #### Recording end-user verification failures You can create a Jira ticket or a ServiceNow incident to record any end-user verification failures for further action. | | | | - | --------------------------------------------------------------------- | | | You can choose to enable and configure one or both of these services. | * [Jira](#steps-to-enable-jira) * [ServiceNow](#steps-to-enable-servicenow) ##### Steps to enable Jira 1. On the DaVinci **Connectors** tab, from the list of connectors, select **Jira Service Desk**. 2. In the **Jira Service Desk Details** modal, configure the required fields according to the [Jira connector](https://docs.pingidentity.com/connectors/jira_connector.html) documentation and click **Apply**. ![A screenshot of the Jira Service Desk Details modal.](_images/jira-connector-details.png) 3. On the **Flows** tab, select the **Help Desk Verify Evaluation** flow and go to the **Verification Failure** section of the canvas. 4. Right-click the grayed-out **Create Jira Ticket** connector and select **Enable**. ![A screenshot of the DaVinci canvas with the context-sensitive menu displayed for the Create Jira Ticket connector. The Enable option is highlighted.](_images/enable-optional-services.png) 5. To configure the Jira Service Desk connector, click **Create Jira Ticket**. 6. If you haven't already done so, in the **Jira Service Desk** modal, enter the required JSON code in the **Raw JSON for creating new JIRA service desk request** field. ![A screenshot of the configuration panel for the Jira Service Desk connector with the Raw JSON for creating new JIRA service desk request field highlighted.](_images/jira-connector-config.png) 7. Enter any other desired configuration values and click **Apply**. 8. At the top of the DaVinci canvas, click **Deploy** to redeploy the updated flow in your test environment. ##### Result You've now enabled and configured the DaVinci flow to create Jira tickets to record any end-user verification failures. ##### Steps to enable ServiceNow 1. On the DaVinci **Connectors** tab, from the list of connectors, select **ServiceNow**. 2. In the **ServiceNow Details** modal, configure the required fields according to the [ServiceNow Connector](https://docs.pingidentity.com/connectors/servicenow_connector.html) documentation and click **Apply**. ![A screenshot of the ServiceNow Details modal.](_images/servicenow-connector-details.png) 3. On the **Flows** tab, select the **Help Desk Verify Evaluation** flow and go to the **Verification Failure** section of the canvas. 4. Right-click the grayed-out **Service Now Incident** connector and select **Enable**. ![A screenshot of the DaVinci canvas with the context-sensitive menu displayed for the ServiceNow Incident connector. The Enable option is highlighted.](_images/enable-optional-services.png) 5. To configure the ServiceNow connector, click **Service Now Incident**. 6. In the **ServiceNow** modal, enter the desired configuration values and click **Apply**. ![A screenshot of the configuration panel for the ServiceNow connector.](_images/servicenow-connector-config.png) 7. At the top of the DaVinci canvas, click **Deploy** to redeploy the updated flow in your test environment. ##### Result You've now enabled and configured the DaVinci flow to create ServiceNow incidents to record any end-user verification failures. ## Validation Now that you've imported the DaVinci flows, configured your PingOne Verify connection, and specified an authorized group for account recovery, you're ready to test the solution. ### Before you begin Ensure you have the following: * Access to the username and password for a help desk agent who's a member of the PingOne group authorized for account recovery. * The email or username of an end user in your PingOne test environment. At minimum, their account should be connected to an email address that you can access to perform verification. * A mobile device that can access the test end user's email and that has a working camera. * A valid ID that you can use for testing purposes. Learn more in [PingOne Verify types of verification](https://docs.pingidentity.com/pingone/identity_verification_using_pingone_verify/p1_verify_types_of_verification.html). ### Steps 1. Sign on as the help desk agent: 1. In the PingOne admin console, go to your test environment, and then go to **Applications > Applications**. 2. Click the **PingOne DaVinci Connection** application to open the details panel. 3. On the **Overview** tab, click the **Copy** icon to copy the **Signon URL** value. 4. Open a web browser and enter the value of **Signon URL**. The **Help Desk Verification** page displays. ![A screenshot of the Help Desk Verification page with a Continue button.](_images/help-desk-splash.png) 5. Click **Click Here to Continue**. 6. Enter the username of your help desk agent and click **Submit**. 7. Enter the help desk agent's password and click **Submit**. 2. Initiate the end-user verification: 1. On the **Help Desk** page, enter the end user's email address or username and click **Continue**. ![A screenshot of the Help Desk page with an email address field and a Continue button.](_images/help-desk-username.png) 2. Click **Email** as the verification method. This sends an email to the end user you specified in the previous step. ![A screenshot of the End User Verification page with the Email verification method highlighted.](_images/helpdesk-email-verification-method.png) 3. Click **Skip** on the **Confirm Verify Transaction Code** page to proceed to the **Call Center Verification** page, which displays a status chip of **Requested**. You are now ready to monitor the end-user verification from the help desk agent's perspective. ![A screenshot of the Confirm Verify Transaction Code page with the Skip option highlighted.](_images/helpdesk-skip-code.png)![A screenshot of the Call Center Verification page with a status chip showing Requested.](_images/helpdesk-ready-to-verify.png) | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | In the end-user experience, on the **Verification Requested** screen, there is a verification code that the help desk agent can enter to confirm that the agent and end user are participating in the same PingOne Verify transaction. In most cases, it's unnecessary to use this code, because the agent typically initiates the PingOne Verify transaction and sends it to the end user during a live phone conversation. | 3. Verify the end-user ID: 1. Access the test end user's email account from your mobile device. Look for an email from PingOne with the subject line "Finish your ID verification." 2. Tap the verification link in the email to load the **Verification Requested** screen on your mobile device, and then tap **Begin Verification**. ![A screenshot of the Verification Requested screen on a mobile device with a Begin Verification button.](_images/mobile-verification-requested.png) 3. On the **Scan Your ID** screen, tap **Continue**. ![A screenshot of the Scan Your ID screen on a mobile device with a Continue button.](_images/mobile-scan-id.png) 4. When prompted, allow apps.pingone.com and your mobile browser to use your camera. 5. Scan the front of your ID and follow the on-screen prompts until you see a checkmark. 6. When prompted, flip your ID over and scan the back of it. 7. On the results screen that shows pictures of both sides of your ID, tap **Yes, Continue**. The help desk agent's **Call Center Verification** page now updates with the status of the ID check. If the verification was successful, you should see a **Success** status chip next to **Government ID** in the **Verification Requirements** section. ![A screenshot of the Call Center Verification page with a Success status chip next to Government ID in the Verification Requirements section.](_images/helpdesk-status-id-verified.png) 4. Verify user liveness and compare with the ID: 1. On the mobile device, on the **Take a Selfie** screen, tap **Continue**. ![A screenshot of the Take a Selfie screen on a mobile device with a Continue button.](_images/mobile-take-selfie.png) 2. Follow the prompts on your mobile device. After you take the selfie, tap **Continue**. The mobile device now displays a **Complete** screen. The end user's portion is completed successfully. ![A screenshot of the Complete screen on a mobile device.](_images/mobile-complete.png) 5. Complete the verification: The help desk agent's **Call Center Verification** page now displays the status of the verification. If the verification passes, the page displays a **Success** status chip for the overall status, as well as **Success** chips for **User Liveness** and **Facial and Document Comparison**. ![A screenshot of the Call Center Verification page with a Success status chip for the overall status, as well as Success chips for User Liveness and Facial and Document Comparison in the Verification Requirements section.](_images/helpdesk-status-success-complete.png) At this point, the help desk agent is ready to reset the end user's account. If you click **Continue** to accept the verification, the DaVinci flow proceeds to a success response and displays the **SAML Response** page. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You need to configure the flow to determine the next logical steps to take, including where to redirect the help desk agent's browser, depending on the outcome of the end-user verification.When customizing the solution, you must preserve the required inputs and outputs. Learn more in the [Reference](#helpdesk_solution_reference) section. | ## Troubleshooting This section provides troubleshooting tips for common issues related to the Verified Trust for Workforce Help Desk Solution. * The **Try Flow** button doesn't work This solution is built to be launched from PingOne. You'll need to go to the sign-on URL of the **PingOne DaVinci Connection** application, as described in the [Validation](#vt_helpdesk_p1_validation) steps. * The help desk agent can't sign on When you enter the help desk agent's credentials on the **Help Desk Verification** page, you receive an error message. Confirm the following: * Your PingOne SSO authentication flow is properly configured, as described in [PingOne SSO](https://docs.pingidentity.com/pingone/getting_started_with_pingone/p1_p1sso_start.html) and [Integrating flows into applications](https://docs.pingidentity.com/davinci/integrating_flows_into_applications/davinci_how_to_implement_a_flow.html). * Your PingOne connector is configured with the correct application information. For this solution, we used the **PingOne DaVinci Connection** application. Learn more in [Viewing application details](https://docs.pingidentity.com/pingone/applications/p1_viewapplications.html) and [Editing a connector](https://docs.pingidentity.com/davinci/connectors/davinci_editing_a_connection.html). * Your two solution flows are properly saved and deployed. Learn more in [Getting started with DaVinci](https://docs.pingidentity.com/davinci/flows/davinci_getting_started.html#testing-early-and-often). * The help desk agent isn't authorized After you sign on as the help desk agent, the flow displays the **Unauthorized** page with the message **You are not authorized for this action**. This happens because the help desk agent you specified isn't a member of the appropriate administrator group. You either need to add this agent to the group or specify a different agent who is already a group member. Refer back to the steps in [Configuring the admin group for account recovery](#task_3_configure_admin_group) for more information. * The end user can't access the verification link If the end user doesn't have access to the email addresses or phone numbers configured in their PingOne user account, you can select **No Methods Available** on the help desk agent's **End User Verification** page. The **Provide Details** page then displays, and you can enter an alternate phone number or email address to send the link to. ![A screenshot of the End User Verification page with the No Methods Available option highlighted.](_images/helpdesk-troubleshooting-no-methods.png) * The verification timed out If the help desk agent's **Call Center Verification** page displays a message that the verification has timed out, that means the end user didn't perform the verification steps quickly enough. You can click **Retry** to start a new verification transaction and send a new link to the end user. Clicking **Cancel** ends the verification process. * I want to manually approve a failed verification If the end user verification wasn't successful, the help desk agent's **Call Center Verification** page displays a **Fail** status chip. To complete the transaction and record the verification as a failure, click **Continue with Failed Transaction**. Alternatively, you can proceed as if the verification didn't fail. To manually approve the verification, click **Bypass Failed Transaction**, and then click **Continue** when asked to confirm. | | | | - | --------------------------------------------------------------------------------------------------------------------------- | | | As configured, the solution doesn't reset end user accounts, whether verifications succeed, fail, or are manually bypassed. | ## What's next In the **Help Desk Agent Login and End User Verification** flow, locate the **Sign On Success** and **Sign On Fail** nodes at the bottom of the canvas. These [Teleport connectors](https://docs.pingidentity.com/connectors/teleport_connector.html) lead to the only two outcomes for this solution, returning either a success or error response to the PingOne DaVinci Connection application. As configured, the flow displays these responses on a **SAML Response** page. As you integrate and promote this solution into higher environments, you should configure your PingOne application to handle these responses according to your desired workflow. ## Explore further ### Concepts Learn more about the concepts used in the Verified Trust for Workforce Help Desk Solution in the following table: | Concept | Description | | ----------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [DaVinci applications](https://docs.pingidentity.com/davinci/applications/davinci_applications.html) | An application acts as a gateway between your site and the flows you've created in DaVinci.The application contains settings to determine how external sites can send requests for flows, what flows can be requested, and how users and resources from other sites are managed. External sites can only run flows that are made available through an application. | | [DaVinci connectors](https://docs.pingidentity.com/davinci/connectors/davinci_connections.html) | Connectors form the building blocks for flows. They connect DaVinci with third parties, HTML pages, and other tools.Each connector enables one or more capabilities that you can use as nodes in a flow. When you add a connector, you gain the ability to use its capabilities in your flows. | | [DaVinci flows](https://docs.pingidentity.com/davinci/flows/davinci_flows.html) | A flow is a user journey, such as authentication or verification, built from a set of capabilities and logical operators.Every flow consists of one or more nodes joined together by logical operators. Each node performs a specific task, using one of the capabilities of your connectors. After the task is complete, the logical operators determine which task or tasks are performed next. | | [DaVinci flows in applications](https://docs.pingidentity.com/davinci/integrating_flows_into_applications/davinci_how_to_implement_a_flow.html) | Integrating a flow into an application lets your users launch the flow from that application.Choose an integration method based on the type of flow and the desired user experience. | | [PingOne applications](https://docs.pingidentity.com/pingone/applications/p1_application_types.html) | Add applications to your PingOne environment to manage access to those applications. PingOne supports multiple application types, including SAML, OpenID Connect (OIDC), native, and single-page applications (SPAs). | | [PingOne environments](https://docs.pingidentity.com/pingone/introduction_to_pingone/p1_introduction.html#p1-environments-intro) | In PingOne, tenants are called environments. Environments define separate working domains within an organization and contain assets such as your PingOne services and Ping Identity products, application connections, and user identities. | | [PingOne external IdPs](https://docs.pingidentity.com/pingone/integrations/p1_external_idps.html) | Using an external IdP allows linked users to authenticate using the credentials provided by the external IdP. | | [PingOne groups](https://docs.pingidentity.com/pingone/directory/p1_groups.html) | Using groups to organize a collection of user identities makes it easier to manage access to applications.You can create groups within an environment or within a population. | | [PingOne SSO](https://docs.pingidentity.com/pingone/getting_started_with_pingone/p1_p1sso_start.html) | Using PingOne SSO, users can sign on to all their applications and services with a single set of credentials.PingOne SSO uses identity standards like SAML, OAuth, and OIDC, which allow for encrypted tokens to be transmitted securely between the server and the apps. | | [PingOne Verify](https://docs.pingidentity.com/pingone/identity_verification_using_pingone_verify/p1_verify_start.html) | The PingOne Verify service lets you enable secure user verification based on a government-issued document and live face capture (a selfie). | ### Reference material If you customize the Help Desk Verify Evaluation subflow, you'll need to make sure to preserve the following flow input and output variables to ensure that the flow operates correctly. #### Inputs | Variable name | Data type | Example value | Description | | ---------------------------- | --------- | -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | | `verifyPolicyId` | String | `a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6` | The PingOne Verify policy ID that specifies your verification requirements. | | `allowedVerificationMethods` | Array | `["QR", "SMS", "EMAIL"]` | The delivery methods you allow for sending a verification transaction link to the end user. | | `isHelpDesk` | Boolean | `true` | Set this value to `true` if this flow is being invoked by a help desk agent assisting a user. | | `isAdvancedBioRequired` | Boolean | `false` | Set this value to `true` to enable advanced logic that compares the available end user data in the directory against the verified ID data. | | `p1UserId` | String | `z9y8x7w6-v5u4-t3s2-r1q0-p9o8n7m6l5k4` | The generic user ID from PingOne. | | `userEmail` | String | `john.doe@example.com` | The end user's email (for delivery or matching). | | `userPhone` | String | `+15551234567` | The end user's phone number (for delivery or matching). | | `userFirstName` | String | `John` | The end user's first name. | | `userLastName` | String | `Doe` | The end user's last name. | | `userDOB` | String | `1900-12-06` | The end user's date of birth. | | `cv-navBarHeader` | String | `Ping Identity ID Verification Portal` | The text to display in the navigation bar of the help desk agent's UI. | #### Outputs | Variable name | Data type | Description | | ------------------------- | --------- | ------------------------------------------------------------------------------ | | `verifyEvaluationId` | String | The unique ID of the completed PingOne Verify transaction. | | `verifyEvaluationOutcome` | String | The final status of the verification. | | `selfie` | String | A base64 encoded string of the end user's selfie with the background replaced. | | `errorMessage` | String | If the flow fails, this variable contains a description of the error. | | `flowInteractionId` | String | The unique identifier for this specific flow execution instance. |