PingOne Advanced Identity Cloud

Money transfer journey

The Ping Identity Marketplace includes a prebuilt money transfer journey. The journey provides secure financial transactions by applying dynamic, context-aware multi-factor authentication (MFA). By evaluating the risk of each money transfer in real time, the journey can step up security when needed, preventing fraud while maintaining a smooth user experience.

The journey is intended as a template. Review and adapt it to meet your organization’s specific security policies and business requirements before deploying to a production environment.

Journey download

  • Journey name: Money transfer

  • Version: 1.0

  • Download: Download from Marketplace

About the money transfer journey

This solution uses a main journey and inner journeys to evaluate the risk level of a user’s sign-on attempt. Authenticated users can make secure money transfers between their savings and checking accounts.

Example use case

A bank wants to secure money transfer transactions and prevent fraud without creating unnecessary friction for customers. To do this, they want a journey that provides adaptive security by evaluating risk signals in real time across various end-user actions, from sign-on to financial transactions. The solution would allow routine, low-value money transfers from a known device to proceed seamlessly, while automatically triggering MFA for high-value transfers or suspicious activity to verify the user’s identity.

Journey components

The money transfer journey includes one main journey and four inner journeys.

Journey Description Configuration required?

Money Transfer - Main Journey

Orchestrates a secure money transfer by managing user authentication, performing risk analysis, and stepping up security when necessary.


This journey starts by checking if the user has an active session. If not, it directs them through a sign-on process by calling the Money Transfer SignOn - Inner Journey. It then identifies the user and confirms their account is active.

The journey then performs the following steps:

  • Threat detection: Calls the Money Transfer - Threat Detection - Inner Journey to evaluate the real-time risk of the sign-on attempt using PingOne Protect.

    The threat detection journey sets the authentication level based on the detected risk level. A medium to high risk level increases the authentication level.

  • Authentication step-up: The Auth Level Decision node evaluates the user’s current authentication level. A higher authentication level is interpreted as higher risk for subsequent steps, which triggers MFA.

    Switching the True and False outputs of the Auth Level Decision node means a higher current authentication level is interpreted as lower risk, and MFA won’t be triggered. This isn’t recommended for this journey.

  • Money transfer: After all security checks are successfully passed, the journey proceeds to the core money transfer process by calling the Money Transfer - Inner Journey.

  • Finalization: The journey concludes by logging the success or failure of the PingOne Protect evaluation.

Configuration required: Yes

Money Transfer - Threat Detection - Inner Journey

Performs real-time threat detection using PingOne Protect to assess session risk.


Gathers behavioral data from the user’s session and determines a risk level. Depending on the assessed risk, the journey takes different paths:

  • Low risk: The journey proceeds, but also checks for indicators such as a new device or other suspicious parameters.

  • Medium to high risk: Increases the required authentication level, asking for stronger user verification before continuing.

  • Specific threats (for example, bots or man-in-the-middle): Checks if the user’s account is active. If it is, the account is disabled, and an alert email is sent to the user.

  • Failure: If any part of the risk evaluation fails, the journey logs the failure and terminates.

Configuration required: Yes

Money Transfer - Inner Journey

Manages the money transfer process for an authenticated user.


The journey starts by identifying the user. After successful identification, the user can proceed to enter the details of the money transfer.

The journey validates the input using the PingOne Authorize node to assess the transaction risk.

  • If the transaction is permitted (low risk), the journey checks if the user has a sufficient balance, updates the balance, and displays a success message.

  • If the transaction requires approval (higher risk), an approval email is sent to the user. After the user approves the transfer through the email link, the journey proceeds as if it were a permitted transaction.

  • If the transaction is denied, the user is shown a transfer failed page.

The journey includes paths to handle various errors, such as invalid input or insufficient balance, which typically redirect the user back to the transfer page to make corrections.

Configuration required: Yes

Money Transfer - MFA Authentication - Inner Journey

Orchestrates the MFA process. It prompts the user to select an MFA method (such as OTP, push, or WebAuthn) and handles the subsequent verification flow.


The journey starts by identifying an existing user and then prompts them to select an authentication method.

The journey proceeds with one of the following MFA flows:

  • Email: Generates a one-time passcode (OTP) and sends it to the user’s email address for verification.

  • SMS / Voice: Uses Twilio to send a verification code to the user’s registered phone number through SMS or a voice call.

  • FIDO2 (WebAuthn): Initiates authentication using a security key or biometrics.

  • OATH: Asks the user to enter a verification code from an authenticator app.

  • Push: Sends a push notification to a registered device for approval.

  • Magic Link: Emails a unique link that the user clicks to sign on.

For most methods, if the user fails to authenticate, they’re given a limited number of retry attempts before the journey fails. The journey also includes paths for users to authenticate using a recovery code if other methods are unavailable.

Configuration required: Yes

Money Transfer SignOn - Inner Journey

Manages the initial user sign-on, including credential validation, email verification, and security checks.


The journey performs the following checks:

  • Threat analysis: Determines if a threat analysis is required. If so, it initiates PingOne Protect for risk evaluation by calling the Money Transfer - Threat Detection - Inner Journey.

    The threat detection journey sets the authentication level based on the detected risk level. A medium to high risk level increases the authentication level.

  • User authentication: Presents a sign-on page for the user to enter their username and password.

  • Account status check: Checks if the user’s email address has been verified. If not, it sends an email with a link to complete the verification before allowing the user to proceed.

  • Authentication step-up: The Auth Level Decision node evaluates the user’s current authentication level. A higher authentication level is interpreted as higher risk for subsequent steps, which triggers MFA.

    Switching the True and False outputs of the Auth Level Decision node means a higher current authentication level is interpreted as lower risk, and MFA won’t be triggered. This isn’t recommended for this journey.

  • Accept terms and conditions: Checks if the user has accepted the latest terms and conditions. If they haven’t, they’re prompted to accept them.

After all checks complete successfully, the journey concludes, and the user is granted access.

Configuration required: No
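The following JavaScript is an added example, not code from the Ping Identity journey or its scripts. It models the branching described above for the Money Transfer - Threat Detection - Inner Journey (low risk with new-device and suspicious-activity checks, medium to high risk raising the authentication level, specific threats disabling an active account and emailing the user, evaluation failure) and the Auth Level Decision step-up in the main journey, so the risk-to-MFA logic can be reasoned about and checked outside the journey editor. The evaluation object shape, the authentication level values (0 for a password sign-on, 10 after elevated risk), the step-up threshold, the threat names, the `suspicious` flag and the action labels are all assumptions made for illustration; the real PingOne Protect node output and authentication levels are whatever your tenant configures.

```javascript
// Added example (not part of the Ping Identity journey): a model of how the
// Threat Detection inner journey routes on a PingOne Protect result and how the
// main journey's Auth Level Decision node turns the resulting authentication
// level into an MFA step-up. Level values, threshold, evaluation shape, threat
// names and action labels are assumptions for illustration.

const BASE_AUTH_LEVEL = 0;          // assumed level after a username/password sign-on
const ELEVATED_AUTH_LEVEL = 10;     // assumed level set for MEDIUM/HIGH risk
const STEP_UP_THRESHOLD = ELEVATED_AUTH_LEVEL; // Auth Level Decision: level >= threshold -> MFA

// Threats the journey treats as critical (assumed names; the page lists bots and man-in-the-middle).
const CRITICAL_THREATS = new Set(["bot", "man_in_the_middle"]);

// Route one risk evaluation (constructed shape, not the real node output) for a
// session state {authLevel, accountActive}. Returns outcome, actions, new level.
function routeThreatDetection(evaluation, state) {
  if (evaluation.error) {
    // Failure path: log and terminate without changing the level.
    return { outcome: "failure", log: `risk evaluation failed: ${evaluation.error}`, actions: [], authLevel: state.authLevel };
  }
  const threats = evaluation.threats || [];
  if (threats.some((t) => CRITICAL_THREATS.has(t))) {
    // Only an active account is disabled and alerted; an already disabled account gets no further action.
    const actions = state.accountActive ? ["disableAccount", "sendEmail:accountDisabled"] : [];
    return { outcome: "blocked", actions, authLevel: state.authLevel };
  }
  switch (evaluation.riskLevel) {
    case "LOW": {
      // Low risk proceeds, but still reports a new device or other suspicious signals.
      const actions = [];
      if (evaluation.newDevice) actions.push("sendEmail:newDeviceDetected");
      if (evaluation.suspicious) actions.push("sendEmail:suspiciousActivity");
      return { outcome: "proceed", actions, authLevel: state.authLevel };
    }
    case "MEDIUM":
    case "HIGH":
      // Raise the required authentication level; never lower an already elevated one.
      return { outcome: "proceed", actions: [], authLevel: Math.max(state.authLevel, ELEVATED_AUTH_LEVEL) };
    default:
      return { outcome: "failure", log: `unknown risk level: ${evaluation.riskLevel}`, actions: [], authLevel: state.authLevel };
  }
}

// Auth Level Decision node as wired in the template: a higher current level
// means higher risk, so the True output leads to MFA.
function requiresMfa(authLevel) {
  return authLevel >= STEP_UP_THRESHOLD;
}

// Sign-on portion end to end: threat detection, then the step-up decision.
function evaluateSignOn(evaluation, state) {
  const routed = routeThreatDetection(evaluation, state);
  if (routed.outcome !== "proceed") return routed;
  return { ...routed, mfaRequired: requiresMfa(routed.authLevel) };
}

// Constructed sample evaluations, one per path the page describes.
const SAMPLE_SIGN_ONS = [
  { label: "known device, low risk", evaluation: { riskLevel: "LOW" } },
  { label: "new device, low risk", evaluation: { riskLevel: "LOW", newDevice: true } },
  { label: "high risk", evaluation: { riskLevel: "HIGH" } },
  { label: "bot detected", evaluation: { riskLevel: "HIGH", threats: ["bot"] } },
  { label: "evaluation error", evaluation: { error: "timeout" } },
];

for (const sample of SAMPLE_SIGN_ONS) {
  const result = evaluateSignOn(sample.evaluation, { authLevel: BASE_AUTH_LEVEL, accountActive: true });
  console.log(sample.label, "->", JSON.stringify(result));
}
```

With this wiring a HIGH result raises the level to 10 and `requiresMfa` returns true. Swapping the True and False outputs of the Auth Level Decision node, which the page cautions against, inverts exactly this comparison, so the same elevated level would skip MFA; a quick check that a HIGH evaluation still yields `mfaRequired: true` is worth repeating whenever the journey is edited.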

Money Transfer journey (main journey)

[Figure: Money transfer main journey, with the following callouts]

  • (a) A Scripted Decision node that initializes the variables used in the authentication flow.

  • (b) The first call to the PingOne Protect Money Transfer - Threat Detection - Inner Journey.

  • (c) The second call to the PingOne Protect Money Transfer - Threat Detection - Inner Journey for risk evaluation.

  • (d) A call to the Money Transfer - MFA Authentication - Inner Journey.

  • (e) A call to the Money Transfer SignOn - Inner Journey.

Before you begin

To implement the sample money transfer journey, you must have these prerequisites:

Task 1: Prepare your tenant environment

To get the journey working, you must first perform some setup tasks in your Advanced Identity Cloud tenant environment.

Add custom attributes to the alpha_user managed object

Several additional user attributes are required by the money transfer journey.

Add the following custom attributes to the alpha_user managed object. Learn more in Customize user identities using custom attributes.

When adding new attributes, use the advanced options to specify view and edit permissions:

  • User Editable: Select this option if you want end users to be able to edit the property value in their profile.

  • Viewable: Clear this option to hide the property from the user’s profile. However, this hides the property from both end users and tenant administrators.

Each attribute is listed as Name (Label), Type: Description.

  • custom_emailVerified (Email verified), String: Confirms the user has verified their email address.

  • custom_protectActivityCity (PingOne Protect activity city), String: The city from which the user attempts to authenticate. This attribute is used in the Account Disabled and Suspicious Activity email templates.

  • custom_protectActivityState (PingOne Protect activity state), String: The state from which the user attempts to authenticate. This attribute is used in the Account Disabled and Suspicious Activity email templates.

  • custom_protectDeviceOS (PingOne Protect device OS), String: The OS of the device from which the user attempts to authenticate.

  • custom_mfaDevices (MFA devices), Array: Stores the user’s registered MFA devices.

  • custom_latestMFADevice (Latest used MFA device), String: The most recently used registered MFA device.

  • custom_savingsBalance (Latest savings balance), Number: The user’s savings account balance after money transfer.

  • custom_checkingBalance (Latest checking balance), Number: The user’s checking account balance after money transfer.

  • custom_currency (Custom currency), String: The user’s preferred currency. Select User Editable to allow end users to change this value.

(Optional) Set an ESV variable for PingOne Protect analysis

The Prerequisites & Init Variables node in the parent journey contains a script that uses the protectAnalysisRequired variable to determine if PingOne Protect analysis is enabled. By default, this variable is set to true in the script. To override this variable and control how PingOne Protect analysis is performed in different environments, you can set an Environment Secret & Variable (ESV) variable.

  1. In the Advanced Identity Cloud admin console, go to Tenant Settings > Global Settings > Environment Secrets & Variables.

  2. On the Variables tab, click + Add Variable.

  3. In the Add a Variable modal, enter the following information:

    • Name: p1-protect-analysis-required

    • Type: string

    • Description (optional): PingOne Protect analysis required

    • Value: true

  4. Click Save to create the variable.

  5. Restart Advanced Identity Cloud services by applying updates in the Advanced Identity Cloud admin console.

Create the email templates

You’ll need to create the following email templates, which are used by Scripted Decision nodes to send emails at various points in the money transfer journey.

Email template Description Example email body

accountDisabled

Email sent when PingOne Protect detects critical risk associated with the account.

Example email body:
<div style="display:block;width:400px;margin:0 auto;font-family:sans-serif;border:1px solid #c5c5c5;padding:30px 20px;text-align:center">
  <img src="https://assets.pingone.com/ux/ui-library/5.0.2/images/logo-pingidentity.png" alt="Company Logo" style="height:65px;margin-bottom:10px" />
  <div style="display:block">
    <div style="display:inline-block;width:40px;height:40px;border-radius:50%;background-color:red;color:white;font-size:24px;line-height:40px;text-align:center">!</div>
    <h2 style="margin-top:10px;margin-bottom:10px">Sign-in Attempt was blocked</h2>
    <p>{{object.mail}}</p>
    <hr style="width:100%;margin-top:20px;margin-bottom:25px;border:none;border-top:1px solid #c5c5c5" />
  </div>
  <div style="text-align:left">
    <p id="alertText">Someone just attempted to sign onto your account nearby {{object.custom_protectActivityCity}}, {{object.custom_protectActivityState}}. We have disabled the account for your security. If this was you, please contact support.</p>
    <p>Thanks,
      <br />The ${Brand Name} team
    </p>
  </div>
</div>

newDeviceDetected

Email sent when PingOne Protect detects a sign-on from a new device.

Example email body:
<div style="display:block;width:400px;margin:0 auto;font-family:sans-serif;border:1px solid #c5c5c5;padding:30px 20px;text-align:center">
  <img src="https://assets.pingone.com/ux/ui-library/5.0.2/images/logo-pingidentity.png" alt="Company Logo" style="height:65px;margin-bottom:10px" />
  <div style="display:block">
    <div style="display:inline-block;width:40px;height:40px;border-radius:50%;background-color:red;color:white;font-size:24px;line-height:40px;text-align:center">!</div>
    <h2 style="margin-top:10px;margin-bottom:10px">Sign-in attempt detected</h2>
    <p>{{object.mail}}</p>
    <hr style="width:100%;margin-top:20px;margin-bottom:25px;border:none;border-top:1px solid #c5c5c5" />
  </div>
  <div style="text-align:left">
    <p id="alertText">Someone just attempted to sign onto your account nearby {{object.custom_protectActivityCity}}, {{object.custom_protectActivityState}}. If this was not you, please consider resetting your password or contact support. Otherwise, ignore.</p>
    <p>Thanks,
      <br />The ${Brand Name} team
    </p>
  </div>
</div>

suspiciousActivity

Email sent when PingOne Protect detects suspicious activity associated with the account.

Example email body:
<div style="display:block;width:400px;margin:0 auto;font-family:sans-serif;border:1px solid #c5c5c5;padding:30px 20px;text-align:center">
  <img src="https://assets.pingone.com/ux/ui-library/5.0.2/images/logo-pingidentity.png" alt="Company Logo" style="height:65px;margin-bottom:10px" />
  <div style="display:block">
    <div style="display:inline-block;width:40px;height:40px;border-radius:50%;background-color:red;color:white;font-size:24px;line-height:40px;text-align:center">!</div>
    <h2 style="margin-top:10px;margin-bottom:10px">Sign-in attempt detected</h2>
    <p>{{object.mail}}</p>
    <hr style="width:100%;margin-top:20px;margin-bottom:25px;border:none;border-top:1px solid #c5c5c5" />
  </div>
  <div style="text-align:left">
    <p id="alertText">Someone just attempted to sign onto your account nearby {{object.custom_protectActivityCity}}, {{object.custom_protectActivityState}}. If this was not you, please consider resetting your password or contact support. Otherwise, ignore.</p>
    <p>Thanks,
      <br />The ${Brand Name} team
    </p>
  </div>
</div>

welcome

Email sent when a new user account is created.

Example email body:
<html>
  <head></head>
  <body style="background-color: #324054; color: #5e6d82; padding: 60px; text-align: center;">
    <p>Welcome. Your username is '{{object.userName}}'.</p>
  </body>
</html>

otp

Email containing the user’s one-time passcode (OTP).

Example email body:
<html>
  <head></head>
  <body style="background-color: #324054; color: #455469; padding: 60px; text-align: center;">
    <div class="content" style="background-color: #fff; border-radius: 4px; margin: 0 auto; padding: 48px; width: 235px;">
      <p>
        <img src="https://www.pingidentity.com/content/dam/picr/nav/Ping-Logo-2.svg" alt="Ping Identity logo">
      </p>
      <p>Hi {{object.givenName}}</p>
      <p>Here is your One Time Password. Please enter it into the login browser window:</p>
      <h1 id="objectotp">{{object.otp}}</h1>
      <p>PingOne Advanced Identity Cloud</p>
    </div>
  </body>
</html>

Learn more about creating email templates in Email templates.

Task 2: Create a PingOne Authorize policy

To perform risk-based authorization for transfers, you’ll need to create an authorization policy in PingOne Authorize. This policy evaluates a payment’s amount against the user’s transaction limits.

Define the amount attribute

  1. In the PingOne admin console, go to Authorization > Trust Framework.

  2. On the Attributes tab, click + Add new Attribute and configure it as follows.

    Attribute name Value type

    amount

    Number

  3. Click Save Changes.

Create the payment check policy

  1. In the PingOne admin console, go to Authorization > Policies.

  2. Click the Plus icon and select Add Policy.

  3. In the Name field, enter Payment checks.

  4. Add the following rules to the policy in order.

    Rule 1: Deny payments over the threshold
    • Name: Deny payments over 10,000

    • Applies When: amount Greater Than 10000

    • Effect: Deny

    Rule 2: Permit payments under the threshold
    • Name: Permit payment less than 1,000

    • Applies When: amount Less Than 1000

    • Effect: Permit

    Rule 3: Require approval between thresholds
    • Name: Payments more than 1,000 but less than 10,000

    • Applies When:

      • amount Greater Than Or Equal 1000

      • amount Less Than Or Equal 10000

    • Effect: Permit

    • Statements: Add a statement with the following values:

      • Name: Approval required when amount is in this range

      • Code: APPROVAL_REQ

  5. Click Save Changes.
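As an added example (not Ping Identity's policy engine or journey code), the following JavaScript evaluates the three Payment checks rules above in policy order and then applies the balance check and balance update that the Money Transfer - Inner Journey performs for a permitted transfer, including the approval-required and transfer-failed paths. The thresholds and the APPROVAL_REQ statement code come from the page; the decision object shape, the `approvedViaEmail` flag standing in for approval through the email link, and the sample user record (named after the custom attributes added in Task 1) are assumptions.

```javascript
// Added example (not Ping Identity's code): the "Payment checks" policy rules
// from the page, evaluated in order, followed by the balance check and update
// performed by the Money Transfer - Inner Journey. Decision shape, the
// approvedViaEmail flag and the sample user record are assumptions.

const DENY_ABOVE = 10000;             // Rule 1: amount > 10000 -> Deny
const PERMIT_BELOW = 1000;            // Rule 2: amount < 1000  -> Permit
const APPROVAL_CODE = "APPROVAL_REQ"; // Rule 3 statement code

// Rules in the order they are added to the policy; the first match decides.
const PAYMENT_RULES = [
  { name: "Deny payments over 10,000", applies: (a) => a > DENY_ABOVE, effect: "DENY", statements: [] },
  { name: "Permit payment less than 1,000", applies: (a) => a < PERMIT_BELOW, effect: "PERMIT", statements: [] },
  { name: "Payments more than 1,000 but less than 10,000",
    applies: (a) => a >= PERMIT_BELOW && a <= DENY_ABOVE, effect: "PERMIT", statements: [APPROVAL_CODE] },
];

// Evaluate the "amount" attribute. Anything that is not a finite positive number
// is rejected before the rules run; otherwise a negative or NaN-coerced amount
// could satisfy "Less Than 1000" and be permitted.
function evaluatePaymentPolicy(amount) {
  if (typeof amount !== "number" || !Number.isFinite(amount) || amount <= 0) {
    return { effect: "DENY", rule: null, statements: [], reason: "invalid amount" };
  }
  for (const rule of PAYMENT_RULES) {
    if (rule.applies(amount)) {
      return { effect: rule.effect, rule: rule.name, statements: rule.statements, reason: null };
    }
  }
  // Not reachable with the three rules above (they cover every positive amount); default deny.
  return { effect: "DENY", rule: null, statements: [], reason: "no matching rule" };
}

// Process a savings -> checking transfer for an authenticated user record.
// Returns the journey outcome and, on success, the updated balances. The input
// record is never mutated; the journey would write the new balances back.
function processTransfer(user, amount) {
  const decision = evaluatePaymentPolicy(amount);
  if (decision.effect === "DENY") {
    return { outcome: "transfer_failed", decision, balances: null };
  }
  if (decision.statements.includes(APPROVAL_CODE) && !user.approvedViaEmail) {
    // Rule 3 path: an approval email is sent and the transfer waits for the link to be used.
    return { outcome: "approval_required", decision, balances: null };
  }
  if (user.custom_savingsBalance < amount) {
    // Error path the page describes: the user is sent back to correct the transfer.
    return { outcome: "insufficient_balance", decision, balances: null };
  }
  return {
    outcome: "success",
    decision,
    balances: {
      custom_savingsBalance: user.custom_savingsBalance - amount,
      custom_checkingBalance: user.custom_checkingBalance + amount,
    },
  };
}

// Constructed test user matching the validation section's starting balance of 10000.
const SAMPLE_USER = { custom_savingsBalance: 10000, custom_checkingBalance: 0, approvedViaEmail: false };

for (const amount of [100, 1000, 5000, 10000, 10000.01, -50]) {
  console.log(amount, "->", JSON.stringify(processTransfer(SAMPLE_USER, amount)));
}
```

Rule order matters: Rule 1 is checked first, so an amount above 10,000 is denied before the other rules are considered, and the two boundary values 1,000 and 10,000 both fall into Rule 3 (approval required), which is what the Greater Than Or Equal and Less Than Or Equal operators on the page express. The input check in `evaluatePaymentPolicy` rejects negative, zero, non-numeric and non-finite amounts up front, since a negative amount would otherwise satisfy "Less Than 1000"; the journey's own invalid-input path should reject such values before the amount reaches PingOne Authorize.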

Task 3: Download and import the journey

Download the journey

  1. Go to Money Transfer journey on the Ping Identity Marketplace.

  2. Click Download Integration to download the Money Transfer - Main Journey.json file. This JSON file contains the parent journey and inner journeys, scripts, and email templates required for the authentication flow.

Import the journey

  1. In the Advanced Identity Cloud admin console, go to Journeys, and click Import.

  2. Click either Download Backup or Skip Backup. Learn more in Import journeys.

  3. On the Import Journeys page, browse to and select Money Transfer - Main Journey.json.

  4. Select Alpha realm users because the journey is configured for the alpha realm.

  5. In the Conflict Resolution section, choose how the system resolves import conflicts:

    • Overwrite all conflicts (default)

    • Manually pick conflict resolution

  6. Click Next.

  7. Click Start Import.

  8. On the Import Complete page, click Done.

  9. On the left panel of the Journeys page, click Money Transfer (5) to view the money transfer journeys and inner journeys.

Task 4: Configure the journey components

Configure the money transfer main journey

  1. On the Journeys page, click Money Transfer - Main Journey and click Edit.

  2. In the journey editor, configure the journey as described in the following sections: Review and set the initialize variables, Configure the money transfer URL, and Set the journey to run for all users regardless of current session.

  3. Click Save.

To save your progress, periodically click Save in the top right of the journey editor. If you don’t save, you’ll lose your work if the page reloads or if you lose your network connection.

Review and set the initialize variables

The Money Transfer - Main Journey includes a Scripted Decision node containing the initialize variables used later in the authentication flow. This script lets you:

  • Set the allowed MFA types: FIDO2, OATH, PUSH, EMAIL, SMS, VOICE.

  • Enable or disable PingOne Protect analysis.

  • Enable or disable magic link.

To review and set the initial variables:

  1. Click the Prerequisites & Init Variables node.

  2. In the Script field, click the Pencil icon to open the Money Transfer - Initialize Variables script.

  3. Review the script and make changes if needed.

  4. Click Save and Close.

You don’t need to update the values in the Script Outputs field of the Prerequisites & Init Variables node.

Configure the money transfer URL

  1. Click the Redirect To Money Transfer (Success URL) node.

  2. Enter the preview URL of the Money Transfer - Inner Journey. For example, https://<tenant-env-fqdn>/am/XUI/?realm=alpha&authIndexType=service&authIndexValue=MoneyTransfer-InnerJourney.

  3. Click Save.

Set the journey to run for all users regardless of current session

  1. In the upper right of the journey editor, click the Ellipsis icon and select Edit Details.

  2. Select Run journey for all users regardless of current session.

  3. Click Save.

Configure the Threat Detection - Inner Journey

  1. On the Journeys page, click Money Transfer - Threat Detection - Inner Journey and click Edit.

  2. In the journey editor, configure the journey as follows:

    1. Click the PingOne Protect Initialize node.

    2. In the PingOne Worker Service ID field, select the ID of the PingOne Worker Service for connecting to PingOne. Learn more in PingOne Protect Initialize node.

    3. Click the Auth: PingOne Protect Evaluation node and enter the following:

      • PingOne Worker Service ID: Select the ID of the PingOne Worker Service for connecting to PingOne.

      • (Optional) Risk Policy Set ID: Enter the ID of the risk policy in PingOne. Learn more in PingOne Protect Evaluation node.

    4. Click the Reg: PingOne Protect Evaluation node and enter the following:

      • PingOne Worker Service ID: Enter the ID of the PingOne Worker Service for connecting to PingOne.

      • (Optional) Risk Policy Set ID: Enter the ID of the risk policy in PingOne. Learn more in PingOne Protect Result node.

  3. Click Save.

Configure the Money Transfer - Inner Journey

  1. On the Journeys page, click Money Transfer - Inner Journey and click Edit.

  2. In the journey editor, click the PingOne Authorize node and enter the following:

      • PingOne Worker Service ID: Select the ID of the PingOne Worker Service for connecting to PingOne.

      • Decision Endpoint ID: Enter the decision endpoint ID from the service in PingOne Authorize.

      • attributelist: Enter amount.

      • Statement Codes: Enter APPROVAL_REQ.

    Learn more in PingOne Authorize node.

  3. Click Save.

Configure the MFA Authentication - Inner Journey

This configuration is required if SMS or VOICE is included in the allowedMFATypes array in the Money Transfer - Initialize Variables script (in the Prerequisites & Init Variables node of the parent journey).

  1. On the Journeys page, click MFA Authentication - Inner Journey and click Edit.

  2. In the journey editor, update the required fields in the following nodes:

  3. Click Save.

Task 5: Validate the journey

After configuring the journey, validate the different paths to ensure the risk-based security policies work as expected. The following steps demonstrate a low-risk transfer and a higher-risk transfer that requires approval.

To trigger different risk evaluations, you may need to adjust your risk policies in PingOne Protect for sign-on, or your PingOne Authorize policies for the transaction itself. You can also simulate higher risk by signing in from a new device or a VPN.

Before you begin, ensure you have a test user in the alpha realm with a starting balance. For example, set the custom_savingsBalance attribute to 10000.

Test a low-risk transfer

This test validates the user experience when a transfer is evaluated as low risk.

  1. In the Advanced Identity Cloud admin console, go to Journeys.

  2. Click Money Transfer - Main Journey.

  3. In the Preview URL field, click the copy icon and paste the URL into an incognito browser window.

    The Advanced Identity Cloud end-user UI displays the Sign In screen.

  4. Enter the test user’s username and password and click Next.

    Because the sign-on is evaluated as low risk, the user is authenticated and redirected to the Money Transfer page.

  5. Enter a small amount (for example, 100) and click Make Transfer.

    [Figure: Make a transfer page]

    Expected result: The transfer is successful. The page confirms the transaction was completed, and the user’s account balance is updated.

Test a higher-risk transfer

This test validates that the journey requires additional user approval for a transfer that the PingOne Authorize policy evaluates as higher risk.

  1. If you’re not already signed on, follow steps 1 to 4 in Test a low-risk transfer to sign on as your test user.

  2. Enter a large amount that exceeds your policy’s approval threshold (for example, 5000).

  3. Click Make Transfer.

    Expected result: An email is sent to the user asking for approval. After the transfer is approved using the link in the email, the transaction is processed. This confirms that the step-up approval path is triggered for higher-risk transactions.

Best practices

This sample journey provides a strong foundation for a money transfer journey. When preparing to use it in a production environment, consider the following best practices:

  • Treat as a template: Remember that this is a sample journey. Always adapt and harden it to meet your specific security policies and business requirements before deploying to production.

  • Use ESVs: Avoid hardcoding sensitive information like API keys and IDs directly in your journey scripts. Use ESVs to manage these values securely.

  • Test extensively: Validate all possible user paths, including low, medium, and high-risk scenarios, as well as the different MFA registration and authentication flows. Ensure the user experience is smooth and the security responses are correct for each case.

  • Review PingOne Protect policies: Fine-tune your risk policies in PingOne Protect to align with your organization’s risk tolerance.