Google Chrome Device Trust node

Use the Google Chrome Device Trust node to establish device trust with Chrome Enterprise.

Compatibility

Product	Compatible?
Advanced Identity Cloud	Yes
PingAM (self-managed)	Yes
Ping Identity Platform (self-managed)	Yes

Product

Compatible?

Advanced Identity Cloud

Yes

PingAM (self-managed)

Yes

Ping Identity Platform (self-managed)

Yes

Inputs

This node reads the challengeresponse property from the journey state. This property is populated by a Scripted Decision node script that retrieves the value from PingGateway.

Dependencies

PingGateway must be installed and configured.
The node requires a Scripted Decision node earlier in the journey. The Scripted Decision script redirects the end user to PingGateway to generate and retrieve the challengeresponse.

Example of a Scripted Decision node redirect script.

try {
  var redirectMethod = "GET";
  var redirectUrl = "https://ig.example.com:9443/pinggateway-route-name";
  if (!requestParameters.get("challengeresponse")) {
    callbacksBuilder.redirectCallback(redirectUrl, {}, redirectMethod, {}, true);
  } else {
    var challenge = requestParameters.get("challengeresponse");
    nodeState.putShared("x-verified-access-challenge", challenge);
    action.goTo("Success");
  }
} catch (error) {
  nodeState.putShared("errorMessage", error.toString());
  action.goTo("Failure");
}

The challengeresponse parameter must be in the redirect to PingOne Advanced Identity Cloud as a query parameter from PingGateway.
The Google Chrome Device Trust node retrieves the challengeresponse value from the request parameters.

PingGateway Setup

Install PingGateway as indicated in the Quick Install Guide.
Configure the admin.json file to run PingGateway on ports 9090 / 9443. Learn more about starting up PingGateway with custom settings.

If 9443 is for HTTPS, then readers need to configure PingGateway for server-side HTTPS. Learn more in Configure PingGateway for TLS.
Store the JSON route files in your routes directory, for example:
- $HOME/.openig/config/routes (on Mac or Linux) or
- %appdata%\OpenIG\config\routes (on Windows).
Store the Groovy scripts in your groovy directory, for example:
- $HOME/.openig/scripts/groovy (on Mac or Linux), or
- %appdata%\OpenIG\scripts\groovy (on Windows).
  
  If you do not have a groovy directory, create one.

PingGateway routes

The generate_challenge.json route executes the getChallenge.groovy Groovy script to perform these tasks:
1. Make an HTTP POST request to the Google Chrome Verified Access API to generate the challenge.
2. Get the challenge from the API response.
3. Set the challenge as the value of the x-verified-access-challenge custom HTTP response header.
  
  Google Chrome recognizes the custom HTTP response header and uses the challenge value to calculate a challenge-response.
  
  Finally, Google Chrome creates a new custom HTTP request header, X-Verified-Access-Challenge-Response, and sets the challenge-response as the header value.
The generate_challenge.json route redirects the user to the challengeresponse.json route, which performs these tasks:
1. Get the challenge-response from the request headers.
2. Set the challenge-response value in the query parameter of the redirect URL as the challengeresponse key.
3. Redirect back to PingOne Advanced Identity Cloud.

Required JSON and Groovy files can be downloaded from:

Configuration

Property	Usage
API Key	The Google Cloud API key.
Private Key	Google Cloud administrator credential’s private key.
Key ID	The credential used to verify the authenticity and integrity of the JWT.
Credentials Client Email	The email ID of the client with Google Cloud administrator credentials.

Property

Usage

API Key

The Google Cloud API key.

Private Key

Google Cloud administrator credential’s private key.

Key ID

The credential used to verify the authenticity and integrity of the JWT.

Credentials Client Email

The email ID of the client with Google Cloud administrator credentials.

Outputs

The node writes the Chrome Device Trust signals to transient state.

Outcomes

Continue: Successfully authenticated the user.
Error: The journey follows this outcome path if the node is unable to obtain the device trust signals.

Troubleshooting

If this node logged an error, review the log messages for the transaction to find the reason for the error.

Example

The example journey shows the following:

A user logs in.
The Chrome Device Trust Headers node, a Scripted Decision node, redirects to PingGateway to handle the Google Chrome challenge-response process.
PingGateway generates the challenge, retrieves the challenge response, and sets it as a request parameter before redirecting back to the journey.
The Google Chrome Device Trust node uses the challenge response to retrieve Chrome Device Trust Signals, storing them in transient state.
The CrowdStrike node evaluates these trust signals to determine if the user’s device is managed, and makes an informed access decision.

PingOne Advanced Identity Cloud