PingOne Advanced Identity Cloud

Sign-on (login)

The PingOne Advanced Identity Cloud sign-on flow is designed for self-service, as demonstrated in the Login journey template. This journey lets end users sign on using their Advanced Identity Cloud credentials and increments the login counter. A separate retry-limit counter tracks failed authentications and locks the end-user account if the number of retries exceeds a specified limit. End users who successfully authenticate are sent through a separate progressive profile journey.

The Login journey template can be extended to include other features, such as support for identity providers. Learn more in Social authentication.

Example sign-on journey

The following nodes are associated with sign-on journeys:

Platform Username node

The Platform Username node is used in both sign-on and registration journeys. It collects the end user’s username.

Platform Password node

The Platform Password node is used in both sign-on and registration journeys. It collects the end user’s password.

Identity Store Decision node

The Identity Store Decision node takes a username and password and validates that they match an existing end user in the identity store.

Retry Limit Decision node

The Retry Limit Decision node tracks failed authentications. If the number of failed authentications is below a specified Retry Limit, the end user can attempt authentication again. Otherwise, the node forwards to the Account Lockout node to lock the end-user account.

Account Lockout node

The Account Lockout node sets the lock state of the end-user account. In this case, it is configured to lock the account. The node can also be used in a separate unlock journey to unlock the end-user account.


Configure social identity providers

To include social identity providers as a method of authentication, configure the Social Identity Provider service to include some form of social registration or social account claiming. Learn more in Social authentication. After this is set up, add social identity provider support to your sign-on journey.

To get started with social sign-on, you can create a new journey, modify an existing sign-on journey, or duplicate the Login journey template and modify that.

Example social sign-on journey

This example uses the following nodes:

To create the journey:

  1. Connect the starting node to the Page node.

  2. Connect the Social Authentication output on the Page node to the Social Provider Handler node.

  3. On the Social Provider Handler node, connect the Account Exists output to the Increment Login Count node. Connect the No Account Exists output to the Failure node.

  4. On the Page node, connect the Local Authentication node to the Data Store Decision node.

  5. On the Data Store Decision node, connect the True output to the Increment Login Count node. Connect the False output to the Failure node.

  6. Connect the Increment Login Count node to the Inner Tree Evaluator node.

  7. The Inner Tree Evaluator node points to another journey, letting you chain multiple journeys together.

    By default, this is set to point to the ProgressiveProfile journey. Learn more about progressive profiles in Progressive profile.

    Connect the Inner Tree Evaluator node to the Success node.

The resulting journey looks similar to this:

Example login journey with social identity providers enabled

Example login REST output

Calling a login self-service endpoint returns a JSON object containing callbacks for each of the nodes included in the journey.

Sample JSON callbacks
{
  "authId": "<omitted for length>",
  "callbacks": [
    {
      "type": "ValidatedCreateUsernameCallback",
      "output": [
        {
          "name": "policies",
          "value": {}
        },
        {
          "name": "failedPolicies",
          "value": []
        },
        {
          "name": "validateOnly",
          "value": false
        },
        {
          "name": "prompt",
          "value": "Username"
        }
      ],
      "input": [
        {
          "name": "IDToken1",
          "value": ""
        },
        {
          "name": "IDToken1validateOnly",
          "value": false
        }
      ],
      "_id": 0
    },
    {
      "type": "ValidatedCreatePasswordCallback",
      "output": [
        {
          "name": "echoOn",
          "value": false
        },
        {
          "name": "policies",
          "value": {}
        },
        {
          "name": "failedPolicies",
          "value": []
        },
        {
          "name": "validateOnly",
          "value": false
        },
        {
          "name": "prompt",
          "value": "Password"
        }
      ],
      "input": [
        {
          "name": "IDToken2",
          "value": ""
        },
        {
          "name": "IDToken2validateOnly",
          "value": false
        }
      ],
      "_id": 1
    }
  ],
  "header": "Sign In",
  "description": "New here? <a href=\"#/service/Registration\">Create an account</a><br><a href=\"#/service/ForgottenUsername\">Forgot username?</a> <a href=\"#/service/ResetPassword\">Forgot password?</a>"
}
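
The following is an added example, not code from the product documentation. It shows how a REST client could answer the callbacks in the sample above: it fills IDToken1 and IDToken2, leaves authId and the validateOnly flags as received, and builds a copy that is safe to write to logs. It assumes the client replies by returning the same object with the input values filled in; the function names, the FIELD_BY_TYPE mapping, and the sample credentials are hypothetical.

```python
import copy

# Constructed sample: the callback response above, trimmed to the fields used here.
SAMPLE = {
    "authId": "constructed-auth-id",
    "callbacks": [
        {"type": "ValidatedCreateUsernameCallback", "_id": 0,
         "output": [{"name": "prompt", "value": "Username"}],
         "input": [{"name": "IDToken1", "value": ""},
                   {"name": "IDToken1validateOnly", "value": False}]},
        {"type": "ValidatedCreatePasswordCallback", "_id": 1,
         "output": [{"name": "echoOn", "value": False},
                    {"name": "prompt", "value": "Password"}],
         "input": [{"name": "IDToken2", "value": ""},
                   {"name": "IDToken2validateOnly", "value": False}]},
    ],
}

# Callback types seen in the sample, mapped to the credential each one collects
# (hypothetical mapping for this example).
FIELD_BY_TYPE = {"ValidatedCreateUsernameCallback": "username",
                 "ValidatedCreatePasswordCallback": "password"}

def fill_callbacks(response, credentials):
    """Return a copy of the response with the credential inputs populated."""
    reply = copy.deepcopy(response)
    for cb in reply["callbacks"]:
        field = FIELD_BY_TYPE.get(cb["type"])
        if field is None or field not in credentials:
            # Fail closed: never send a partially filled step.
            raise ValueError(f"cannot answer callback {cb['type']}")
        for item in cb["input"]:
            if not item["name"].endswith("validateOnly"):  # keep server flags
                item["value"] = credentials[field]
    return reply

def redact_for_log(reply):
    """Copy of a reply that is safe to log: authId and non-echoed inputs masked."""
    safe = copy.deepcopy(reply)
    safe["authId"] = "<redacted>"
    for cb in safe["callbacks"]:
        echo = {o["name"]: o["value"] for o in cb["output"]}.get("echoOn", True)
        if echo is False:
            for item in cb["input"]:
                if isinstance(item["value"], str):
                    item["value"] = "<redacted>"
    return safe

if __name__ == "__main__":
    creds = {"username": "bjensen", "password": "constructed-pw"}
    print(redact_for_log(fill_callbacks(SAMPLE, creds)))
```

The redaction keys off the echoOn output rather than the callback type, so any input the server marks as non-echoed is masked.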