Identity Cloud

Data Store Decision node

The Data Store Decision node checks that the credentials provided during authentication match the ones stored in the configured data store for the realm.


Product Compatible?

ForgeRock Identity Cloud


ForgeRock Access Management (self-managed)


ForgeRock Identity Platform (self-managed)



This node requires the realm, username, and password properties in the incoming node state.

You can implement the following nodes as inputs to the Data Store Decision node:


The Data Store Decision node is a basic node used in many types of authentication application types, such as basic, push, OAuth 2.0, and social provider authentication applications.


This node has no configurable properties.


This node copies shared and transient state into the outgoing node state.


Returns a boolean outcome:


The credentials match those found in the data store.


The credentials do not match those found in the data store.


The following Data Store Decision node warnings and errors can appear in the logs:

  • "invalid password error"

  • "invalid username error"

  • "Exception in data store decision node"


Review any errors and warnings this node logged.

  • If this node logged a warning, fix the credentials and try again.

  • If this node logged an error, review the log messages for the transaction to find the reason for the exception.


Example 1: Simple username and password collector nodes with Data Store Decision node

data store decision login

This example illustrates a simple login process. The journey involves a Page node that contains two embedded nodes: Platform Username node and Platform Password node. To enhance user experience, the Page node lets users input their username and password on a single page, instead of splitting them across two different pages.

The Data Store Decision node has two outcomes: True or False. When the outcome is True, it triggers a Login Count Decision node. The Increment Login Count node then moves to an Inner Tree Evaluator node, which performs additional login processes. The False outcome connects directly to a failure node, indicating a failed state where the username and/or password provided by the user did not match the information stored in the data store.

Example 2: Grant the user several attempts to enter their credentials correctly

data store decision with retry

In the following example, when an authentication attempt fails at the Data Store Decision node, you can direct it to a Retry Limit Decision node. The Retry Limit Decision node determines the number of retries allowed and either retries the login attempt or rejects it. If the journey rejects the login attempt after reaching the configured limit, for example three attempts, the operation results in an account lockout.

Additional information

The following are alternate nodes that you can use in your journeys depending on your specific use cases:

  • The LDAP Decision node supports LDAP Behera Password Policies with separate outcomes for accounts that are locked and passwords that have expired.

  • In Identity Cloud applications, the Identity Store Decision node is an enhanced node with additional outcomes. Use this node if your authentication journey needs more functionality than a simple True or False outcome.

Copyright © 2010-2024 ForgeRock, all rights reserved.