PingOne Verify Authentication node

The PingOne Verify Authentication node lets you integrate PingOne Verify biometric authentication functionality in your journey. The biometric authentication is achieved by comparing a stored picture to a live selfie.

Compatibility

Product	Compatible?
Advanced Identity Cloud	Yes
PingAM (self-managed)	Yes
Ping Identity Platform (self-managed)	Yes

Product

Compatible?

Advanced Identity Cloud

Yes

PingAM (self-managed)

Yes

Ping Identity Platform (self-managed)

Yes

Inputs

This node reads these inputs from shared state:

The node reads the username from shared state.

To provide the username in shared state earlier in the journey, configure a node such as the Platform Username node.

Additionally, the node first looks in the shared state for the attribute containing the PingOne UserID and the reference picture attribute, which contains a Base64-encoded reference self-image in JPEG format. If these two attributes are not found in the shared state, the node looks up the user in the local datastore to retrieve the PingOne UserID and the reference picture.

If the PingOne UserID is not found in the local datastore or the shared store, a new user is created in PingOne to perform facial-biometric authentication.

Dependencies

You must configure PingOne Verify service before using this node.

Configuration

Property Usage

Property	Usage
PingOne Service	The ID of the PingOne Worker service for connecting to PingOne.
PingOne Verify Policy ID	The policy ID PingOne Verify node to use. The policy is expected to have the following details set: ID Verification is set to `DISABLED`. Facial Comparison is set to `REQUIRED`. Liveness is set to `REQUIRED`.
Verify URL delivery mode	QR code to display or E-mail/SMS for direct delivery.
Let user choose the delivery method	If selected, the user is prompted for a delivery method.
Delivery message choice	The message to display and allow user to select the delivery route (QR, SMS, eMail). The verify code displays along with the message.
Reference Picture Attribute	The attribute key for retrieving the local reference picture. The node first looks in the shared state for the attribute containing the PingOne UserID and the reference picture attribute, which contains a Base64-encoded reference selfie in JPEG format. If these two attributes are not found in the shared state, the node looks up the user in the local datastore to retrieve the PingOne UserID and the reference picture. If `Let user choose the delivery method` is enabled or `Verify URL delivery mode` is set to use QR code, then you should store the reference picture in the shared state. If the reference picture is in the shared state, `Let user choose the delivery method` is not enabled, and `Verify URL delivery mode` is not set to use QR code, then you should store the reference picture in the transient state.
Attribute containing the PingOne UserID	Local attribute name that contains the PingOne UserID.
Submission timeout	Verification submission timeout value in seconds. The value must be within the authentication session validity time.
Waiting message	The message to display while waiting for the user to complete the authentication with PingOne Verify.
Save verification metadata from PingOne Verify to Transient State	Save verification explanation data from PingOne Verify to Transient State with a key of `VerifyMetadataResult`.
Leave access token in transientState	If seleted, the PingOne access token is preserved in the transient state.
Leave PingOne Verify transaction id in transientState	If selected, the PingOne access token is preserved in the transient state, with a key of `VerifyAT`.
Save verification metadata from PingOne Verify to Transient State	Save verification explanation data from PingOne Verify to Transient State with a key of `VerifyMetadataResult`.
Leave access token in transientState	If selected, the PingOne access token is preserved in the transient state, with a key of `VerifyAT`.
Leave PingOne Verify transaction id in transientState	If checked, PingOne transaction ID is preserved in transient state with a key of `VerifyTransactionID`.
Demo mode	When checked, the node always returns `SUCCESS` outcome.

PingOne Service

The ID of the PingOne Worker service for connecting to PingOne.

PingOne Verify Policy ID

The policy ID PingOne Verify node to use. The policy is expected to have the following details set:

ID Verification is set to DISABLED.
Facial Comparison is set to REQUIRED.
Liveness is set to REQUIRED.

Verify URL delivery mode

QR code to display or E-mail/SMS for direct delivery.

Let user choose the delivery method

If selected, the user is prompted for a delivery method.

Delivery message choice

The message to display and allow user to select the delivery route (QR, SMS, eMail). The verify code displays along with the message.

Reference Picture Attribute

The attribute key for retrieving the local reference picture. The node first looks in the shared state for the attribute containing the PingOne UserID and the reference picture attribute, which contains a Base64-encoded reference selfie in JPEG format. If these two attributes are not found in the shared state, the node looks up the user in the local datastore to retrieve the PingOne UserID and the reference picture.

If Let user choose the delivery method is enabled or Verify URL delivery mode is set to use QR code, then you should store the reference picture in the shared state.

If the reference picture is in the shared state, Let user choose the delivery method is not enabled, and Verify URL delivery mode is not set to use QR code, then you should store the reference picture in the transient state.

Attribute containing the PingOne UserID

Local attribute name that contains the PingOne UserID.

Submission timeout

Verification submission timeout value in seconds. The value must be within the authentication session validity time.

Waiting message

The message to display while waiting for the user to complete the authentication with PingOne Verify.

Save verification metadata from PingOne Verify to Transient State

Save verification explanation data from PingOne Verify to Transient State with a key of VerifyMetadataResult.

Leave access token in transientState

If seleted, the PingOne access token is preserved in the transient state.

Leave PingOne Verify transaction id in transientState

If selected, the PingOne access token is preserved in the transient state, with a key of VerifyAT.

Save verification metadata from PingOne Verify to Transient State

Save verification explanation data from PingOne Verify to Transient State with a key of VerifyMetadataResult.

Leave access token in transientState

If selected, the PingOne access token is preserved in the transient state, with a key of VerifyAT.

Leave PingOne Verify transaction id in transientState

If checked, PingOne transaction ID is preserved in transient state with a key of VerifyTransactionID.

Demo mode

When checked, the node always returns SUCCESS outcome.

Outputs

If the outcome is Success (Patch ID) or Fail (Patch ID), the Attribute containing the PingOne UserID key is placed in shared state and in the objectAttribute object so the local user can be patched with the new user GUID that was created in PingOne for the verification. Save the returned GUID to the local user so the node doesn’t need to create a new PingOne user on the next use.

Outcomes

Success: Successfully authenticated the user’s stored selfie and live selfie.
Success (Patch ID): Successfully authenticated the user’s stored picture and live selfie. Additionally, if the stored GUID on the local user was invalid or did not exist, the node created a new PingOne user to perform the verification. The node stored the new user’s PingOne GUID in the shared state and in the objectAttribute, so the GUID can be used for future verification.
Fail: Failed to authenticate the user’s stored picture and live selfie.
Fail (Patch ID): Failed to authenticate the user’s stored picture and live selfie.
Error: There was an error during the authentication process.

Troubleshooting

If this node logs an error, review the log messages to find the reason for the error and address the issue appropriately.

PingOne Advanced Identity Cloud