Identity Cloud

PingOne Verify Proofing

The PingOne Verify Proofing node lets administrators integrate PingOne Verify verification functionality using Government ID, Facial Comparison, and Liveness in a journey.

Compatibility

Product - Compatible?

ForgeRock Identity Cloud - Yes

ForgeRock Access Management (self-managed) - Yes

ForgeRock Identity Platform (self-managed) - Yes

Inputs

The node reads the username from shared state.

To provide the username in shared state, configure a node such as the Platform Username node earlier in the journey.

Additionally, the node first looks for the attribute containing the PingOne UserID in the shared state. If that information is not found in the journey state, the node looks up the user in the local datastore to retrieve the PingOne UserID.

If the PingOne UserID does not exist in the local datastore, or does not exist in the PingOne datastore, a new user is created in PingOne to perform the verification.

Dependencies

You must configure the PingOne Verify service before using this node.

Configuration

Property Usage

PingOne Service

Service for PingOne, PingOne DaVinci API, PingOne Protect, and PingOne Verify nodes.

PingOne Verify Policy ID

PingOne Verify Policy ID to use. The policy is expected to have the following details set:

  • ID Verification is set to REQUIRED.

  • Facial Comparison is set to REQUIRED.

  • Liveness is set to REQUIRED.

Verify URL delivery mode

How the verify URL is delivered: displayed as a QR code, or sent directly by email or SMS.

Let user choose the delivery method

If checked, the user is prompted for the delivery method.

Delivery message choice

The message to display when prompting the user to select the delivery route (QR, SMS, or email). If the QR delivery route is selected, the verify code displays along with the message.

Document type required

To accept any valid government ID, leave this set to ANY; otherwise, specify the document type to enforce.

PingOne UserID Attribute

Local attribute name to retrieve the PingOne UserID from. The node looks in journey state first, then in the local datastore.

Age threshold

If specified (in years), the node extracts the date of birth from the claims and validates that the age is equal to or greater than the specified threshold. Set to 0 to disable the age check.

Attribute map

Map PingOne Verify Claims to objectAttributes on shared state. The KEY is objectAttribute and the VALUE is the Verify Claim Key. Use IDM keys for claim mapping. Refer to user mapping details for claim mapping keys.

Attribute match confidence map

Optionally, send the attributes entered by the user during registration to PingOne Verify for verification with imprecise matching. The value is the minimum confidence level required to mark verification as successful (LOW/MEDIUM/HIGH/EXACT).

Fail expired documents

For documents that contain an expiration date, fail if the document is out of date.

Submission timeout

Verification submission timeout in seconds. The value must be under the authentication session validity time.

Waiting message

The message to display while waiting for the user to complete the authentication with PingOne Verify.

Save verified claims from PingOne Verify to Transient State

Save verified claims from the PingOne Verify API response to transient state with a key of VerifyClaimResult.

Save verification metadata from PingOne Verify to Transient State

Save verification explanation data from PingOne Verify to transient state with a key of VerifyMetadataResult.

Leave access token in transientState

If checked, the PingOne access token is preserved in transient state with a key of VerifyAT.

Leave PingOne Verify transaction id in transientState

If checked, the PingOne transaction ID is preserved in transient state with a key of VerifyTransactionID.

Demo mode

When selected, the journey continues along the Success outcome path.
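The settings above can be reviewed mechanically before a journey is promoted out of a lab environment. The following is an added example, not ForgeRock or Ping Identity code: every property name (`demoMode`, `submissionTimeoutSeconds`, and so on) is a hypothetical stand-in for the setting of the same meaning on this page, the severity labels are the example's own, and the sample objects are constructed.

```javascript
// Added example: review a PingOne Verify Proofing node configuration.
// All property names are hypothetical stand-ins for the settings this page
// describes; they are not the node's real configuration keys.
const CONFIDENCE_LEVELS = new Set(["LOW", "MEDIUM", "HIGH", "EXACT"]);
const REQUIRED_POLICY_CHECKS = ["idVerification", "facialComparison", "liveness"];

function reviewVerifyNodeConfig(node, policy, sessionValiditySeconds) {
  const findings = [];
  const add = (severity, message) => findings.push({ severity, message });
  // The policy is expected to have all three checks set to REQUIRED.
  for (const check of REQUIRED_POLICY_CHECKS) {
    if (policy[check] !== "REQUIRED") add("high", `policy: ${check} is not REQUIRED`);
  }
  // Demo mode sends the journey down the Success outcome path.
  if (node.demoMode) add("high", "demoMode is enabled");
  // The submission timeout must be under the authentication session validity time.
  // Written as !(a < b) so a missing or non-numeric timeout is also flagged.
  if (!(node.submissionTimeoutSeconds < sessionValiditySeconds)) {
    add("high", "submissionTimeoutSeconds is not under the session validity time");
  }
  // Confidence values must be one of the four documented levels.
  for (const [attr, level] of Object.entries(node.attributeMatchConfidence || {})) {
    if (!CONFIDENCE_LEVELS.has(level)) add("high", `confidence for ${attr} is invalid: ${level}`);
    else if (level === "LOW") add("low", `confidence for ${attr} is LOW`);
  }
  if (node.ageThresholdYears === 0) add("info", "age check is disabled (threshold 0)");
  if (!node.failExpiredDocuments) add("medium", "expired documents are not failed");
  if (node.leaveAccessTokenInTransientState) add("medium", "access token kept in transient state (VerifyAT)");
  return findings;
}

// Constructed sample input: a lab configuration and a hardened one.
const policy = { idVerification: "REQUIRED", facialComparison: "REQUIRED", liveness: "OPTIONAL" };
const labNode = {
  demoMode: true, submissionTimeoutSeconds: 600, ageThresholdYears: 0,
  attributeMatchConfidence: { givenName: "LOW", sn: "ALMOST" },
  failExpiredDocuments: false, leaveAccessTokenInTransientState: true,
};
const hardenedPolicy = { ...policy, liveness: "REQUIRED" };
const hardenedNode = {
  demoMode: false, submissionTimeoutSeconds: 240, ageThresholdYears: 18,
  attributeMatchConfidence: { givenName: "HIGH", sn: "HIGH" },
  failExpiredDocuments: true, leaveAccessTokenInTransientState: false,
};

for (const f of reviewVerifyNodeConfig(labNode, policy, 300)) {
  console.log(`[${f.severity}] ${f.message}`);
}
console.log("hardened findings:", reviewVerifyNodeConfig(hardenedNode, hardenedPolicy, 300).length);
```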

Outputs

  • VerifyNeedPatch - The new PingOne user's GUID, if a new PingOne user was created

  • VerifyClaimResult - Verified claims

  • VerifyMetadataResult - The verification metadata

  • VerifyAT - The access token used to perform the PingOne Verify

  • VerifyTransactionID - The PingOne Verify transaction ID

  • VerifiedFailedReason - If a failure occurs, summary detail of the reason

Outcomes

Success

All configured checks passed.

Success (Patch ID)

All configured checks passed. Additionally, the node needed to create a new user in PingOne to perform the verification. This is because the stored GUID on the local user was invalid or didn’t exist. The node stored the new user’s PingOne GUID in the shared state on the PingOne UserID Attribute key and on the objectAttribute, so the GUID can be saved to the local user’s account and used for future verifications.

Fail

One of the configured checks failed.

Fail (Patch ID)

One of the configured checks failed. Additionally, the node needed to create a new user in PingOne to perform the verification. This is because the stored GUID on the local user was invalid or didn’t exist. The node stored the new user’s PingOne GUID in the shared state on the PingOne UserID Attribute key and on the objectAttribute, so the GUID can be saved to the local user’s account and used for future verifications.

Error

There was an error during the authentication process.

Troubleshooting

If this node logs an error, review the log messages to find the reason for the error and address the issue appropriately.

Copyright © 2010-2024 ForgeRock, all rights reserved.