Advanced Identity Cloud

Identity Store Decision node

The Identity Store Decision node attempts to match the provided username and password with the credentials stored in the identity store.

If the credentials exist, the node checks the following:

  • Is the profile locked?

  • Has the provided password expired?

  • Has the user cancelled a password reset?

Compatibility

Product Compatible?

Advanced Identity Cloud

Yes

PingAM (self-managed)

No

Ping Identity Platform (self-managed)

No

Inputs

The node reads the username and password fields from the node state.

The journey can provide these credentials in a number of ways, for example, with a combination of the Platform Username node and Platform Password node, or by using the Zero Page Login Collector node.

Dependencies

None

Configuration

Property Usage

Minimum Password Length

For password change requests, the node rejects passwords that are shorter than this value. If you set this value to 0, the node doesn’t check the password length.

Default: 8

Username as Universal Identifier

If you enable this property, the username property is set to the value of the uuid. For example, "username": "c636b756-ba6b-481d-ab4a-ab8c064cb24b".

If this property is false, the value of the username property remains unchanged. For example, "username": "bjensen".

Default: false

Use mixed case for password change messages

Return password change messages in mixed (sentence) case.

By default password reset and password change messages are transformed to upper case. Enable this option to return messages in sentence case.

Default: Disabled

Outputs

This node copies shared and transient state into the outgoing node state.

Outcomes

True

The credentials match those found in the identity store.

False

The credentials don’t match those found in the identity store.

Locked

The profile associated with the provided credentials is locked.

Cancelled

The user cancelled a password change request. The example provides a detailed explanation of this outcome.

Expired

The credentials match those found in the identity store, but the password has expired.

Example

The Identity Store Decision node in context

This example illustrates a simple login process.

  • A Page node with the embedded nodes (Platform Username node and Platform Password node) prompts the user for their credentials.

  • The Identity Store Decision node assesses the credentials:

    • If it finds the credentials in the data store and the credentials are valid, the journey follows the True outcome. An Increment Login Count node increments the login count and the user is authenticated.

    • If the credentials don’t exist in the data store, the journey follows the False outcome and authentication fails.

    • If the credentials exist in the data store but the account is locked, the journey follows the Locked outcome. A Message node displays a custom lockout message and authentication fails.

    • If the credentials exist in the data store but the user must change their password, the node prompts the user to change their password. If the user cancels this change request, the journey follows the Cancelled outcome. A Message node displays a custom message and authentication fails.

    • If the credentials exist in the data store but the password has expired, the node follows the Expired outcome. The user is routed to an inner tree journey that contains the password reset logic and then routes the user to the start of the journey to authenticate again.

Alternative nodes

  • The Data Store Decision node is a simpler node with only two outcomes, True and False. Use this node if the flow only requires these outcomes.

Copyright © 2010-2024 ForgeRock, all rights reserved.