Authentication Response Enrichment in PingOne Advanced Identity Cloud

By Darinder Shokar
Originally posted on Darinder Shokar – Medium

Introduction

The new year brings exciting, game-changing capabilities to PingOne Advanced Identity Cloud (P1AIC). Among them is a powerful new feature: authentication response enrichment. In this blog, we’ll explore the challenges it addresses and showcase a live demo of how it works.


Problem Space

Customers often want to enhance the authentication experience by embedding additional context and signals into the response message for both success and failure scenarios. These enriched insights can then be consumed by UIs, backend systems and other components to elevate and optimise the user experience.

Set Success and Failure Details Nodes

To meet these requirements, two new nodes have been developed: the Set Success Details and Set Failure Details nodes. Each can be dropped into the authentication Journey canvas to enrich both success and failure response scenarios.

Each node offers the flexibility to enrich the response with static data, data extracted from the session or dynamic data such as the response from an API or signals from the user-agent — or even a combination of all three!

Value Delivered

Both nodes provide lots of value, but here are a few key ones:

  • Experience — The ability to return API friendly contextual data in either the success or failure scenario to enhance the user experience and/or improve system performance.

  • Optimisation: Customers often need to make multiple calls to the authorisation server to retrieve additional context and data. Now, this information can be included directly in the response, reducing the need for extra round trips and delivering significant performance improvements. For example, session properties that previously required an additional call post-authentication can now be seamlessly provided in a single step through an enriched response.

  • In the failure scenario, the response can be enriched with static or dynamic data to support more meaningful error handling.

Demo

Let’s now bring things to life with a demo showcasing these new capabilities.

Deployment

  1. Go ahead and download the journey export JSON file from here

  2. From the P1AIC Platform Admin Console, navigate to Journeys on the left panel and hit Import

  3. If need be, take a backup

  4. Click Browse, locate the downloaded journey export JSON file, hit Next and finally Start Import

Once complete you will have a new journey called ExtendAuthN which will look like this:

ExtendAuthN Journey Export

Test Script

Now that the journey is deployed, let’s test it and see how it behaves.

  1. Go ahead and grab the test script from here and modify the REALM, AM_HOST, USERNAME and PASSWORD variables to match your environment.

Default AuthN Response

  1. Execute the script using ./success_failure_details_test_script.sh

  2. The initial state of the journey has been configured to not make use of the new nodes, so the default response will be returned:

Getting cookie name
CookieName is: e1a71980fe49133
*********************
Authenticating darinder user to generate SSO token
AuthN Response is:
{
  "tokenId": "kOzk4b...*",
  "successUrl": "/enduser/?realm=/alpha",
  "realm": "/alpha"
}

*********************

Enrich AuthN Response with Static content and Session Properties

  1. Let’s now make use of these new nodes! Open the ExtendAuthN journey and connect the Increment Login Count node to the Set Success Details node as below:

Modified journey to make use of the Set Success Details node
  1. Click the Set Success Details node and we’ll see the following configured:
  • A static value imaginatively called staticValue will be injected into the AuthN response with a value of static_value

  • Two session properties will be injected: the universalId of the user (universalIdSessionProperty) and the Authentication Level of the user (authLevelSessionProperty)

Set Success Details Node Config
  1. Execute the script again using ./success_failure_details_test_script.sh. This time we see the AuthN response enriched with this additional data:
Getting cookie name
CookieName is: e1a71980fe49133
*********************
Authenticating darinder user to generate SSO token
AuthN Response is:
{
  "tokenId": "uyMgn...*",
  "successUrl": "/enduser/?realm=/alpha",
  "realm": "/alpha",
New -->"universalIdSessionProperty": "id=fc53d77d-8a31-4e0f-ad55-dcaf78e002c2,ou=user,o=alpha,ou=services,ou=am-config",
New --> "authLevelSessionProperty": 10,
New -->  "staticValue": "static_value"
}

*********************

Enrich AuthN Response with Dynamic Content

The real power of this capability is the ability to enrich the response with dynamic content. In this case we’ll demo this via an API response.

  1. Head back to the journey and connect the Increment Login Count node to the Set Success Config Provider node as below:

Modified journey to make use of the Set Success Config Provider node
  1. Select the Set Success Config Provider Node and open the script by clicking the pen icon next to the ds-set-success-config-provider-script

  2. In the script modify sampleAPI to match your tenant address

  3. Execute the script again using ./success_failure_details_test_script.sh. This time we see the AuthN response enriched with all of the above plus additional dynamic data returned from the API:

Getting cookie name
CookieName is: e1a71980fe49133
*********************
Authenticating darinder user to generate SSO token
AuthN Response is:
{
  "tokenId": "Ttp5KaO7PX692CEfAd5Sdrno1Bs.*AAJTSQACMDIAAlNLABx0YjBBeU83c1l5Y2pnbG9MZjQ2MDVFVmp1NjA9AAR0eXBlAANDVFMAAlMxAAIwMQ..*",
  "successUrl": "/enduser/?realm=/alpha",
  "realm": "/alpha",
  "AuthLevelSessionProperty": 10,
  "universalIdSessionProperty": "id=fc53d77d-8a31-4e0f-ad55-dcaf78e002c2,ou=user,o=alpha,ou=services,ou=am-config",
  "staticValue": "static_value",
New --> "dynamicValueFromAPI": {
          "status": "OK"
        }
}

*********************

Enrich Failure AuthN Responses

The last scenario is enrichment for failure scenarios.

  1. Head back to the journey and connect the Increment Login Count node to the Set Failure Details node as below:

Modified journey to make use of the Set Failure Details node
  1. Click the Set Failure Details node and we’ll see the following configured:
  • A message of Error will be injected

  • A details block containing an error code of 1305 with a message of Config Provider Node Configuration Error will be injected

Set Failure Details Node
  1. Execute the script again using ./success_failure_details_test_script.sh. This time we see an HTTP 401 AuthN response enriched with error messaging a UI could use to improve the user experience:
Getting cookie name
CookieName is: e1a71980fe49133
*********************
Authenticating darinder user to generate SSO token
AuthN Response is:
{
  "code": 401,
  "reason": "Unauthorized",
New -->  "message": "Error",
New -->  "detail": {
    "Error_1305": "Config Provider Node Configuration Error"
  }
}

*********************
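
A UI or backend that consumes these responses has to separate the default fields from the enrichment and handle both the 200 and the 401 shapes. The JavaScript below is an added example, not the author's test script or P1AIC code; the function names and sample values are hypothetical, modelled on the output shown above.

```javascript
// Added example: client-side handling of the enriched AuthN responses.
// Field names come from the sample output on this page; function names are hypothetical.
const STANDARD_SUCCESS = new Set(["tokenId", "successUrl", "realm"]);

// Constructed samples modelled on the output above (tokenId and user id are placeholders).
const SAMPLE_SUCCESS = JSON.stringify({
  tokenId: "EXAMPLE-TOKEN", successUrl: "/enduser/?realm=/alpha", realm: "/alpha",
  universalIdSessionProperty: "id=EXAMPLE-USER,ou=user,o=alpha,ou=services,ou=am-config",
  authLevelSessionProperty: 10, staticValue: "static_value",
  dynamicValueFromAPI: { status: "OK" } });
const SAMPLE_FAILURE = JSON.stringify({
  code: 401, reason: "Unauthorized", message: "Error",
  detail: { Error_1305: "Config Provider Node Configuration Error" } });

function parseAuthnResponse(httpStatus, bodyText) {
  let body;
  try { body = JSON.parse(bodyText); }
  catch (e) { return { outcome: "error", error: "response body is not JSON" }; }
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { outcome: "error", error: "response body is not a JSON object" };
  }
  if (httpStatus === 200 && typeof body.tokenId === "string") {
    // Everything beyond the three default fields was added by Set Success Details.
    const enrichment = {};
    for (const [key, value] of Object.entries(body)) {
      if (!STANDARD_SUCCESS.has(key)) enrichment[key] = value;
    }
    return { outcome: "success", tokenId: body.tokenId, realm: body.realm,
             successUrl: body.successUrl, enrichment };
  }
  if (httpStatus === 401 && body.code === 401) {
    // "detail" maps an error key to its text, as set in the Set Failure Details node.
    const detail = (body.detail && typeof body.detail === "object") ? body.detail : {};
    const errors = Object.entries(detail).map(([key, text]) => ({ key, text: String(text) }));
    return { outcome: "failure", reason: body.reason, message: body.message ?? null, errors };
  }
  return { outcome: "error", error: `unexpected status ${httpStatus}` };
}

// Copy that is safe to log: the SSO token is a bearer credential, so it is masked.
function redactForLog(result) {
  return result.outcome === "success" ? { ...result, tokenId: "[REDACTED]" } : result;
}

console.log(redactForLog(parseAuthnResponse(200, SAMPLE_SUCCESS)));
console.log(parseAuthnResponse(401, SAMPLE_FAILURE));
```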

Conclusion

In conclusion, one of the most requested features, static and dynamic enrichment of authentication responses, is now available in P1AIC. This advancement paves the way for innovation to enhance customer experiences and optimise system performance.

Thanks for reading!