In PingAM 8.0.2, the Intelligent Access engine (Authentication Trees) uses a specific data-passing mechanism to move information between individual nodes within a single journey. When a journey involves collecting context—such as device metadata (OS, version, screen resolution), location data (IP, geofencing), or risk signals—this information must be stored temporarily while the tree evaluates the next steps.
According to the "Authentication Node Development" and "Nodes and Trees" documentation, PingAM uses two primary transient storage objects during the authentication flow:
Shared State: This is the primary map used to share data between nodes in the same tree. Contextual data collected by nodes like theDevice Profile CollectororBrowser Capabilitiesnodes is stored here. It exists only for the duration of the authentication journey.
Transient State: Similar to shared state, but often used for sensitive data that should not be visible to certain types of nodes or scripts.
The documentation identifiesShared Node State(Option B) as the best practice for persisting collected contextduringthe tree process.
Session State(Option A) is only availableafterthe authentication is successful and a session has been created. It is not suitable for data needed by nodes within the tree to make a decision (like a risk engine node).
User Profile(Option C) is for long-term persistence (LDAP/PingDS). Storing transient device context there would cause unnecessary database write overhead and privacy concerns.
Browser Cookies(Option D) are limited in size and pose security risks if used to store raw device data that could be tampered with by the client.
Therefore, for real-time risk analysis within a journey, nodes write data to the shared state, where subsequent nodes (like aScripted Decision NodeorAdaptive Risk Node) can retrieve and analyze it.
