Ping Identity
Discover users, groups, applications, federation connections, OAuth/OIDC/SP settings, and **access policies** across PingOne & PingFederate. Govern non-human identities and their effective permissions across your SaaS estate.
What the connector discovers
- Applications & Connections
PingOne & PingFederate apps (OIDC/SAML), service apps, IdP/SP connections, virtual hosts, certificates and signing/encryption settings.
- OAuth/OIDC & Token Settings
Authorization servers, scopes, client grants, token lifetimes, PKCE requirements, refresh token rotation and audiences.
- Access Policies & Flows
Authentication policies, risk & step-up rules, MFA factors, policy exceptions and app overrides.
- Administrators & Roles
Admin users and role assignments (global, environment, app); delegated administration and custom roles.
- Effective Permissions
Scope-normalized view: which agent/app can do what on which resources at the moment of action.
Ping Identity powers complex enterprise identity, federation and API access. ClarioSec turns configuration into **runtime governance**: drift-aware scoring, pre-execution controls, and audit-grade narratives.
Drift-aware risk scoring
Baselines per app/agent; peer groups by function/team; detection of scope expansion, privilege creep and risky sequences (who → what → where → sensitivity).
Pre-execution enforcement
Allow / Alert / Block / Approve with governed overrides. Automatic minimization of scopes and rotation of secrets when thresholds are hit.
Audit-grade narratives
For each action, a narrative ties **rule → reason → proof → control map** (SOC 2, GDPR, ISO/IEC 27001 & 42001, AI Act).
Connect Ping Identity
ClarioSec supports **PingOne** (Management API) and **PingFederate** (Admin/REST APIs) with read-only scopes.
- PingOne — Register a Worker App
PingOne Admin → Connections → Worker → Create. Grant read access to Applications, Environments, Roles, Users/Groups, Policies, and Connections. Record Client ID/Secret & Environment ID.
- PingFederate — Enable Admin API
Create an OAuth client for the Admin REST API with read scopes. Provide the base URL and Client ID/Secret.
- Add credentials in ClarioSec
Open the Ping Identity connector and paste the environment base URL(s) and credentials (stored per tenant).
- Rate limits
ClarioSec honors Ping rate limits and auto-batches discovery to avoid throttling.
High-value objects pulled via PingOne & PingFederate APIs:
- Applications (OIDC/SAML), SP/IdP connections, certificates
- Authorization servers, scopes, client grants
- Access policies, MFA factors, risk rules, step-up flows
- Administrators, roles, delegated administration
- Users, groups, group assignments (optional)
Endpoint family: PingOne Management API & PingFederate Admin/REST APIs.
- Over-privileged worker/service apps
Worker apps or SP connections with broad permissions and no owner review.
- Weak token & connection settings
Excessive token lifetimes, missing PKCE, permissive redirect URIs, idle refresh tokens.
- Policy gaps & exemptions
Step-up/MFA exceptions or routing rules that undermine policy for sensitive apps.
- Certificates & trust drift
Expiring signing/encryption certs; mismatched entityIDs; unpinned metadata.
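As an added illustration (not ClarioSec's or Ping Identity's code), the weak token and connection settings listed above can be checked over exported client records as follows. The record field names, the thresholds, and the sample clients are assumptions constructed for this example, not a Ping API schema.

```python
from datetime import date
from urllib.parse import urlparse

# Assumed thresholds: the page names these findings but gives no numbers.
MAX_ACCESS_TOKEN_SECONDS = 3600
MAX_REFRESH_IDLE_DAYS = 30
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

def redirect_is_permissive(uri):
    """Flag wildcards, or cleartext http to a non-loopback host."""
    if "*" in uri:
        return True
    parsed = urlparse(uri)
    return parsed.scheme == "http" and parsed.hostname not in LOOPBACK_HOSTS

def audit_client(app, as_of):
    """Return sorted finding labels for one client record (hypothetical schema)."""
    findings = set()
    if app["access_token_seconds"] > MAX_ACCESS_TOKEN_SECONDS:
        findings.add("excessive_token_lifetime")
    if "authorization_code" in app["grant_types"] and not app["pkce_required"]:
        findings.add("missing_pkce")
    if any(redirect_is_permissive(u) for u in app["redirect_uris"]):
        findings.add("permissive_redirect_uri")
    last_used = app.get("refresh_last_used")  # None means no refresh token issued
    if "refresh_token" in app["grant_types"] and last_used is not None:
        if (as_of - last_used).days > MAX_REFRESH_IDLE_DAYS:
            findings.add("idle_refresh_token")
    return sorted(findings)

def audit_all(clients, as_of):
    """Map each client name to its findings as of the given date."""
    return {c["name"]: audit_client(c, as_of) for c in clients}

# Constructed sample records; names and values are illustrative only.
SAMPLE_CLIENTS = [
    {"name": "billing-spa", "grant_types": ["authorization_code", "refresh_token"],
     "pkce_required": False, "access_token_seconds": 86400,
     "redirect_uris": ["https://*.example.test/callback"],
     "refresh_last_used": date(2024, 1, 5)},
    {"name": "hr-portal", "grant_types": ["authorization_code"],
     "pkce_required": True, "access_token_seconds": 900,
     "redirect_uris": ["https://hr.example.test/callback", "http://127.0.0.1:8400/cb"],
     "refresh_last_used": None},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_CLIENTS, date(2024, 6, 1)).items():
        print(name, findings or "ok")
```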
- Just-in-time approvals for new client grants & connections
- Automatic scope minimization and secret rotation
- Owner attestations for apps and federation links
- Audit-grade narratives mapped to SOC 2 / GDPR / ISO / AI Act
Ready to govern Ping Identity agents at runtime?
Move from directory posture to provable behavior — identity → permission → action → narrative.