Skip to content

PingIdentity Keys

Service Name: Ping Identity

Service Description: Ping Identity is an identity and access management (IAM) platform that provides secure access to applications, APIs, and data for employees, partners, and customers. It offers solutions for single sign-on (SSO), multi-factor authentication (MFA), API security, and identity governance.

Service Address: https://www.pingidentity.com/

Validation Type: -

IP Allow list: IP restrictions can be configured at the environment level through Ping Identity's administrative console.

Secret Access Scope: Depending on the specific key type, PingIdentity keys can grant access to various Ping Identity services including PingFederate, PingAccess, PingOne, and PingDirectory. These keys may allow for API access, administrative functions, or integration with other services.

Secret Revokement URL: https://docs.pingidentity.com/r/en-us/pingone/p1_t_revokeaccesstokens

Secret Example: eyJhbGciOiJSUzI1NiIsImtpZCI6IjEiLCJwaS5hdG0iOiJ5dlFCIn0.eyJzY29wZSI6Im9wZW5pZCIsImNsaWVudF9pZCI6IjEyMzQ1Njc4OTAiLCJpc3MiOiJodHRwczovL2F1dGgucGluZ2lkZW50aXR5LmNvbSIsImF1ZCI6IjEyMzQ1Njc4OTAiLCJzdWIiOiIxMjM0NTY3ODkwIiwiZXhwIjoxNjE3MjM0NTY3OH0.signature

Suspicious Activity Investigation Instructions:

  • Review access logs in the Ping Identity administrative console for unusual login patterns or API calls.
  • Check for unauthorized changes to identity configurations or policy settings.
  • Monitor for unexpected authentication attempts or access to protected resources.
  • Examine API usage patterns for abnormal volume or unusual endpoints being accessed.
  • Verify if there are any new applications or integrations that have been configured without proper authorization.

Mitigation Instructions:

  • Log in to the Ping Identity administrative console.
  • Navigate to the OAuth Client or API Access section.
  • Locate the compromised key or client and revoke/delete it.
  • Generate a new key if needed, with appropriate scopes and permissions.
  • Update any legitimate applications or services to use the new key.
  • Review and strengthen access policies for API keys and OAuth clients.
  • Implement shorter expiration times for access tokens.
  • Consider implementing additional security controls such as IP restrictions or certificate-based authentication.