andyrobbins/PingOneHound

PingOneHound

Brief

PingOne is an identity provider (IDP) product from the Ping Identity Corporation. PingOneHound collects the data necessary to:

  • Identify, Analyze, and Execute PingOne Attack Paths
    Discover attack paths that may degrade the security posture of a PingOne instance.

  • Easily Audit Object-Level Permissions
    Observe both the configurations and the outcomes created by PingOne RBAC mechanics and configurations.

Limitations

PingOneHound has only been tested in non-production environments. It may not scale to production environments as written. We would greatly appreciate your feedback on any performance or visibility issues you encounter while running this software.

Collector Setup & Usage

  1. Audit account creation

    • Create and configure a new PingOne worker application.
    • Enable the worker application for authentication.
    • Grant the worker application the "Configuration Read Only" role scoped to the top-level organization.
    • Grant the worker application the "Identity Data Read Only" role scoped to each environment you intend to collect.
    • Note the worker application ID and secret.
  2. Register PingOneHound nodes in BloodHound

    • Dot‑source the script so its functions become available:
      . .\pingonehound.ps1
    • Execute the node registration function:
      Register-PingOneHoundNodes `
         -BHTokenID "8bcb9998-8cd7-4900-bdb2-cb629e0f80b5" `
         -BHTokenKey "fBgwN98g4BgW2r4dbQ3NOQRuEOFd6CpxAicHc5qD8qwlc1F37XYCdQ=="
  3. Run the Collector

    • Execute the main function:
      Invoke-PingOneHound `
         -PingOneOrganizationID     "91dfce60-99c1-4f33-8e4a-f9957198a5d0" `
         -PingOneHoundEnvironmentID "22c7790d-cc17-41fb-962d-9b814f966316" `
         -PingOneHoundClientID      "6e22e53b-f268-4cd2-b74a-70d352228dab" `
         -PingOneHoundClientSecret  "hunter2"
    • By default, this will emit a BloodHound‑compatible JSON graph named:
      pingonehound_<environmentid>.json
      
  4. Load the data into BloodHound

    • Drag and drop the json file into BloodHound's file upload modal.
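Before running the collector it is worth confirming that the worker application from step 1 holds exactly the two read-only roles above and nothing broader, since its secret will sit on the machine you collect from. The following check is an added example, not part of PingOneHound. It assumes role and role-assignment objects in the shape PingOne's management API returns them (a role id plus a scope with an id and a type such as ORGANIZATION or ENVIRONMENT, as served by GET .../roles and GET .../applications/{appId}/roleAssignments); the role list and assignment payload below are constructed, so substitute the live responses.

```python
"""Least-privilege check for the PingOneHound collector account.

Added example, not PingOneHound code. Compares a worker application's role
assignments against the README's setup: Configuration Read Only scoped to the
organization and Identity Data Read Only scoped to every environment that will
be collected. Anything beyond that is reported as excess.
"""

# Constructed: role id -> role name, as GET /v1/environments/{envId}/roles returns.
ROLES = {
    "role-cro": "Configuration Read Only",
    "role-idro": "Identity Data Read Only",
    "role-envadmin": "Environment Admin",
}

# Constructed: the _embedded.roleAssignments list for the worker application.
ASSIGNMENTS = [
    {"role": {"id": "role-cro"}, "scope": {"id": "org-1", "type": "ORGANIZATION"}},
    {"role": {"id": "role-idro"}, "scope": {"id": "env-1", "type": "ENVIRONMENT"}},
    {"role": {"id": "role-idro"}, "scope": {"id": "env-2", "type": "ENVIRONMENT"}},
    # Deliberately over-privileged: the collector never needs an admin role.
    {"role": {"id": "role-envadmin"}, "scope": {"id": "env-1", "type": "ENVIRONMENT"}},
]

REQUIRED_ORG_ROLE = "Configuration Read Only"
REQUIRED_ENV_ROLE = "Identity Data Read Only"


def check_collector_roles(roles, assignments, org_id, env_ids):
    """Return (missing, excess) as sorted lists of (role name, scope type, scope id).

    missing: required assignments the worker application does not hold.
    excess:  assignments it holds that the collector does not need.
    """
    required = {(REQUIRED_ORG_ROLE, "ORGANIZATION", org_id)}
    required |= {(REQUIRED_ENV_ROLE, "ENVIRONMENT", env_id) for env_id in env_ids}
    held = set()
    for assignment in assignments:
        role_id = assignment["role"]["id"]
        # An id we cannot resolve is kept raw so it still shows up as excess.
        name = roles.get(role_id, role_id)
        held.add((name, assignment["scope"]["type"], assignment["scope"]["id"]))
    return sorted(required - held), sorted(held - required)


if __name__ == "__main__":
    missing, excess = check_collector_roles(ROLES, ASSIGNMENTS, "org-1", ["env-1", "env-2"])
    for item in missing:
        print("MISSING:", item)
    for item in excess:
        print("EXCESS: ", item)
```

Run it against the live role list and the worker application's role assignments for the organization id and the environment ids you pass to Invoke-PingOneHound; an empty excess list means the account is scoped as tightly as the setup steps describe.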

Schema

---
config:
  layout: elk
---
flowchart TD
    PingOneOrganization[fa:fa-globe PingOneOrganization]
    PingOneEnvironment[fa:fa-earth-americas PingOneEnvironment]
    PingOneUser[fa:fa-user PingOneUser]
    PingOneGroup[fa:fa-users PingOneGroup]
    PingOnePopulation[fa:fa-folder PingOnePopulation]
    PingOneRole[fa:fa-clipboard PingOneRole]
    PingOneRoleAssignment[fa:fa-clipboard-check PingOneRoleAssignment]
    PingOneApplication[fa:fa-window-maximize PingOneApplication]
    PingOneGateway[fa:fa-right-to-bracket PingOneGateway]
    PingOnePropagationStore[fa:fa-right-from-bracket PingOnePropagationStore]

    style PingOneOrganization fill:#16a5a5
    style PingOneEnvironment fill:#73d8ff
    style PingOneUser fill:#d33115,color:#fff
    style PingOneGroup fill:#fcdc00
    style PingOnePopulation fill:#0062b1,color:#fff
    style PingOneRole fill:#942663,color:#fff
    style PingOneRoleAssignment fill:#fda1ff
    style PingOneApplication fill:#68bc00
    style PingOneGateway fill:#aea1ff
    style PingOnePropagationStore fill:#fb9e00
    
    PingOneOrganization -.->|PingOneContains| PingOneEnvironment
    PingOneEnvironment -.->|PingOneContains| PingOneUser
    PingOneEnvironment -.->|PingOneContains| PingOneGroup
    PingOneEnvironment -.->|PingOneContains| PingOnePopulation
    PingOneEnvironment -.->|PingOneContains| PingOneRole
    PingOneEnvironment -.->|PingOneContains| PingOneRoleAssignment
    PingOneEnvironment -.->|PingOneContains| PingOneApplication
    PingOneEnvironment -.->|PingOneContains| PingOneGateway
    PingOneEnvironment -.->|PingOneContains| PingOnePropagationStore

    PingOneUser -.->|PingOneHasRoleAssignment| PingOneRoleAssignment
    PingOneGroup -.->|PingOneHasRoleAssignment| PingOneRoleAssignment
    PingOneApplication -.->|PingOneHasRoleAssignment| PingOneRoleAssignment
    PingOneGateway -.->|PingOneHasRoleAssignment| PingOneRoleAssignment

    PingOneRoleAssignment -.->|PingOneRoleAssignmentScopedTo| PingOneOrganization
    PingOneRoleAssignment -.->|PingOneRoleAssignmentScopedTo| PingOneEnvironment
    PingOneRoleAssignment -.->|PingOneRoleAssignmentScopedTo| PingOnePopulation
    PingOneRoleAssignment -.->|PingOneRoleAssignmentScopedTo| PingOneApplication

    PingOneUser -->|PingOneMemberOfGroup| PingOneGroup
    PingOneGroup -->|PingOneMemberOfGroup| PingOneGroup

    PingOneUser -.->|PingOneMemberOfPopulation| PingOnePopulation

    PingOneUser -->|PingOneApplicationOwner| PingOneApplication
    PingOneGroup -->|PingOneApplicationOwner| PingOneApplication
    PingOneApplication -->|PingOneApplicationOwner| PingOneApplication
    PingOneGateway -->|PingOneApplicationOwner| PingOneApplication

    PingOneUser -->|PingOneClientApplicationDeveloper| PingOneApplication
    PingOneGroup -->|PingOneClientApplicationDeveloper| PingOneApplication
    PingOneApplication -->|PingOneClientApplicationDeveloper| PingOneApplication
    PingOneGateway -->|PingOneClientApplicationDeveloper| PingOneApplication

    PingOneUser -->|PingOneConfigurationReadOnly| PingOneApplication
    PingOneGroup -->|PingOneConfigurationReadOnly| PingOneApplication
    PingOneApplication -->|PingOneConfigurationReadOnly| PingOneApplication
    PingOneGateway -->|PingOneConfigurationReadOnly| PingOneApplication

    PingOneUser -->|PingOneConfigurationReadOnly| PingOnePropagationStore
    PingOneGroup -->|PingOneConfigurationReadOnly| PingOnePropagationStore
    PingOneApplication -->|PingOneConfigurationReadOnly| PingOnePropagationStore
    PingOneGateway -->|PingOneConfigurationReadOnly| PingOnePropagationStore

    PingOneUser -->|PingOneEnvironmentAdmin| PingOnePropagationStore
    PingOneGroup -->|PingOneEnvironmentAdmin| PingOnePropagationStore
    PingOneApplication -->|PingOneEnvironmentAdmin| PingOnePropagationStore
    PingOneGateway -->|PingOneEnvironmentAdmin| PingOnePropagationStore

    PingOneUser -->|PingOneEnvironmentAdmin| PingOneApplication
    PingOneGroup -->|PingOneEnvironmentAdmin| PingOneApplication
    PingOneApplication -->|PingOneEnvironmentAdmin| PingOneApplication
    PingOneGateway -->|PingOneEnvironmentAdmin| PingOneApplication

    PingOneUser -->|PingOneEnvironmentAdmin| PingOneGateway
    PingOneGroup -->|PingOneEnvironmentAdmin| PingOneGateway
    PingOneApplication -->|PingOneEnvironmentAdmin| PingOneGateway
    PingOneGateway -->|PingOneEnvironmentAdmin| PingOneGateway

    PingOneUser -->|PingOneIdentityDataAdmin| PingOneGroup
    PingOneGroup -->|PingOneIdentityDataAdmin| PingOneGroup
    PingOneApplication -->|PingOneIdentityDataAdmin| PingOneGroup
    PingOneGateway -->|PingOneIdentityDataAdmin| PingOneGroup

    PingOneUser -->|PingOneIdentityDataAdmin| PingOneUser
    PingOneGroup -->|PingOneIdentityDataAdmin| PingOneUser
    PingOneApplication -->|PingOneIdentityDataAdmin| PingOneUser
    PingOneGateway -->|PingOneIdentityDataAdmin| PingOneUser

Nodes

Node classes correspond to each PingOne object type.

| Node Class | Description | Icon | Color |
|---|---|---|---|
| PingOneOrganization | The top-level container for each PingOne instance | globe | #16a5a5 |
| PingOneEnvironment | The mid-level container for PingOne instances which contains users, groups, etc. | earth-americas | #73d8ff |
| PingOneUser | A user principal that can be authenticated by PingOne | user | #d33115 |
| PingOneGroup | A security group that can have other principals as its members | users | #fcdc00 |
| PingOnePopulation | An organizational unit for PingOne users. All PingOne users must belong to a population. | folder | #0062b1 |
| PingOneRole | The definition object for a PingOne RBAC role | clipboard-list | #025e00 |
| PingOneRoleAssignment | An object that binds a principal to both a role and a scope | clipboard-check | #fda1ff |
| PingOneApplication | Applications can authenticate as themselves and can have role assignments | window-maximize | #68bc00 |
| PingOneGateway | An "inbound" connector object that may enable initial access into a PingOne instance | right-to-bracket | #aea1ff |
| PingOnePropagationStore | An "outbound" connector object that may enable initial access from PingOne into a different platform | right-from-bracket | #fb9e00 |

Edges

Edges capture each relationship: what contains what, group memberships, role assignments, etc. Only edges marked Traversable are followed when searching for attack paths; the rest are kept for auditing and scope context.

| Edge Type | Source | Target | Description | Traversable |
|---|---|---|---|---|
| PingOneContains | PingOneOrganization | PingOneEnvironment | Organizations contain environments | No |
| PingOneContains | PingOneEnvironment | PingOneUser | Environments contain users | No |
| PingOneContains | PingOneEnvironment | PingOneGroup | Environments contain groups | No |
| PingOneContains | PingOneEnvironment | PingOnePopulation | Environments contain populations | No |
| PingOneContains | PingOneEnvironment | PingOneRole | Environments contain roles | No |
| PingOneContains | PingOneEnvironment | PingOneRoleAssignment | Environments contain role assignments | No |
| PingOneContains | PingOneEnvironment | PingOneApplication | Environments contain applications | No |
| PingOneContains | PingOneEnvironment | PingOneGateway | Environments contain gateways | No |
| PingOneContains | PingOneEnvironment | PingOnePropagationStore | Environments contain propagation stores | No |
| PingOneHasRoleAssignment | PingOneUser | PingOneRoleAssignment | User has a role assignment | No |
| PingOneHasRoleAssignment | PingOneGroup | PingOneRoleAssignment | Group has a role assignment | No |
| PingOneHasRoleAssignment | PingOneApplication | PingOneRoleAssignment | Application has a role assignment | No |
| PingOneHasRoleAssignment | PingOneGateway | PingOneRoleAssignment | Gateway has a role assignment | No |
| PingOneMemberOfGroup | PingOneUser | PingOneGroup | User is a member of a group | Yes |
| PingOneMemberOfGroup | PingOneGroup | PingOneGroup | Group is a member of a group | Yes |
| PingOneMemberOfPopulation | PingOneUser | PingOnePopulation | Users belong to populations | No |
| PingOneApplicationOwner | PingOneUser | PingOneApplication | Enables reading the application's plaintext secret | Yes |
| PingOneApplicationOwner | PingOneGroup | PingOneApplication | Enables reading the application's plaintext secret | Yes |
| PingOneApplicationOwner | PingOneApplication | PingOneApplication | Enables reading the application's plaintext secret | Yes |
| PingOneApplicationOwner | PingOneGateway | PingOneApplication | Enables reading the application's plaintext secret | Yes |
| PingOneClientApplicationDeveloper | PingOneUser | PingOneApplication | Enables reading the application's plaintext secret | Yes |
| PingOneClientApplicationDeveloper | PingOneGroup | PingOneApplication | Enables reading the application's plaintext secret | Yes |
| PingOneClientApplicationDeveloper | PingOneApplication | PingOneApplication | Enables reading the application's plaintext secret | Yes |
| PingOneClientApplicationDeveloper | PingOneGateway | PingOneApplication | Enables reading the application's plaintext secret | Yes |
| PingOneConfigurationReadOnly | PingOneUser | PingOneApplication | Enables reading the application's plaintext secret | Yes |
| PingOneConfigurationReadOnly | PingOneGroup | PingOneApplication | Enables reading the application's plaintext secret | Yes |
| PingOneConfigurationReadOnly | PingOneApplication | PingOneApplication | Enables reading the application's plaintext secret | Yes |
| PingOneConfigurationReadOnly | PingOneGateway | PingOneApplication | Enables reading the application's plaintext secret | Yes |
| PingOneEnvironmentAdmin | PingOneUser | PingOneGateway | Enables adding a new authentication secret to the gateway | Yes |
| PingOneEnvironmentAdmin | PingOneGroup | PingOneGateway | Enables adding a new authentication secret to the gateway | Yes |
| PingOneEnvironmentAdmin | PingOneApplication | PingOneGateway | Enables adding a new authentication secret to the gateway | Yes |
| PingOneEnvironmentAdmin | PingOneGateway | PingOneGateway | Enables adding a new authentication secret to the gateway | Yes |
| PingOneConfigurationReadOnly | PingOneUser | PingOnePropagationStore | Enables reading the propagation store's OATH token | Yes |
| PingOneConfigurationReadOnly | PingOneGroup | PingOnePropagationStore | Enables reading the propagation store's OATH token | Yes |
| PingOneConfigurationReadOnly | PingOneApplication | PingOnePropagationStore | Enables reading the propagation store's OATH token | Yes |
| PingOneConfigurationReadOnly | PingOneGateway | PingOnePropagationStore | Enables reading the propagation store's OATH token | Yes |
| PingOneEnvironmentAdmin | PingOneUser | PingOnePropagationStore | Enables reading the propagation store's OATH token | Yes |
| PingOneEnvironmentAdmin | PingOneGroup | PingOnePropagationStore | Enables reading the propagation store's OATH token | Yes |
| PingOneEnvironmentAdmin | PingOneApplication | PingOnePropagationStore | Enables reading the propagation store's OATH token | Yes |
| PingOneEnvironmentAdmin | PingOneGateway | PingOnePropagationStore | Enables reading the propagation store's OATH token | Yes |
| PingOneEnvironmentAdmin | PingOneUser | PingOneApplication | Enables reading the application's plaintext secret | Yes |
| PingOneEnvironmentAdmin | PingOneGroup | PingOneApplication | Enables reading the application's plaintext secret | Yes |
| PingOneEnvironmentAdmin | PingOneApplication | PingOneApplication | Enables reading the application's plaintext secret | Yes |
| PingOneEnvironmentAdmin | PingOneGateway | PingOneApplication | Enables reading the application's plaintext secret | Yes |
| PingOneIdentityDataAdmin | PingOneUser | PingOneGroup | Enables adding principals to the group | Yes |
| PingOneIdentityDataAdmin | PingOneGroup | PingOneGroup | Enables adding principals to the group | Yes |
| PingOneIdentityDataAdmin | PingOneApplication | PingOneGroup | Enables adding principals to the group | Yes |
| PingOneIdentityDataAdmin | PingOneGateway | PingOneGroup | Enables adding principals to the group | Yes |
| PingOneIdentityDataAdmin | PingOneUser | PingOneUser | Enables force changing the user's password | Yes |
| PingOneIdentityDataAdmin | PingOneGroup | PingOneUser | Enables force changing the user's password | Yes |
| PingOneIdentityDataAdmin | PingOneApplication | PingOneUser | Enables force changing the user's password | Yes |
| PingOneIdentityDataAdmin | PingOneGateway | PingOneUser | Enables force changing the user's password | Yes |
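To make the Traversable column concrete, here is an added example (not PingOneHound's code) that builds a small constructed tenant from the node and edge kinds in the schema above, searches for an attack path following only traversable edges, and serialises the result in the shape of BloodHound's generic OpenGraph ingest JSON. The OpenGraph shape and the source kind name "PingOne" are assumptions; the exact JSON that Invoke-PingOneHound writes is not shown on this page. Every node id in the sample is invented.

```python
"""Added example (not PingOneHound code): attack-path search over the edge
schema above, plus an emitter in the assumed shape of BloodHound's generic
OpenGraph ingest JSON. All node ids are constructed for illustration."""
import json
from collections import deque

# Edge kind -> the Traversable column of the Edges table.
TRAVERSABLE = {
    "PingOneContains": False,
    "PingOneHasRoleAssignment": False,
    "PingOneRoleAssignmentScopedTo": False,
    "PingOneMemberOfPopulation": False,
    "PingOneMemberOfGroup": True,
    "PingOneApplicationOwner": True,
    "PingOneClientApplicationDeveloper": True,
    "PingOneConfigurationReadOnly": True,
    "PingOneEnvironmentAdmin": True,
    "PingOneIdentityDataAdmin": True,
}


def build_sample_graph():
    """Constructed tenant: node id -> node class, and (source, kind, target) edges."""
    nodes = {
        "org-1": "PingOneOrganization", "env-1": "PingOneEnvironment",
        "pop-1": "PingOnePopulation", "alice": "PingOneUser", "bob": "PingOneUser",
        "helpdesk": "PingOneGroup", "automation-app": "PingOneApplication",
        "gw-1": "PingOneGateway", "ra-1": "PingOneRoleAssignment",
    }
    edges = [
        ("org-1", "PingOneContains", "env-1"),
        ("env-1", "PingOneContains", "pop-1"),
        ("env-1", "PingOneContains", "alice"),
        ("env-1", "PingOneContains", "bob"),
        ("env-1", "PingOneContains", "helpdesk"),
        ("env-1", "PingOneContains", "automation-app"),
        ("env-1", "PingOneContains", "gw-1"),
        ("env-1", "PingOneContains", "ra-1"),
        ("alice", "PingOneMemberOfPopulation", "pop-1"),
        ("bob", "PingOneMemberOfPopulation", "pop-1"),
        ("alice", "PingOneMemberOfGroup", "helpdesk"),
        # helpdesk holds Configuration Read Only on env-1, so it can read the
        # plaintext secret of every application in that environment.
        ("helpdesk", "PingOneConfigurationReadOnly", "automation-app"),
        # The worker app holds Identity Data Admin on env-1 (force password
        # resets, add group members) and Environment Admin scoped to the org.
        ("automation-app", "PingOneIdentityDataAdmin", "alice"),
        ("automation-app", "PingOneIdentityDataAdmin", "bob"),
        ("automation-app", "PingOneIdentityDataAdmin", "helpdesk"),
        ("automation-app", "PingOneEnvironmentAdmin", "gw-1"),
        ("automation-app", "PingOneHasRoleAssignment", "ra-1"),
        ("ra-1", "PingOneRoleAssignmentScopedTo", "org-1"),
    ]
    return nodes, edges


def find_path(edges, start, target, traversable_only=True):
    """Shortest path from start to target as a list of (source, kind, target).

    With traversable_only=True (attack-path mode) only Traversable=Yes edges
    are followed; with False (audit mode) every edge is, so scope and
    containment context becomes reachable. Returns None if no path exists."""
    adjacency = {}
    for src, kind, dst in edges:
        if traversable_only and not TRAVERSABLE[kind]:
            continue
        adjacency.setdefault(src, []).append((kind, dst))
    parent = {start: None}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        if current == target:
            break
        for kind, nxt in adjacency.get(current, []):
            if nxt not in parent:
                parent[nxt] = (current, kind)
                queue.append(nxt)
    if target not in parent:
        return None
    path, node = [], target
    while parent[node] is not None:
        prev, kind = parent[node]
        path.append((prev, kind, node))
        node = prev
    return list(reversed(path))


def to_opengraph(nodes, edges, source_kind="PingOne"):
    """Assumed OpenGraph generic-ingest shape; check against your BloodHound version."""
    return {
        "metadata": {"source_kind": source_kind},
        "graph": {
            "nodes": [{"id": nid, "kinds": [kind, source_kind], "properties": {"name": nid}}
                      for nid, kind in nodes.items()],
            "edges": [{"start": {"value": s, "match_by": "id"},
                       "end": {"value": d, "match_by": "id"},
                       "kind": k, "properties": {}} for s, k, d in edges],
        },
    }


if __name__ == "__main__":
    nodes, edges = build_sample_graph()
    print("alice -> bob:", find_path(edges, "alice", "bob"))
    print("alice -> org-1 (attack mode):", find_path(edges, "alice", "org-1"))
    print("alice -> org-1 (audit mode):", find_path(edges, "alice", "org-1", False))
    print(json.dumps(to_opengraph(nodes, edges))[:200], "...")
```

In attack-path mode the search finds alice reaching bob in three hops (group membership, reading the worker application's secret, then forcing bob's password), while the role assignment scoped to the organization is only reachable in audit mode: the scope edges explain what the compromised application can do, but they are not themselves a step an attacker takes.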

Contributing

We welcome and appreciate your contributions! To make the process smooth and efficient, please follow these steps:

  1. Discuss Your Idea

    • If you’ve found a bug or want to propose a new feature, please start by opening an issue in this repo. Describe the problem or enhancement clearly so we can discuss the best approach.
  2. Fork & Create a Branch

    • Fork this repository to your own account.
    • Create a topic branch for your work:
      git checkout -b feat/my-new-feature
  3. Implement & Test

    • Follow the existing style and patterns in the repo.
    • Add or update any tests/examples to cover your changes.
    • Verify your code runs as expected:
      # e.g. dot-source the collector and run it
  4. Submit a Pull Request

    • Push your branch to your fork:
      git push origin feat/my-new-feature
    • Open a Pull Request against the main branch of this repository.
    • In your PR description, please include:
      • What you’ve changed and why.
      • How to reproduce/test your changes.
  5. Review & Merge

    • I’ll review your PR, give feedback if needed, and merge once everything checks out.
    • For larger or more complex changes, review may take a little longer—thanks in advance for your patience!

Thank you for helping improve this extension! 🎉

Licensing

Copyright 2025 Andy Robbins

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see https://www.gnu.org/licenses/.

About

Six Degrees of Organization Admin
