# Ping Identity MCP

> Ping Identity MCP lets you manage complex enterprise identities and access rules directly through your AI client. You can audit users, check security policies, and review application connections across PingOne without navigating multiple admin consoles. It gives you full control over user lifecycle management, group memberships, and zero-trust risk settings.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** sso, mfa, zero-trust, iam, user-provisioning, authentication, authorization

## Description

Managing who gets into the network and what they can do is a headache, especially when policy changes happen fast. This MCP connects your AI client to your entire Ping Identity environment. You stop switching between consoles and start talking to it instead. Need to check if a user still exists? Just ask. Want to see which apps are connected or audit who belongs to a specific group? Your agent handles the requests, pulling detailed data on everything from application grants to complex security policies.

It’s all about keeping your identity posture clean and secure. Whether you need to list every internal user profile, review active risk management rules that trigger MFA, or delete an account completely, this MCP gives your AI client the necessary tools. Because Vinkius hosts this connection, you get access to the whole suite of IAM functions from one place.

## Tools

### delete_user
Permanently deletes a user identity and purges all associated credentials and session tokens from the directory.

### get_application
Retrieves the security configuration, callback URIs, and grant types for one specific federated application.

### get_group
Displays all explicit details about a standard Ping Group used to assign permissions.

### get_user
Retrieves the complete context and metadata for any specified user in the directory.

### list_applications
Lists all Web, Native, or SPA applications currently federated under your PingOne environment for exposure review.

### list_groups
Provides a list of identity Groups used to map high-level permissions across SSO channels.

### list_populations
Lists isolated user populations, such as contractors or B2B clients, that are governed by separate security rules.

### list_users
Paginates through and lists all internal and external user identities within the standard PingOne Environment.

### list_risk_policies
Lists active Risk Management rules that trigger real-time multi-factor authentication or block suspicious logins.

### list_sign_on_policies
Lists logical Sign-on flows and strict authentication conditions, detailing required MFA prompts or complex password structures.

## Prompt Examples

**Prompt:** 
```
Can you list all OIDC applications configured in PingOne and highlight any insecure callbacks?
```

**Response:** 
```
You currently have 8 configured applications. I noticed that 'Legacy CRM' uses an Implicit Grant and lacks PKCE. Also, 'Staging Dashboard' has a callback URI using a non-secure protocol (`http://`). I recommend modifying these components directly in the admin console to maintain Zero-Trust compliance.
```
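As an added illustration of the checks the response above describes (example code, not part of this MCP or of the PingOne API): the field names `grantTypes`, `redirectUris` and `pkceEnforcement`, and the sample records, are assumptions standing in for what `list_applications` would return.

```python
"""Audit OIDC application records for the weak settings named above:
implicit grant, PKCE not required, and non-HTTPS callback URIs."""
from urllib.parse import urlparse

# Constructed sample records. Field names are assumed to mirror what
# list_applications / get_application return; adjust to the real shape.
SAMPLE_APPLICATIONS = [
    {"name": "Legacy CRM",
     "grantTypes": ["AUTHORIZATION_CODE", "IMPLICIT"],
     "redirectUris": ["https://crm.example.com/cb"],
     "pkceEnforcement": "OPTIONAL"},
    {"name": "Staging Dashboard",
     "grantTypes": ["AUTHORIZATION_CODE"],
     "redirectUris": ["http://staging.example.com/cb"],
     "pkceEnforcement": "S256_REQUIRED"},
    {"name": "Mobile App",
     "grantTypes": ["AUTHORIZATION_CODE", "REFRESH_TOKEN"],
     "redirectUris": ["com.example.mobile://callback", "http://127.0.0.1:8080/cb"],
     "pkceEnforcement": "S256_REQUIRED"},
]

# Plain-http loopback redirects are the one case OAuth permits for native apps.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

def insecure_callbacks(uris):
    """Return the redirect URIs that use plain http to a non-loopback host."""
    return [u for u in uris
            if urlparse(u).scheme == "http"
            and urlparse(u).hostname not in LOOPBACK_HOSTS]

def audit_application(app):
    """Return human-readable findings for one application record."""
    findings = []
    grants = app.get("grantTypes", [])
    if "IMPLICIT" in grants:
        findings.append("uses the implicit grant")
    if "AUTHORIZATION_CODE" in grants and app.get("pkceEnforcement") != "S256_REQUIRED":
        findings.append("does not require PKCE (S256)")
    for uri in insecure_callbacks(app.get("redirectUris", [])):
        findings.append(f"non-HTTPS callback {uri}")
    return findings

def audit_applications(apps):
    """Map application name -> findings, keeping only applications that have any."""
    return {app["name"]: f for app in apps if (f := audit_application(app))}
```

Running `audit_applications(SAMPLE_APPLICATIONS)` reports only 'Legacy CRM' and 'Staging Dashboard'; the loopback `http://127.0.0.1` redirect on the mobile app is deliberately not flagged.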

**Prompt:** 
```
Provide the active list of Zero-Trust risk policies governing my environment.
```

**Response:** 
```
There are 3 active Risk Policies in your designated execution environment. 
1. **Impossible Travel** — triggers mandatory MFA prompts upon anomalous geographic location jumps.
2. **Anonymous Networks** — drops authentication directly for identified VPN and TOR entry-points.
3. **Behavior Anomalies** — triggers a step-up challenge utilizing Ping's machine-learning baseline models.
What would you like to drill down into?
```

**Prompt:** 
```
Delete the specific suspended user profile assigned to the ID `81773-XYZ-192`.
```

**Response:** 
```
Execution successful. The PingOne identity assigned to `81773-XYZ-192` has been removed. Associated MFA linkages, secondary sessions, isolated SCIM references, and assigned app scopes have all been safely purged from the directory.
```

## Capabilities

### Audit User Status
Get complete details for any user profile, including their current metadata and status in the system.

### Review Applications
List and audit all federated web or native applications connected to your PingOne environment.

### Inspect Security Rules
View active risk management policies that dictate real-time authentication requirements, like mandatory MFA or location checks.

### Manage User Accounts
List all users in the directory and execute a hard deletion of an identity, purging all associated credentials.

### View Group Membership
Retrieve detailed information on specific groups used for assigning permissions across the enterprise.

### Examine Sign-On Flows
Check logical sign-on policies to see what conditions, like required passwords or biometrics, must pass before access is granted.

## Use Cases

### Investigating an Anomalous Login
A security team member notices unusual login activity and asks their agent to check the 'Impossible Travel' policy using `list_risk_policies`. The agent reports that the rule is active and requires MFA whenever a user's location jumps across continents within an hour, which immediately flags potentially compromised accounts.

### Auditing Contractor Access
The compliance officer needs to know which external parties are connected. They ask their agent to `list_populations`. The tool replies with a breakdown of 'Contractors' and 'Partners', confirming that these isolated populations have different password expiration rules than full-time employees.

### Removing a Former Employee
An IT support specialist needs to offboard an employee immediately. They use the `delete_user` tool with the user's ID. The agent confirms that not only is the identity removed, but all associated MFA linkages and secondary sessions are also purged from the directory.

### Reviewing App Security Gaps
A developer needs to check an old application. They ask their agent to `get_application` for a specific federated app. The tool returns the detailed configuration, showing whether the app uses secure PKCE flows or still relies on less secure methods.

## Benefits

- Audit entire application footprints instantly. Instead of manually navigating multiple tabs to check which Web or SPA apps are federated, you use `list_applications` and get a comprehensive list immediately.
- Enforce Zero Trust compliance easily. You can review real-time risk policies using `list_risk_policies`, seeing exactly which rules dictate MFA prompts or block impossible travel attempts without leaving your chat window.
- Handle user offboarding with precision. Use the `delete_user` tool to hard delete an account, ensuring all associated sessions, app scopes, and credentials are purged safely in one API call.
- Understand complex access structures quickly. To map permissions, check group roles using `list_groups` or review specific users' full context by calling `get_user`, eliminating guesswork about who has what access.
- Verify policy complexity without the console headache. You can view sign-on flows with `list_sign_on_policies` to confirm if complex rules, like mandatory biometrics, are active before a user gets access.

## How It Works

The bottom line is, you control your identity infrastructure by talking to it instead of clicking through menus.

1. Subscribe to this MCP and provide your PingOne Environment ID along with an API token.
2. Your AI client connects through the Vinkius platform, authenticating against your credentials.
3. You simply instruct your agent in natural language (for example, 'Show me all users who haven't logged in for 90 days') and the MCP executes the necessary actions.

## Frequently Asked Questions

**Can I use Ping Identity MCP to check if an application is secure?**
Yes, you can audit the security configuration for any federated app using `get_application`. This shows whether it uses secure grants or if it has vulnerable callback URIs.

**How do I find all external user accounts with Ping Identity MCP?**
You use the `list_populations` tool. This function lists isolated populations, letting you see groups like 'Contractors' or 'B2B Clients' that are separate from your main employee directory.

**What is the best way to manage user roles with Ping Identity MCP?**
You should use `list_groups` to map out all available identity groups. Then, you can use these group names when checking specific users via `get_user`.

**Is this MCP only for viewing data, or can I delete accounts?**
This MCP handles both reading and writing. You can view policies using `list_risk_policies`, but you also have the power to run the critical `delete_user` tool when an employee leaves.

**How does Ping Identity MCP handle MFA checks?**
You review the active policy rules that dictate MFA requirements by calling `list_risk_policies`. This tells you whether a specific login attempt will trigger extra authentication steps based on its context.