PingOne Advanced Identity Cloud MCP Server

---

Features • Use Cases • Prerequisites • Getting Started • Authentication • Available Tools • Docker Deployment • Security • Troubleshooting • Development • License

---

[!CAUTION] Preview Software Notice

This is preview software provided AS IS with no warranties of any kind.

• Current release is only for Sandbox and Development AIC tenants, the server is not enabled for production environments.
• Limited support is available during the public preview phase — please report bugs and provide feedback via the GitHub issue tracker

Your use of this software constitutes acceptance of these terms.

[!CAUTION] Security Notice

Depending on the requests made to the MCP server, tenant configuration or data may be returned. Do not use the MCP server with untrusted MCP clients, agent code or LLM inference.

[!WARNING] Review Generated Configuration

Configuration can be generated dynamically using LLM and user feedback represented dynamically back to agents/conversations. Be sure to review generated configuration before promoting to production environments, or those serving live identity/access requests.

An MCP (Model Context Protocol) server that enables AI assistants to interact with PingOne Advanced Identity Cloud environments. Manage users, roles, groups, organizations, customize authentication themes, analyze logs, and query identity data directly from your AI conversations.

Ask questions like "Find all alpha_users with email starting with [email protected]", "Create a new theme called 'Corporate Brand' with primary color #0066cc", or "Show me all ERROR level logs from the am-authentication source in the last hour".

Features

• Administer your AIC environment using natural language - Interact with PingOne AIC from whichever AI tool you use daily. No need to switch to the admin console or write API scripts - just ask your AI assistant.

• Secure authentication - Supports OAuth 2.0 PKCE flow for local deployment and Device Code Flow for containerized deployment. All actions are user-based and auditable. Tokens stored securely in OS keychain (local) or ephemerally (Docker).

• Broad tool support - Supports full CRUD operations against any managed object type in your environment (users, roles, groups, organizations, and custom types), authentication journey and script management, theme customization, advanced log querying, and environment variable configuration.

Use Cases

• Journey Management - "Show me the Login journey", "Create a new MFA journey", "Add a scripted decision node to the registration flow", "Set Login as the default journey"
• Authentication Customization - "Create a branded theme with our corporate colors", "Show me all themes in production", "Set the new theme as default"
• Audit & Monitoring - "Show me failed login attempts in the last hour", "Find all logs for transaction abc-123", "What log sources are available?"
• Identity Operations - "Find all users with admin in their username", "Create a new developer role", "Update the email for user xyz123"
• Configuration Management - "List all environment variables", "Create a new API key variable", "Update the database connection string"

Getting Started

Prerequisites

• Node.js 18+
• PingOne Advanced Identity Cloud Sandbox or Development Tenant
• MCP-compatible client (Claude Code, Claude Desktop, Cursor, VS Code with GitHub Copilot, Gemini CLI, Codex, etc.)

Configure Your MCP Client

The MCP server requires the AIC_BASE_URL environment variable to be set to your PingOne AIC hostname.

Add this to your MCP client configuration:

{
  "mcpServers": {
    "aic-mcp-server": {
      "type": "stdio",
      "command": "npx",
      "args": ["-y", "@ping-identity/aic-mcp-server"],
      "env": {
        "AIC_BASE_URL": "your-tenant.forgeblocks.com"
      }
    }
  }
}

Required: Replace your-tenant.forgeblocks.com with your PingOne AIC tenant URL.

Client-specific instructions:

<details> <summary><b>Claude Code or Claude Desktop</b></summary>

Add this to your Claude MCP configuration (claude.json for Claude Code or claude_desktop_config.json for Claude Desktop):

{
  "mcpServers": {
    "aic-mcp-server": {
      "command": "npx",
      "args": ["-y", "@ping-identity/aic-mcp-server"],
      "env": {
        "AIC_BASE_URL": "your-tenant.forgeblocks.com"
      }
    }
  }
}

</details> <details> <summary><b>Cursor</b></summary>

Add this to your Cursor MCP configuration (.cursor/mcp.json):

{
  "mcpServers": {
    "aic-mcp-server": {
      "command": "npx",
      "args": ["-y", "@ping-identity/aic-mcp-server"],
      "env": {
        "AIC_BASE_URL": "your-tenant.forgeblocks.com"
      }
    }
  }
}

</details> <details> <summary><b>GitHub Copilot (VS Code)</b></summary>

Add this to your Copilot MCP configuration (mcp.json):

{
  "mcpServers": {
    "aic-mcp-server": {
      "command": "npx",
      "args": ["-y", "@ping-identity/aic-mcp-server"],
      "env": {
        "AIC_BASE_URL": "your-tenant.forgeblocks.com"
      }
    }
  }
}

</details> <details> <summary><b>Gemini CLI</b></summary>

Add this to your Gemini CLI MCP configuration (settings.json):

{
  "mcpServers": {
    "aic-mcp-server": {
      "command": "npx",
      "args": ["-y", "@ping-identity/aic-mcp-server"],
      "env": {
        "AIC_BASE_URL": "your-tenant.forgeblocks.com"
      }
    }
  }
}

</details> <details> <summary><b>Codex (OpenAI)</b></summary>

Add this to your Codex MCP configuration (~/.codex/config.toml):

[mcp_servers.aic-mcp-server]
command = "npx"
args = ["-y", "@ping-identity/aic-mcp-server"]
env = {"AIC_BASE_URL" = "your-tenant.forgeblocks.com"}

</details>

Restart your MCP client and start asking questions! Your browser will open for authentication when you use the first tool in a session.

Authentication

The server uses OAuth 2.0 PKCE flow for secure user authentication:

1. First Tool Use - Browser opens automatically for user login at PingOne AIC when you use a tool for the first time in a session
2. Token Storage - Access tokens stored securely in OS keychain (macOS Keychain, Windows Credential Manager, Linux Secret Service)
3. Automatic Reuse - Cached tokens used for subsequent tool calls within the same session
4. Auto Re-authentication - When tokens expire during a session, browser opens again for new login

Docker Deployment: Uses OAuth 2.0 Device Code Flow with ephemeral token storage (tokens deleted on container restart).

Security Features:

• User-based actions provide complete audit trail
• All actions traceable to authenticated users for compliance

[!CAUTION] Administrator Access Required: This server requires administrative authentication and provides administrative capabilities to your PingOne AIC development and sandbox environments. All operations are performed as the authenticated administrator and are fully auditable.

Development and Sandbox Environments Only: This server can only be used with development and sandbox environments. Use with trusted AI assistants in secure contexts. AI-driven operations can make mistakes - review and test changes carefully before promoting to higher environments.

Available Tools

The server provides tools for AI agents to interact with your

---