PingOne Advanced Identity Cloud MCP Server

by pingidentity
AI-ready PingOne Advanced Identity Cloud MCP Server — securely manage users, customize auth themes, query identity data,
Enables AI assistants to interact with PingOne Advanced Identity Cloud environments through natural language, supporting user management, authentication theme customization, log analysis, and identity data queries with secure OAuth 2.0 authentication.
best for
- Identity administrators managing cloud environments
- DevOps teams automating identity operations
- Security teams analyzing authentication patterns
- Developers integrating identity management workflows
capabilities
- Manage users in PingOne Advanced Identity Cloud
- Customize authentication themes and branding
- Analyze identity and authentication logs
- Query identity data through natural language
- Configure identity cloud settings
- Generate dynamic identity configurations
what it does
Connects AI assistants to PingOne Advanced Identity Cloud for managing users, customizing authentication themes, and analyzing identity logs through natural language commands.
about
PingOne Advanced Identity Cloud MCP Server is an official MCP server published by pingidentity that provides AI assistants with tools and capabilities via the Model Context Protocol. It is categorized under cloud infrastructure, auth security.
how to install
You can install PingOne Advanced Identity Cloud MCP Server in your AI client of choice. Use the install panel on this page to get one-click setup for Cursor, Claude Desktop, VS Code, and other MCP-compatible clients. This server runs locally on your machine via the stdio transport.
license
Apache-2.0
PingOne Advanced Identity Cloud MCP Server is released under the Apache-2.0 license. This is a permissive open-source license, meaning you can freely use, modify, and distribute the software.
readme
PingOne Advanced Identity Cloud MCP Server
[!CAUTION] Preview Software Notice
This is preview software provided AS IS with no warranties of any kind.
- The current release is only for Sandbox and Development AIC tenants; the server is not enabled for production environments.
- Limited support is available during the public preview phase — please report bugs and provide feedback via the GitHub issue tracker.
Your use of this software constitutes acceptance of these terms.
[!CAUTION] Security Notice
Depending on the requests made to the MCP server, tenant configuration or data may be returned. Do not use the MCP server with untrusted MCP clients, agent code or LLM inference.
[!WARNING] Review Generated Configuration
Configuration can be generated dynamically using an LLM and user feedback, and represented dynamically back to agents/conversations. Be sure to review generated configuration before promoting it to production environments, or to those serving live identity/access requests.
An MCP (Model Context Protocol) server that enables AI assistants to interact with PingOne Advanced Identity Cloud environments. Manage users, roles, groups, organizations, customize authentication themes, analyze logs, and query identity data directly from your AI conversations.
Ask questions like "Find all alpha_users with email starting with john@example.com", "Create a new theme called 'Corporate Brand' with primary color #0066cc", or "Show me all ERROR level logs from the am-authentication source in the last hour".
Features
- Administer your AIC environment using natural language - Interact with PingOne AIC from whichever AI tool you use daily. No need to switch to the admin console or write API scripts - just ask your AI assistant.
- Secure authentication - Supports OAuth 2.0 PKCE flow for local deployment and Device Code Flow for containerized deployment. All actions are user-based and auditable. Tokens stored securely in OS keychain (local) or ephemerally (Docker).
- Broad tool support - Supports full CRUD operations against any managed object type in your environment (users, roles, groups, organizations, and custom types), authentication journey and script management, theme customization, advanced log querying, and environment variable configuration.
Use Cases
- Journey Management - "Show me the Login journey", "Create a new MFA journey", "Add a scripted decision node to the registration flow", "Set Login as the default journey"
- Authentication Customization - "Create a branded theme with our corporate colors", "Show me all themes in production", "Set the new theme as default"
- Audit & Monitoring - "Show me failed login attempts in the last hour", "Find all logs for transaction abc-123", "What log sources are available?"
- Identity Operations - "Find all users with admin in their username", "Create a new developer role", "Update the email for user xyz123"
- Configuration Management - "List all environment variables", "Create a new API key variable", "Update the database connection string"
Getting Started
Prerequisites
- Node.js 18+
- PingOne Advanced Identity Cloud Sandbox or Development Tenant
- MCP-compatible client (Claude Code, Claude Desktop, Cursor, VS Code with GitHub Copilot, Gemini CLI, Codex, etc.)
Configure Your MCP Client
The MCP server requires the AIC_BASE_URL environment variable to be set to your PingOne AIC hostname.
Add this to your MCP client configuration:
{
  "mcpServers": {
    "aic-mcp-server": {
      "type": "stdio",
      "command": "npx",
      "args": ["-y", "@ping-identity/aic-mcp-server"],
      "env": {
        "AIC_BASE_URL": "your-tenant.forgeblocks.com"
      }
    }
  }
}
Required: Replace your-tenant.forgeblocks.com with your PingOne AIC tenant URL.
Client-specific instructions:
<details>
<summary><b>Claude Code or Claude Desktop</b></summary>
Add this to your Claude MCP configuration (claude.json for Claude Code or claude_desktop_config.json for Claude Desktop):
{
  "mcpServers": {
    "aic-mcp-server": {
      "command": "npx",
      "args": ["-y", "@ping-identity/aic-mcp-server"],
      "env": {
        "AIC_BASE_URL": "your-tenant.forgeblocks.com"
      }
    }
  }
}
</details>
<details>
<summary><b>Cursor</b></summary>
Add this to your Cursor MCP configuration (.cursor/mcp.json):
{
  "mcpServers": {
    "aic-mcp-server": {
      "command": "npx",
      "args": ["-y", "@ping-identity/aic-mcp-server"],
      "env": {
        "AIC_BASE_URL": "your-tenant.forgeblocks.com"
      }
    }
  }
}
</details>
<details>
<summary><b>GitHub Copilot (VS Code)</b></summary>
Add this to your Copilot MCP configuration (mcp.json):
{
  "mcpServers": {
    "aic-mcp-server": {
      "command": "npx",
      "args": ["-y", "@ping-identity/aic-mcp-server"],
      "env": {
        "AIC_BASE_URL": "your-tenant.forgeblocks.com"
      }
    }
  }
}
</details>
<details>
<summary><b>Gemini CLI</b></summary>
Add this to your Gemini CLI MCP configuration (settings.json):
{
  "mcpServers": {
    "aic-mcp-server": {
      "command": "npx",
      "args": ["-y", "@ping-identity/aic-mcp-server"],
      "env": {
        "AIC_BASE_URL": "your-tenant.forgeblocks.com"
      }
    }
  }
}
</details>
<details>
<summary><b>Codex (OpenAI)</b></summary>
Add this to your Codex MCP configuration (~/.codex/config.toml):
[mcp_servers.aic-mcp-server]
command = "npx"
args = ["-y", "@ping-identity/aic-mcp-server"]
env = {"AIC_BASE_URL" = "your-tenant.forgeblocks.com"}
</details>
Restart your MCP client and start asking questions! Your browser will open for authentication when you use the first tool in a session.
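An added example (not part of the project's README): a Node.js check that audits an MCP client configuration of the shape shown above before the client is restarted. It flags a leftover placeholder tenant, a tenant outside an operator-supplied sandbox/dev allowlist, an unpinned `npx` package spec, and credential-like keys in `env`. The allowlist, sample configs and the version `0.0.0` are constructed placeholders, and the pinning and credential checks are general hardening assumptions rather than requirements stated by the project.

```javascript
// Added example: audit an MCP client config for the aic-mcp-server entry.
// The tenant allowlist, sample configs and version "0.0.0" are constructed placeholders.
const PKG = "@ping-identity/aic-mcp-server";
const PLACEHOLDER = "your-tenant.forgeblocks.com";

function auditMcpConfig(config, approvedTenants) {
  const findings = [];
  const servers = (config && config.mcpServers) || {};
  for (const [name, entry] of Object.entries(servers)) {
    const args = Array.isArray(entry?.args) ? entry.args : [];
    const spec = args.find(
      (a) => typeof a === "string" && (a === PKG || a.startsWith(PKG + "@"))
    );
    if (!spec) continue; // some other MCP server, out of scope here
    // An unversioned or tag/range spec lets npx pick whatever release is current at launch.
    const version = spec.slice(PKG.length + 1);
    if (!/^\d+\.\d+\.\d+(-[\w.]+)?$/.test(version)) {
      findings.push(`${name}: package version is not pinned`);
    }
    // Accept a bare hostname or a full URL; compare on the hostname only.
    const env = entry?.env || {};
    const raw = String(env.AIC_BASE_URL || "").trim();
    const host = raw.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").split(/[/:?#]/)[0].toLowerCase();
    if (!host) findings.push(`${name}: AIC_BASE_URL is missing`);
    else if (host === PLACEHOLDER) findings.push(`${name}: AIC_BASE_URL is still the placeholder`);
    else if (!approvedTenants.includes(host)) {
      findings.push(`${name}: tenant ${host} is not an approved sandbox/dev tenant`);
    }

    // Login happens in the browser, so the config should carry no credentials.
    for (const key of Object.keys(env)) {
      if (/TOKEN|SECRET|PASSWORD|API_?KEY/i.test(key)) {
        findings.push(`${name}: credential-like env key ${key}`);
      }
    }
  }
  return findings;
}

const APPROVED_TENANTS = ["sandbox-tenant.example.com"]; // constructed allowlist
const sampleConfig = {
  mcpServers: {
    "aic-mcp-server": { command: "npx", args: ["-y", PKG], env: { AIC_BASE_URL: PLACEHOLDER } },
    "aic-pinned": { command: "npx", args: ["-y", PKG + "@0.0.0"],
      env: { AIC_BASE_URL: "https://sandbox-tenant.example.com" } },
  },
};
console.log(auditMcpConfig(sampleConfig, APPROVED_TENANTS));
```

Run it against the parsed contents of the client's config file; an empty array means none of the four conditions were found.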
Authentication
The server uses OAuth 2.0 PKCE flow for secure user authentication:
- First Tool Use - Browser opens automatically for user login at PingOne AIC when you use a tool for the first time in a session
- Token Storage - Access tokens stored securely in OS keychain (macOS Keychain, Windows Credential Manager, Linux Secret Service)
- Automatic Reuse - Cached tokens used for subsequent tool calls within the same session
- Auto Re-authentication - When tokens expire during a session, browser opens again for new login
Docker Deployment: Uses OAuth 2.0 Device Code Flow with ephemeral token storage (tokens deleted on container restart).
Security Features:
- User-based actions provide complete audit trail
- All actions traceable to authenticated users for compliance
[!CAUTION] Administrator Access Required: This server requires administrative authentication and provides administrative capabilities to your PingOne AIC development and sandbox environments. All operations are performed as the authenticated administrator and are fully auditable.
Development and Sandbox Environments Only: This server can only be used with development and sandbox environments. Use with trusted AI assistants in secure contexts. AI-driven operations can make mistakes - review and test changes carefully before promoting to higher environments.
Available Tools
The server provides tools for AI agents to interact with your