Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@PingOne Advanced Identity Cloud MCP Servershow me all failed login attempts from the last hour"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
PingOne Advanced Identity Cloud MCP Server
Features • Use Cases • Prerequisites • Getting Started • Authentication • Available Tools • Docker Deployment • Security • Troubleshooting • Development • License
Preview Software Notice
This is preview software provided AS IS with no warranties of any kind.
Current release is only for Sandbox and Development AIC tenants, the server is not enabled for production environments.
Limited support is available during the public preview phase — please report bugs and provide feedback via the GitHub issue tracker
Your use of this software constitutes acceptance of these terms.
Security Notice
Depending on the requests made to the MCP server, tenant configuration or data may be returned. Do not use the MCP server with untrusted MCP clients, agent code or LLM inference.
Review Generated Configuration
Configuration can be generated dynamically using LLM and user feedback represented dynamically back to agents/conversations. Be sure to review generated configuration before promoting to production environments, or those serving live identity/access requests.
An MCP (Model Context Protocol) server that enables AI assistants to interact with PingOne Advanced Identity Cloud environments. Manage users, roles, groups, organizations, customize authentication themes, analyze logs, and query identity data directly from your AI conversations.
Ask questions like "Find all alpha_users with email starting with john@example.com", "Create a new theme called 'Corporate Brand' with primary color #0066cc", or "Show me all ERROR level logs from the am-authentication source in the last hour".
Features
Administer your AIC environment using natural language - Interact with PingOne AIC from whichever AI tool you use daily. No need to switch to the admin console or write API scripts - just ask your AI assistant.
Secure authentication - Supports OAuth 2.0 PKCE flow for local deployment and Device Code Flow for containerized deployment. All actions are user-based and auditable. Tokens stored securely in OS keychain (local) or ephemerally (Docker).
Broad tool support - Supports full CRUD operations against any managed object type in your environment (users, roles, groups, organizations, and custom types), authentication theme management, advanced log querying, and environment variable configuration.
Use Cases
Authentication Customization - "Create a branded theme with our corporate colors", "Show me all themes in production", "Set the new theme as default"
Audit & Monitoring - "Show me failed login attempts in the last hour", "Find all logs for transaction abc-123", "What log sources are available?"
Identity Operations - "Find all users with admin in their username", "Create a new developer role", "Update the email for user xyz123"
Configuration Management - "List all environment variables", "Create a new API key variable", "Update the database connection string"
Getting Started
Prerequisites
Node.js 18+
PingOne Advanced Identity Cloud
MCP-compatible client (Claude Code, Claude Desktop, Cursor, VS Code with GitHub Copilot, Gemini CLI, Codex, etc.)
Configure Your MCP Client
The MCP server requires the AIC_BASE_URL environment variable to be set to your PingOne AIC hostname.
Add this to your MCP client configuration:
Required: Replace your-tenant.forgeblocks.com with your PingOne AIC tenant URL.
Client-specific instructions:
Add this to your Claude MCP configuration (claude.json for Claude Code or claude_desktop_config.json for Claude Desktop):
Add this to your Cursor MCP configuration (.cursor/mcp.json):
Add this to your Copilot MCP configuration (mcp.json):
Add this to your Gemini CLI MCP configuration (settings.json):
Add this to your Codex MCP configuration (~/.codex/config.toml):
Restart your MCP client and start asking questions! Your browser will open for authentication when you use the first tool in a session.
Authentication
The server uses OAuth 2.0 PKCE flow for secure user authentication:
First Tool Use - Browser opens automatically for user login at PingOne AIC when you use a tool for the first time in a session
Token Storage - Access tokens stored securely in OS keychain (macOS Keychain, Windows Credential Manager, Linux Secret Service)
Automatic Reuse - Cached tokens used for subsequent tool calls within the same session
Auto Re-authentication - When tokens expire during a session, browser opens again for new login
Docker Deployment: Uses OAuth 2.0 Device Code Flow with ephemeral token storage (tokens deleted on container restart).
Security Features:
User-based actions provide complete audit trail
All actions traceable to authenticated users for compliance
Administrator Access Required: This server requires administrative authentication and provides administrative capabilities to your PingOne AIC development and sandbox environments. All operations are performed as the authenticated administrator and are fully auditable.
Development and Sandbox Environments Only: This server can only be used with development and sandbox environments. Use with trusted AI assistants in secure contexts. AI-driven operations can make mistakes - review and test changes carefully before promoting to higher environments.
Available Tools
The server provides tools for AI agents to interact with your PingOne AIC environment:
Managed Objects
Generic CRUD operations for any managed object type in your environment.
Tool | Description | Usage Examples |
| Discover all managed object types in your environment | - - - |
| Get schema definition for an object type | - - - |
| Query objects with filters, pagination, sorting | - - - |
| Retrieve an object's complete profile | - - - |
| Create a new managed object | - - - |
| Update object fields | - - - |
| Delete an object | - - - |
Themes
Customize login and account page appearance.
Tool | Description | Usage Examples |
| Get complete theme schema documentation | - - - |
| List all themes in a realm | - - - |
| Get a theme's complete configuration | - - - |
| Create a new theme | - - - |
| Update theme properties | - - - |
| Delete a theme | - - - |
| Set a theme as the realm default | - - - |
Logging
Query and analyze authentication and activity logs.
Tool | Description | Usage Examples |
| List available log sources | - - - |
| Query logs with time range, source, and content filters | - - - |
ESVs (Environment Secrets and Variables)
Manage environment secrets and variables.
Tool | Description | Usage Examples |
| Query variables or secrets by ID pattern | - - - |
| Retrieve a variable with decoded value | - - - |
| Create or update a variable | - - - |
| Delete a variable | - - - |
Docker Deployment
⚠️ EXPERIMENTAL: Docker deployment uses OAuth 2.0 Device Code Flow with MCP form elicitation. This requires MCP client support for form elicitation, which is currently limited. If your client doesn't support it, use the local deployment method above.
Build Image
Configure Your MCP Client
Claude Code or Claude Desktop
Add this to your Claude MCP configuration (claude.json for Claude Code or claude_desktop_config.json for Claude Desktop):
Authentication: When authentication is required, your MCP client should display a URL. Click it to authenticate in your browser, then accept the prompt in your client.
Token Storage: Tokens are stored ephemerally in the container filesystem (/app/tokens/token.json) and deleted on container restart for enhanced security.
Security
The PingOne AIC MCP Server implements multiple security layers:
Secure credential storage - Tokens stored in OS keychain (macOS Keychain, Windows Credential Manager, Linux Secret Service) for local deployment, or ephemerally in container filesystem for Docker
No plain text secrets - No sensitive information stored in configuration files
OAuth 2.0 authentication - PKCE flow for local deployment prevents authorization code interception; Device Code flow for containerized deployment
User-based authentication - All API calls are authenticated as the user who logged in, providing complete audit trails
Input validation - Built-in protections against path traversal and query injection attacks
Tenant isolation - Tokens are validated against the configured
AIC_BASE_URLto prevent accidental cross-tenant operations
"FATAL: AIC_BASE_URL environment variable is not set"
Set the AIC_BASE_URL environment variable in your MCP client configuration to your PingOne AIC tenant URL (e.g., your-tenant.forgeblocks.com or https://your-tenant.forgeblocks.com).
"Port 3000 is already in use"
Another service is using port 3000 (required for OAuth redirect). Stop that service and try again.
"Browser doesn't open during authentication"
Check that the open package has permissions to launch your browser, or manually navigate to the URL shown in the error message.
Docker: "URL not displayed during authentication"
Your MCP client may not support form elicitation yet. Use the local deployment method instead.
Development
To build the server from source for development:
Then configure your MCP client to use the local build:
For type checking without building:
The project includes a comprehensive test suite covering all tools and authentication flows.
Use the MCP Inspector to visually test tools in a web interface:
Hosts a web interface for interactive tool testing and OAuth flow debugging.
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
Feedback & Issues
We welcome your feedback! Please use this repository's issue tracker to submit feedback, bug reports, or enhancement requests. For existing issues, you can add a 👍 reaction to help our team gauge priority.
License
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.