Features • Use Cases • Prerequisites • Getting Started • Authentication • Available Tools • Docker Deployment • Security • Troubleshooting • Development • License
Caution
Preview Software Notice
This is preview software provided AS IS with no warranties of any kind.
- Current release is only for Sandbox and Development AIC tenants, the server is not enabled for production environments.
- Limited support is available during the public preview phase — please report bugs and provide feedback via the GitHub issue tracker
Your use of this software constitutes acceptance of these terms.
Caution
Security Notice
Depending on the requests made to the MCP server, tenant configuration or data may be returned. Do not use the MCP server with untrusted MCP clients, agent code or LLM inference.
Warning
Review Generated Configuration
Configuration can be generated dynamically using LLM and user feedback represented dynamically back to agents/conversations. Be sure to review generated configuration before promoting to production environments, or those serving live identity/access requests.
An MCP (Model Context Protocol) server that enables AI assistants to interact with PingOne Advanced Identity Cloud environments. Manage users, roles, groups, organizations, customize authentication themes, analyze logs, and query identity data directly from your AI conversations.
Ask questions like "Find all alpha_users with email starting with john@example.com", "Create a new theme called 'Corporate Brand' with primary color #0066cc", or "Show me all ERROR level logs from the am-authentication source in the last hour".
-
Administer your AIC environment using natural language - Interact with PingOne AIC from whichever AI tool you use daily. No need to switch to the admin console or write API scripts - just ask your AI assistant.
-
Secure authentication - Supports OAuth 2.0 PKCE flow for local deployment and Device Code Flow for containerized deployment. All actions are user-based and auditable. Tokens stored securely in OS keychain (local) or ephemerally (Docker).
-
Broad tool support - Supports full CRUD operations against any managed object type in your environment (users, roles, groups, organizations, and custom types), authentication theme management, advanced log querying, and environment variable configuration.
- Authentication Customization - "Create a branded theme with our corporate colors", "Show me all themes in production", "Set the new theme as default"
- Audit & Monitoring - "Show me failed login attempts in the last hour", "Find all logs for transaction abc-123", "What log sources are available?"
- Identity Operations - "Find all users with admin in their username", "Create a new developer role", "Update the email for user xyz123"
- Configuration Management - "List all environment variables", "Create a new API key variable", "Update the database connection string"
- Node.js 18+
- PingOne Advanced Identity Cloud Sandbox or Development Tenant
- MCP-compatible client (Claude Code, Claude Desktop, Cursor, VS Code with GitHub Copilot, Gemini CLI, Codex, etc.)
The MCP server requires the AIC_BASE_URL environment variable to be set to your PingOne AIC hostname.
Add this to your MCP client configuration:
{
"mcpServers": {
"aic-mcp-server": {
"type": "stdio",
"command": "npx",
"args": ["-y", "@ping-identity/aic-mcp-server"],
"env": {
"AIC_BASE_URL": "your-tenant.forgeblocks.com"
}
}
}
}Required: Replace your-tenant.forgeblocks.com with your PingOne AIC tenant URL.
Client-specific instructions:
Claude Code or Claude Desktop
Add this to your Claude MCP configuration (claude.json for Claude Code or claude_desktop_config.json for Claude Desktop):
{
"mcpServers": {
"aic-mcp-server": {
"command": "npx",
"args": ["-y", "@ping-identity/aic-mcp-server"],
"env": {
"AIC_BASE_URL": "your-tenant.forgeblocks.com"
}
}
}
}Cursor
Add this to your Cursor MCP configuration (.cursor/mcp.json):
{
"mcpServers": {
"aic-mcp-server": {
"command": "npx",
"args": ["-y", "@ping-identity/aic-mcp-server"],
"env": {
"AIC_BASE_URL": "your-tenant.forgeblocks.com"
}
}
}
}GitHub Copilot (VS Code)
Add this to your Copilot MCP configuration (mcp.json):
{
"mcpServers": {
"aic-mcp-server": {
"command": "npx",
"args": ["-y", "@ping-identity/aic-mcp-server"],
"env": {
"AIC_BASE_URL": "your-tenant.forgeblocks.com"
}
}
}
}Gemini CLI
Add this to your Gemini CLI MCP configuration (settings.json):
{
"mcpServers": {
"aic-mcp-server": {
"command": "npx",
"args": ["-y", "@ping-identity/aic-mcp-server"],
"env": {
"AIC_BASE_URL": "your-tenant.forgeblocks.com"
}
}
}
}Codex (OpenAI)
Add this to your Codex MCP configuration (~/.codex/config.toml):
[mcp_servers.aic-mcp-server]
command = "npx"
args = ["-y", "@ping-identity/aic-mcp-server"]
env = {"AIC_BASE_URL" = "your-tenant.forgeblocks.com"}Restart your MCP client and start asking questions! Your browser will open for authentication when you use the first tool in a session.
The server uses OAuth 2.0 PKCE flow for secure user authentication:
- First Tool Use - Browser opens automatically for user login at PingOne AIC when you use a tool for the first time in a session
- Token Storage - Access tokens stored securely in OS keychain (macOS Keychain, Windows Credential Manager, Linux Secret Service)
- Automatic Reuse - Cached tokens used for subsequent tool calls within the same session
- Auto Re-authentication - When tokens expire during a session, browser opens again for new login
Docker Deployment: Uses OAuth 2.0 Device Code Flow with ephemeral token storage (tokens deleted on container restart).
Security Features:
- User-based actions provide complete audit trail
- All actions traceable to authenticated users for compliance
Caution
Administrator Access Required: This server requires administrative authentication and provides administrative capabilities to your PingOne AIC development and sandbox environments. All operations are performed as the authenticated administrator and are fully auditable.
Development and Sandbox Environments Only: This server can only be used with development and sandbox environments. Use with trusted AI assistants in secure contexts. AI-driven operations can make mistakes - review and test changes carefully before promoting to higher environments.
The server provides tools for AI agents to interact with your PingOne AIC environment:
Generic CRUD operations for any managed object type in your environment.
| Tool | Description | Usage Examples |
|---|---|---|
listManagedObjects |
Discover all managed object types in your environment | - What object types are available? - List all managed objects - Show me what types I can work with |
getManagedObjectSchema |
Get schema definition for an object type | - What fields are required for alpha_user? - Show me the schema for bravo_role - What properties does alpha_group have? |
queryManagedObjects |
Query objects with filters, pagination, sorting | - Find users with email @example.com - List all roles sorted by name - Show me the first 10 alpha_groups |
getManagedObject |
Retrieve an object's complete profile | - Get user xyz123 - Show me the details for role abc456 - Display the profile for alpha_user xyz |
createManagedObject |
Create a new managed object | - Create user jsmith - Add a new admin role - Create a bravo_group called Developers |
patchManagedObject |
Update object fields | - Update user xyz123 email to new@example.com - Change role description - Modify the alpha_group name |
deleteManagedObject |
Delete an object | - Delete user xyz123 - Remove role abc456 - Delete the test group |
Customize login and account page appearance.
| Tool | Description | Usage Examples |
|---|---|---|
getThemeSchema |
Get complete theme schema documentation | - Show me available theme customizations - What fields can I set on a theme? - Display the theme configuration options |
getThemes |
List all themes in a realm | - Show themes in alpha realm - List all available themes - What themes exist in bravo? |
getTheme |
Get a theme's complete configuration | - Get the Corporate Brand theme - Show me theme xyz123 - Display the Dark Mode theme settings |
createTheme |
Create a new theme | - Create theme called Dark Mode - Add new theme with blue color scheme - Create a Corporate Brand theme with our colors |
updateTheme |
Update theme properties | - Change Corporate Brand logo - Update theme colors - Modify the Dark Mode background color |
deleteTheme |
Delete a theme | - Delete Test Theme - Remove theme xyz123 - Delete the old branding theme |
setDefaultTheme |
Set a theme as the realm default | - Set Corporate Brand as default - Make Dark Mode the default theme - Use the new theme as default for alpha |
Query and analyze authentication and activity logs.
| Tool | Description | Usage Examples |
|---|---|---|
getLogSources |
List available log sources | - What log sources are available? - Show me all log types - Display available logging sources |
queryLogs |
Query logs with time range, source, and content filters | - Show ERROR logs from last 2 hours - Find login failures for user jsmith - Get logs for transaction xyz |
Manage environment secrets and variables.
| Tool | Description | Usage Examples |
|---|---|---|
queryESVs |
Query variables or secrets by ID pattern | - List all environment variables - Find variables starting with esv-prod - Show me all secrets in the environment |
getVariable |
Retrieve a variable with decoded value | - Get esv-database-url - Show me the API key variable - Display the value of esv-config |
setVariable |
Create or update a variable | - Create variable esv-api-key - Update esv-max-connections to 100 - Set esv-endpoint to https://api.example.com |
deleteVariable |
Delete a variable | - Delete esv-old-config - Remove variable xyz - Delete the deprecated esv-legacy-url |
⚠️ EXPERIMENTAL: Docker deployment uses OAuth 2.0 Device Code Flow with MCP form elicitation. This requires MCP client support for form elicitation, which is currently limited. If your client doesn't support it, use the local deployment method above.
npm run docker:buildAdd this to your Claude MCP configuration (claude.json for Claude Code or claude_desktop_config.json for Claude Desktop):
{
"mcpServers": {
"aic-mcp-server": {
"command": "docker",
"args": [
"run",
"--rm",
"-i",
"-e",
"AIC_BASE_URL=your-tenant.forgeblocks.com",
"pingidentity/aic-mcp-server:latest"
]
}
}
}Authentication: When authentication is required, your MCP client should display a URL. Click it to authenticate in your browser, then accept the prompt in your client.
Token Storage: Tokens are stored ephemerally in the container filesystem (/app/tokens/token.json) and deleted on container restart for enhanced security.
The PingOne AIC MCP Server implements multiple security layers:
- Secure credential storage - Tokens stored in OS keychain (macOS Keychain, Windows Credential Manager, Linux Secret Service) for local deployment, or ephemerally in container filesystem for Docker
- No plain text secrets - No sensitive information stored in configuration files
- OAuth 2.0 authentication - PKCE flow for local deployment prevents authorization code interception; Device Code flow for containerized deployment
- User-based authentication - All API calls are authenticated as the user who logged in, providing complete audit trails
- Input validation - Built-in protections against path traversal and query injection attacks
- Tenant isolation - Tokens are validated against the configured
AIC_BASE_URLto prevent accidental cross-tenant operations
Set the AIC_BASE_URL environment variable in your MCP client configuration to your PingOne AIC tenant URL (e.g., your-tenant.forgeblocks.com or https://your-tenant.forgeblocks.com).
Another service is using port 3000 (required for OAuth redirect). Stop that service and try again.
Check that the open package has permissions to launch your browser, or manually navigate to the URL shown in the error message.
Your MCP client may not support form elicitation yet. Use the local deployment method instead.
To build the server from source for development:
# Clone the repository
git clone https://github.com/pingidentity/aic-mcp-server.git
cd aic-mcp-server
# Install dependencies
npm install
# Compile TypeScript
npm run buildThen configure your MCP client to use the local build:
{
"mcpServers": {
"aic-mcp-server": {
"command": "node",
"args": ["/absolute/path/to/aic-mcp-server/dist/index.js"],
"env": {
"AIC_BASE_URL": "your-tenant.forgeblocks.com"
}
}
}
}For type checking without building:
npm run typecheckThe project includes a comprehensive test suite covering all tools and authentication flows.
# Run all tests
npm test
# Watch mode for development
npm run test:watch
# Generate coverage report
npm run test:coverage
# Update tool schema snapshots
npm run test:snapshots:updateUse the MCP Inspector to visually test tools in a web interface:
# Development mode (no build required - faster iteration)
AIC_BASE_URL=your-tenant.forgeblocks.com npm run dev:inspect
# Production mode (requires build first)
npm run build
AIC_BASE_URL=your-tenant.forgeblocks.com npm run inspectHosts a web interface for interactive tool testing and OAuth flow debugging.
Contributions are welcome! Please feel free to submit a Pull Request.
We welcome your feedback! Please use this repository's issue tracker to submit feedback, bug reports, or enhancement requests. For existing issues, you can add a 👍 reaction to help our team gauge priority.
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.