Introducing the PingOne Advanced Identity Cloud (AIC) MCP Server

Developers have already discovered that LLMs (such as Claude, Gemini, GPT, Grok, and others) accelerate workflows across coding, debugging, and operations. A real breakthrough has been the ability to create custom agents within the IDE. Now developers can write specialized agent workflows that combine reasoning, tooling, and domain logic to solve problems autonomously.

To help these agents work effectively, we need a bridge between the AI and your actual services. That is where MCP (Model Context Protocol) comes in.

Today, we are excited to introduce the AIC MCP Server. This tool connects your PingOne Advanced Identity Cloud (AIC) environment directly to the AI agents you use every day in IDEs like Cursor, VS Code, and GitHub Copilot, or command-line tools like Claude Code and Gemini CLI.

What Exactly is an MCP Server?

Think of the Model Context Protocol (MCP) as a universal remote for AI. In the past, every AI platform had to build its own unique way to talk to different databases or services. MCP changes that by creating a standard “contract.”

It allows an AI agent to see a list of available tools, understand what they do, and know exactly how to call them. When you use an MCP server, you aren’t just giving an AI a window into your data; you’re giving it a specialized “hand” to perform tasks for you.

You can find a more detailed look into MCP’s architecture, workflow, and security model in the Ping Identity MCP documentation.

How the AIC MCP Server Works

PingOne Advanced Identity Cloud (AIC) is Ping Identity’s modern, single-tenant identity platform. It manages users, authentication flows, roles, policies, audit logs, and customer-facing themes. If you’re running an identity operation, AIC is where the configuration lives.

The AIC MCP server is an open-source TypeScript tool, distributed through npm, which exposes 40+ tools that wrap AIC’s REST APIs and packages them as MCP-compatible functions. Instead of manually navigating the console or hand-crafting API requests, you describe what you want in natural language. Your agent translates that to the right MCP tools, the MCP server handles the API calls and authentication, and returns results that the agent can reform into natural language.

Here’s the practical difference:

Task	Without MCP	With AIC MCP Server
Find failed logins from 9 PM – 11 PM yesterday	20 minutes (console navigation, log filtering, export)	1 minute (“Show me authentication failures from 9 PM – 11 PM yesterday”)
Create a new role with specific permissions	15 minutes (console form, multi-step workflow)	2 minutes (“Create a role called product-admin with these permissions: …”)
List all users in a specific group	10 minutes (API docs, construct request, parse response)	30 seconds (“Which users are in the engineers group?”)

Why This Matters: MCP Adoption Is Evolving

MCP has become the standard for AI-to-infrastructure integration. Popular developer tools (such as Claude Desktop, Cursor, GitHub Copilot, VS Code, Gemini CLI) all now support MCP. Developers are moving from being software engineers or technical admins to being agent orchestrators.

Identity and access management (IAM) is a perfect fit for AI assistance. Configuration can be repetitive. Audits demand detailed log parsing. Bulk operations can be tedious. Configuration updates may take a while when navigating multiple screens and modals in the web console. IAM is also not an isolated capability, often connected to other systems that benefit from being managed as a group. In this way, MCP clients allow connection of multiple MCP servers from different providers to bridge multi-service, multi-product workflows. The more systems connected, the more autonomy an agent has, the more the user can delegate.

For developers, this means faster operations. Less manual console navigation. Less copying and pasting IDs between tabs. Reduced context-switching.

Core Capabilities: 35+ Tools Across Five Categories

The AIC MCP server exposes 35+ tools organized into five functional areas:

• Managed Objects: Perform “search, create, and update” tasks for users, roles, groups, and organizations. (for example, “Find all users with an @acme.com email.”)
• Themes & Branding: Update your login pages, logos, and brand colors across different regions programmatically.
• Logging & Audits: Query activity logs by time, user, or error type—perfect for quick security check-ups.
• Secrets & Variables: Securely manage API keys and environment variables without having to hard-code them.
• Authentication Journeys: Build and test complex login flows (journeys) and the scripts that power them.

The server exposes many tools providing broad capability, with every action authenticated using OAuth 2.0 with PKCE and tied to your user identity in the audit log.

Getting Started: Hands-On Walkthrough

Getting the AIC MCP Server running takes 5 minutes. You’ll need:

• A Sandbox or Development AIC tenant.
• Node.js 18+ on your machine (or Docker).
• An MCP-compatible AI client (Claude Desktop is recommended).
• 5 minutes of setup time.

Step 1: Configure Your MCP Client

Find your AIC tenant’s base URL in the console (for example, my-tenant.forgeblocks.com). Then add the configuration to your MCP client’s config file:

{
  "mcpServers": {
    "aic-mcp-server": {
      "type": "stdio",
      "command": "npx",
      "args": ["-y", "@ping-identity/aic-mcp-server"],
      "env": {
        "AIC_BASE_URL": "your-tenant.forgeblocks.com"
      }
    }
  }
}

Replace your-tenant.forgeblocks.com with your actual tenant URL (no https:// prefix).

Step 2: Authenticate

Restart your AI client. When you first use a tool, the server will:

1. Open your browser to your AIC login screen.
2. Ask you to log in with your AIC admin credentials as an administrator.
3. Show you the permissions the server needs (scopes like fr:idm:\*, fr:idc:monitoring:\*).
4. After you’re authenticated, securely save your token in your OS keychain (where available).

This is a one-time setup for the session. The token stays in your keychain and can be reused until expiry or ephemerally if using the Docker image. Subsequent tool calls reuse the cached token, if it is still valid.

Step 3: Make Your First Tool Call

Count all users in the system and show me the total.

Behind the scenes, your agent will:

• Understand the available tools provided by the MCP server.
• Call the listManagedObjects tool to discover object types.
• Call queryManagedObjects to fetch users.
• Return the count in plain English.

Expected response: “There are 247 users in your AIC tenant.”

Real-World Use Case: Debugging Authentication Issues

It’s 8 AM. A high-priority bug report just landed: “A recent change to the primary user authentication journey has caused failures in overnight tests.” You need to:

• Analyze the bug and map it to the existing auth journey.
• Provision test identities that match the specific failure criteria.
• Trace the logs to find the exact line of code or configuration causing the break.
• Patch the journey and verify the fix immediately.

Without the server: 45 minutes of context switching (Jira, documentation, console, log aggregators, scripts).

With the AIC MCP Server (and other MCP servers that interact with ticket systems and UX):

1. Analyze the Bug and Journey

Your prompt to Claude:

Read bug report AUTH-802 and show me the current 'SSO-Onboarding' journey configuration.  Compare with recent closed tickets that may have caused a breaking change.

The Action: Your agent fetches the ticket details using the ticket system MCP server and pulls the journey configuration. It identifies a probable failure that happens during a user lookup step from an external data source. Time to insight: 30 - 60 seconds.

2. Reproduce with Test Users

Your prompt to Claude:

Create three test users: two with valid metadata in the external data source and one with invalid data to replicate the reported error.

The Action: Agent calls createManagedObject and tools related to the external data source. It returns key details for fresh accounts tailored to your debugging needs. Result: Environment ready in 20 seconds.

3. Trace Logs & Identify the Root Cause

Your prompt to Claude:

Run a test authentication for the user with invalid data. Show me the logs and highlight any stack traces.

The Action: Agent triggers a mock login and calls queryLogs. Result: “Found an error relating to user lookup. The journey isn’t handling user lookup where there is invalid data correctly.” Time to discovery: 5 minutes.

4. Update & Re-test

Your prompt to Claude:

Update the 'SSO-Onboarding' journey to include appropriate error handling when user data lookups fail, then re-test with the same user.

The Action: Agent calls saveJourney with the fix and re-runs the authentication trace. Result: “Test passed. Redirect successful. Journey updated in Dev environment.”

Total time saved: 30 - 45 minutes of manual work → less than 10 minutes of natural language queries. The workflow can be packaged up into an agent to save more time later. The difference compounds across your team.

Security and Caveats

OAuth 2.0 Authentication

Every tool call is authenticated with your AIC credentials using OAuth 2.0 (PKCE flow). Your password is never stored. The resulting access token is saved securely in your OS keychain—the same place your browser stores credentials.

Audit Trail

All actions—queries, creates, updates, deletes—appear in your AIC audit log tied to your user identity and are traceable as MCP-based interactions. There’s full traceability for compliance and security reviews.

Sandbox and Development Only

Currently, the server works with Sandbox and Development AIC tenants only. Production support is on the roadmap. This ensures you can safely experiment and iterate without risk to live systems.

Agent Permissions

Only use the MCP server with AI agents you trust. The agent has the same permissions as your authenticated user. If you’re an AIC admin, the agent is an admin. Always review agent prompts and tool calls before deploying them to production workflows.

Open Source

The server is Apache 2.0 licensed and open-source on GitHub. Review the code, audit the dependencies, and contribute. The entire codebase is at github.com/pingidentity/aic-mcp-server.

Next Steps: Try It Today, Give us Feedback

• Run your first agent workflow.
• Consider your developer workflows, how can the MCP server be used to turn repetitive or menial tasks into automated, intelligent workflows?
• Share your use cases and workflows with the Ping Identity developer community.
• If you find issues or would like to see enhancements, raise an issue on the code repository. We’re listening!

The AIC MCP Server is in early release. Your feedback shapes what comes next!

References

• GitHub Repository: https://github.com/pingidentity/aic-mcp-server
• NPM Package: https://www.npmjs.com/package/@ping-identity/aic-mcp-server
• PingOne AIC Documentation: https://docs.pingidentity.com/pingoneaic/
• Model Context Protocol (MCP) Specification: https://modelcontextprotocol.io/specification/2025-11-25
• OAuth 2.0 PKCE (RFC 7636): https://tools.ietf.org/html/rfc7636