Secure AWS Bedrock AgentCore Identity with the Ping Identity Platform
You can integrate Ping Identity’s identity providers (IdPs) with AWS Bedrock AgentCore Identity to secure agent-based workloads.
Specifically, you can configure each IdP (PingOne, PingOne Advanced Identity Cloud, and PingFederate) as an:
- Inbound IdP for AgentCore Gateway and Runtime: this enables agents to authenticate and authorize end users using OpenID Connect (OIDC) tokens issued by Ping Identity.
- Outbound credential provider for AgentCore Identity: this enables agents to securely obtain OIDC access tokens from Ping Identity in order to call downstream APIs and protected resources.
Goals
- Centralize authentication and authorization for Bedrock AgentCore agents using the Ping Identity Platform.
- Enforce consistent OIDC controls such as audience (aud) validation, scopes, and grant types across inbound and outbound agent interactions.
- Support both user-based flows (authorization code grants) and machine-to-machine flows (client credentials grants) as defined in the AWS Bedrock AgentCore Identity model.
This aligns with AWS’s recommended IdP integration pattern for AgentCore, as described in the AWS Bedrock AgentCore Identity documentation, and demonstrates how Ping Identity products act as both trusted token issuers and credential providers within agent-based architectures.
AWS Bedrock AgentCore Identity model
AWS Bedrock AgentCore Identity provides a standardized mechanism for:
- Inbound authentication: validating OAuth 2.0/OIDC tokens presented to AgentCore Gateway and Runtime by agent users.
- Outbound credential acquisition: securely retrieving OAuth 2.0 access tokens that agents use to access external systems.
AgentCore Identity relies on:
- OIDC discovery metadata to locate authorization, token, and JSON Web Key Set (JWKS) endpoints.
- Audience (aud) and scope validation to ensure tokens are issued for the correct resource.
- Explicit configuration of IdPs and credential providers.
PingOne, PingOne Advanced Identity Cloud, and PingFederate all satisfy these requirements and can be integrated with the following patterns.
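The checks behind the Discovery URL and Allowed Audiences settings used in all three inbound configurations below, written out as an added, standard-library-only Python example (not Ping Identity's or AWS's code): read the discovery document, pick the signing key from the JWKS by kid, verify the RS256 signature, then enforce iss, aud, exp and scope. The environment id, the kid, the resource name agentcore-gateway, the scope tools:invoke, the generated key pair, the inline discovery document and JWKS, and the minted tokens are all constructed for the demo; a real deployment fetches metadata and keys from the IdP over HTTPS and never holds the IdP's private key.

```python
"""Inbound token validation as AgentCore applies it to a Ping IdP: discovery metadata ->
JWKS key -> RS256 signature -> iss/aud/exp/scope. Added example, not Ping or AWS code;
every fixture is constructed (demo key pair, inline discovery document/JWKS, local tokens)."""
import base64, hashlib, hmac, json, random, time

# --- minimal RS256 (RSASSA-PKCS1-v1_5 with SHA-256) on the standard library -----------
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _is_probable_prime(n, rounds=32):        # Fermat test: fine for a throwaway demo key only
    return all(pow(random.randrange(2, n - 1), n - 1, n) == 1 for _ in range(rounds))

def _prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def generate_rsa_key(bits=1024):
    """Constructed demo key; a real IdP's private key never leaves the IdP."""
    while True:
        e, p, q = 65537, _prime(bits // 2), _prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:  # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def _emsa(msg, k):                           # EMSA-PKCS1-v1_5 encoding of SHA-256(msg)
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(n, e, msg, sig):
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and hmac.compare_digest(
        pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big"), _emsa(msg, k))

def _b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _int_b64u(i): return _b64u(i.to_bytes((i.bit_length() + 7) // 8, "big"))

def mint_jwt(key, kid, claims):
    """Stand-in for the IdP token endpoint (demo only)."""
    signing_input = (_b64u(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
                     + "." + _b64u(json.dumps(claims).encode()))
    return signing_input + "." + _b64u(rs256_sign(key, signing_input.encode()))

# --- the checks behind AgentCore's Discovery URL and Allowed Audiences fields ----------
REQUIRED_METADATA = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def _require(ok, msg):
    if not ok:
        raise ValueError(msg)

def check_discovery(discovery_url, metadata):
    """Pre-flight check on a discovery document before its URL is configured."""
    missing = [f for f in REQUIRED_METADATA if f not in metadata]
    _require(not missing, f"discovery document lacks {missing}")
    issuer = metadata["issuer"]
    _require(issuer.startswith("https://") and issuer.split("/")[2] == discovery_url.split("/")[2],
             "issuer must be https and on the discovery URL's host")
    return issuer

def validate_inbound_token(token, discovery_url, metadata, jwks, allowed_audiences,
                           required_scopes=(), now=None):
    issuer = check_discovery(discovery_url, metadata)
    h, p, s = token.split(".")
    header = json.loads(_b64u_dec(h))
    _require(header.get("alg") == "RS256", "unexpected alg")          # no alg=none / HMAC downgrade
    jwk = next((k for k in jwks["keys"]
                if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    _require(jwk is not None, "no RSA key in JWKS for kid")
    n, e = (int.from_bytes(_b64u_dec(jwk[f]), "big") for f in ("n", "e"))
    _require(rs256_verify(n, e, f"{h}.{p}".encode(), _b64u_dec(s)), "signature verification failed")
    claims = json.loads(_b64u_dec(p))                                  # trusted only after the signature check
    _require(claims.get("iss") == issuer, "issuer mismatch")
    aud = {claims["aud"]} if isinstance(claims.get("aud"), str) else set(claims.get("aud") or [])
    _require(aud & set(allowed_audiences), "aud not in allowed audiences")  # Allowed Audiences check
    _require(claims.get("exp", 0) > (time.time() if now is None else now), "token expired")
    _require(set(required_scopes) <= set(claims.get("scope", "").split()), "missing scope")
    return claims

# --- constructed PingOne-shaped fixtures (placeholder environment id) -------------------
IDP_KEY = generate_rsa_key()
ISSUER = "https://auth.pingone.com/example-env-id/as"
DISCOVERY_URL = ISSUER + "/.well-known/openid-configuration"
METADATA = {"issuer": ISSUER, "authorization_endpoint": ISSUER + "/authorize",
            "token_endpoint": ISSUER + "/token", "jwks_uri": ISSUER + "/jwks"}
JWKS = {"keys": [{"kty": "RSA", "kid": "demo-kid", "n": _int_b64u(IDP_KEY["n"]), "e": _int_b64u(IDP_KEY["e"])}]}
RESOURCE_NAME = "agentcore-gateway"          # custom resource name used as aud for client_credentials tokens

def demo():
    """Returns (sub of an accepted token, rejection reason for a token minted for another audience)."""
    base = {"iss": ISSUER, "sub": "agent-client", "exp": int(time.time()) + 300, "scope": "tools:invoke"}
    ok = validate_inbound_token(mint_jwt(IDP_KEY, "demo-kid", dict(base, aud=RESOURCE_NAME)),
                                DISCOVERY_URL, METADATA, JWKS, [RESOURCE_NAME], ["tools:invoke"])
    try:
        validate_inbound_token(mint_jwt(IDP_KEY, "demo-kid", dict(base, aud="some-other-api")),
                               DISCOVERY_URL, METADATA, JWKS, [RESOURCE_NAME])
        return ok["sub"], None
    except ValueError as err:
        return ok["sub"], str(err)
```

The only line that changes between the three IdPs is the value passed as allowed audiences: the custom resource name for PingOne client credentials tokens, the Client ID for PingOne Advanced Identity Cloud, and the Audience Claim Value for PingFederate. Everything else (discovery, key lookup, signature, issuer, expiry, scope) is the same policy, and a token that is validly signed but minted for another audience is rejected before any scope is considered.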
PingOne integration
You can configure Ping Identity as an IdP for accessing AgentCore Gateway and Runtime, or as an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate and authorize agent users with PingOne as the IdP and authorization server, or your agents to obtain credentials to access resources authorized by PingOne.
To add PingOne as an IdP and authorization server for AgentCore Gateway and Runtime, you must:
- Configure the discovery URL for your PingOne environment so AgentCore Identity can retrieve OAuth and OIDC metadata.
- Configure and validate the expected aud claims to ensure access tokens are issued for the correct protected resource.
Configuring PingOne for inbound authentication
1. Sign on to the PingOne admin console.
2. Go to Applications > Applications.
3. Click the icon to create a new application.
4. In the Application Name field, enter a name.
5. In the Application Type section, click OIDC Web App, and then click Save.
6. Configure your application as a user federation OAuth 2.0 client:
   - Select your application and go to the Configuration tab.
   - In the Response Type section, select the Code checkbox.
   - In the Grant Type section, select the Authorization Code checkbox, the Client Credentials checkbox, or both, depending on your use case.
   - In the Token Endpoint Authentication Method list, select Client Secret Post.
   - (Optional) If using the authorization code grant type, enter the Redirect URI.
7. Create a custom resource:
   - Go to Applications > Resources and click the icon to create a new resource.
   - In the Resource Name field, enter a name for the resource, and then click Next.
   - In the PingOne Mappings list, select a value to map to the sub attribute, and then click Next.
   - Click + Add Scope to define a scope and assign it to the application.
   - Click Save.
   You will set this resource name as the aud claim for Client Credentials access tokens.
8. Configure the AgentCore inbound authentication:
   - In the Discovery URL field, enter the OIDC Discovery Endpoint value from the Overview tab on the PingOne application details pane.
   - In the Allowed Audiences field, enter the resource name you created in step 7.
You can find more information in the PingOne API documentation.
Configuring outbound authentication
Outbound configuration mirrors inbound configuration, with the additional step of adding the AgentCore Identity callback URL to the application’s redirect URIs.
AgentCore outbound resource provider configuration
{
  "name": "PingOne",
  "credentialProviderVendor": "PingOneOauth2",
  "oauth2ProviderConfigInput": {
    "includedOauth2ProviderConfig": {
      "clientId": "<CLIENT_ID>",
      "clientSecret": "<CLIENT_SECRET>",
      "authorizeEndpoint": "https://auth.pingone.com/<ENV_ID>/as/authorize",
      "tokenEndpoint": "https://auth.pingone.com/<ENV_ID>/as/token",
      "issuer": "https://auth.pingone.com/<ENV_ID>/as"
    }
  }
}
PingOne Advanced Identity Cloud integration
You can configure PingOne Advanced Identity Cloud as an IdP for accessing AgentCore Gateway and Runtime, or as an AgentCore Identity credential provider for outbound resource access. This enables both user-based and machine-based agent interactions secured by PingOne Advanced Identity Cloud.
Configuring PingOne Advanced Identity Cloud for inbound authentication
1. In the PingOne Advanced Identity Cloud admin console, go to Applications > Custom Application.
2. Select OIDC - OpenID Connect and then click Service.
3. Complete the following fields:
   - Application Name
   - Description
   - Owner
4. Create the Client ID and Client Secret.
5. On the Sign-On tab, configure the following fields:
   - Authorization code or client credentials grant types.
   - Redirect URI, if using Authorization Code.
6. Configure AgentCore inbound authentication:
   - In the Discovery URL field, enter the OIDC Discovery Endpoint from the Sign-On tab.
   - In the Allowed Audiences field, enter the Client ID.
Configuring outbound authentication
Outbound configuration mirrors inbound configuration, with the additional step of adding the AgentCore Identity callback URL to the application’s redirect URIs.
AgentCore outbound resource provider configuration
{
  "name": "PingOne AIC",
  "credentialProviderVendor": "CustomOauth2",
  "oauth2ProviderConfigInput": {
    "includedOauth2ProviderConfig": {
      "clientId": "<CLIENT_ID>",
      "clientSecret": "<CLIENT_SECRET>",
      "oauthDiscovery": {
        "discoveryUrl": "https://<PINGONE_AIC_TENANT>/am/oauth2/realms/root/realms/<REALM>/.well-known/openid-configuration"
      }
    }
  }
}
PingFederate integration
You can configure PingFederate as an IdP for accessing AgentCore Gateway and Runtime, or as an AgentCore Identity credential provider for outbound resource access, supporting enterprise OAuth deployments and fine-grained token control.
Configuring PingFederate for inbound authentication
1. In the PingFederate admin console, go to Applications > OAuth > Clients and click Add Client.
2. Configure the following fields:
   - Client ID and Client Secret.
   - Redirect URI, if applicable.
   - For Allowed Grant Types, select Authorization Code or Client Credentials.
3. Go to System > OAuth Settings > Scope Management and create one or more scopes.
4. Go to Applications > OAuth > Access Token Management and configure the aud claim by setting the Audience Claim Value.
5. Allow the client to request the appropriate scopes and grant types.
6. Configure AgentCore inbound authentication:
   - Set Discovery URL to https://<PINGFED_SERVER_HOSTNAME>/.well-known/oauth-authorization-server.
   - Set Allowed Audiences to the configured audience value.
Configuring outbound authentication
Outbound configuration mirrors inbound configuration, with the additional step of adding the AgentCore Identity callback URL to the application’s redirect URIs.
AgentCore outbound resource provider configuration
{
  "name": "PingFederate",
  "credentialProviderVendor": "CustomOauth2",
  "oauth2ProviderConfigInput": {
    "includedOauth2ProviderConfig": {
      "clientId": "<CLIENT_ID>",
      "clientSecret": "<CLIENT_SECRET>",
      "oauthDiscovery": {
        "discoveryUrl": "https://<PINGFED_SERVER_HOSTNAME>/.well-known/oauth-authorization-server"
      }
    }
  }
}