Identity for AI

Secure AWS Bedrock AgentCore Identity with the Ping Identity Platform

You can integrate Ping Identity’s identity providers (IdPs) with AWS Bedrock AgentCore Identity to secure agent-based workloads.

Specifically, this guide explains how to configure each IdP (PingOne, PingOne Advanced Identity Cloud, and PingFederate) as an:

Inbound IdP for AgentCore Gateway and Runtime

This enables agents to authenticate and authorize end users using OAuth 2.0/OpenID Connect (OIDC) tokens issued by Ping Identity.

Outbound credential provider for AgentCore Identity

This enables agents to securely obtain OAuth 2.0 access tokens from Ping Identity in order to call downstream APIs and protected resources.

Goals

  • Centralize authentication and authorization for Bedrock AgentCore agents using the Ping Identity Platform.

  • Enforce consistent OAuth/OIDC controls such as audience (aud) validation, scopes, and grant types across inbound and outbound agent interactions.

  • Support both user-based flows (Authorization Code grants) and machine-to-machine flows (Client Credentials grants) as defined in the AWS Bedrock AgentCore Identity model.

This aligns with AWS’s recommended IdP integration pattern for AgentCore, as described in the AWS Bedrock AgentCore Identity documentation, and demonstrates how Ping Identity products act as both trusted token issuers and credential providers within agent-based architectures.

AWS Bedrock AgentCore Identity Model

AWS Bedrock AgentCore Identity provides a standardized mechanism for:

Inbound authentication

Validating OAuth 2.0/OIDC tokens presented to AgentCore Gateway and Runtime by agent users.

Outbound credential acquisition

Securely retrieving OAuth 2.0 access tokens that agents use to access external systems.

AgentCore Identity relies on:

  • OIDC discovery metadata to locate authorization, token, and JWKS endpoints.

  • Audience (aud) and scope validation to ensure tokens are issued for the correct resource.

  • Explicit configuration of IdPs and credential providers.

PingOne, PingOne Advanced Identity Cloud, and PingFederate all satisfy these requirements and can be integrated with the following patterns.

PingOne integration

You can configure PingOne as an IdP for accessing AgentCore Gateway and Runtime, or as an AgentCore Identity credential provider for outbound resource access. This lets your agents authenticate and authorize agent users with PingOne as the IdP and authorization server, or obtain credentials to access resources protected by PingOne.

To add PingOne as an IdP and authorization server for AgentCore Gateway and Runtime, you must:

  • Configure the discovery URL for your PingOne environment so AgentCore Identity can retrieve OAuth and OIDC metadata.

  • Configure and validate expected aud claims to ensure access tokens are issued for the correct protected resource.

Configure PingOne for inbound authentication

  1. Sign on to the PingOne admin console.

  2. Go to Applications > Applications.

  3. Click the icon to create a new application.

  4. In the Application Name field, enter a name.

  5. Select OIDC Web App, and then click Save.

  6. Configure your application as a user federation OAuth 2.0 client:

    1. Select your application and go to the Configuration tab.

    2. In the Response Type field, select Code.

    3. In the Grant Type field, select Authorization Code and/or Client Credentials, depending on your use case.

    4. In the Token Endpoint Authentication Method, select Client Secret Post.

    5. (Optional) If using the Authorization Code Grant type, enter the Redirect URI.

  7. Create a custom resource.

    1. Go to Applications > Resources and click the icon to create a new resource.

    2. In the Scopes tab, define a scope and assign that scope to the application.

    You will set this resource name as the aud claim for Client Credentials access tokens.

  8. Configure the AgentCore inbound authentication:

    1. In the Discovery URL field, enter the OIDC Discovery Endpoint from the PingOne Application Overview.

    2. In the Allowed Audiences field, enter the resource name you created in step 7.

For more information, refer to the PingOne API documentation.

Configure outbound authentication

Outbound configuration mirrors inbound configuration, with the additional step of adding the AgentCore Identity callback URL to the application’s redirect URIs.

AgentCore outbound resource provider configuration

{
  "name": "PingOne",
  "credentialProviderVendor": "PingOneOauth2",
  "oauth2ProviderConfigInput": {
    "includedOauth2ProviderConfig": {
      "clientId": "<CLIENT_ID>",
      "clientSecret": "<CLIENT_SECRET>",
      "authorizeEndpoint": "https://auth.pingone.com/<ENV_ID>/as/authorize",
      "tokenEndpoint": "https://auth.pingone.com/<ENV_ID>/as/token",
      "issuer": "https://auth.pingone.com/<ENV_ID>/as"
    }
  }
}

PingOne Advanced Identity Cloud integration

You can configure PingOne Advanced Identity Cloud as an IdP for accessing AgentCore Gateway and Runtime, or as an AgentCore Identity credential provider for outbound resource access. This enables both user-based and machine-based agent interactions secured by PingOne Advanced Identity Cloud.

Configure inbound authentication

  1. Sign on to the PingOne Advanced Identity Cloud admin console.

  2. Go to Applications > Custom Application.

  3. Select OIDC - OpenID Connect and then click Service.

  4. Complete the following fields:

    1. Application Name

    2. Description

    3. Owner

  5. Create the Client ID and Client Secret.

  6. Click the Sign-On tab and configure the following fields:

    1. Authorization Code and/or Client Credentials grant types.

    2. Redirect URI if using Authorization Code.

  7. Configure AgentCore inbound authentication:

    1. In the Discovery URL field, enter the OIDC Discovery Endpoint from the Sign-On tab.

    2. In the Allowed Audiences field, enter the Client ID.

Configure outbound authentication

Outbound configuration mirrors inbound configuration, with the additional step of adding the AgentCore Identity callback URL to the application’s redirect URIs.

AgentCore outbound resource provider configuration

{
  "name": "PingOne AIC",
  "credentialProviderVendor": "CustomOauth2",
  "oauth2ProviderConfigInput": {
    "includedOauth2ProviderConfig": {
      "clientId": "<CLIENT_ID>",
      "clientSecret": "<CLIENT_SECRET>",
      "oauthDiscovery": {
        "discoveryUrl": "https://<PINGONE_AIC_TENANT>/am/oauth2/realms/root/realms/<REALM>/.well-known/openid-configuration"
      }
    }
  }
}

PingFederate integration

You can configure PingFederate as an identity provider for accessing AgentCore Gateway and Runtime, or as an AgentCore Identity credential provider for outbound resource access, supporting enterprise OAuth deployments and fine-grained token control.

Configure PingFederate for inbound authentication

  1. Sign on to the PingFederate administrator console.

  2. Go to Applications > OAuth > Clients and click Add Client.

  3. Configure the following fields:

    1. Client ID and Client Secret.

    2. Redirect URI, if applicable.

    3. For Allowed Grant Types, select Authorization Code or Client Credentials.

  4. Go to System > OAuth Settings > Scope Management and create one or more scopes.

  5. Go to Applications > OAuth > Access Token Management and configure the aud claim by setting the Audience Claim Value.

  6. Allow the client to request the appropriate scopes and grant types.

  7. Configure AgentCore inbound authentication:

    1. Set Discovery URL to https://<PINGFED_SERVER_HOSTNAME>/.well-known/oauth-authorization-server.

    2. Set Allowed Audiences to the configured audience value.
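The three inbound procedures above (PingOne, PingOne Advanced Identity Cloud, and PingFederate) all come down to the same two settings: a Discovery URL, from which the expected issuer and the JWKS are taken, and a list of Allowed Audiences. The following Python is an added example, not AWS or Ping Identity code, showing the policy checks those settings imply once a JOSE library has verified the token signature against the JWKS (signature verification is assumed, not performed here). The issuer, audience, resource name, scope and claim values are constructed placeholders; note that for PingOne Client Credentials tokens the expected audience is the custom resource name, whereas for Advanced Identity Cloud it is the Client ID.

```python
"""Inbound token policy checks mirroring AgentCore's Discovery URL and
Allowed Audiences settings. Added example; assumes the JWT signature has
already been verified against the JWKS advertised by the IdP's discovery
document. All issuer/audience/scope values below are constructed."""
import time
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class InboundPolicy:
    issuer: str                      # "issuer" member of the discovery document
    allowed_audiences: frozenset     # AgentCore "Allowed Audiences"
    required_scopes: frozenset = frozenset()  # scopes this endpoint needs
    leeway: int = 30                 # clock-skew tolerance in seconds


class TokenRejected(Exception):
    """Short reason for logging; never echo token contents to the caller."""


def validate_inbound_token(claims: dict, policy: InboundPolicy,
                           now: Optional[float] = None) -> dict:
    now = time.time() if now is None else now

    # Issuer must match the discovery document exactly (no prefix matching).
    if claims.get("iss") != policy.issuer:
        raise TokenRejected("issuer mismatch")

    # RFC 7519: aud is a string or an array of strings. Accept only if at least
    # one value is allow-listed, so a token minted for another resource or
    # client cannot be replayed against this endpoint.
    aud = claims.get("aud")
    aud_values = {aud} if isinstance(aud, str) else set(aud or [])
    if not aud_values & policy.allowed_audiences:
        raise TokenRejected("audience not allowed")

    # Lifetime: exp is mandatory here; nbf is honoured when present.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + policy.leeway:
        raise TokenRejected("token expired or exp missing")
    nbf = claims.get("nbf")
    if nbf is not None and now + policy.leeway < nbf:
        raise TokenRejected("token not yet valid")

    # The scope claim is a space-delimited string (RFC 9068 / RFC 8693).
    granted = set(str(claims.get("scope", "")).split())
    missing = policy.required_scopes - granted
    if missing:
        raise TokenRejected("missing scopes: " + " ".join(sorted(missing)))
    return claims


def check(claims: dict, policy: InboundPolicy, now: float) -> Tuple[bool, str]:
    """Convenience wrapper returning (accepted, reason)."""
    try:
        validate_inbound_token(claims, policy, now)
        return True, "ok"
    except TokenRejected as e:
        return False, str(e)


# --- constructed sample data -------------------------------------------------
NOW = 1_700_000_000

# PingOne: Client Credentials tokens carry the custom resource name as aud.
PINGONE_POLICY = InboundPolicy(
    issuer="https://auth.pingone.com/<ENV_ID>/as",
    allowed_audiences=frozenset({"agentcore-gateway"}),   # resource name, constructed
    required_scopes=frozenset({"agent:invoke"}),          # constructed scope
)
SAMPLE_PINGONE_CLAIMS = {
    "iss": "https://auth.pingone.com/<ENV_ID>/as",
    "aud": ["agentcore-gateway"],
    "scope": "agent:invoke",
    "client_id": "<CLIENT_ID>",
    "iat": NOW - 60,
    "exp": NOW + 3540,
}

# Advanced Identity Cloud: the Client ID is the expected audience.
AIC_POLICY = InboundPolicy(
    issuer="https://<PINGONE_AIC_TENANT>/am/oauth2/realms/root/realms/<REALM>",
    allowed_audiences=frozenset({"<CLIENT_ID>"}),
)
SAMPLE_AIC_CLAIMS = {
    "iss": "https://<PINGONE_AIC_TENANT>/am/oauth2/realms/root/realms/<REALM>",
    "aud": "<CLIENT_ID>",
    "exp": NOW + 600,
}

if __name__ == "__main__":
    print(check(SAMPLE_PINGONE_CLAIMS, PINGONE_POLICY, NOW))
    print(check({**SAMPLE_PINGONE_CLAIMS, "aud": "other-api"}, PINGONE_POLICY, NOW))
```

The audience check is the one that prevents token reuse across resources: a PingOne token issued for a different custom resource, or an AIC token issued to a different client, fails the allow-list even though its issuer and signature are valid.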

Configure PingFederate for outbound authentication

Outbound configuration mirrors inbound configuration, with the additional step of adding the AgentCore Identity callback URL to the application’s redirect URIs.

AgentCore outbound resource provider configuration

{
  "name": "PingFederate",
  "credentialProviderVendor": "CustomOauth2",
  "oauth2ProviderConfigInput": {
    "includedOauth2ProviderConfig": {
      "clientId": "<CLIENT_ID>",
      "clientSecret": "<CLIENT_SECRET>",
      "oauthDiscovery": {
        "discoveryUrl": "https://<PINGFED_SERVER_HOSTNAME>/.well-known/oauth-authorization-server"
      }
    }
  }
}
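The three outbound provider configurations on this page differ only in whether the endpoints are stated explicitly (the PingOne block) or resolved from a discovery URL (the Advanced Identity Cloud and PingFederate blocks). The Python below is an added example, not AWS or Ping Identity code, showing how the explicit form is derived from a discovery document and which consistency checks are worth applying before trusting it: the issuer must be https, the discovery URL must belong to the advertised issuer (OIDC Discovery appends the well-known path to the issuer; RFC 8414 inserts it between host and path), and the endpoints AgentCore needs must be present. The discovery document and the jwks_uri value are constructed; the endpoint paths follow the PingOne block above.

```python
"""Derive an AgentCore outbound credential-provider configuration from an
OIDC/OAuth discovery document and check the document's consistency.
Added example; JSON shapes follow the provider configurations on this page,
the discovery document is constructed."""
from urllib.parse import urlsplit, urlunsplit

OIDC_WELL_KNOWN = "/.well-known/openid-configuration"
OAUTH_WELL_KNOWN = "/.well-known/oauth-authorization-server"
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def expected_discovery_urls(issuer: str) -> set:
    """All URLs a discovery document for `issuer` may legitimately be served
    from. OIDC appends the well-known path to the issuer; RFC 8414 inserts it
    between host and path (both documents allow the other form)."""
    issuer = issuer.rstrip("/")
    parts = urlsplit(issuer)
    inserted = lambda wk: urlunsplit((parts.scheme, parts.netloc, wk + parts.path, "", ""))
    return {issuer + OIDC_WELL_KNOWN, issuer + OAUTH_WELL_KNOWN,
            inserted(OIDC_WELL_KNOWN), inserted(OAUTH_WELL_KNOWN)}


def check_discovery_document(discovery_url: str, doc: dict) -> str:
    """Return the issuer if the document is consistent, else raise ValueError."""
    issuer = doc.get("issuer", "")
    if not issuer.startswith("https://"):
        raise ValueError("issuer must be an https URL")
    # A document fetched from one host but advertising another issuer would
    # let tokens from the wrong authorization server pass the issuer check.
    if discovery_url not in expected_discovery_urls(issuer):
        raise ValueError("discovery URL does not belong to the advertised issuer")
    missing = [k for k in REQUIRED_ENDPOINTS if k not in doc]
    if missing:
        raise ValueError("discovery document lacks: " + ", ".join(missing))
    return issuer


def is_consistent(discovery_url: str, doc: dict) -> bool:
    try:
        check_discovery_document(discovery_url, doc)
        return True
    except ValueError:
        return False


def outbound_provider_config(name: str, discovery_url: str, doc: dict,
                             client_id: str, client_secret: str,
                             vendor: str = "CustomOauth2") -> dict:
    """Explicit-endpoint form of the AgentCore provider configuration."""
    issuer = check_discovery_document(discovery_url, doc)
    return {
        "name": name,
        "credentialProviderVendor": vendor,
        "oauth2ProviderConfigInput": {
            "includedOauth2ProviderConfig": {
                "clientId": client_id,
                "clientSecret": client_secret,
                "authorizeEndpoint": doc["authorization_endpoint"],
                "tokenEndpoint": doc["token_endpoint"],
                "issuer": issuer,
            }
        },
    }


# Constructed PingOne-style discovery document (jwks_uri value is a sample).
PINGONE_DISCOVERY_URL = "https://auth.pingone.com/<ENV_ID>/as" + OIDC_WELL_KNOWN
SAMPLE_PINGONE_DISCOVERY = {
    "issuer": "https://auth.pingone.com/<ENV_ID>/as",
    "authorization_endpoint": "https://auth.pingone.com/<ENV_ID>/as/authorize",
    "token_endpoint": "https://auth.pingone.com/<ENV_ID>/as/token",
    "jwks_uri": "https://auth.pingone.com/<ENV_ID>/as/jwks",
}

if __name__ == "__main__":
    import json
    print(json.dumps(outbound_provider_config(
        "PingOne", PINGONE_DISCOVERY_URL, SAMPLE_PINGONE_DISCOVERY,
        "<CLIENT_ID>", "<CLIENT_SECRET>", vendor="PingOneOauth2"), indent=2))
```

For PingFederate the issuer has no path component, so `https://<PINGFED_SERVER_HOSTNAME>/.well-known/oauth-authorization-server` satisfies both the OIDC and the RFC 8414 form of the check.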

Result

You’ve successfully integrated PingOne, PingOne Advanced Identity Cloud, or PingFederate with AWS Bedrock AgentCore Identity and can apply consistent enterprise identity controls to AI agents.