---
title: Secure AWS Bedrock AgentCore Identity with the Ping Identity Platform
description: You can integrate Ping Identity's identity providers (IdPs) with AWS Bedrock AgentCore Identity to secure agent-based workloads.
component: identity-for-ai
page_id: identity-for-ai:agents:idai-securing-aws-ping
canonical_url: https://developer.pingidentity.com/identity-for-ai/agents/idai-securing-aws-ping.html
section_ids:
  goals: Goals
  aws-bedrock-agentcore-identity-model: AWS Bedrock AgentCore Identity model
  p1-steps: PingOne integration
  configuring-pingone-for-inbound-authentication: Configuring PingOne for inbound authentication
  configuring-outbound-authentication: Configuring outbound authentication
  agentcore-outbound-resource-provider-configuration: AgentCore outbound resource provider configuration
  aic-steps: PingOne Advanced Identity Cloud integration
  configuring-pingone-advanced-identity-cloud-for-inbound-authentication: Configuring PingOne Advanced Identity Cloud for inbound authentication
  configuring-outbound-authentication-2: Configuring outbound authentication
  agentcore-outbound-resource-provider-configuration-2: AgentCore outbound resource provider configuration
  pf-steps: PingFederate integration
  configuring-pingfederate-for-inbound-authentication: Configuring PingFederate for inbound authentication
  configuring-outbound-authentication-3: Configuring outbound authentication
  agentcore-outbound-resource-provider-configuration-3: AgentCore outbound resource provider configuration
  result: Result
---

# Secure AWS Bedrock AgentCore Identity with the Ping Identity Platform

You can integrate Ping Identity's identity providers (IdPs) with AWS Bedrock AgentCore Identity to secure agent-based workloads.

Specifically, you can configure each of the IdPs (PingOne, PingOne Advanced Identity Cloud, and PingFederate) as an:

* Inbound IdP for AgentCore Gateway and Runtime

  This enables agents to authenticate and authorize end users using OpenID Connect (OIDC) tokens issued by Ping Identity.

* Outbound credential provider for AgentCore Identity

  This enables agents to securely obtain OIDC access tokens from Ping Identity in order to call downstream APIs and protected resources.

## Goals

* Centralize authentication and authorization for Bedrock AgentCore agents using the Ping Identity Platform.

* Enforce consistent OIDC controls such as audience (`aud`) validation, scopes, and grant types across inbound and outbound agent interactions.

* Support both user-based flows (authorization code grants) and machine-to-machine flows (client credentials grants) as defined in the AWS Bedrock AgentCore Identity model.

This aligns with AWS's recommended IdP integration pattern for AgentCore, as described in the [AWS Bedrock AgentCore Identity documentation](https://docs.aws.amazon.com/bedrock-agentcore/), and demonstrates how Ping Identity products act as both trusted token issuers and credential providers within agent-based architectures.

## AWS Bedrock AgentCore Identity model

AWS Bedrock AgentCore Identity provides a standardized mechanism for:

* Inbound authentication

  Validating OAuth 2.0/OIDC tokens presented to AgentCore Gateway and Runtime by agent users.

* Outbound credential acquisition

  Securely retrieving OAuth 2.0 access tokens that agents use to access external systems.

AgentCore Identity relies on:

* OIDC discovery metadata to locate authorization, token, and JSON Web Key Set (JWKS) endpoints.

* Audience (`aud`) and scope validation to ensure tokens are issued for the correct resource.

* Explicit configuration of IdPs and credential providers.

PingOne, PingOne Advanced Identity Cloud, and PingFederate all satisfy these requirements and can be integrated with the following patterns.

## PingOne integration

You can configure PingOne as an IdP for accessing AgentCore Gateway and Runtime, or as an AgentCore Identity credential provider for outbound resource access. In the first case, your agents authenticate and authorize agent users with PingOne as the IdP and authorization server; in the second, your agents obtain credentials from PingOne to access resources it protects.

To add PingOne as an IdP and authorization server for AgentCore Gateway and Runtime, you must:

* Configure the discovery URL for your PingOne environment so AgentCore Identity can retrieve OAuth and OIDC metadata.

* Configure and validate expected `aud` claims to ensure access tokens are issued for the correct protected resource.
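The following script, added here as an example and not part of AgentCore or the Ping Identity Platform, shows the claim checks that the inbound model above describes: endpoints are read from the IdP's discovery document, and a token is accepted only if its issuer matches that document, its `aud` contains an allowed audience, it has not expired, and it carries the required scopes. The discovery document and claims are constructed for the example (the environment ID is a placeholder), and signature verification against the `jwks_uri` key set, which must happen before any claim check is trusted, is assumed to be done by a JWT library and is not shown.

```python
"""Inbound-token claim checks in the style AgentCore Identity applies to
tokens presented to Gateway and Runtime. Added example; not AgentCore's
or Ping Identity's code. Signature verification against `jwks_uri` is
assumed to happen before these checks and is not shown here."""
import time

# Constructed discovery document shaped like a PingOne
# /.well-known/openid-configuration response (EXAMPLE-ENV-ID is a placeholder).
DISCOVERY_DOC = {
    "issuer": "https://auth.pingone.com/EXAMPLE-ENV-ID/as",
    "authorization_endpoint": "https://auth.pingone.com/EXAMPLE-ENV-ID/as/authorize",
    "token_endpoint": "https://auth.pingone.com/EXAMPLE-ENV-ID/as/token",
    "jwks_uri": "https://auth.pingone.com/EXAMPLE-ENV-ID/as/jwks",
}

# Constructed claims of an already signature-verified access token.
SAMPLE_CLAIMS = {
    "iss": "https://auth.pingone.com/EXAMPLE-ENV-ID/as",
    "aud": "agentcore-resource",   # PingOne custom resource name, per the steps below
    "sub": "example-subject",
    "exp": 2000,
    "scope": "agent:invoke",
}


def endpoints_from_discovery(doc):
    """Pull the endpoints AgentCore needs out of an OIDC discovery document."""
    required = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
    missing = [k for k in required if k not in doc]
    if missing:
        raise ValueError(f"discovery document missing {missing}")
    return {k: doc[k] for k in required}


def validate_claims(claims, discovery, allowed_audiences, required_scopes=(), now=None):
    """Apply issuer, audience, expiry and scope checks.

    Returns a list of failure reasons; an empty list means the token is accepted.
    """
    now = time.time() if now is None else now
    failures = []

    # The issuer must be exactly the one published in the discovery document.
    if claims.get("iss") != discovery["issuer"]:
        failures.append("issuer mismatch")

    # RFC 7519 allows `aud` to be a string or an array; accept if any entry is allowed.
    aud = claims.get("aud")
    aud_values = [aud] if isinstance(aud, str) else list(aud or [])
    if not any(a in allowed_audiences for a in aud_values):
        failures.append("audience not allowed")

    # `exp` is seconds since the epoch; reject missing or past values.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        failures.append("token expired or exp missing")

    # `scope` is space-delimited (RFC 6749); some IdPs emit a JSON array instead.
    scope = claims.get("scope", "")
    granted = set(scope.split()) if isinstance(scope, str) else set(scope)
    missing_scopes = set(required_scopes) - granted
    if missing_scopes:
        failures.append(f"missing scopes: {sorted(missing_scopes)}")

    return failures


if __name__ == "__main__":
    endpoints = endpoints_from_discovery(DISCOVERY_DOC)
    print("JWKS endpoint:", endpoints["jwks_uri"])
    print("accepted:", validate_claims(SAMPLE_CLAIMS, DISCOVERY_DOC,
                                       ["agentcore-resource"], ["agent:invoke"], now=1000))
    print("wrong audience:", validate_claims(dict(SAMPLE_CLAIMS, aud=["other-api"]),
                                             DISCOVERY_DOC, ["agentcore-resource"], now=1000))
```

The `allowed_audiences` argument plays the role of the **Allowed Audiences** field configured in the steps that follow: for PingOne client credentials tokens it is the custom resource name, for PingOne Advanced Identity Cloud it is the client ID, and for PingFederate it is the configured **Audience Claim Value**.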

### Configuring PingOne for inbound authentication

1. Sign on to the PingOne admin console.

2. Go to Applications > Applications.

3. Click the **+** icon to create a new application.

4. In the **Application Name** field, enter a name.

5. In the **Application Type** section, click **OIDC Web App**, and then click **Save**.

6. Configure your application as a user federation OAuth 2.0 client:

   1. Select your application and go to the **Configuration** tab.

   2. In the **Response Type** section, select the **Code** checkbox.

   3. In the **Grant Type** section, select the **Authorization Code** checkbox, the **Client Credentials** checkbox, or both depending on your use case.

   4. In the **Token Endpoint Authentication Method** list, select **Client Secret Post**.

   5. (Optional) If using the authorization code grant type, enter the **Redirect URI**.

7. Create a custom resource.

   1. Go to Applications > Resources and click the **+** icon to create a new resource.

   2. In the **Resource Name** field, enter a name for the resource, and then click **Next**.

   3. In the **PingOne Mappings** list, select a value to map to the `sub` attribute, and then click **Next**.

   4. Click **+ Add Scope** to define a scope and assign it to the application.

   5. Click **Save**.

   Note: You will set this resource name as the `aud` claim for Client Credentials access tokens.

8. Configure the AgentCore inbound authentication:

   1. In the **Discovery URL** field, enter the **OIDC Discovery Endpoint** value from the **Overview** tab on the PingOne application details pane.

   2. In the **Allowed Audiences** field, enter the resource name you created in step 7.

You can find more information in the [PingOne API documentation](http://developer.pingidentity.com/pingone-api/).

### Configuring outbound authentication

Outbound configuration mirrors inbound configuration, with the additional step of adding the AgentCore Identity callback URL to the application's redirect URIs.

#### AgentCore outbound resource provider configuration

```json
{
  "name": "PingOne",
  "credentialProviderVendor": "PingOneOauth2",
  "oauth2ProviderConfigInput": {
    "includedOauth2ProviderConfig": {
      "clientId": "<CLIENT_ID>",
      "clientSecret": "<CLIENT_SECRET>",
      "authorizeEndpoint": "https://auth.pingone.com/<ENV_ID>/as/authorize",
      "tokenEndpoint": "https://auth.pingone.com/<ENV_ID>/as/token",
      "issuer": "https://auth.pingone.com/<ENV_ID>/as"
    }
  }
}
```

## PingOne Advanced Identity Cloud integration

You can configure PingOne Advanced Identity Cloud as an IdP for accessing AgentCore Gateway and Runtime, or as an AgentCore Identity credential provider for outbound resource access. This enables both user-based and machine-based agent interactions secured by PingOne Advanced Identity Cloud.

### Configuring PingOne Advanced Identity Cloud for inbound authentication

1. In the PingOne Advanced Identity Cloud admin console, go to Applications > Custom Application.

2. Select **OIDC - OpenID Connect** and then click **Service**.

3. Complete the following fields:

   1. **Application Name**

   2. **Description**

   3. **Owner**

4. Create the **Client ID** and **Client Secret**.

5. On the **Sign-On** tab, configure the following fields:

   1. **Grant Types**: select **Authorization Code**, **Client Credentials**, or both, depending on your use case.

   2. **Redirect URI**, if using the authorization code grant type.

6. Configure AgentCore inbound authentication:

   1. In the **Discovery URL** field, enter the **OIDC Discovery Endpoint** from the **Sign-On** tab.

   2. In the **Allowed Audiences** field, enter the **Client ID**.

### Configuring outbound authentication

Outbound configuration mirrors inbound configuration, with the additional step of adding the AgentCore Identity callback URL to the application's redirect URIs.

#### AgentCore outbound resource provider configuration

```json
{
  "name": "PingOne AIC",
  "credentialProviderVendor": "CustomOauth2",
  "oauth2ProviderConfigInput": {
    "includedOauth2ProviderConfig": {
      "clientId": "<CLIENT_ID>",
      "clientSecret": "<CLIENT_SECRET>",
      "oauthDiscovery": {
        "discoveryUrl": "https://<PINGONE_AIC_TENANT>/am/oauth2/realms/root/realms/<REALM>/.well-known/openid-configuration"
      }
    }
  }
}
```

## PingFederate integration

You can configure PingFederate as an IdP for accessing AgentCore Gateway and Runtime, or as an AgentCore Identity credential provider for outbound resource access, supporting enterprise OAuth deployments and fine-grained token control.

### Configuring PingFederate for inbound authentication

1. In the PingFederate admin console, go to Applications > OAuth > Clients and click **Add Client**.

2. Configure the following fields:

   1. **Client ID** and **Client Secret**.

   2. **Redirect URI**, if applicable.

   3. For **Allowed Grant Types**, select **Authorization Code** or **Client Credentials**.

3. Go to System > OAuth Settings > Scope Management and create one or more scopes.

4. Go to Applications > OAuth > Access Token Management and configure the `aud` claim by setting the **Audience Claim Value**.

5. Allow the client to request the appropriate scopes and grant types.

6. Configure AgentCore inbound authentication:

   1. Set **Discovery URL** to `https://<PINGFED_SERVER_HOSTNAME>/.well-known/oauth-authorization-server`.

   2. Set **Allowed Audiences** to the configured audience value.

### Configuring outbound authentication

Outbound configuration mirrors inbound configuration, with the additional step of adding the AgentCore Identity callback URL to the application's redirect URIs.

#### AgentCore outbound resource provider configuration

```json
{
  "name": "PingFederate",
  "credentialProviderVendor": "CustomOauth2",
  "oauth2ProviderConfigInput": {
    "includedOauth2ProviderConfig": {
      "clientId": "<CLIENT_ID>",
      "clientSecret": "<CLIENT_SECRET>",
      "oauthDiscovery": {
        "discoveryUrl": "https://<PINGFED_SERVER_HOSTNAME>/.well-known/oauth-authorization-server"
      }
    }
  }
}
```
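The three outbound provider configurations above (PingOne with explicit endpoints, and PingOne Advanced Identity Cloud and PingFederate with a discovery URL) share a few failure modes that only surface at token-acquisition time: a `<CLIENT_ID>`-style placeholder left in, an `http://` endpoint, or endpoints that belong to a different environment than the stated `issuer`. The script below, added here as an example and not AWS or Ping Identity code, checks a configuration document for those mistakes before it is registered. The field names follow the JSON shown on this page; the rules themselves are this example's own and do not reproduce AgentCore's validation, and the sample configurations are constructed.

```python
"""Pre-registration checks for AgentCore outbound credential-provider JSON.
Added example; not AWS or Ping Identity code. Field names follow the page's
examples; the rule set is this example's assumption."""
import copy
import re
from urllib.parse import urlparse

# Unreplaced placeholders look like <CLIENT_ID>, <ENV_ID>, <PINGFED_SERVER_HOSTNAME>.
PLACEHOLDER = re.compile(r"<[A-Z0-9_]+>")
DISCOVERY_SUFFIXES = (
    "/.well-known/openid-configuration",
    "/.well-known/oauth-authorization-server",
)

# Constructed configurations (client ID/secret values are illustrative).
GOOD_PINGONE = {
    "name": "PingOne",
    "credentialProviderVendor": "PingOneOauth2",
    "oauth2ProviderConfigInput": {"includedOauth2ProviderConfig": {
        "clientId": "example-client-id",
        "clientSecret": "example-client-secret",
        "authorizeEndpoint": "https://auth.pingone.com/EXAMPLE-ENV-ID/as/authorize",
        "tokenEndpoint": "https://auth.pingone.com/EXAMPLE-ENV-ID/as/token",
        "issuer": "https://auth.pingone.com/EXAMPLE-ENV-ID/as",
    }},
}
BAD_PINGFEDERATE = {
    "name": "PingFederate",
    "credentialProviderVendor": "CustomOauth2",
    "oauth2ProviderConfigInput": {"includedOauth2ProviderConfig": {
        "clientId": "<CLIENT_ID>",                      # placeholder never replaced
        "clientSecret": "example-client-secret",
        "oauthDiscovery": {"discoveryUrl":
            "http://pingfed.example.internal/.well-known/oauth-authorization-server"},
    }},
}


def _check_url(name, value, problems):
    """Record placeholder and scheme problems; return the parsed URL or None."""
    if not isinstance(value, str) or PLACEHOLDER.search(value):
        problems.append(f"{name}: placeholder not replaced")
        return None
    parsed = urlparse(value)
    if parsed.scheme != "https" or not parsed.netloc:
        problems.append(f"{name}: must be an https URL")
    return parsed


def check_provider_config(config):
    """Return a list of problems in one provider config; empty means it passed."""
    problems = []
    vendor = config.get("credentialProviderVendor")
    inner = config.get("oauth2ProviderConfigInput", {}).get("includedOauth2ProviderConfig", {})

    for field in ("clientId", "clientSecret"):
        value = inner.get(field)
        if not isinstance(value, str) or not value or PLACEHOLDER.search(value):
            problems.append(f"{field}: placeholder not replaced")

    if vendor == "PingOneOauth2":
        # Explicit endpoints: each must be https and live under the issuer URL.
        issuer = _check_url("issuer", inner.get("issuer"), problems)
        for field in ("authorizeEndpoint", "tokenEndpoint"):
            endpoint = _check_url(field, inner.get(field), problems)
            if issuer and endpoint and not inner[field].startswith(inner["issuer"].rstrip("/") + "/"):
                problems.append(f"{field}: not under issuer")
    elif vendor == "CustomOauth2":
        # Discovery-based: the URL must be https and point at a .well-known document.
        url = inner.get("oauthDiscovery", {}).get("discoveryUrl")
        parsed = _check_url("discoveryUrl", url, problems)
        if parsed and not parsed.path.endswith(DISCOVERY_SUFFIXES):
            problems.append("discoveryUrl: not a .well-known discovery path")
    else:
        problems.append(f"credentialProviderVendor: unexpected value {vendor!r}")
    return problems


def with_endpoint(config, field, value):
    """Return a deep copy of `config` with one includedOauth2ProviderConfig field replaced."""
    clone = copy.deepcopy(config)
    clone["oauth2ProviderConfigInput"]["includedOauth2ProviderConfig"][field] = value
    return clone


if __name__ == "__main__":
    for cfg in (GOOD_PINGONE, BAD_PINGFEDERATE):
        print(cfg["name"], check_provider_config(cfg) or "ok")
```

Run it against the JSON you intend to submit before registering the provider; an empty result only means the document is internally consistent, and the issuer, discovery URL, and client credentials must still match what is configured in the IdP.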

## Result

You've successfully integrated PingOne, PingOne Advanced Identity Cloud, or PingFederate with AWS Bedrock AgentCore Identity and can apply consistent enterprise identity controls to AI agents.
