pingone

The PingOne MCP Server lets AI assistants review and manage PingOne tenants by wiring the PingOne management APIs into conversations. It supports authenticating users via OAuth 2.0 PKCE for local deployments and a Device Code Flow for containerized or headless runs. Administrators can perform environment, application, and population operations through natural-language assisted commands, enabling tasks like creating or updating configurations and querying tenant status. The server is designed to work with common MCP clients (e.g., Claude Desktop, VS Code Copilot Chat, Cursor, Zed) and can be run either as a native binary or in a Docker container, depending on your deployment model. When using the Docker path, ensure the client supports URL mode elicitation to securely pass the authorization URL to users during device authentication.

To start using it, run the binary distribution or Docker image, authenticate with a PingOne tenant, and then issue commands to inspect and adjust your PingOne configuration. Typical workflows involve listing environments, inspecting worker configurations, and applying updates to environments, applications, or populations. The MCP server exposes intents and tools that map to environment management, application configuration, and population data operations, all accessible through natural language prompts in supported MCP clients.

Prerequisites

• A licensed or trial PingOne cloud subscription
• An MCP-compatible client (e.g., Claude Desktop, VS Code Copilot Chat, Cursor, Zed)
• Homebrew (macOS/Linux) for easy installation

Install via Homebrew (macOS and Linux)

brew tap pingidentity/tap
brew install pingone-mcp-server

Manual installation from GitHub releases (macOS and Linux)

1. Open a terminal.
2. Find the latest release and download the appropriate binary for your OS/architecture.
3. Make the binary executable and move it to a directory on your PATH, e.g.:

RELEASE_VERSION=$(basename $(curl -Ls -o /dev/null -w %{url_effective} https://github.com/pingidentity/pingone-mcp-server/releases/latest)); \
OS_NAME=$(uname -s); \
HARDWARE_PLATFORM=$(uname -m | sed s/aarch64/arm64/ | sed s/x86_64/amd64/); \
URL="https://github.com/pingidentity/pingone-mcp-server/releases/download/${RELEASE_VERSION}/pingone-mcp-server_${RELEASE_VERSION#v}_${OS_NAME}_${HARDWARE_PLATFORM}"; \
curl -Ls -o pingone-mcp-server "${URL}"; \
chmod +x pingone-mcp-server; \
sudo mv pingone-mcp-server /usr/local/bin/pingone-mcp-server;

4. Verify with checksums using the release artifacts page.

Docker option (optional) If you prefer running in Docker, follow the Docker Usage Instructions in the repository docs to start the container and configure URL mode elicitation for device flow authentication.

Prerequisites recap

• PingOne subscription and a configured worker application (environment ID and client ID)
• MCP-compatible client
• Access to install binaries or run Docker

Environment variables and configuration: At minimum, you must provide the environment ID and client ID for your PingOne worker application to enable API access. The device flow is recommended for headless or containerized deployments. Review generated configurations before promoting to production, especially when using dynamic configuration generation via LLM prompts. When using Docker, ensure the client supports URL mode elicitation, as the OAuth authorization URL should not be exposed to the AI agent. If you run into authentication issues, verify that the Redirect URI matches the one configured in your PingOne worker application (default is http://127.0.0.1:7464/callback). For troubleshooting, consult the PingOne MCP server docs and the issue tracker on GitHub.