Production-ready PingOne MCP server with 113 extensible actions — plus built-in authentication, security, and optimized execution.
Coverage
Create, read, update, and delete across PingOne — and extend your agent's capabilities with custom actions.
Authentication
Per-user OAuth in one call. Your PingOne MCP server gets session-scoped tokens with zero credentials stored on your infra.
Security
Every PingOne tool response scanned for prompt injection in milliseconds — 88.7% accuracy, all running on CPU.
Performance
Free up to 96% of your agent's context window to enhance reasoning and reduce cost, on every PingOne call.
A PingOne MCP server lets AI agents read and write PingOne data through the Model Context Protocol — Anthropic's open standard for connecting LLMs to external tools. StackOne's PingOne MCP server ships with 113 pre-built actions, fully extensible via the Connector Builder — plus managed authentication, prompt injection defense, and optimized agent context. Connect it from MCP clients like Claude Desktop, Cursor, and VS Code, or from agent frameworks like OpenAI Agents SDK, LangChain, and Vercel AI SDK.
Every action from PingOne's API, ready for your agent. Create, read, update, and delete — scoped to exactly what you need.
Upload a base64-encoded PEM X.509 certificate into the PingOne certificate store as SIGNING or ENCRYPTION usage.
List all X.509 certificates imported into the PingOne environment's certificate store.
Create a new population (user segment) in the PingOne environment with an optional default flag and password policy.
List every population (user segment) in the PingOne environment with optional SCIM filtering and cursor pagination.
Retrieve one population by its PingOne ID, including its associated password policy and user count.
Replace a population's name, description, default flag, and password policy via full PUT replacement.
Permanently delete a population. The population must be empty (no assigned users) before deletion.
Retrieve the default identity provider assigned to a population for sign-on flows.
Set or replace the default identity provider for a population so its users authenticate via that IdP by default.
Create a PingOne user with profile attributes, address, optional initial password, and population assignment.
List users in the PingOne environment with SCIM filtering, cursor pagination, and configurable page size.
Retrieve one PingOne user by ID, optionally expanded with their group membership IDs or names.
PATCH update specific attributes of a user without replacing the full resource.
Permanently delete a user and all of their associated data from the environment. Irreversible.
Check whether a user account is enabled (can sign in) or disabled.
Enable or disable a user account (disabled users cannot sign in).
Retrieve the population a user currently belongs to.
Move a user to a different population, switching the password and sign-on policies that apply to them.
Grant an admin role directly to a user at a specific scope (organization, environment, or population).
List every admin role assigned directly to a user with its scope type and scope ID.
Retrieve one role assignment on a user, including the role reference and scope details.
Revoke a specific admin role assignment from a user, removing the permissions it granted.
Retrieve the external identity provider currently linked to a user.
Link or re-link a user to an external identity provider, replacing any previous IdP association.
Retrieve the current PingOne Verify identity-verification status for a user.
Programmatically set the PingOne Verify identity-verification status on a user.
Create a new group (static or dynamic) with optional population scoping, userFilter, external ID, and custom data.
List all groups in the PingOne environment with SCIM filtering and cursor pagination.
Retrieve one group by ID, optionally including total member counts.
Replace a group's name, description, userFilter, external ID, and custom data via full PUT replacement.
Permanently delete a group. All current members and role assignments are dropped automatically.
List all parent groups that contain this group as a nested (child) member.
Retrieve a single nested-group relationship record between a child group and a specific parent group.
Grant an admin role to every member of a group at a specified scope (organization, environment, or population).
List admin role assignments attached to a group (members inherit these permissions).
Retrieve one admin role assignment attached to a group, including its role and scope.
Revoke an admin role assignment from a group. All members lose the permissions they inherited through it.
Register a new OIDC, SAML, Worker, or external-link application with protocol-specific configuration.
List every application (OIDC, SAML, Worker, External Link, etc.) registered in the PingOne environment.
Retrieve a single application with its full protocol-specific configuration.
Replace the full configuration of an existing application via PUT (name, enabled, protocol, type required).
Permanently delete an application and all of its dependent configuration (grants, attributes, assignments, secrets).
Retrieve the current (and previous, if any) client secret for an OIDC application.
Retire the previous (rotated-out) client secret so only the current secret remains usable.
Grant an OAuth application access to a specific API resource with a set of scopes.
List every resource grant attached to an application (which API resources it can call and with which scopes).
Retrieve one resource grant on an application, including its resource and scope details.
Replace the scopes on a resource grant (resourceId and at least one scope are both required).
Remove a resource grant, revoking the application's access to that API resource and its scopes.
Attach a sign-on policy to an application at a given evaluation priority.
List the sign-on policies attached to an application, in evaluation priority order.
Retrieve one sign-on policy assignment on an application (policy reference and priority).
Replace the referenced policy and/or priority on an existing sign-on policy assignment.
Detach a sign-on policy from an application (the policy itself is not deleted).
Grant a Worker App an admin role at a specific scope (organization, environment, or population).
List admin role assignments on an application (typically Worker Apps using Client Credentials).
Retrieve one admin role assignment on an application, including its role and scope.
Revoke an admin role from a Worker App, removing its permissions at the assignment's scope.
Add an OIDC custom claim or SAML assertion attribute mapping to an application.
List the application's attribute mappings (OIDC custom claims or SAML assertion attributes).
Retrieve one attribute mapping on an application (claim/attribute name, expression, required flag).
Replace the name, value expression, and required flag of an existing attribute mapping.
Permanently remove an attribute mapping so it is no longer emitted in tokens or SAML assertions.
List every built-in (system-defined) admin role available at the PingOne organization level.
Retrieve one built-in admin role with its full permission set and applicable scope types.
Define a new custom admin role with a specific permission set and applicable assignment scopes.
List all custom (environment-scoped) admin roles defined in the connected PingOne environment.
Retrieve one custom admin role with its full permission set and applicable scopes.
Replace the name, description, permissions, and applicable scopes of a custom admin role via full PUT.
Permanently delete a custom admin role. All existing assignments of the role must be revoked first.
Create a new password policy with complexity, history, lockout, and age rules.
Retrieve one password policy with its full set of complexity, history, lockout, and expiry rules.
Replace the full configuration of a password policy via PUT (name plus the three exclusion flags are required).
Permanently delete a password policy. Populations using it fall back to the environment default.
Configure a new external identity provider (OIDC, SAML, or social) for federated authentication.
List every external identity provider (social and enterprise IdPs) configured in the environment.
Retrieve one external identity provider with its full configuration (type, endpoints, credentials).
Replace the full configuration of an external identity provider via PUT (name, type, and enabled are required; type cannot be changed).
Permanently delete an external IdP. Linked users keep their accounts but lose the federation link.
Add an attribute mapping that assigns an external IdP claim to a PingOne user attribute.
List the attribute mappings that translate external IdP claims into PingOne user attributes at sign-on.
Retrieve one attribute mapping on an IdP (PingOne attribute name, external claim expression, update mode).
Replace the name, value expression, and update behavior of an IdP attribute mapping.
Remove an IdP attribute mapping so the associated external claim is no longer applied at sign-on.
Create an empty sign-on policy shell. Add policy actions and application assignments afterwards.
Retrieve one sign-on policy by ID (name, description, default flag, timestamps).
Replace a sign-on policy's name, description, and default flag. Policy actions are managed separately.
Permanently delete a sign-on policy. All application assignments referencing it must be removed first; the default policy cannot be deleted.
List every MFA device (TOTP, email, FIDO2, mobile, etc.) registered to a specific user with its status and type.
Retrieve one MFA device record for a user (type, status, nickname, activation timestamp).
Permanently remove a registered MFA device from a user. The user must re-enroll to use that device type again.
Check whether MFA is enabled for a user (disabled users skip all MFA actions in sign-on policies).
Enable or disable MFA for a user, overriding sign-on policy MFA requirements.
Create a device authentication (MFA) policy with per-method enablement — all five methods (sms/email/mobile/totp/voice) must be configured.
Retrieve one device authentication (MFA) policy with its full per-method configuration.
Replace a device authentication (MFA) policy via full PUT — all five method enablement flags must be supplied.
Permanently delete a device authentication (MFA) policy. The default policy cannot be deleted and all referencing sign-on actions must be updated first.
Add a user as a direct member of a group so they inherit that group's role and policy assignments.
Nest this group inside a parent group so its members inherit the parent's role and policy assignments.
Retrieve OIDC profile claims (sub, email, name, etc.) for the user represented by the current access token via the PingOne userinfo endpoint.
Retrieve password-state metadata for a user (status, last-change timestamp, external-management flag) — never the password itself.
List every group the user is a member of, including groups inherited through nested group membership.
Check whether a user is a member of a specific group and return the membership record.
Retrieve environment-wide user activity metrics (sign-ons, MFA usage, behavioral counters) aggregated across users.
List every password policy in the environment, including the default policy used when a population has none.
List every sign-on policy in the environment. Each policy defines an ordered authentication flow (login, MFA, agreement).
List every device authentication (MFA) policy — these configure which MFA methods users may use and how.
Administratively set a new password for a user without requiring their current password.
Set or rename the user-facing nickname on an MFA device (e.g., "Work iPhone").
Remove a user's direct membership from a group and revoke the associated inherited role/policy assignments.
Break the nested-group relationship between a child group and its parent group (groups themselves are not deleted).
Rotate the client secret for an OIDC application, preserving the previous secret for graceful migration.
Start an MFA device pairing flow for a user (TOTP, FIDO2, EMAIL, or MOBILE).
One endpoint. Any framework. Your agent is talking to PingOne in under 10 lines of code.
MCP Clients
{
  "mcpServers": {
    "stackone": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote@latest",
        "https://api.stackone.com/mcp?x-account-id=<account_id>",
        "--header",
        "Authorization: Basic <YOUR_BASE64_TOKEN>"
      ]
    }
  }
}

Anthropic's code_execution processes data already in context. Custom MCP code mode keeps raw tool responses in a sandbox. 14K tokens vs 500.
Benchmarking BM25, TF-IDF, and hybrid search for MCP tool discovery across 916 tools. The 80/20 TF-IDF/BM25 hybrid hits 21% Top-1 accuracy in under 1ms.
MCP tools that read emails, CRM records, and tickets are indirect prompt injection vectors. Here's how we built a two-tier defense that scans tool results in ~11ms.