PingOne Advanced Identity Cloud

Enable the AI agents feature

The AI agents feature is enabled by default for sandbox tenants created on or after March 31, 2026. For sandbox tenants created before that date, you can enable the AI agents feature using the following steps:

  1. Check that your sandbox tenant supports application management using the Application management migration FAQ. If your tenant doesn’t support application management, contact you Ping Identity representative.

  2. Check that your sandbox tenant has groups enabled using the Group identity migration FAQ. If your tenant doesn’t have groups enabled, follow the feature enablement instructions in Group management.

  3. Enable the AI agents identity and privilege object types:

    1. Get an access token with the fr:idm:* scope.

    2. Make a GET request to the openidm/feature/aiagent endpoint to check if the AI agents feature is enabled:

      $ curl \
--request GET 'https://<tenant-env-fqdn>/openidm/feature/aiagent' \(1)
--header 'Content-Type: application/json' \
--header 'Accept-API-Version: resource=1.0' \
--header 'Authorization: Bearer <access-token>'(2)
      1 Replace <tenant-env-fqdn> with the FQDN of your tenant environment.
      2 Replace <access-token> with the access token created in step 1.

      • If the AI agents feature isn’t enabled, the response returns installedVersion as null:

        {
    "_id": "aiagent",
    "installedVersion": null,
    "availableVersions": [
        "1"
    ]
}

      • If the AI agents feature is enabled, the response returns installedVersion as 1:

        {
    "_id": "aiagent",
    "installedVersion": "1",
    "availableVersions": [
        "1"
    ]
}

    3. If the AI agents feature isn’t enabled, make a POST request to the openidm/feature/aiagent endpoint to enable the feature:

      $ curl \
--request POST 'https://<tenant-env-fqdn>/openidm/feature/aiagent?_action=install' \(1)
--header 'Content-Type: application/json' \
--header 'Accept-API-Version: resource=1.0' \
--header 'Authorization: Bearer <access-token>'(2)
      1 Replace <tenant-env-fqdn> with the FQDN of your tenant environment.
      2 Replace <access-token> with the access token created in step 1.

      • If the installation is successful, the response returns status as 200 and message as "Install complete.":

        {
    "status": 200,
    "message": "Install complete."
}

      • If the installation fails, the response returns status as 400, and message contains an error message indicating the reason for the failure. For example, if the feature is already enabled, the error message is "Pre-validate failed.".

  4. Open a support case with Ping Identity support to turn on the AI agents feature flags:

    1. Go to https://support.pingidentity.com.

    2. Click Create a case.

    3. Follow the steps in the case submission wizard by selecting your account and contract and answering questions about your tenant environments.

    4. On the Please answer the following questions to help us understand the issue you’re facing page, enter the following details, and then click Next:

      Field Value

      What product family is experiencing the issue?

      Select PingOne Advanced Identity Cloud

      What specific product is experiencing the issue?

      Select Configuration

      What version of the product are you using?

      Select NA

      What Hostname(s) or Tenant ID(s) does this apply to?

      Enter the of FQDN for your sandbox tenant environment.

    5. On the Tell us about the issue page, enter the following details, and then click Next:

      Field Value

      Provide a descriptive title for your issue

      Enter Enable AI agents feature flags

      Describe the issue below

      Enter Enable AI agents feature flags

    6. Click Submit.

    7. Wait for Ping Identity support to advise that they have enabled the feature flags for your tenant.

  5. Configure the access management OAuth2 Provider service for both realms:

    1. In the Advanced Identity Cloud admin console, select the Alpha realm from the realm selector in the top left corner of the page.

    2. Go to Native Consoles > Access Management > Services.

    3. Click the OAuth2 Provider service.

    4. Click the AI Agents tab. Depending on the size and resolution of your screen, this tab may be listed in the drop-down list of hidden tabs located at the end of the row of tabs.

    5. Configure the AI Agents tab:

      1. Click the Enable AI Agents toggle to enable it.

      2. In the AI Agent Managed Object Name field, enter managed/alpha_aiagent.

      3. In the AI Agent Privilege Managed Object Name field, enter managed/alpha_aiagentprivilege.

      4. In the AI Agent DCR Managed Object Mapping field, enter the following mappings:

        • client_id|oauth2ClientId

        • client_name#en|name

        • client_name|name

        • client_id|name

      5. Click Save Changes.

    6. Repeat the above steps for the Bravo realm, with the following changes:

      • In step 5a, select the Bravo realm from the realm selector in the top left corner of the page.

      • In step 5e, enter managed/bravo_aiagent in the AI Agent Managed Object Name field.

      • In step 5e, enter managed/bravo_aiagentprivilege in the AI Agent Privilege Managed Object Name field.