SEP-990: Enable enterprise IdP policy controls during MCP OAuth flows ↗

mcp guide advanced architecture authentication models

Summary: Enable enterprise IdP policy controls during MCP OAuth flows

Original Documentation

Documentation Index#
Fetch the complete documentation index at: https://modelcontextprotocol.io/llms.txt Use this file to discover all available pages before exploring further.

Enable enterprise IdP policy controls during MCP OAuth flows

Final Standards Track

Field	Value
SEP	990
Title	Enable enterprise IdP policy controls during MCP OAuth flows
Status	Final
Type	Standards Track
Created	2025-06-04
Author(s)	Aaron Parecki (@aaronpk)
Sponsor	None
PR	#646

Abstract#

This extension is designed to facilitate secure and interoperable authorization of MCP clients within corporate environments, leveraging existing enterprise identity infrastructure.

For end users, this removes the need to manually connect and authorize the MCP Client to individual services within the organization.
For enterprise admins, this enables visibility and control over which MCP Servers are able to be used within the organization.

How Has This Been Tested?#

We have an end to end implementation of this here, and in-progress MCP implementations with some partners.

Breaking Changes#

This is designed to augment the existing OAuth profile by providing an alternative when used under an enterprise IdP. MCP clients can opt in to this profile when necessary.

Additional Context#

For more background on this problem, you can refer to my blog post about this here:

Enterprise-Ready MCP

I also presented this at the MCP Dev Summit in May.

A high level overview of the flow is below:

sequenceDiagram
    participant UA as Browser
    participant C as MCP Client
    participant MAS as MCP Authorization Server
    participant MRS as MCP Resource Server
    participant IdP as Identity Provider

    rect rgb(255,255,225)
    C-->>UA: Redirect to IdP
    UA->>+IdP: Redirect to IdP
    Note over IdP: User Logs In
    IdP-->>-UA: IdP Authorization Code
    UA->>C: IdP Authorization Code
    C->>+IdP: Token Request with IdP Authorization Code
    IdP-->-C: ID Token
    end

    note over C: User is logged<br>in to MCP Client.<br>Client stores ID Token.

    C->+IdP: Exchange ID Token for ID-JAG
    note over IdP: Evaluate Policy
    IdP-->-C: Responds with ID-JAG
    C->+MAS: Token Request with ID-JAG
    note over MAS: Validate ID-JAG
    MAS-->-C: MCP Access Token

    loop
    C->>+MRS: Call MCP API with Access Token
    MRS-->>-C: MCP Response with Data
    end

State: Ready to Review

Link last verified June 7, 2026. View original ↗

Source: MCP Docs

Link last verified: 2026-02-26