CloudCodeTree LogoCloudCodeTree
AI NewsTutorialsAbout
CloudCodeTree Logo
CloudCodeTree
  • AI News
  • Tutorials
  • About
← Back to AI News
Add SSO to Your MCP Server in One Extension: MCP Enterprise-Managed Authorization Is Now Stable

Add SSO to Your MCP Server in One Extension: MCP Enterprise-Managed Authorization Is Now Stable

Chris Harper

2 min read

Jul 15, 2026 · 04:09 UTC

AI
Workflow
MCP
Best Practices

TL;DR: MCP's Enterprise-Managed Authorization (EMA) extension is now stable and adopted by Anthropic, Microsoft, and Okta — your MCP server can delegate access control to your org's identity provider instead of requiring per-user consent.

When you expose an MCP server inside an organization, every user has to individually OAuth-consent to it. That's onboarding friction and a compliance headache. The new MCP Enterprise-Managed Authorization (EMA) extension, now stable, fixes this by shifting control to the organization's identity provider.

How EMA works

EMA introduces an Identity Assertion JWT Authorization Grant (ID-JAG) flow:

  1. The user's MCP client presents an IdP-issued assertion to your MCP server's authorization server.
  2. Your auth server exchanges the assertion for an access token.
  3. The client carries the token — no per-user consent UI.

From the user's view: one SSO login covers all organization-approved MCP servers. From the security team's view: access policy lives in Active Directory, Okta, or Entra ID — not in scattered individual user consents.

Who's already using it

Client support: Claude, VS Code / GitHub Copilot. Auth providers: Okta, Microsoft Entra ID, Anthropic's own gateway. Servers: Asana, Atlassian, Canva, Figma, Linear, Supabase.

What to do in your MCP server

  1. Add an authorization server that accepts ID-JAG grants. Okta and Entra publish standard endpoints; most enterprise IdPs already support this grant type.
  2. Declare EMA support in your server's capability response: "enterpriseManagedAuth": { "version": "1.0" }.
  3. Scope tokens narrowly — EMA controls who can connect; what the agent can do once connected is still up to your tool-level permission checks.

For personal projects and small teams, standard per-user OAuth is still the right call. EMA is the answer when IT needs one audit-able policy for 500 users.

Sources: MCP Enterprise-Managed Authorization — InfoQ · MCP Is Growing Up — AAIF · MCP Blog