Skip to main content

Configure SSO and SCIM

Set up Single Sign-On and directory sync (SCIM) for your organization from the MintMCP enterprise settings page. The setup wizard walks you through IdP-specific configuration for your provider.

What SSO covers

SSO delegates authentication for both the MintMCP web UI and the OAuth flows AI clients complete when connecting to a Virtual MCP (VMCP). When a user signs in to the MintMCP app, or when a client like Claude, Cursor, or ChatGPT starts an OAuth flow against a VMCP endpoint, the browser redirects through your IdP. The user authenticates there (with whatever MFA, conditional access, and device posture rules the IdP enforces) and returns to MintMCP with a signed assertion. Your IdP's security policies apply to AI client connections, not just browser logins.

Once SSO is enabled:

  • Users sign in with their corporate identity, and MintMCP does not store passwords.
  • The IdP's MFA and conditional-access policies apply to MintMCP access, including client OAuth flows.
  • Disabling a user in the IdP prevents them from starting new sessions in MintMCP immediately; existing tokens can be revoked from the admin UI.
  • Audit logs record the IdP-provided identity for each session and each tool call.

What SCIM covers

SCIM (System for Cross-domain Identity Management) keeps the directory of users in MintMCP in sync with the IdP, so admins don't manage invitations and deactivations manually. SCIM provisioning covers:

  • User creation: When a user is assigned to the MintMCP application in the IdP, a corresponding MintMCP user is created.
  • Attribute updates: Changes to name, email, or group membership in the IdP flow into MintMCP.
  • Deactivation: Unassigning a user or disabling them in the IdP deactivates the user in MintMCP automatically.
  • Group sync (where the IdP supports it): Groups from the IdP are mirrored into MintMCP and become subjects for Virtual MCP access policies, so directory group membership controls which VMCPs a user can connect to. Groups can also be mapped to org-level roles, so directory membership drives administrative rights as well; see Roles and permissions and Role-based access control.

What SCIM does not do

SCIM does not replace SSO: you still need SSO configured for users to actually sign in. SCIM only syncs the directory.

SCIM also does not provision downstream credentials. Assigning a user to MintMCP in the IdP does not authorize them to every downstream MCP server. Users still pick up per-user credentials on first use (OAuth to the downstream service) or inherit shared credentials through policy. SCIM only controls whether they exist in MintMCP and what groups they belong to.

Prerequisites

  • A MintMCP account with enterprise access
  • A verified email domain if you plan to enforce SSO for your organization (see Domain verification)

Setup

  1. Go to app.mintmcp.com/enterprise
  2. Click Configure SSO or Configure SCIM
  3. Follow the setup wizard, which walks you through step-by-step instructions specific to your identity provider

Before you roll it out

  • Confirm attribute mapping. MintMCP uses the user's email address as the primary identifier and for user identity forwarding to MCP servers, so make sure the IdP sends a stable, verified email.
  • Decide on groups. If you plan to use IdP groups as subjects for MintMCP access policies, enable SCIM group sync.

Effect on AI clients

Once SSO is in place, there is no additional configuration for AI clients. The next time a user runs the OAuth flow from their client to a Virtual MCP, the login step redirects through the IdP automatically. Existing sessions continue to work until their tokens expire or are revoked.

Supported providers

MintMCP supports any identity provider that uses SAML 2.0 or OpenID Connect (OIDC) for SSO, and SCIM 2.0 for provisioning. The setup wizard includes provider-specific instructions for:

ProviderSSOSCIM
OktaYesYes
Microsoft Entra IDYesYes
Google WorkspaceYesNo
OneLoginYesYes
JumpCloudYesYes
AD FSYesNo
PingFederateYesNo
DuoYesNo
Auth0YesNo
CyberArkYesNo

Any SAML 2.0 or OIDC provider will work, even if not listed above.

For setup help, contact enterprise@mintmcp.com.