How MCP Manager brokers enterprise single sign-on through Auth0: how IdP federation and email-domain routing work, what you provide to connect Okta or Entra ID, just-in-time provisioning, and troubleshooting plus FAQs on sharing credentials securely, secret rotation, break-glass accounts, and social sign-in versus enterprise SSO.
Single sign-on (SSO) lets your team sign in to MCP Manager with your existing corporate identity provider (IdP) — Okta, Microsoft Entra ID, or any OIDC-compatible IdP (see Supported identity providers) — instead of an MCP Manager-specific credential. MCP Manager brokers enterprise SSO through Auth0: your IdP federates to MCP Manager’s Auth0 tenant, and MCP Manager routes each sign-in based on the user’s verified email domain. The result is one-click access for your people, central control in your IdP, and no separate password for anyone to manage.
Setting up SSO is a guided, assisted process — you do not self-serve it from a settings screen. You provide a few values from your IdP, and the MCP Manager team completes the connection on our side. To request SSO for your workspace, use the Contact us prompt on the SSO / SCIM settings page or talk to your MCP Manager contact.
MCP Manager does not implement SAML or OIDC endpoints directly. Instead, it uses Auth0 as the identity broker between your corporate IdP and the MCP Manager application. Your IdP is added to MCP Manager’s Auth0 tenant as an enterprise connection, and sign-in is matched to your organization by email domain.Three properties of this flow matter for planning:
Domain-based routing. MCP Manager decides whether to send a sign-in through your IdP by matching the part of the email address after the @ against the domains you register for SSO. You tell us which domains route through your IdP (for example, yourcompany.com).
Verified email required. MCP Manager accepts a federated identity only when your IdP asserts that the email address is verified. A sign-in carrying an unverified email is rejected and returned to the login screen. This prevents anyone from claiming an account on your domain that they do not actually control.
No forced SSO by default. Enabling SSO for a domain does not, on its own, disable other sign-in methods for addresses outside that domain. Email addresses on domains you have not registered for SSO continue to use the standard email-code login. Use this deliberately to keep a break-glass account (see the FAQ).
End users never create or manage an MCP Manager password. They sign in one of two ways: by clicking the MCP Manager tile on your IdP dashboard (if you configure one — see Add an MCP Manager tile to your IdP dashboard), or by entering their work email at the login page, where MCP Manager recognizes the registered domain and routes them to your IdP to authenticate.
MCP Manager provisions an account the first time a user signs in through SSO — you do not have to pre-create accounts.
Just-in-time account creation. When a user on a registered domain signs in through your IdP and no MCP Manager account exists yet, MCP Manager creates one from the verified identity (email, first and last name) — even if the user was never provisioned through SCIM.
Access still depends on teams. A just-in-time account, on its own, grants no access to any gateway — access in MCP Manager comes from team membership. Until a user is placed on a team, they can sign in but will not see any gateways.
SCIM is the durable path to team access. Pair SSO with SCIM provisioning so group membership flows from your IdP into MCP Manager teams automatically.
Connecting your IdP is a short exchange: you create one application in your IdP and send us the connection details; we register your enterprise connection and confirm when it is live.
Configure your IdP for a new OpenID Connect connection (in Okta, an OIDC — Web Application app integration) and provide us with all of the following:
Issuer URL (ends with /.well-known/openid-configuration)
Client ID
Client Secret (the secret value, not its ID)
The email domain(s) that should sign in through your IdP (for example, all users with an email address @yourcompany.com)
Allow the following sign-in redirect (callback) URLs in your IdP application — paste them verbatim; the redirect URI must match exactly for the connection to succeed:
https://login.usercentrics-sandbox.eu/login/callback (for our test system)
The Client Secret is a sensitive credential, and the choice of secure channel is yours. Some customers create a secure note in their password management system and share a time-limited access link just for this process. If a secret is ever exposed, rotate it in your IdP and send us the new value.
Once the connection is live, a user on a registered domain who enters their work email at the login page is routed to your IdP to authenticate.
A user is not routed to the IdP and sees a code prompt instead
MCP Manager routes to your IdP only for email domains registered for SSO. If a user enters an address on an unregistered domain, they get the standard email-code flow. Confirm the user’s email domain is one you registered with us, and that they entered the corporate address rather than a personal one.
Authentication fails after the IdP returns the user
The most common cause is that the user is not assigned to the OIDC application in your IdP. Assign the user (or their group) to the OIDC application and have them try again. Remember that assignment to the OIDC application is separate from SCIM provisioning assignment — a user can be provisioned yet still be unable to sign in if they are not assigned to the OIDC application.
Sign-in is rejected with an unverified-email message
MCP Manager only accepts a federated identity whose email your IdP marks as verified. Confirm the user’s email is verified in your IdP. This guard is intentional and protects against accounts being claimed on your domain by someone who does not control the address.
The user signs in but sees no gateways
A just-in-time account has no team membership, and gateway access in MCP Manager comes from teams. Add the user to a team — automatically through SCIM group-to-team mapping or manually on the team — so they gain access. See SCIM provisioning and Teams.
Where do I find these values in Okta or Microsoft Entra ID?
Okta: create an OIDC — Web Application app integration. The Client ID and Client Secret are on the application’s General tab under Client Credentials. The Issuer URL is your Okta org domain followed by the discovery path: https://yourcompany.okta.com/.well-known/openid-configuration.Microsoft Entra ID: register a new app following Microsoft’s quickstart. The Issuer URL is listed under the Endpoints button in your app’s overview page. Create a Client Secret under Certificates & secrets — and send us the secret Value, not the Secret ID.
How do I securely share the Client ID and Client Secret with you?
That choice is yours. If your security policy permits sending credentials by email, you can do that. We recommend a one-time link instead — a self-destructing secret link from your password manager or a one-time-secret service — so the value cannot be read again after we retrieve it. If a secret is ever exposed in transit, rotate it in your IdP and send us the new value.
My client secret expired or was rotated — what should I do?
Create a new secret in your IdP and send the new value to us through a secure channel; we update your enterprise connection and confirm when it is in place. Sign-ins through your IdP fail from the moment the old secret expires until the new one is active, so if your IdP enforces secret expiry (Microsoft Entra ID does by default), plan the rotation with us ahead of the expiry date.
Can we use “Sign in with Google” instead of connecting our IdP?
Yes — we can route your email domain to a standard Google sign-in without any of the setup on this page. The difference from enterprise SSO is control: with Google sign-in, authentication happens against the user’s Google account rather than your IdP, so it cannot be enforced or centrally managed by your IT team, and it does not pair with SCIM provisioning for automatic team membership. Connecting your IdP as an enterprise connection gives you both.
Is “Sign in with Microsoft” the same as connecting Microsoft Entra ID?
No. A social “Sign in with Microsoft” button authenticates personal Microsoft accounts and is not compatible with your organization’s Microsoft Entra ID. If your organization uses Entra ID, connect it as an enterprise connection following the steps on this page — that is what routes your users through your directory, with your policies enforced.
Which OpenID scopes do you request?
We request the default OpenID scopes: openid profile email. No custom scopes or extension claims are required.
Does SSO control what users can do in MCP Manager?
SSO handles authentication (who the user is), not authorization (what they can do). Access to gateways comes from team membership, and permissions come from roles — both managed in MCP Manager, or driven automatically from your IdP groups via SCIM provisioning. Blocking or removing a user in your IdP does stop them from signing in to MCP Manager.
Should we route every email domain through SSO?
No — keep at least one administrator account outside SSO as a break-glass account. Because MCP Manager routes sign-in by email domain, any domain you do not register keeps the standard email-code login. If your IdP ever has an outage or a misconfiguration, an administrator account on an unregistered domain can still sign in and restore access; registering every domain removes this safety net.
Why can't I see the SSO / SCIM settings page?
Your role does not have the Manage SSO/SCIM mapping capability, which controls visibility and access to the SSO / SCIM settings page — without it, the page is hidden and navigating to it returns you to the People area. Ask a workspace administrator to grant the capability to your role from People. Only the settings page is gated; the end-user sign-in flow works for anyone on a registered domain.