> ## Documentation Index
> Fetch the complete documentation index at: https://docs.mcpmanager.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Supported Identity Providers

> The identity providers MCP Manager works with for enterprise SSO and SCIM provisioning, in one searchable table. Because sign-in is standards-based OpenID Connect (OIDC) federated through Auth0 and provisioning is SCIM 2.0 (RFC 7643 and RFC 7644), any conformant IdP works — Okta, Microsoft Entra ID, Ping Identity, OneLogin, JumpCloud, Google Workspace, and many more. Each provider is marked for SSO (OIDC) and outbound SCIM 2.0 support.

MCP Manager's enterprise identity features are **standards-based**, so compatibility is broad rather than a fixed list of certified vendors. Sign-in is [**OpenID Connect (OIDC)**](/enterprise/sso) federated through Auth0, and user provisioning is [**SCIM 2.0**](/enterprise/scim) — both open IETF/OpenID standards that virtually every modern identity provider (IdP) implements. The table below names the providers customers most often ask about and marks, for each, what MCP Manager supports today.

<Info>
  **Short answer: if your IdP speaks OIDC and SCIM 2.0, MCP Manager works with it.** There is no per-vendor integration code on our side — we federate any OIDC provider and accept SCIM 2.0 from any conformant client. If you don't see your provider below, that almost certainly means we haven't listed it yet, **not** that it is unsupported. [Talk to us](https://app.mcpmanager.ai/settings/people/sso) and we'll confirm.
</Info>

## How compatibility is determined

Two independent standards decide whether a provider appears with a check mark, and they are worth separating because a provider can support one without the other.

### SSO — OpenID Connect (OIDC)

MCP Manager brokers single sign-on through **Auth0**, which adds your IdP as an OIDC **enterprise connection** and routes each sign-in by verified email domain. Your IdP only has to do what any OpenID Connect identity provider does:

* Expose a standard **OIDC** provider built on **OAuth 2.0 / OAuth 2.1**, ideally with an OpenID Provider Metadata document at `/.well-known/openid-configuration` for discovery.
* Support the **Authorization Code flow with PKCE** ([RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636)) and return an **ID token** (a signed JWT) carrying the `email` and `email_verified` claims.

That surface is near-universal, so the **SSO (OIDC)** column is a check mark for essentially every real identity provider. MCP Manager does not implement SAML endpoints — connections are OIDC. See [Single Sign-On (SSO)](/enterprise/sso) for the full setup.

### SCIM provisioning — SCIM 2.0 (outbound)

MCP Manager is a **SCIM 2.0 service provider (the target)**, implementing the System for Cross-domain Identity Management protocol per [**RFC 7643**](https://datatracker.ietf.org/doc/html/rfc7643) (core schema) and [**RFC 7644**](https://datatracker.ietf.org/doc/html/rfc7644) (protocol), authenticated with an **OAuth 2.0 Bearer token** ([RFC 6750](https://datatracker.ietf.org/doc/html/rfc6750)). It exposes the standard `/ServiceProviderConfig`, `/ResourceTypes`, and `/Schemas` discovery endpoints, and reads group membership from both the `groups` attribute and the Enterprise User extension schema (`urn:ietf:params:scim:schemas:extension:enterprise:2.0:User`).

The distinction that decides the **SCIM 2.0 provisioning** column is direction:

* **Outbound SCIM (what MCP Manager needs).** Your IdP acts as a SCIM *client/source*, pushing create, update, and deactivate operations to MCP Manager's endpoint. Only providers that can do this earn a check mark.
* **Inbound SCIM (not sufficient on its own).** Many platforms — especially developer-focused CIAM products — implement SCIM only as a *service provider* that receives provisioning from an upstream IdP. Being a SCIM target does not let a provider push to MCP Manager, so those providers are not marked for SCIM here.

See [SCIM Provisioning](/enterprise/scim) for the supported operations, filtering, and paging limits.

## How to read the table

<Info>
  **`✓`** means MCP Manager supports that capability with this provider.

  **`—`** means it is **not a documented path today** — not a claim that the provider is incompatible. Many `—` cells are simply combinations we have not yet validated or that depend on a provider edition; sign-in may still work even where provisioning is not listed. When in doubt, [contact us](https://app.mcpmanager.ai/settings/people/sso).
</Info>

## Supported identity providers

| Identity provider                              | SSO (OIDC) | SCIM 2.0 provisioning | Notes                                                                                                                                       |
| ---------------------------------------------- | :--------: | :-------------------: | ------------------------------------------------------------------------------------------------------------------------------------------- |
| **Okta** (Workforce Identity)                  |      ✓     |           ✓           | Outbound SCIM requires the **Okta Lifecycle Management** add-on. Okta ships a *SCIM 2.0 Test App (OAuth Bearer Token)* reference connector. |
| **Microsoft Entra ID** (Azure AD)              |      ✓     |           ✓           | Provisioning to a non-gallery SCIM app requires **Entra ID P1** or higher.                                                                  |
| **Microsoft Entra External ID**                |      ✓     |           ✓           | Uses the same Entra provisioning service as workforce Entra ID.                                                                             |
| **Google Workspace / Cloud Identity**          |      ✓     |           —           | OIDC sign-in is supported. Google's auto-provisioning is catalog-gated, so a generic custom SCIM endpoint is not a documented path.         |
| **Ping Identity — PingOne**                    |      ✓     |           ✓           | Configure a *SCIM Outbound* connection with OAuth 2 Bearer Token auth.                                                                      |
| **Ping Identity — PingFederate**               |      ✓     |           ✓           | Enable outbound provisioning (the SCIM provisioner).                                                                                        |
| **OneLogin**                                   |      ✓     |           ✓           | SCIM provisioning is a paid capability on your OneLogin plan.                                                                               |
| **JumpCloud**                                  |      ✓     |           ✓           | Use a *Custom SCIM* integration (base URL + token).                                                                                         |
| **AWS IAM Identity Center** (formerly AWS SSO) |      ✓     |           —           | Federates via OIDC/SAML, but it is a SCIM *target*, not an outbound source.                                                                 |
| **Amazon Cognito**                             |      ✓     |           —           | Acts as an OIDC provider; no native outbound SCIM.                                                                                          |
| **Auth0** (by Okta)                            |      ✓     |           —           | OIDC provider; Auth0 supports **inbound** SCIM only.                                                                                        |
| **IBM Security Verify**                        |      ✓     |           ✓           | Generic SCIM 2.0 custom-application connector with bearer auth.                                                                             |
| **Oracle Cloud Infrastructure IAM / IDCS**     |      ✓     |           ✓           | Use the *Generic SCIM App Template*.                                                                                                        |
| **SailPoint Identity Security Cloud**          |      ✓     |           ✓           | SCIM 2.0 outbound connector; SSO is typically via a paired IdP.                                                                             |
| **CyberArk Identity**                          |      ✓     |           ✓           | Outbound SCIM provisioning with a SCIM URL and access token.                                                                                |
| **ForgeRock / Ping (PingIDM)**                 |      ✓     |           ✓           | PingIDM SCIM connector, configured over REST.                                                                                               |
| **SAP Cloud Identity Services (IAS + IPS)**    |      ✓     |           ✓           | OIDC via IAS; outbound SCIM 2.0 via the Identity Provisioning Service.                                                                      |
| **Salesforce Identity**                        |      ✓     |           —           | OIDC provider; Salesforce is a SCIM *target*.                                                                                               |
| **Cisco Duo**                                  |      ✓     |           ✓           | Generic OIDC relying party plus a generic SCIM 2.0 target.                                                                                  |
| **Rippling**                                   |      ✓     |           ✓           | Custom SAML + SCIM app integration.                                                                                                         |
| **Workday**                                    |      —     |           ✓           | SCIM requires **Workday Enterprise** with SSO enabled. Sign-in is typically SAML-based; confirm OIDC with us.                               |
| **WSO2 Identity Server**                       |      ✓     |           ✓           | Outbound provisioning connector (SCIM 2.0).                                                                                                 |
| **Keycloak**                                   |      ✓     |           —           | OIDC provider; no built-in outbound SCIM client (community extensions only).                                                                |
| **authentik**                                  |      ✓     |           ✓           | Native SCIM provider (base URL + bearer token).                                                                                             |
| **Zitadel**                                    |      ✓     |           —           | OIDC provider; an outbound SCIM client is in development.                                                                                   |
| **Authelia**                                   |      ✓     |           —           | OIDC provider; no SCIM provisioning.                                                                                                        |
| **Gluu**                                       |      ✓     |           —           | Primarily a SCIM *server* (inbound).                                                                                                        |
| **Cloudflare Access (Zero Trust)**             |      ✓     |           —           | OIDC for apps; outbound SCIM to apps is in limited beta.                                                                                    |
| **WorkOS**                                     |      ✓     |           —           | Directory Sync *receives* SCIM (target), and provides OIDC SSO.                                                                             |
| **Frontegg**                                   |      ✓     |           —           | OIDC provider; SCIM is inbound only.                                                                                                        |
| **FusionAuth**                                 |      ✓     |           —           | Implements SCIM as a server (inbound) only.                                                                                                 |
| **Stytch**                                     |      ✓     |           —           | B2B OIDC; SCIM target for upstream IdPs.                                                                                                    |
| **Clerk**                                      |      ✓     |           —           | OIDC provider; SCIM is inbound only.                                                                                                        |
| **Descope**                                    |      ✓     |           —           | OIDC provider; SCIM is inbound only.                                                                                                        |
| **miniOrange**                                 |      ✓     |           ✓           | *SCIM server* app for outbound provisioning (base URL + bearer token).                                                                      |
| **LoginRadius**                                |      ✓     |           ✓           | Directory Sync supports outbound SCIM 2.0.                                                                                                  |
| **Beyond Identity**                            |      ✓     |           ✓           | Generic SCIM 2.0 registration for outbound provisioning.                                                                                    |
| **Transmit Security (Mosaic)**                 |      ✓     |           ✓           | SCIM-based user lifecycle to downstream apps.                                                                                               |
| **RSA Governance & Lifecycle**                 |      ✓     |           ✓           | SCIM connector for outbound provisioning.                                                                                                   |
| **Broadcom / Symantec VIP**                    |      ✓     |           ✓           | VIP Authentication Hub exposes SCIM 2.0 management APIs.                                                                                    |
| **OpenText / NetIQ Identity Manager**          |      ✓     |           ✓           | SCIM driver (Integration Module) for outbound provisioning.                                                                                 |
| **Optimal IdM (OptimalCloud)**                 |      ✓     |           ✓           | SCIM 2.0 inbound and outbound.                                                                                                              |
| **HelloID (Tools4ever)**                       |      ✓     |           ✓           | Outbound SCIM availability varies by target connector.                                                                                      |
| **Azure AD B2C**                               |      ✓     |           —           | OIDC sign-in; no outbound app provisioning service.                                                                                         |
| **Shibboleth IdP**                             |      ✓     |           —           | OIDC via the OP plugin; no SCIM.                                                                                                            |
| **SimpleSAMLphp**                              |      ✓     |           —           | OIDC OP module; no SCIM.                                                                                                                    |

## Edition and licensing notes

A few providers gate **outbound SCIM** behind a specific edition or add-on. Where a row above is marked `✓` for SCIM, confirm your license covers provisioning before you plan a rollout:

* **Okta** — outbound SCIM to a custom app requires the **Lifecycle Management** add-on.
* **Microsoft Entra ID** — provisioning a non-gallery SCIM application requires **Entra ID P1** (or P2 / a bundle that includes it).
* **OneLogin** — provisioning is a paid capability on the IdP plan.
* **Workday** — SCIM is part of the **Enterprise** tier and requires SSO to be enabled first.

SSO via OIDC generally carries no such gating — it is part of the base offering for nearly every provider listed.

## Don't see your provider?

The table is a convenience, not a boundary. Because MCP Manager federates **any** OIDC provider and accepts SCIM 2.0 from **any** conformant client, a provider's absence here is not a statement that it won't work.

<Check>
  If your IdP issues OIDC ID tokens with a verified email claim, you can use it for **SSO**. If it can push outbound **SCIM 2.0** with a bearer token, you can use it for **provisioning**. To confirm your specific provider and edition, use the **Contact us** prompt on the [SSO / SCIM settings page](https://app.mcpmanager.ai/settings/people/sso) or talk to your MCP Manager contact.
</Check>

## Further reading

<CardGroup cols={2}>
  <Card title="Single sign-on (SSO)" icon="right-to-bracket" href="/enterprise/sso">
    How MCP Manager federates your OIDC identity provider through Auth0.
  </Card>

  <Card title="SCIM provisioning" icon="arrows-rotate" href="/enterprise/scim">
    Automatically create users and sync IdP groups to MCP Manager teams.
  </Card>

  <Card title="Authentication & Identity" icon="fingerprint" href="/security/authentication-and-identity">
    The two-authentications model and how identity is brokered to servers.
  </Card>

  <Card title="Teams" icon="users" href="/deployment/teams">
    How team membership grants users access to gateways.
  </Card>
</CardGroup>

## External sources

<CardGroup cols={2}>
  <Card title="OpenID Connect Core" icon="openid" iconType="brands" href="https://openid.net/specs/openid-connect-core-1_0.html">
    The OIDC specification behind MCP Manager's SSO federation.
  </Card>

  <Card title="SCIM 2.0 — RFC 7644" icon="file-lines" href="https://datatracker.ietf.org/doc/html/rfc7644">
    The SCIM protocol MCP Manager implements as a service provider.
  </Card>

  <Card title="SCIM Core Schema — RFC 7643" icon="file-lines" href="https://datatracker.ietf.org/doc/html/rfc7643">
    The SCIM resource schema for users and groups.
  </Card>

  <Card title="OAuth 2.0 Bearer Token — RFC 6750" icon="key" href="https://datatracker.ietf.org/doc/html/rfc6750">
    The bearer-token scheme that authenticates SCIM requests.
  </Card>
</CardGroup>
