Group Type
Interest Group
Mission Statement
The Enterprise-Managed Authorization Interest Group provides a venue for identity-provider vendors, MCP client implementers, and MCP server operators to coordinate on real-world adoption of the Enterprise-Managed Authorization extension (io.modelcontextprotocol/enterprise-managed-authorization). The extension’s ID-JAG flow only delivers value when an enterprise IdP, an MCP client, and an MCP server’s authorization server all interoperate end to end — this group exists to gather deployment experience, surface compatibility gaps between independent implementations, and feed validated problems back to the Authorization IG and the ext-auth specification.
Scope
In Scope
- Interoperability reports: documented results of pairing specific IdPs, MCP clients, and MCP authorization servers through the full ID-JAG exchange, including what worked, what required workarounds, and what failed
- Conformance scenario input: identifying the assertions an EMA conformance suite should make (ID-JAG validation, audience and issuer checks, claim mapping, account linking, error handling) and contributing scenarios to the conformance repository
- Deployment patterns: comparing notes on tenant isolation, admin-consent flows, JIT provisioning, claim-to-permission mapping, and token-lifetime choices observed in production rollouts
- IdP capability gaps: cataloguing where existing IdP products cannot yet issue or validate ID-JAGs as specified, so implementers know what to expect and IdP vendors have a shared backlog
- Spec clarification requests: collecting ambiguities and underspecified behaviour discovered during implementation and routing them to the ext-auth repository as issues or PRs
Out of Scope
- Other authorization profiles: Client Credentials, DPoP, Workload Identity Federation, and the core OAuth 2.1 flow belong to the Authorization IG
- General enterprise deployment topics: networking, packaging, and host-application rollout concerns that are not specific to the ID-JAG flow
- End-user product configuration walk-throughs: the IG discusses patterns, not step-by-step setup for individual IdP or client products. Vendor-reported constraints on what an IdP can or cannot implement are in scope as deployment experience
- Competitively sensitive or non-public business information, per the MCP Antitrust Policy
Related Groups
- Authorization IG: parent group for all MCP authorization work; EMA spec changes are incubated there and this IG’s findings feed its agenda
- Security IG: token-audience confusion, issuer validation, and account-linking risks in the ID-JAG flow sit at the boundary between the two groups
- SDK Maintainers: SDKs ship the EMA client implementation; interop findings inform cross-SDK behaviour and defaults
Leadership
| Role | Name | Organization | GitHub | Term |
|---|---|---|---|---|
| Facilitator | Paul Carleton | Anthropic | @pcarleton | Initial |
| Facilitator | Aaron Parecki | Okta | @aaronpk | Initial |
Membership
Open to anyone; no formal membership or approval step is required to join the channel, attend calls, or contribute. The group particularly seeks participants from enterprise IdP vendors, MCP client implementers shipping EMA support, and MCP server operators integrating with an enterprise IdP. Join the #enterprise-managed-auth-ig channel on the MCP Contributors Discord or open a thread in the Authorization category of GitHub Discussions. Calls are open and attendance is optional — async participation via Discord and GitHub is equally valued.
Operations
| Meeting | Frequency | Duration | Purpose |
|---|---|---|---|
| Interop Call | Every 2 weeks | 45 min | Deployment reports, compatibility-matrix review, spec-feedback triage |
#enterprise-managed-auth-ig ahead of each call. Meeting notes are posted to the Authorization category in GitHub Discussions.
Discord: #enterprise-managed-auth-ig · invite
Changelog
| Date | Change |
|---|---|
| 2026-06-16 | Initial charter |