Claude Enterprise-Managed Auth: Zero-Touch MCP Connectors via Okta
Anthropic shipped enterprise-managed authorization for MCP connectors on June 18, 2026. Admins provision Okta once; employees get Asana, Atlassian, Figma, Linear, and four more connectors on first login across Claude Chat, Claude Code, and Cowork — no per-user OAuth.
Every MCP connector has the same onboarding story: engineer finds a useful tool, clicks "Connect," hits an OAuth screen, approves scopes, stores a token, and repeats the whole dance in every Claude product they use. For a team of 200, that's 200 separate approval flows per connector. It adds up fast, and IT has no visibility into any of it. On June 18, 2026, Anthropic shipped enterprise-managed authorization — and the per-user OAuth flow is now optional.
The model is simple: admins connect Okta once, select which MCP connectors the organization should have, scope access by group or role, and employees inherit those connectors automatically on first login. No tickets. No OAuth prompts. No shadow IT. The connectors are just there.
7 connectors at launch: Asana, Atlassian, Canva, Figma, Granola, Linear, Supabase
0 OAuth steps per user: connectors inherit from IdP on login
3 Claude products unified: Claude Chat, Claude Code, Cowork
The OAuth friction problem
The MCP ecosystem grew fast in early 2026. By the time Atlassian, Figma, Linear, and Supabase all shipped production MCP servers, most engineering teams were running four or more connectors per developer. At $120-per-seat Claude Max, nobody complained about capability — they complained about setup.
The specific complaint: OAuth is per-product, not per-account. A developer who wants Jira issues in Claude Chat has to authorize the Atlassian connector in Claude Chat. Then separately in Claude Code. Then separately in Cowork. Three separate OAuth flows, three separate token stores, three separate places for tokens to expire and need renewal. Multiply by six connectors and you're looking at 18 OAuth screens before an engineer is fully set up.
From IT's side, it's worse: no central inventory of who has authorized what. When an engineer leaves the company, someone has to remember to revoke their Atlassian MCP token. If the Supabase connector scopes are too broad, there's no audit trail.
How enterprise-managed auth works
The technical foundation is an open extension to the MCP spec called the Enterprise-Managed Authorization (EMA) extension. Anthropic drafted it alongside the June 18 launch and published it to the MCP governance repository for comment. The short version: EMA adds a machine-to-machine provisioning layer above the existing OAuth flow. The IdP (currently Okta) handles token issuance; Claude products accept the provisioned token without prompting the user.
On the Okta side, the integration uses Cross App Access (XAA) — the same mechanism Okta uses for app-to-app token delegation. Admins configure it from the Claude Enterprise admin panel, not from the Okta dashboard, which keeps the integration accessible to non-Okta admins.
Admin panel → Integrations → MCP Connectors → Enterprise-Managed Auth
1. Connect identity provider
   └─ Select: Okta (additional providers coming)
   └─ Authorize via OAuth 2.0 machine-to-machine flow
2. Select connectors to provision
   └─ Asana, Atlassian, Canva, Figma, Granola, Linear, Supabase
3. Scope access by IdP group / role
   └─ Example: "Engineering" → Atlassian + Linear + Supabase
               "Design" → Figma + Canva
               "All staff" → Granola + Asana
4. Save → provisioning is live for matching users on next login

From a security standpoint, the admin retains full lifecycle control. Token lifetimes can be shortened below the connector's default. Revocation is instant: deprovisioning an Okta user revokes their MCP connector access across all Claude products simultaneously.
Seven connectors at launch
The launch set covers most of the tools an engineering team interacts with daily:
- Asana — task and project management; create/update tasks, read project status.
- Atlassian — Jira issues, Confluence pages, Rovo search. The highest-volume MCP connector in the ecosystem by call count.
- Canva — design asset access; useful in marketing and content workflows.
- Figma — design file access and component inspection; pairs naturally with Claude Code for design-to-code handoffs.
- Granola — meeting note retrieval. Useful for giving Claude Code context on what was decided in the last sprint.
- Linear — issue tracking and roadmap; tight integration with Claude Code for shipping-related queries.
- Supabase — database schema and table access. Agents with Supabase MCP access can read schema context and run read-only queries against dev environments.
Slack is listed as "coming soon," which means the gap in the launch set is messaging history. Anthropic has not given a date for Slack support.
The zero-touch user experience
For end users, the change is invisible in the best possible way. An engineer who joins a team where the admin has already provisioned Linear and Atlassian sees those connectors active in Claude Code on their first login. No setup step. No "link your Atlassian account" prompt. No token to manage.
The same connectors are active in Claude Chat and Cowork — the three products share the provisioned token via EMA, so there's no per-product auth even if the user switches between them mid-session.
Connect your identity provider to Claude and choose which MCP connectors to enable for your organization. When an employee logs in, their connectors are already there.
For existing users who already had connectors authorized manually, the enterprise-managed token takes precedence when EMA is configured. The old personal token is superseded but not deleted — if IT later removes EMA, the personal token resumes. This is a deliberate design choice to avoid breaking workflows during rollout.
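The group scoping, deprovisioning and token-precedence rules described above, modelled as an access-review helper. This is an added example, not Anthropic's or Okta's code: the policy table mirrors the admin-panel example, and `connector_audit`, the user records and their field names are hypothetical.

```python
# Added illustration of the behaviour described in this article.
# Every name below is hypothetical; this is not the EMA extension's API.

# IdP group -> connectors, copied from the admin-panel example above.
POLICY = {
    "Engineering": {"Atlassian", "Linear", "Supabase"},
    "Design": {"Figma", "Canva"},
    "All staff": {"Granola", "Asana"},
}


def connector_audit(user, ema_configured, policy=POLICY):
    """Classify a user's connectors for an access review.

    enterprise: inherited from IdP groups while EMA is configured
    dormant:    personal tokens superseded by an enterprise token; they
                are not deleted and resume if EMA is removed
    unmanaged:  personal tokens with no enterprise grant behind them
    """
    personal = set(user["personal_tokens"])
    if not user["active"]:
        # Deprovisioned in the IdP: nothing is inherited. Leftover
        # personal tokens are reported so they can be revoked by hand.
        return {"enterprise": set(), "dormant": set(), "unmanaged": personal}
    enterprise = set()
    if ema_configured:
        for group in user["groups"]:
            enterprise |= policy.get(group, set())  # unknown group: no grant
    return {
        "enterprise": enterprise,
        "dormant": personal & enterprise,
        # Assumption: the article does not say how these are treated
        # under EMA, so they are surfaced for review rather than judged.
        "unmanaged": personal - enterprise,
    }


# Constructed sample users (not real accounts).
ALICE = {"active": True, "groups": ["Engineering", "All staff"],
         "personal_tokens": ["Atlassian", "Figma"]}
BOB = {"active": False, "groups": ["Design"], "personal_tokens": ["Canva"]}
```

Running the audit with `ema_configured=False` shows which personal tokens would come back into use if EMA were removed.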
Claude Code gets it too
The most immediate impact for developers is in Claude Code. With an Atlassian connector provisioned via EMA, Claude Code can read Jira issue context without any explicit tool configuration. Ask it to implement PROJ-1234 and it pulls the spec directly — no copy-paste, no switching windows.
$ claude
> Implement the feature described in PROJ-1234
Claude Code: Reading Jira issue PROJ-1234...
  Title: "Add cursor-based pagination to /api/v1/skills"
  Acceptance criteria:
    ✓ cursor param replaces offset
    ✓ nextCursor returned in response envelope
    ✓ backward compat with offset=0 callers
    ✓ < 10ms p99 on the skills table with 50k rows
Proceeding with implementation...

The same pattern works with Linear for issue tracking and Supabase for schema context. The result is that Claude Code has the project management layer baked into its context without developers having to manually pipe information in.
One practical note: Claude Code respects the token scopes set at the IdP level. If an admin has scoped Supabase access to read-only, Claude Code cannot run destructive queries through that connector, even if the user asks it to. Scope enforcement happens at the connector layer, not in the model.
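What connector-layer enforcement looks like in principle: the decision is a function of the token and the requested tool only, so nothing the user or model says can widen it. This is an added example, not code from any real connector; the tool names, scope strings and token fields are hypothetical.

```python
import time

# Hypothetical tool -> required-scope table for a database connector.
REQUIRED_SCOPE = {
    "list_tables": "db:read",
    "run_select": "db:read",
    "run_migration": "db:write",
    "drop_table": "db:write",
}


def issue_token(scopes, connector_default_ttl, admin_ttl=None, now=None):
    """Build a token record (constructed format, not a real token).

    An admin-set lifetime can shorten the connector default, never extend it.
    """
    now = time.time() if now is None else now
    ttl = connector_default_ttl
    if admin_ttl is not None:
        ttl = min(ttl, admin_ttl)
    return {"scopes": frozenset(scopes), "expires_at": now + ttl}


def authorize(token, tool, now=None):
    """Decide one tool call from the token alone; returns (allowed, reason).

    No prompt or model output is passed in, so the request text
    cannot influence the outcome.
    """
    now = time.time() if now is None else now
    if now >= token["expires_at"]:
        return False, "token expired"
    needed = REQUIRED_SCOPE.get(tool)
    if needed is None:
        return False, "unknown tool"  # default deny for unlisted tools
    if needed not in token["scopes"]:
        return False, f"missing scope {needed}"
    return True, "ok"
```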
MCP skills on skills-hub.ai
If you're rolling out enterprise-managed auth, the integration work doesn't stop at the Okta configuration. You'll want Claude Code skills that know how to use each connector well — querying Jira with the right JQL syntax, creating Linear issues with proper labels, reading Supabase schema in ways the model can reason about.
Skills-hub.ai hosts a growing set of integration skills for each of the seven EMA connectors. The new mcp-enterprise-auth skill (available today) automates the audit and configuration process itself:
# Install the MCP enterprise auth audit + setup skill
npx @skills-hub-ai/cli install mcp-enterprise-auth
# Run an audit of current connector state
# (Claude Code reads your claude_desktop_config.json + active tokens)
# and generates the Okta provisioning config
npx @skills-hub-ai/cli install atlassian-mcp
npx @skills-hub-ai/cli install linear-mcp
npx @skills-hub-ai/cli install supabase-mcp

Browse the full integration catalog at /browse?category=integration — or filter by MCP-tagged skills specifically.
What's next
Anthropic has signaled two near-term additions to enterprise-managed auth: more identity providers (Microsoft Entra and Google Workspace are the obvious candidates given Claude's enterprise customer base), and Slack connector support. The connector list at launch covers project management and design tools well but misses the communication layer entirely.
The broader implication is more interesting. EMA is the first step toward treating MCP connectors as infrastructure rather than per-user configuration. When connectors are provisioned at the org level and token lifetimes are managed by IT, agents operating on behalf of employees become auditable. That's the prerequisite for enterprises to trust agents with write-side operations — not just reading Jira issues but closing them, not just querying Supabase but running migrations.
The June 18 launch is a foundation, not a ceiling. The connectors that benefit most from this pattern are the ones where write-side agent access is genuinely useful but currently too risky to enable broadly. Slack is one. GitHub is another. Both require org-level token governance before most engineering teams will let an agent post or push on their behalf.
If you're on Claude Team or Enterprise, EMA is in beta now. IT teams can enable it from the admin panel without waiting for a GA launch. For solo developers and small teams not on an enterprise plan, the per-user OAuth flow stays unchanged — this feature is specifically for organizations that need centralized control.
Related reading: MCP goes stateless in the July spec (the protocol change that makes multi-instance MCP servers practical), integration skills on skills-hub.ai, and the MCP server directory if you're evaluating which connectors to provision first.
Written by
Skills-Hub Team
Anthropic ecosystem coverage