Agent-2-Agent
Integrate Gatana as an MCP Gateway in your Agent-2-Agent architecture
The Challenge
In Agent-2-Agent (A2A) architectures, a centralized service orchestrates AI agents that need access to various tools and APIs. The fundamental challenge is identity and credential propagation:
- How does a new employee immediately get access to the right tools?
- How do you inject team-specific API credentials without per-user configuration?
- How does the A2A service call downstream tools on behalf of the user?
Gatana solves this by combining OIDC token trust, claim-based profile mapping, and credential overrides—enabling zero-touch onboarding for new users.
How It Works
```
┌──────────────┐                              ┌─────────────────┐
│   End User   │──── Authenticates ──────────►│  Corporate IdP  │
│  (new hire)  │                              │  (Okta, Entra)  │
└──────────────┘                              └────────┬────────┘
                                                       │
                                           Access Token with claims:
                                           { team: "platform", ... }
                                                       │
                                                       ▼
┌────────────────┐      Token forwarded       ┌─────────────────┐
│  A2A Service   │◄───────────────────────────│    A2A Agent    │
│ (Orchestrator) │                            │  (e.g. Slack)   │
└───────┬────────┘                            └─────────────────┘
        │
        │ Same token passed to Gatana
        ▼
┌─────────────────────────────────────────────────────────────┐
│                       Gatana Gateway                        │
│                                                             │
│  1. Validates token via OIDC Token Trust                    │
│  2. Extracts claims (team: "platform")                      │
│  3. Applies matching profile (platform-team)                │
│  4. Injects profile credentials (Logz.io token, etc.)       │
│                                                             │
└─────────────────────────────────────────────────────────────┘
        │
        ▼
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│   Logz.io MCP   │ │   GitHub MCP    │ │    Jira MCP     │
│  (team token)   │ │  (user OAuth)   │ │ (shared creds)  │
└─────────────────┘ └─────────────────┘ └─────────────────┘
```

See Zero Touch Onboarding for instructions on how to set up zero-touch onboarding.
New hire onboarding flow:
- Employee joins and is added to the `platform-team` group in the IdP
- Employee opens their AI assistant, which calls the company A2A service
- A2A service forwards their access token to Gatana
- Gatana validates the token, sees the `team: platform` claim, and applies the `platform-team` profile
- Employee immediately has access to Logz.io, AWS, and GitHub tools with the correct credentials
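The four gateway steps above, as an added Python model that is not Gatana's own code: HS256 with a shared secret stands in for the OIDC/JWKS validation Gatana performs, and the issuer, audience, claim names, profile and credential values are constructed placeholders. It fails closed when no profile matches the team claim or the profile grants no access to the requested tool, and profile credentials override any credential header the calling service passed through.

```python
# Added illustrative model of the Gatana flow above, not Gatana's own code.
# Assumption: HS256 with a shared secret stands in for the OIDC/JWKS check
# Gatana performs; issuer, audience, claim names and profiles are constructed.
import base64, hashlib, hmac, json, time
SECRET, ISSUER, AUDIENCE = b"demo-shared-secret", "https://idp.example.com", "gatana"
# team claim value -> profile; each profile carries the credentials to inject
PROFILES = {"platform": {"name": "platform-team", "credentials": {
    "logzio": {"X-API-TOKEN": "logz-team-token-PLACEHOLDER"}}}}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict) -> str:
    """Constructed IdP: issue an HS256 token carrying the given claims."""
    signing_input = _b64url(b'{"alg":"HS256","typ":"JWT"}') + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_token(token: str, now=None) -> dict:
    """Step 1: check alg, signature, issuer, audience and expiry; raise on failure."""
    header, body, sig = token.split(".")
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")          # never accept alg=none etc.
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64url(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise PermissionError("wrong issuer or audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise PermissionError("token expired")
    return claims

def resolve_request(token: str, tool: str, agent_headers: dict) -> dict:
    """Steps 2-4: map the team claim to a profile and inject its credentials.
    Fails closed when nothing matches; profile credentials override any
    credential header the A2A service tried to pass through."""
    claims = validate_token(token)
    profile = PROFILES.get(claims.get("team"))
    if profile is None:
        raise PermissionError(f"no profile for team={claims.get('team')!r}")
    creds = profile["credentials"].get(tool)
    if creds is None:
        raise PermissionError(f"{profile['name']} grants no access to {tool}")
    headers = {**agent_headers, **creds}   # profile values win on conflict
    return {"user": claims.get("sub"), "profile": profile["name"], "headers": headers}
```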
Related Documentation
- Zero Touch Onboarding — Set up Zero Touch Onboarding
- Identity Federation — Configure OIDC/SAML and token trust
- Profiles — Credential overrides, restrictive mode, and claim mappings
- Credentials — How credential scoping works