Zero-Touch Onboarding
With trusted identity providers your users gain seamless access to Gatana
The Hidden Problem
You've set up MCP servers for your team. Now what?
Most teams end up with one of two bad options:
- Shared credentials — Everyone uses the same API key.
- Manual provisioning — IT manually grants access to each user.
There's a better way: let your identity provider handle it.
Gatana's Approach
Gatana implements zero-trust access through two mechanisms:
- OIDC Token Trust — Accept access tokens directly from your corporate IdP
- Claim-Based Mapping — Automatically apply the right permissions based on token claims
The result: a new employee authenticates once, and Gatana knows exactly which tools they can access and which credentials to inject—based entirely on who they are in your IdP.
┌──────────────┐                        ┌─────────────────┐
│   End User   │──── Authenticates ────►│  Corporate IdP  │
└──────────────┘                        │  (Okta, Entra)  │
                                        └────────┬────────┘
                                                 │
                                     Access Token with claims:
                              { team: "platform", role: "engineer" }
                                                 │
                                                 ▼
                                ┌─────────────────────────────────┐
                                │         Gatana Gateway          │
                                │                                 │
                                │  ✓ Validates token signature    │
                                │  ✓ Extracts claims              │
                                │  ✓ Maps to profile & team       │
                                │  ✓ Injects scoped credentials   │
                                │                                 │
                                └─────────────────────────────────┘
                                                 │
                   ┌─────────────────────────────┼─────────────────────────────┐
                   ▼                             ▼                             ▼
          ┌─────────────────┐           ┌─────────────────┐           ┌─────────────────┐
          │   Logz.io MCP   │           │   GitHub MCP    │           │    Jira MCP     │
          │  (team token)   │           │  (user OAuth)   │           │  (org API key)  │
          └─────────────────┘           └─────────────────┘           └─────────────────┘
How to Enable
1. Enable OIDC Token Trust
Configure Gatana to accept access tokens from your identity provider:
- Go to Settings → Authentication
- Add your OIDC provider (Okta, Microsoft Entra, Auth0, etc.)
- Enable OIDC Access Token Trust
Any valid access token from your IdP with the Client ID from step (2) can now authenticate to Gatana. Users are automatically provisioned on first access—no manual setup required.
See Identity Federation for detailed provider setup instructions.
2. Create Profiles with Credential Overrides
Profiles let you inject team-specific credentials for tools that don't support per-user OAuth:
- Create a profile (e.g., platform-team)
- Add the relevant MCP servers
- Configure credential overrides with team API keys
- Disable Open to All to restrict access
3. Map Claims to Profiles
The key to zero-touch access: map IdP claims to profiles.
In the profile settings, add claim mappings:
| Claim Key | Claim Value |
|---|---|
| team | platform |
Now anyone whose token contains team: platform automatically gets the platform-team profile applied—with all its servers and credentials.
Day-one experience:
- New hire is added to the platform team in your IdP
- They open their AI assistant
- Gatana validates their token and sees the team: platform claim
- They immediately have access to the right tools with the right credentials.
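To make the three steps concrete, here is an added example (not Gatana's own code) of the token checks and claim-to-profile resolution the gateway performs once the token signature has been verified against the IdP's keys. The profile names, the `team`/`role` mappings, and the rule that every mapping on a profile must match are assumptions for illustration; it also goes slightly beyond the table above by treating array-valued claims (e.g. a groups claim) as matching when they contain the mapped value.

```python
import time

# Hypothetical profile definitions with their claim mappings (constructed).
PROFILES = {
    "platform-team": {
        "mappings": [{"key": "team", "value": "platform"}],
        "servers": ["logz-io", "github", "jira"],
    },
    "sre-oncall": {
        "mappings": [{"key": "role", "value": "sre"}],
        "servers": ["logz-io"],
    },
}


def check_token_claims(claims, issuer, client_id, now=None):
    """Reject a (signature-verified) token that is not from the trusted IdP,
    not issued for this Client ID, or expired. Empty list means accepted."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("untrusted issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        problems.append("audience does not match client id")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def claim_matches(claims, key, value):
    """A mapping matches when the claim equals the value or, for an array
    claim, contains it. A missing claim never matches."""
    actual = claims.get(key)
    if isinstance(actual, list):
        return value in actual
    return actual == value


def resolve_profiles(claims, profiles=PROFILES):
    """Names of every profile whose mappings all match the token's claims."""
    return sorted(
        name for name, prof in profiles.items()
        if all(claim_matches(claims, m["key"], m["value"]) for m in prof["mappings"])
    )
```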
Related Documentation
- Identity Federation — Configure OIDC/SAML providers
- Profiles — Credential overrides and claim mappings
- Credentials — How credential scoping works
- Agent-2-Agent — How Gatana enables Agent-2-Agent architectures