On June 18, 2026, the Model Context Protocol team published Enterprise-Managed Authorization (EMA) as a stable extension, eliminating what the MCP community had identified as the single largest obstacle to enterprise-scale AI tool deployment: the per-user OAuth consent screen that security teams could not centrally govern.
Ramp, the fintech company, reports that 2,000 employees are now provisioned across every approved MCP connector through a single Okta policy — with zero additional steps required of any of them.
The Problem EMA Solves
Before EMA, deploying MCP connectors in a large organization produced a predictable failure mode. At a company with 50 employees and 10 connected MCP servers, that's 500 individual OAuth flows to complete and track. Security teams had no central view of who authorized what. Personal and corporate accounts blurred. When someone left, their authorized sessions persisted across every server they had individually approved — unless IT caught each one.
EMA flips the model: an administrator configures MCP enterprise authentication once in the identity provider. From that point, every approved connector appears automatically at each employee's first login. No tickets to IT. No redirect queues. No configuration required from the end user.
How It Works: ID-JAG and the Standards Path
The technical foundation is the Identity Assertion JWT Authorization Grant (ID-JAG): the client obtains a JWT from the IdP during single sign-on, then exchanges it for an access token from the MCP server's authorization server — with no per-server consent screen involved.
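The authorization-server side of that exchange, as an added example (not code from the MCP specification, Okta or Anthropic): the checks that stand in for the missing consent screen when an ID-JAG arrives. The `typ` value and claim names follow the IETF ID-JAG draft as understood here and should be confirmed against the current text; the URLs, client ID, keys and the `cfg` shape are constructed for the demo.

```javascript
// Added example: resource authorization server checks on an incoming ID-JAG.
const crypto = require("node:crypto");

const b64u = (x) => Buffer.from(x).toString("base64url");

// Demo-only signer standing in for the IdP; keys and claims are constructed.
function mintAssertion(privateKey, claims, typ = "oauth-id-jag+jwt") {
  const head = b64u(JSON.stringify({ alg: "RS256", typ }));
  const body = b64u(JSON.stringify(claims));
  const sig = crypto.sign("sha256", Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${sig.toString("base64url")}`;
}

// Returns { ok: true, claims } or { ok: false, reason }.
function validateIdJag(jwt, cfg) {
  const parts = jwt.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], "base64url"));
    claims = JSON.parse(Buffer.from(parts[1], "base64url"));
    if (!header || !claims) throw new Error("empty");
  } catch { return { ok: false, reason: "malformed" }; }
  // Pin algorithm and type: the token never chooses how it is verified.
  if (header.alg !== "RS256") return { ok: false, reason: "alg" };
  if (header.typ !== "oauth-id-jag+jwt") return { ok: false, reason: "typ" };
  const valid = crypto.verify("sha256", Buffer.from(`${parts[0]}.${parts[1]}`),
    cfg.idpPublicKey, Buffer.from(parts[2], "base64url"));
  if (!valid) return { ok: false, reason: "signature" };
  if (claims.iss !== cfg.trustedIssuer) return { ok: false, reason: "iss" };
  // Audience must be this authorization server (strict string match), so an
  // assertion minted for one MCP server is useless at another.
  if (claims.aud !== cfg.self) return { ok: false, reason: "aud" };
  if (claims.client_id !== cfg.authenticatedClientId) return { ok: false, reason: "client_id" };
  if (typeof claims.exp !== "number" || claims.exp <= cfg.now) return { ok: false, reason: "expired" };
  // Single use: a captured assertion cannot be redeemed a second time.
  if (typeof claims.jti !== "string" || cfg.seenJti.has(claims.jti)) return { ok: false, reason: "jti" };
  cfg.seenJti.add(claims.jti);
  return { ok: true, claims };
}

// Constructed demo data (hypothetical issuer, server and client identifiers).
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const cfg = { idpPublicKey: publicKey, trustedIssuer: "https://idp.example",
  self: "https://auth.mcp-server.example", authenticatedClientId: "mcp-client-1",
  now: 1_800_000_000, seenJti: new Set() };
const baseClaims = { iss: cfg.trustedIssuer, sub: "user-123", aud: cfg.self,
  client_id: "mcp-client-1", jti: "a1", exp: cfg.now + 300 };
```

In a deployment the `seenJti` set would be a shared store with entries expiring at `exp`, and `now` would come from the server clock.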

The spec did not emerge overnight. ID-JAG was adopted by the IETF OAuth working group in September 2025, incorporated into the MCP specification in November 2025, and declared stable on June 18, 2026. Anthropic's production rollout is the first live implementation of that stable extension. Because the specification is open, any MCP connector — including custom-built internal tools — can adopt EMA without going through Anthropic.
Okta markets its ID-JAG implementation as Cross App Access (XAA). Okta's TypeScript and Java SDKs already include XAA support; developers in those languages can implement the standard with minimal additional integration work.
Who Is Live at Launch
Clients: Anthropic ships EMA across Claude, Claude Code, and Cowork under a single shared MCP layer — one admin configuration covers all three. Microsoft ships support in Visual Studio Code directly in the IDE.
MCP servers: Seven providers support EMA at launch — Asana, Atlassian, Canva, Figma, Granola, Linear, and Supabase. Slack support is in progress. HubSpot, Ramp, and Webflow are named early enterprise adopters.
Current limitation: Okta is the only supported identity provider. Enterprises on Microsoft Entra ID (Azure AD) or Google Workspace are waiting. Anthropic says additional providers are coming but has given no dates.
The feature is in beta for Claude Team and Enterprise plan customers.
Security Properties
Three enterprise security properties follow directly from the architecture:
- Centralized audit: All access decisions are recorded in the IdP's admin console — one auditable trail across every connector, subject to the same compliance reporting that governs all other enterprise access.
- Clean account separation: Without an interactive account-selection step, there is no mechanism for a user to accidentally route work data through a personal OAuth grant.
- Instant revocation: Remove a user from the relevant Okta group and their access to all connected MCP servers disappears immediately — no need to revoke across each server individually.
Aaron Parecki, Director of Identity Standards at Okta, framed the shift: by embedding Cross App Access into MCP as the EMA extension, organizations turn identity into a centralized governance plane.
The Competitive Angle
EMA's stable release landed one day after WitnessAI launched Agentic Control, a separate product that monitors MCP server interactions, discovers AI agents across enterprise environments, and blocks malicious prompts at runtime. WitnessAI raised $58 million in January 2026 (led by Sound Ventures, with Qualcomm Ventures and Samsung Ventures participating) and reported over 500% ARR growth in the past 12 months.
The two approaches are not mutually exclusive — EMA governs who can connect to which servers at provisioning time; WitnessAI governs what agents do once connected at runtime — but they compete for the same security budget and the same CISO's attention. Enterprises may end up layering both, or choosing the IdP-centric EMA path alone if runtime inspection is not a regulatory requirement.
Key Facts
- Date stable: June 18, 2026
- Standard path: IETF OAuth WG (Sept 2025) → MCP spec (Nov 2025) → stable extension (June 2026)
- First live IdP: Okta (Cross App Access / XAA)
- Clients at launch: Claude, Claude Code, Cowork (Anthropic); VS Code (Microsoft)
- Servers at launch: Asana, Atlassian, Canva, Figma, Granola, Linear, Supabase
- Early enterprise adopters: HubSpot, Ramp (2,000 employees), Webflow
- Availability: Beta, Claude Team and Enterprise plans
- Pending: Entra ID / Google Workspace support; no timeline given
What to Watch
Microsoft Entra ID and Google Workspace EMA support in Q3 2026 would take this from a notable enterprise feature to a universal enterprise standard — watch for announcements alongside the next major MCP spec revision. The WitnessAI vs. IdP-centric tension is also worth tracking: if runtime MCP policy enforcement becomes a compliance requirement in regulated industries, demand for the layered approach will accelerate.
Sources: MCP Blog — Enterprise-Managed Authorization · Anthropic Claude Blog · WitnessAI raises $58M — PR Newswire · Help Net Security — WitnessAI Agentic Control









