ID-JAG: Solving OAuth Sprawl for Enterprise AI Agents

Enterprise AI agents are moving from demos into production, and auth is becoming a blocker. Demo agents can connect to tools with OAuth, but real enterprise agents may need SaaS services for thousands of employees. Per-user, per-service consent does not scale.

This session explains ID-JAG, the Identity Assertion JWT Authorization Grant pattern behind MCP's Enterprise-Managed Authorization extension. ID-JAG turns an existing SSO login into centrally governed, auditable access to approved MCP servers, without repeated OAuth prompts.

We'll cover the production problem, protocol flow, and lessons from implementing ID-JAG support in Archestra, one of the first MCP clients to support it. We'll also discuss what identity provider support enables.

Attendees will leave with a model for production agent auth: one SSO login, centralized policy, scoped MCP-native access tokens, fewer consent screens, and a cleaner security review story.

We'll close with the missing piece: SaaS provider adoption. To unlock enterprise deployments, authorization servers need to support this flow so agents can access approved business systems without key-sharing, manual credentials, or one-off integrations.