Claude Official Blog · Product · 06-22 · 10:38


Centrally manage authorization for MCP connectors


Admins can now provision MCP connectors for their whole organization through their identity provider, starting with Okta. Users get connector access automatically on first login, with authorization configured centrally by their organization.

Connectors make Claude more useful at work — they give Claude the context it needs from the tools that your teams already use. Until now, turning them on required action at two steps: admins enabled a connector for the organization, and then every individual user authorized it themselves.

Enterprise-managed authorization streamlines that second step. Admins authorize a connector once, users inherit access through the IdP groups and roles they already have, and the connector is there the first time someone opens Claude. The result is zero-touch connector setup for the end user.

Enterprise-managed auth is the first implementation of the Enterprise-Managed Authorization extension to the Model Context Protocol. It's built on an open standard so any connector can support it — including the custom connectors your own teams build — and they all work the same way for every Claude customer.

How it works

Connect your identity provider to Claude and choose which MCP connectors to enable for your organization. When an employee logs in, their connectors are already there. Access stays consistent across Claude chat, Claude Code, and Cowork.

For admins, this folds MCP access management into the same workflow that governs the rest of your stack: provision once, scope by group, manage revocation through the IdP. Because checking access with the IdP is frictionless, admins can shorten access token lifetimes without impacting productivity — so when someone is deprovisioned, their connector access expires fast instead of lingering on an old token. Access runs through the identity provider you already trust, so connectors fall under the same security and access controls as everything else, rather than a separate surface to monitor.

Admins can also require that a connector only ever connects through the IdP, which keeps work and personal use cleanly separated and prevents someone from accidentally linking a personal account to a work tool.
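The following Python is an added, constructed model of the checks the section above describes (it is not Anthropic's, Okta's or the MCP extension's code): an admin policy that scopes each connector to IdP groups, short-lived IdP-issued tokens so that deprovisioned users lose access within one token lifetime, and an IdP-only rule that refuses personal-account links. The names IdP, POLICY, authorize and the signing key are assumptions made for the example.

```python
import base64, hashlib, hmac, json
from dataclasses import dataclass, field

SIGNING_KEY = b"example-idp-key"  # placeholder for the example; a real IdP uses asymmetric keys


@dataclass
class IdP:
    """Toy identity provider: user -> groups, a short token TTL, and a deprovisioned set."""
    groups: dict
    token_ttl: int = 300  # seconds; a short lifetime bounds how long revoked access lingers
    deprovisioned: set = field(default_factory=set)

    def issue(self, user, now):
        """Mint a signed token carrying the user's current groups and an expiry."""
        if user in self.deprovisioned or user not in self.groups:
            raise PermissionError("unknown or deprovisioned user")
        claims = {"sub": user, "groups": sorted(self.groups[user]), "exp": now + self.token_ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def verify(self, token, now):
        """Check signature and expiry; return the claims or raise PermissionError."""
        body, sig = token.rsplit(".", 1)
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("bad signature")
        claims = json.loads(base64.urlsafe_b64decode(body))
        if now >= claims["exp"]:
            raise PermissionError("token expired")
        return claims


# Admin policy, configured once: which IdP groups may use each connector, and
# whether the connector may only ever be linked through the IdP (no personal accounts).
POLICY = {
    "design-tool": {"groups": {"design", "eng"}, "idp_only": True},
    "issue-tracker": {"groups": {"eng"}, "idp_only": False},
}


def authorize(idp, connector, token, now, via_idp=True):
    """True if this grant may reach the connector: IdP-only rule, valid token, group overlap."""
    rule = POLICY[connector]
    if rule["idp_only"] and not via_idp:
        return False  # personal-account link refused for an IdP-only connector
    try:
        claims = idp.verify(token, now)
    except (PermissionError, ValueError):
        return False
    return bool(rule["groups"] & set(claims["groups"]))
```

Revocation through the IdP takes effect at the next token issuance; the worst-case window in which an old token still works is token_ttl seconds, which is why shortening it matters.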

Built with an ecosystem

Enterprise-managed authorization works across three groups: the identity providers that govern access, the MCP providers that support the standard, and the Claude customers deploying managed connections across their teams.

Identity providers. Okta is supported at launch, with support for additional identity providers coming soon.

MCP providers. Asana, Atlassian, Canva, Figma, Granola, Linear, and Supabase support Enterprise-managed auth at launch, with Slack coming soon.

Claude customers. Hubspot, Ramp, and Webflow are among the organizations rolling out enterprise-managed auth across their teams.

"Enterprise-managed auth is a foundational milestone in realizing Asana's vision as the operating system for human-agent teams. By providing organizations with a secure, controlled way to connect Claude to their most critical workflows, we are unlocking the ability to scale AI-driven value across the enterprise—backed by the absolute governance, compliance, and trust that large-scale deployment demands."
– Arnab Bose, CPO, Asana

"Enterprise-managed auth makes Atlassian Rovo MCP easier for Claude Enterprise customers to adopt at scale, giving employees a simple way to connect Claude to the Atlassian work they already rely on across Jira, Confluence, and Teamwork Graph. Just as importantly, it gives admins a centralized place to manage MCP clients' access, so organizations can move faster with AI while maintaining the governance they expect."
– Brendan Haire, VP of Engineering (Rovo and AI), Atlassian

"Canva is already trusted by 95% of the Fortune 500, and our MCP server lets even more teams create, edit and publish on-brand designs with Canva's AI and design tools, all in the same workflow. Enterprise-managed auth with Okta makes it clear and simple for enterprises to manage AI access with a system they already trust, enabling teams to create with AI, safely and at scale."
– Anwar Haneef, GM and Head of Ecosystem, Canva

"The Figma MCP brings the power of code and canvas together so teams can move faster, explore more and ship products that stand out. As MCP adoption grows, enterprise-managed auth makes it easier for enterprises to scale their MCP deployments securely without slowing teams down."
– Devdatta Akhawe, VP of Engineering, Figma

"It's great to see Anthropic and Okta make it easier for enterprises to connect to MCP servers securely, centrally and at scale. Granola helps teams capture some of the most important context at work: decisions, details and follow ups as they happen. MCP makes this useful across team tools, and enterprise-managed auth makes it available frictionlessly across teams."
– Chris Pedregal, CEO and Co-founder, Granola

"Enterprise-managed auth is the security and user experience that we've been looking for with MCP connections. Folks just perform a standard login to Okta and they're connected with their personal context to all MCP hosts in our software ecosystem. Personal identity passes through, but no one gets tripped up on a multitude of OAuth grants. It's a huge win for enterprise management, especially paired with selective control of individual tools exposed by those MCP hosts."
– Andrew Meinert, Director of Systems Operations and AI, Hubspot

"Logging in once and automatically having all your MCP connectors automatically set up is pretty magical."
– Tom Moor, Head of Engineering, Linear

"The momentum around MCP is incredible, but as we move toward an interconnected AI workforce, security can't be an afterthought. By embedding the Cross App Access protocol into MCP as the Enterprise-Managed Authorization extension, as well as implementing it in the Claude ecosystem, we turn identity into a centralized governance plane and give security teams strict compliance control and users a seamless, secure experience."
– Aaron Parecki, Director of Identity Standards, Okta

"Before enterprise-managed auth, onboarding a new hire to their full toolkit meant a queue of per-connector OAuth approvals. Now they log in to Claude on day one already connected — 2,000 employees, provisioned through Okta, zero extra steps."
– Cameron Leavenworth, Senior IT Engineer (AI), Ramp

"Slack is the place where humans and agents are working side by side, in the same conversation, with the same context, toward the same goals. Through the Slack MCP server, all of this becomes accessible to Claude, not just to read but to act on. Enterprise-managed auth means organizations can roll out access to all users without friction. Security teams configure it once through their existing identity provider and users get seamless access."
– Rod García, VP of Engineering, Slack

"The only way to use Supabase through Claude was to be an org owner or hand out Personal Access Tokens to everyone on your team. Enterprise-managed auth fixes that: your IdP controls access and roles, so builders can use Claude to explore and query their data without IT compromising on security to get there."
– Bil Harmer, CISO, Supabase

"Our team opens Claude and every tool they're cleared for is right there, scoped by the identity groups IT already runs. Enterprise-managed auth turned AI into something people use instead of request, and we're taking it across Webflow."
– Reed Shackelford, Senior Manager, Enterprise AI Operations, Webflow

Getting started

Enterprise-managed auth is available today in beta for customers on the Claude Team and Enterprise plans. Learn more on our Help Center and apply for access to get started.

Any identity or MCP provider can add support for enterprise-managed auth by implementing the open extension to the MCP authorization spec. Submit interest to join the beta here.