Configure Identity Provider

Configure your identity provider to authenticate users accessing MCP servers through Golf Gateway. Golf Gateway supports Auth0, Microsoft Entra ID (Azure AD), and Descope.

Prerequisites

Auth0
Microsoft Entra ID
Descope

Create a Single Page Application in Auth0.You’ll need:

Domain (e.g., your-tenant.auth0.com)
Client ID
Client Secret (for group sync)

Application (client) ID
Directory (tenant) ID
Client secret
Redirect URI configured as: https://your-gateway.com/oauth/callback

Configure Golf Gateway

Auth0
Microsoft Entra ID
Descope

Admin Portal
YAML

Go to Settings > Identity Provider
Select Auth0 as provider type
Enter your Auth0 domain (e.g., your-tenant.auth0.com)
Enter API identifiers for audience validation
(Optional) Add M2M credentials for group sync
Click Save

identity_providers:
  - name: auth0
    type: auth0
    issuer: https://YOUR_TENANT.auth0.com/
    jwks_uri: https://YOUR_TENANT.auth0.com/.well-known/jwks.json
    api_identifiers:
      - https://your-api.example.com
    # Optional: Management API for group sync
    client_id: ${AUTH0_MGMT_CLIENT_ID}
    client_secret: ${AUTH0_MGMT_CLIENT_SECRET}

Admin Portal
YAML

Go to Settings > Identity Provider
Select Microsoft Entra ID as provider type
Enter your Tenant ID
Enter Application (client) ID
Enter API identifier (e.g., api://your-app-id)
(Optional) Add Graph API credentials for group sync
Click Save

identity_providers:
  - name: entra-id
    type: microsoft-entra-id
    issuer: https://login.microsoftonline.com/YOUR_TENANT_ID/v2.0
    jwks_uri: https://login.microsoftonline.com/YOUR_TENANT_ID/discovery/v2.0/keys
    api_identifiers:
      - api://your-app-id
    # Optional: Graph API for group sync
    client_id: ${ENTRA_ID_CLIENT_ID}
    client_secret: ${ENTRA_ID_CLIENT_SECRET}

Admin Portal
YAML

Go to Settings > Identity Provider
Select Descope as provider type
Enter your Project ID
(Optional) Add Management Key for role sync
(Optional) Enter Tenant ID for tenant-scoped roles
Click Save

identity_providers:
  - name: descope
    type: descope
    project_id: ${DESCOPE_PROJECT_ID}
    # issuer and jwks_uri are auto-generated for Descope
    # Optional: Management API for role sync
    management_key: ${DESCOPE_MANAGEMENT_KEY}
    tenant_id: optional-tenant-id  # For multi-tenant

Enable Group Sync

Group sync allows Golf Gateway to use your identity provider’s groups/roles for RBAC.

Auth0
Microsoft Entra ID
Descope

Create a Machine-to-Machine application with Management API access. See Create M2M Apps in Auth0 documentation.Required scopes: read:users, read:rolesAdd the M2M credentials to your Golf Gateway configuration.

Auth0 uses “roles” instead of “groups”. Golf Gateway maps Auth0 roles to RBAC groups automatically.

Your app registration needs Graph API permissions. See Configure app permissions in Microsoft documentation.Required permissions (Application type):

GroupMember.Read.All
User.Read.All

After granting admin consent, add the credentials to your Golf Gateway configuration.

Golf Gateway fetches transitive group memberships, so nested groups are supported.

Create a Management Key in Descope Console. See Management Keys in Descope documentation.Add the key to your Golf Gateway configuration. Roles are synced automatically on user authentication.

If you use Descope tenants, set tenant_id in your config to sync only tenant-specific roles.

Next Steps

Set Up Server RBAC - Use identity provider groups for access control
Set Up Capability RBAC - Fine-grained tool permissions

Overview

Guides

Reference

Support

Prerequisites

Configure Golf Gateway

Enable Group Sync

Next Steps

Overview

Guides

Reference

Support

​Prerequisites

​Configure Golf Gateway

​Enable Group Sync

​Next Steps

Prerequisites

Configure Golf Gateway

Enable Group Sync

Next Steps