Unlocking Enterprise AI: Building a Secure Enterprise MCP Server for Claude Integration

- Ayesha Dissanayaka
- Associate Director/Architect - WSO2

The era of generative AI is upon us, and large language models (LLMs) like Claude are demonstrating incredible potential to revolutionize how businesses operate and interact with customers. However, to truly unlock this potential, AI needs secure and standardized access to the wealth of information and services locked within enterprise systems. This is where standards such as Model Context Protocol (MCP) come in, offering a powerful way to make enterprise resources AI-consumable.
This article explores how to build an enterprise-grade MCP server, secured by a robust authorization server, that agentic AI or LLMs such as Claude can interact with, transforming your business services into intelligent, AI-driven tools.
What is the Model Context Protocol (MCP)?
At its core, the Model Context Protocol (MCP) is an open specification designed to allow AI models to securely and reliably interact with external tools and services. Think of it as a standardized API contract specifically for AI. It defines how an AI (like Claude) can discover the capabilities (tools) offered by a server, understand how to use them (input/output schemas), and then invoke them.
MCP enables AIs to go beyond their pre-trained knowledge and access real-time, specific information or perform actions in the real world through these tools.
Why make enterprise resources AI-consumable via MCP?
Strategically exposing enterprise resources, such as APIs, internal services, and data sources, to AI through the MCP offers a cascade of significant advantages that can dramatically impact various facets of a business:
- Hyper-personalized experiences: AI can tap into live enterprise data to craft highly contextual and individualized interactions with customers. Imagine a customer service bot that instantly accesses a customer's purchase history and account details to provide tailored support or proactively suggest relevant products.
- Creation of novel service offerings: Businesses can pioneer entirely new, AI-powered services that were previously unimaginable. Think of an AI-driven financial advisor that can analyze a user's complete financial portfolio and offer personalized investment strategies based on real-time market data accessed through MCP.
- Enhanced automation of complex workflows: AI can orchestrate intricate sequences of actions by intelligently invoking various enterprise tools through MCP. For example, an AI could automate the entire process of onboarding a new customer, from verifying their identity to provisioning their access to relevant systems.
- Significant improvements in operational efficiency: Employees can offload time-consuming tasks like data retrieval, information summarization, and routine queries to AI agents powered by MCP. This frees up human capital to focus on more strategic, creative, and complex endeavors.
- Establishment of standardization: MCP provides a universal language for interactions between AI models and enterprise systems. This simplifies the often-complex process of integrating different AI models with diverse backend infrastructure, fostering interoperability and reducing development overhead.
Claude and enterprise MCP integrations
Claude, developed by Anthropic, is a powerful and versatile LLM known for its safety features and conversational abilities. Claude's integration capabilities allow enterprise developers to build their own MCP servers for business services. This means you can define a set of "tools" (representing your business functions) that Claude can understand and invoke. Claude's LLM intelligently decides, based on the user's query, which tool (or sequence of tools) from your MCP server is most appropriate to use to fulfill the request. This allows enterprises to manage these services remotely and connect them seamlessly into Claude's reasoning process.
The crucial role of security and access control
When the power of AI is connected to the sensitive fabric of enterprise data and critical business services, security and access control cease to be mere considerations and become absolute necessities. Neglecting these crucial aspects exposes organizations to a multitude of potentially devastating risks:
- Catastrophic data breaches: Unauthorized access to confidential and sensitive data, including customer information, financial records, and proprietary intellectual property, can lead to severe financial losses, legal liabilities, and irreparable damage to reputation.
- Unauthorized and potentially malicious actions: Without proper controls, AI could be exploited to perform unintended or even malicious actions on enterprise systems, such as initiating fraudulent transactions, making unauthorized modifications to critical data, or disrupting essential services.
- Crippling denial of service attacks: Uncontrolled AI requests, whether intentional or due to flawed logic, can overwhelm enterprise systems, leading to service outages and significant business disruption.
- Severe compliance violations: Failure to implement adequate security measures can result in breaches of stringent data privacy regulations like GDPR or CCPA, leading to hefty fines and legal repercussions.
- Irreversible reputational damage: A security breach involving AI accessing sensitive data can erode customer trust and severely damage the organization's reputation, potentially leading to long-term business consequences.
Proper access controls ensure that only authorized AI instances, acting on behalf of authenticated users or pre-defined processes, can access specific tools and data, adhering to the principle of least privilege.
Architecture: Building a secure, Claude-consumable MCP server
A well-designed architecture is the foundation of a secure and effective MCP implementation. Here's a detailed breakdown of a high-level architecture for establishing a secure, Claude-consumable MCP server:
- Claude (MCP client): The LLM environment where the user interacts. Claude's internal LLM decides which tools to invoke based on the conversation.
- Auth gateway: This acts as a security gateway in front of your enterprise MCP server. Its primary role is to enforce the latest MCP authorization specification:
  - Dynamic client registration (DCR): Allows MCP clients (like Claude) to register themselves with the authorization server, which secures the business services and manages users and their access.
  - Token issuance and validation: Facilitates the OAuth 2.0 flow for clients to obtain tokens from the authorization server (like Asgardeo) and validates incoming tokens on every request to the MCP server.
  - Auth server metadata: Exposes the necessary OAuth 2.0 metadata endpoints (e.g., .well-known/oauth-authorization-server) so clients can discover how to authenticate and obtain tokens.
- Enterprise MCP server: This is your custom-built server that exposes your business services according to the MCP specification.
  - The MCP server can connect to multiple business services and resources in the backend and expose selected capabilities as tools.
- Authorization server: An OAuth 2.0 compliant authorization server, such as Asgardeo, acts as the authorization provider. It handles client registration, user identities (for user-delegated access), and issues access tokens with specific permissions (scopes) to access tools on the MCP server.

Securing the MCP server with OpenMCPAuthProxy and Asgardeo
OpenMCPAuthProxy is an open source project designed to protect your MCP server by implementing the authentication and authorization requirements of the latest MCP authorization specification. While OpenMCPAuthProxy offers a specialized tool for this purpose, it's important to recognize that these critical gating requirements can also be met through other architectural choices. For instance, general-purpose API gateways can be configured to enforce the necessary MCP security protocols, or these authentication and authorization capabilities can be embedded directly within the MCP server implementation itself, depending on architectural preferences and existing infrastructure. The key in all approaches is strict adherence to the MCP authorization specification to ensure robust security and interoperability.
Configuring the authorization server (Asgardeo)
Before Claude (or any MCP client) starts connecting to the MCP server, several foundational configurations must be established within the authorization server (e.g., Asgardeo). This setup ensures that the MCP server and its tools are properly defined as protected resources and that access policies are in place. After deploying the MCP server and OpenMCPAuthProxy, the following steps should be performed in Asgardeo:
- Register the MCP server and its business function "tools" as resources (or scopes) in Asgardeo.
- Define granular OAuth 2.0 scopes for these tools, representing specific permissions (e.g., read customer info).
- Create Asgardeo roles corresponding to user access levels (e.g., CustomerServiceAgent). Assign relevant tool scopes to these roles (e.g., CustomerServiceAgent gets scopes for reading customer info and updating order status).
- Enroll users and assign them to appropriate Asgardeo roles.
This pre-configuration is critical because it forms the basis of the authorization decisions made by Asgardeo when Claude later requests access tokens on behalf of a user. It ensures that the principle of least privilege can be enforced from the outset, allowing only authorized users (through Claude) to access specific tools based on their defined roles and permissions.
Initial setup (DCR - dynamic client registration):
- To integrate successfully, the Claude instance the user is interacting with must be registered as an OAuth 2.0 client. It makes a DCR request to a specific endpoint on the OpenMCPAuthProxy.
- OpenMCPAuthProxy forwards this registration request to the authorization server (e.g., Asgardeo).
- In addition to the standard DCR request, OpenMCPAuthProxy allows registering applications with predefined authentication flows for end-users and resource authorizations for these client applications.
- The authorization server (e.g., Asgardeo) registers the client and returns client details (e.g., client ID) back through the proxy to Claude. It is recommended that these OAuth clients are configured to be public clients and follow the required security standards.
Token acquisition (OAuth 2.0 authorization code grant):
- When Claude needs to interact with the MCP server or use an MCP tool, the MCP remote client uses its pre-configured client credentials to start the authorization process. This begins by directing the user to the authorization server's /authorize endpoint (often accessed through OpenMCPAuthProxy), which initiates the login procedure.
- The authorization server verifies the user's identity and then provides the MCP Client with an authorization code.
- Subsequently, the MCP client exchanges this authorization code for an access token. The authorization server issues this token, typically in JWT format, which contains specific permissions.
Tool invocation:
- Claude makes a request to the desired tool endpoint on the OpenMCPAuthProxy (or equivalent gateway) including the obtained access token in the Authorization: Bearer <token> header.
- The OpenMCPAuthProxy receives the request and validates the access token:
  - Checks the signature (against the authorization server's public keys, e.g., Asgardeo's).
  - Checks the issuer, audience, and expiration.
  - Verifies that the token contains the scopes required for the requested tool.
- If the token is valid and has sufficient permissions, the OpenMCPAuthProxy forwards the request to the backend enterprise MCP server.
- The MCP server processes the request and returns the response.
- The OpenMCPAuthProxy relays the response back to Claude.
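The validation sequence above, written out as an added example that is not part of the original article or of the OpenMCPAuthProxy project: a minimal gateway check in Python that rejects a tool call unless the token's signature, algorithm, issuer, audience, expiry and tool scope all pass. It assumes an HS256 token with a shared key so it runs offline (a production proxy verifies RS256 signatures against the authorization server's published public keys), and the tool-to-scope map, issuer and audience values are constructed for the demo.

```python
from __future__ import annotations
import base64
import hashlib
import hmac
import json
import time

# Constructed tool-to-scope map: each MCP tool requires one OAuth 2.0 scope,
# mirroring the scopes the text says are registered in the authorization server.
TOOL_SCOPES = {"get_customer_info": "read:customer", "update_order_status": "write:order"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(key: bytes, claims: dict) -> str:
    """Stand-in for the authorization server: signs claims as an HS256 JWT (demo only)."""
    signing = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()) + "." + _b64(json.dumps(claims).encode())
    return signing + "." + _b64(hmac.new(key, signing.encode(), hashlib.sha256).digest())

def validate_tool_call(token: str, key: bytes, issuer: str, audience: str, tool: str,
                       now: float | None = None) -> tuple[bool, str]:
    """The gateway's checks before forwarding a tool call; (True, "ok") means forward."""
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(_unb64(h)), json.loads(_unb64(p)), _unb64(s)
    except ValueError:  # covers bad base64, bad JSON and a wrong number of segments
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    # Pin the algorithm: a header claiming "none" or any other alg is rejected before any other check.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature"
    if claims.get("iss") != issuer:
        return False, "wrong issuer"
    aud = claims.get("aud", [])  # aud may be a single string or a list (RFC 7519)
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"
    if (time.time() if now is None else now) >= claims.get("exp", 0):
        return False, "token expired"
    # Unknown tools map to None, which never matches a granted scope, so they are denied too.
    if TOOL_SCOPES.get(tool) not in claims.get("scope", "").split():
        return False, "insufficient scope"
    return True, "ok"
```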
Ensuring privileged access and security
Given that AI models like Claude can autonomously decide to invoke tools based on conversational context, implementing preventative measures against potential misbehavior is paramount. This architecture establishes a robust security framework for privileged access, providing multiple layers of defense and granular control over interactions with the MCP server. The key security mechanisms integrated into this setup offer significant advantages:
- Authentication: This process necessitates explicit user delegation, meaning a human user must actively authorize the client application's request for an access token. This enables human-in-the-loop verification to enhance security and prevent unauthorized access.
- Authorization: As the central authorization server, Asgardeo issues tokens with specific scopes only when the user is authorized and has provided consent. The OpenMCPAuthProxy enforces these scopes, ensuring the client (and by extension, Claude) can only access tools it's explicitly permitted to use (principle of least privilege).
- Token-based security: Access is granted via short-lived, verifiable access tokens, reducing the risk associated with static credentials.
- Centralized policy management: Access policies are managed centrally in Asgardeo, making it easier to update permissions, revoke access, and audit activity.
- Gateway protection: The OpenMCPAuthProxy acts as a choke point, protecting the MCP server from direct exposure and handling all security concerns before requests reach the business logic.
These practices, combined with continuous monitoring and potentially human-in-the-loop approvals for highly sensitive operations, are essential for mitigating risks associated with AI-driven actions on enterprise systems.
Unlocking new possibilities and value
By exposing enterprise services through a well-defined and secure MCP, organizations can empower AI applications to interact with core business logic and data in a controlled and standardized manner. This eliminates the complexities and security risks associated with direct integration, paving the way for a more agile and scalable approach to AI adoption. Making enterprise services AI-consumable through a secure MCP architecture opens up a world of possibilities. Some of the examples are:
Business-to-consumer (B2C):
- Intelligent shopping assistant: An AI-powered assistant that utilizes MCP tools to perform real-time inventory checks, access a customer's past purchases to provide highly relevant product recommendations, answer detailed product inquiries, and even initiate the order placement process seamlessly.
- Dynamic and personalized travel planner: An AI that leverages MCP tools to query up-to-the-minute flight availability and pricing, explore hotel booking options based on user preferences, access real-time local event schedules, and retrieve accurate weather forecasts to construct a fully customized and dynamic travel itinerary.
- Instant and context-aware customer support: An AI agent that employs MCP tools to instantly look up a customer's complete account history, track the status of their recent orders, access detailed product specifications, and retrieve relevant troubleshooting guides to provide immediate, accurate, and contextually appropriate support, resolving issues efficiently.
Business-to-employee (B2E):
- Comprehensive HR assistant: An AI powered by MCP tools that can answer employee inquiries regarding leave policies, benefits packages, navigate complex internal documentation, and guide employees through HR processes, freeing up HR personnel for more strategic initiatives.
- Proactive IT support bot: An AI that utilizes MCP tools to diagnose and troubleshoot common IT issues automatically, check the status of critical systems, guide users through self-service solutions, and, if necessary, automatically generate and route support tickets to the appropriate IT team.
- Insightful sales & marketing data analyst: An AI capable of querying CRM data, analyzing the performance of ongoing marketing campaigns, and extracting key sales figures through MCP tools. This enables the AI to generate on-demand reports, identify emerging trends, and provide valuable insights to inform strategic decision-making in sales and marketing.
Conclusion
In conclusion, the synergy between the MCP and robust security solutions like Asgardeo, facilitated by tools such as the OpenMCPAuthProxy, offers a clear and powerful pathway for enterprises. It's a strategy to not merely connect, but to deeply integrate AI like Claude into the very fabric of business operations. By transforming internal data and services into secure, AI-consumable tools, organizations can move beyond theoretical AI potential to unlock tangible value: unprecedented personalization, innovative service creation, and dramatic gains in operational efficiency. Embracing this secure, standardized approach is paramount for businesses aiming to truly supercharge their AI initiatives and lead in the evolving landscape of intelligent enterprise solutions.