# MCP Server

## Overview

The MCP Server Integration connects IFS Loops to any MCP-compatible server to fetch and execute available tools. It supports two authentication methods — OAuth 2.0 and API Key — depending on what your MCP Server requires, with OAuth required for AWS Bedrock Agent Core.

### Best practices

* Supported Authentication types:
  * **OAuth 2.0 Authentication**
    * MCP Server is protected by an OAuth-compatible Identity Provider (IdP).
    * Examples: Keycloak, Okta, Auth0.
  * **API Key Authentication**
    * MCP Server is protected using a static API key.
    * API key is sent in request headers.
    * No Identity Provider configuration is required.
  * Choose one authentication method (OAuth or API Key) based on what your MCP Server supports. You do not need to configure both. If you are using AWS Bedrock Agent Core, you must select **OAuth** — API Key authentication is not supported.

## Setup instructions

### OAuth-Based MCP Server Configuration

*Follow this section only if your MCP Server uses OAuth authentication.*

*In OAuth-based authentication, the MCP Server is integrated with an Identity Provider, users must create an OAuth client, and IFS Loops uses this OAuth client to authenticate and access the MCP Server.*

*The steps below use **Keycloak** as the example Identity Provider. Similar steps apply for Okta, Auth0, or other providers, though screens and exact steps may differ slightly.*

#### Login

{% stepper %}
{% step %}
Use admin credentials to log in to your identity provider.
{% endstep %}
{% endstepper %}

#### Create a New Scope (Optional)

{% stepper %}
{% step %}
Navigate to the **Client Scopes** section.
{% endstep %}

{% step %}
Click **Create** and provide a **Scope Name**.
{% endstep %}

{% step %}
Set **Type** to **Default** or **Optional**.

1. Enable **Include in Token Scope** if you want this scope to be directly included in access tokens without needing to explicitly pass it during the authorization flow.
2. Otherwise, you can pass the scope manually when adding the MCP Server integration in IFS Loops.

{% endstep %}

{% step %}
Click **Save**.
{% endstep %}
{% endstepper %}

#### Configure a Mapper for Audience

{% stepper %}
{% step %}
Go to the **Mappers** section.
{% endstep %}

{% step %}
Click **Configure New Mapper**.
{% endstep %}

{% step %}
Select **Audience** as the Mapper Type.
{% endstep %}

{% step %}
Enter the unique name and audience value based on your MCP Server configuration.

1. Example: If your MCP Server expects the client ID as the audience in the token, enter it here.
2. For the IFS Loops MCP Server, the MCP Server URL is used as the audience.

{% endstep %}

{% step %}
Click **Save**.
{% endstep %}
{% endstepper %}

#### Create a New OAuth Client

{% stepper %}
{% step %}
Navigate to the **Clients** section and click **Create**.
{% endstep %}

{% step %}
Enter:

* **Client ID**
* **Name**
* **Description**

{% endstep %}

{% step %}
Enable **Client Authentication**.
{% endstep %}

{% step %}
Ensure **Standard Flow** is enabled.
{% endstep %}

{% step %}
Click **Next**.
{% endstep %}
{% endstepper %}

#### Regenerate Token

{% stepper %}
{% step %}
Go to your **SharePoint integration**.
{% endstep %}

{% step %}
Click on the **Edit** button.
{% endstep %}

{% step %}
Navigate to the **Authentication** tab.
{% endstep %}

{% step %}
Click on the **Regenerate Token** button.
{% endstep %}

{% step %}
An Azure login screen will appear. Log in using your credentials.
{% endstep %}

{% step %}
On success, you will see a popup: **"Integration updated successfully"**
{% endstep %}
{% endstepper %}

#### Configure Redirect URIs

*Add redirect URLs based on your IFS Loops cluster:*

* **Concept Cluster:** <https://app.concept.theloops.ai/v1/oauth/callback>
* **IFS EU Cluster:** <https://app.ifs-eu.theloops.ai/v1/oauth/callback>
* **IFS US Cluster:** <https://app.ifs-us.theloops.ai/v1/oauth/callback>
* **Preprod Cluster:** <https://app.preprod.theloops.ai/v1/oauth/callback>
* **Prod US Cluster:** <https://app.prod1.theloops.ai/v1/oauth/callback>
* **Prod EU Cluster:** <https://app.eu.prod1.theloops.ai/v1/oauth/callback>

Click **Save**.

#### Advanced Configuration (Optional)

{% stepper %}
{% step %}
Navigate to the **Advanced** tab.
{% endstep %}

{% step %}
Adjust token lifespans (access token) if needed.
{% endstep %}

{% step %}
Click **Save**.
{% endstep %}
{% endstepper %}

#### Assign Scopes

{% stepper %}
{% step %}
Add required scopes for your client application.
{% endstep %}

{% step %}
Include the **offline\_access** scope if you want to allow refresh tokens for long-term access. You may also include any additional scopes as required.
{% endstep %}
{% endstepper %}

#### Retrieve OAuth Credentials

{% stepper %}
{% step %}
Go to the **Credentials** tab.
{% endstep %}

{% step %}
Copy the **Client Secret**.
{% endstep %}

{% step %}
The following credentials are required when adding the integration in IFS Loops:

* Client ID
* Client Secret
* MCP Server URL
* Scopes
* Audience (optional)

{% endstep %}
{% endstepper %}
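
To confirm that the audience mapper and scope assignment above took effect, decode an access token issued to the new client and compare its claims with what the MCP Server expects. This is an added example, not part of the IFS Loops product or documentation; the host, the `mcp:tools` scope and the sample tokens are constructed, and the payload is decoded without signature verification, so it is a configuration check only.

```python
import base64
import json
import time

def b64url(obj):
    """Base64url-encode a JSON object without padding, as JWT segments are."""
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(claims):
    """Build a constructed, unsigned token for the demonstration only."""
    return ".".join([b64url({"alg": "none"}), b64url(claims), "sig"])

def decode_claims(jwt):
    """Decode the JWT payload WITHOUT verifying the signature."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(claims, expected_audience, required_scopes, now=None):
    """Return a list of configuration problems; an empty list means OK."""
    problems = []
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)  # string or array
    if expected_audience not in aud:
        problems.append(f"audience {expected_audience!r} not in aud {aud}")
    granted = set(claims.get("scope", "").split())  # space-separated scopes
    missing = sorted(set(required_scopes) - granted)
    if missing:
        problems.append(f"missing scopes: {missing}")
    current = now if now is not None else time.time()
    if claims.get("exp", 0) <= current:
        problems.append("token is expired")
    return problems

# Constructed claims: the first matches an audience mapper set to the MCP Server
# URL, the second shows a client where the mapper and scopes were not applied.
GOOD = make_sample_token({"aud": "https://mcp.example.com/mcp",
                          "scope": "mcp:tools offline_access", "exp": 2000})
BAD = make_sample_token({"aud": ["account"], "scope": "profile", "exp": 500})

if __name__ == "__main__":
    for token in (GOOD, BAD):
        print(check_token(decode_claims(token), "https://mcp.example.com/mcp",
                          ["mcp:tools", "offline_access"], now=1000))
```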

#### Configure Inbound OAuth in Bedrock Agent Core Runtime

*Applicable only for AWS Bedrock Agent Core MCP Servers.*

{% stepper %}
{% step %}
After creating OAuth credentials in your Identity Provider, configure **Inbound OAuth** in Amazon Bedrock Agent Core Runtime.
{% endstep %}

{% step %}
Provide:

1. Identity Provider discovery URL
2. Allowed OAuth client details (Client ID)
3. Required scopes and audience values (if applicable)

{% endstep %}

{% step %}
Save and deploy the configuration.

1. This enables Bedrock Agent Core to accept OAuth tokens issued for IFS Loops.

{% endstep %}
{% endstepper %}

### OAuth Integration Flow for MCP Server in IFS Loops

*When adding an MCP Server integration using OAuth, IFS Loops performs the following steps:*

#### Authorization and Token URL Discovery

* IFS Loops dynamically retrieves the Authorization URL and Token URL based on the Identity Provider's API.

#### Ping MCP Server

* While adding an integration, IFS Loops sends a sample ping request to the MCP Server.
  * Example endpoint: `https://domain.com/path/mcp` or `https://example.com/your-path/mcp`.
* If you are using AWS Bedrock Agent Core, IFS Loops uses the following runtime invocation endpoint:
  * `https://bedrock-agentcore.<region>.amazonaws.com/runtimes/<runtime-arn>/invocations?qualifier=<qualifier>`

#### Verify Resource Metadata

* The MCP Server responds with headers including **WWW-Authenticate**, which may contain **resource\_metadata**.
* IFS Loops uses this resource metadata URL to fetch Identity Provider details.
* If the header is missing, IFS Loops uses a fallback URL for resource metadata, such as the standard:
  * `https://{MCP_SERVER_DOMAIN}/.well-known/oauth-protected-resource`
* If you are using AWS Bedrock Agent Core, IFS Loops uses the runtime-based resource metadata endpoint:
  * `https://bedrock-agentcore.<region>.amazonaws.com/runtimes/<runtime-arn>/invocations/.well-known/oauth-protected-resource?qualifier=<qualifier>`

#### Fetch Identity Provider Metadata

* From the resource metadata API response, IFS Loops identifies the authorization server URL (for example, `https://auth.domain.com/realms/master/`).
* IFS Loops requests OAuth metadata from the `{AUTHORIZATION_SERVER_URL}/.well-known/openid-configuration` endpoint to retrieve the Authorization URL and Token endpoint.
* **Fallback Option:** If the above endpoint is not supported, IFS Loops uses `{AUTHORIZATION_SERVER_URL}/.well-known/oauth-authorization-server`.
* From the API response, IFS Loops retrieves the required **Authorization URL** and **Token URL**, which are then used to complete the OAuth authentication flow with the MCP Server.
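
The discovery sequence above as an added Python example, not IFS Loops' own code. The JSON field names (`authorization_servers`, `authorization_endpoint`, `token_endpoint`) follow RFC 9728 and RFC 8414 rather than this page, the HTTPS-only check is an added assumption, and the hosts and responses are constructed.

```python
import re
from urllib.parse import urlsplit

def require_https(url):
    """Reject discovered URLs that would send credentials over cleartext."""
    if urlsplit(url).scheme != "https":
        raise ValueError(f"refusing non-HTTPS URL: {url}")
    return url

def resource_metadata_url(mcp_url, www_authenticate):
    """Use resource_metadata from WWW-Authenticate, else the well-known fallback."""
    match = re.search(r'resource_metadata="([^"]+)"', www_authenticate or "")
    if match:
        return require_https(match.group(1))
    parts = urlsplit(mcp_url)
    return require_https(
        f"{parts.scheme}://{parts.netloc}/.well-known/oauth-protected-resource")

def discover(mcp_url, www_authenticate, fetch_json):
    """fetch_json(url) returns the parsed JSON body, or None if unsupported."""
    rm_url = resource_metadata_url(mcp_url, www_authenticate)
    servers = (fetch_json(rm_url) or {}).get("authorization_servers") or []
    if not servers:
        raise ValueError("resource metadata lists no authorization server")
    issuer = require_https(servers[0]).rstrip("/")
    # Try OpenID Connect discovery first, then the OAuth 2.0 metadata fallback.
    for suffix in ("/.well-known/openid-configuration",
                   "/.well-known/oauth-authorization-server"):
        meta = fetch_json(issuer + suffix)
        if meta:
            break
    else:
        raise ValueError("no authorization server metadata found")
    return {
        "resource_metadata_url": rm_url,
        "metadata_url": issuer + suffix,
        "authorization_url": require_https(meta["authorization_endpoint"]),
        "token_url": require_https(meta["token_endpoint"]),
    }

# Constructed responses standing in for HTTP GETs (hosts are placeholders).
SAMPLE = {
    "https://mcp.example.com/.well-known/oauth-protected-resource": {
        "authorization_servers": ["https://auth.example.com/realms/master/"]},
    "https://auth.example.com/realms/master/.well-known/oauth-authorization-server": {
        "authorization_endpoint": "https://auth.example.com/realms/master/authorize",
        "token_endpoint": "https://auth.example.com/realms/master/token"},
}

if __name__ == "__main__":
    # No WWW-Authenticate hint and no openid-configuration: both fallbacks run.
    print(discover("https://mcp.example.com/path/mcp", None, SAMPLE.get))
```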

### Add MCP Server Integration in IFS Loops

#### Initiate

{% stepper %}
{% step %}
Log in to the IFS Loops platform using your credentials.
{% endstep %}

{% step %}
Navigate to the **Connectors** section from the sidebar.
{% endstep %}

{% step %}
Click on the **Add Integration** button.
{% endstep %}

{% step %}
From the list of available integrations, locate and select **MCP Server**.
{% endstep %}

{% step %}
Provide Integration Details

1. **Integration Name** — Enter a unique name for the integration.
2. **Authentication Type** — Select one of the following and click **Next**:
   * OAuth
   * Token (API Key)
3. **MCP Server URL or Agent Runtime ARN** — Enter the full MCP Server URL (for example, `https://api.example.com/mcp` or `https://example.com/your-path/mcp`). If you are using AWS Bedrock Agent Core, enter the Agent Runtime ARN as the domain.

{% endstep %}
{% endstepper %}

#### How to get the Agent Runtime ARN (AWS Bedrock Agent Core only):

{% stepper %}
{% step %}
Log in to the AWS account where the Bedrock Agent is created.
{% endstep %}

{% step %}
Select the correct AWS Region.
{% endstep %}

{% step %}
In the AWS Console search bar, type **Bedrock** and click **Amazon Bedrock**.
{% endstep %}

{% step %}
Open the **Agents** section from the left-hand menu.
{% endstep %}

{% step %}
Select the Agent you want to integrate with.
{% endstep %}

{% step %}
Click on the Agent name to open the Agent details page.
{% endstep %}

{% step %}
Navigate to the **Aliases** tab.
{% endstep %}

{% step %}
Select the **Agent Alias** being used (for example: prod, qa, or default).
{% endstep %}

{% step %}
On the Alias details page, locate **Agent Runtime ARN** and copy the full ARN.

1. **Example:** `arn:aws:bedrock-agentcore:us-west-2:228145693324:runtime/dev_mcp_runtime-TB1ryl3RKy`

{% endstep %}

{% step %}
**If Authentication Type is OAuth 2.0**, provide the following:

1. **Client ID** — Client ID provided by your Identity Provider.
2. **Client Secret** — Client Secret provided by your Identity Provider.
3. **Region** *(AWS Bedrock only)* — Enter the AWS region where the Bedrock Agent Core runtime is deployed. This field is mandatory for Bedrock Agent Core.
4. **Qualifier** *(AWS Bedrock only)* — Enter the qualifier for the Agent Core runtime. This field is optional. If no value is provided, the system automatically uses the default qualifier: **DEFAULT**.
5. **Scopes** — Enter the required access token scopes. Add **offline\_access** to enable refresh tokens. Use spaces to separate multiple scopes.
6. **Audience (Optional)** — Enter the audience only if your Identity Provider or MCP Server requires it to validate who the access token is issued for.

{% endstep %}

{% step %}
**If Authentication Type is API Key**, provide the following:

1. **API Key** — Enter the API key generated by your MCP Server in the *Token* field.

{% endstep %}

{% step %}
Once all details are entered, click the **Connect** button to proceed.
{% endstep %}

{% step %}
A login screen for your Identity Provider will appear. Log in to grant the required permissions.
{% endstep %}

{% step %}
After successful integration, you will see a popup: **"Integration Configured Successfully"**
{% endstep %}
{% endstepper %}

#### Regenerate Token

{% stepper %}
{% step %}
Go to your **MCP Server integration**. Click on the **Edit** button.
{% endstep %}

{% step %}
Navigate to the **Authentication** tab.
{% endstep %}

{% step %}
Click on the **Regenerate Token** button.
{% endstep %}

{% step %}
A login screen for your Identity Provider will appear. Log in using your credentials.
{% endstep %}

{% step %}
After successful login, you will see the message: **"Integration updated successfully".**
{% endstep %}
{% endstepper %}

#### How to Use the MCP Server Integration in IFS Loops

{% stepper %}
{% step %}
Go to your **MCP Server integration**.
{% endstep %}

{% step %}
Click on the **Edit** button.
{% endstep %}

{% step %}
Go to the **Jobs / Data Ingestion** tab.
{% endstep %}

{% step %}
Select **Ingress Type** as **Full Ingress**.
{% endstep %}

{% step %}
Click on **Start Ingress** to launch the job and pull all available tools.
{% endstep %}

{% step %}
After a few minutes, check the **job status** to confirm it is successful.
{% endstep %}

{% step %}
If successful, navigate to the **Tools** tab.
{% endstep %}

{% step %}
Click on the **Import** button.
{% endstep %}

{% step %}
To import tools:

1. Click on the **View Tool Details** (👁) icon.
2. Then click on **Import.**

{% endstep %}
{% endstepper %}


