MCP Server
Overview
The MCP Server Integration connects IFS Loops to any MCP-compatible server to fetch and execute available tools. It supports two authentication methods, OAuth 2.0 and API Key, depending on what your MCP Server requires, with OAuth required for AWS Bedrock Agent Core.
Best practices
Supported Authentication types:
OAuth 2.0 Authentication
MCP Server is protected by an OAuth-compatible Identity Provider (IdP).
Examples: Keycloak, Okta, Auth0.
API Key Authentication
MCP Server is protected using a static API key.
API key is sent in request headers.
No Identity Provider configuration is required.
Choose one authentication method (OAuth or API Key) based on what your MCP Server supports. You do not need to configure both. If you are using AWS Bedrock Agent Core, you must select OAuth; API Key authentication is not supported.
Setup instructions
OAuth-Based MCP Server Configuration
Follow this section only if your MCP Server uses OAuth authentication.
In OAuth-based authentication, the MCP Server is integrated with an Identity Provider, users must create an OAuth client, and IFS Loops uses this OAuth client to authenticate and access the MCP Server.
The steps below use Keycloak as the example Identity Provider. Similar steps apply for Okta, Auth0, or other providers, though screens and exact steps may differ slightly.
Login
Use admin credentials to log in to your identity provider.
Create a New Scope (Optional)
Navigate to the Client Scopes section.
Click Create and provide a Scope Name.
Set Type to Default or Optional.
Enable Include in Token Scope if you want this scope to be directly included in access tokens without needing to explicitly pass it during the authorization flow.
Otherwise, you can pass the scope manually when adding the MCP Server integration in IFS Loops.
Click Save.
Configure a Mapper for Audience
Go to the Mappers section.
Click Configure New Mapper.
Select Audience as the Mapper Type.
Enter the unique name and audience value based on your MCP Server configuration.
Example: If your MCP Server expects the client ID as the audience in the token, enter it here.
For the IFS Loops MCP Server, the MCP Server URL is used as the audience.
Click Save.
Create a New OAuth Client
Navigate to the Clients section and click Create.
Enter:
Client ID
Name
Description
Enable Client Authentication.
Ensure Standard Flow is enabled.
Click Next.
Regenerate Token
Go to your SharePoint integration.
Click on the Edit button.
Navigate to the Authentication tab.
Click on the Regenerate Token button.
An Azure login screen will appear. Log in using your credentials.
On success, you will see a popup: "Integration updated successfully"
Configure Redirect URIs
Add redirect URLs based on your IFS Loops cluster:
Concept Cluster: https://app.concept.theloops.ai/v1/oauth/callback
IFS EU Cluster: https://app.ifs-eu.theloops.ai/v1/oauth/callback
IFS US Cluster: https://app.ifs-us.theloops.ai/v1/oauth/callback
Preprod Cluster: https://app.preprod.theloops.ai/v1/oauth/callback
Prod US Cluster: https://app.prod1.theloops.ai/v1/oauth/callback
Prod EU Cluster: https://app.eu.prod1.theloops.ai/v1/oauth/callback
Click Save.
Advanced Configuration (Optional)
Navigate to the Advanced tab.
Adjust token lifespans (access token) if needed.
Click Save.
Assign Scopes
Add required scopes for your client application.
Include the offline_access scope if you want to allow refresh tokens for long-term access. You may also include any additional scopes as required.
Retrieve OAuth Credentials
Go to the Credentials tab.
Copy the Client Secret.
The following credentials are required when adding the integration in IFS Loops:
Client ID
Client Secret
MCP Server URL
Scopes
Audience (optional)
Configure Inbound OAuth in Bedrock Agent Core Runtime
Applicable only for AWS Bedrock Agent Core MCP Servers.
After creating OAuth credentials in your Identity Provider, configure Inbound OAuth in Amazon Bedrock Agent Core Runtime.
Provide:
Identity Provider discovery URL
Allowed OAuth client details (Client ID)
Required scopes and audience values (if applicable)
Save and deploy the configuration.
This enables Bedrock Agent Core to accept OAuth tokens issued for IFS Loops.
OAuth Integration Flow for MCP Server in IFS Loops
When adding an MCP Server integration using OAuth, IFS Loops performs the following steps:
Authorization and Token URL Discovery
IFS Loops dynamically retrieves the Authorization URL and Token URL based on the Identity Provider's API.
Ping MCP Server
While adding an integration, IFS Loops sends a sample ping request to the MCP Server.
Example endpoint:
https://domain.com/path/mcp or https://example.com/your-path/mcp.
If you are using AWS Bedrock Agent Core, IFS Loops uses the following runtime invocation endpoint:
https://bedrock-agentcore.<region>.amazonaws.com/runtimes/<runtime-arn>/invocations?qualifier=<qualifier>
Verify Resource Metadata
The MCP Server responds with headers including WWW-Authenticate, which may contain resource_metadata.
IFS Loops uses this resource metadata URL to fetch Identity Provider details.
If the header is missing, IFS Loops uses a fallback URL for resource metadata, such as the standard:
https://{MCP_SERVER_DOMAIN}/.well-known/oauth-protected-resource.
If you are using AWS Bedrock Agent Core, IFS Loops uses the runtime-based resource metadata endpoint:
https://bedrock-agentcore.<region>.amazonaws.com/runtimes/<runtime-arn>/invocations/.well-known/oauth-protected-resource?qualifier=<qualifier>
Fetch Identity Provider Metadata
From the resource metadata API response, IFS Loops identifies the authorization server URL (for example, https://auth.domain.com/realms/master/).
IFS Loops requests OAuth metadata from the {AUTHORIZATION_SERVER_URL}/.well-known/openid-configuration endpoint to retrieve the Authorization URL and Token endpoint.
Fallback Option: If the above endpoint is not supported, IFS Loops uses {AUTHORIZATION_SERVER_URL}/.well-known/oauth-authorization-server.
From the API response, IFS Loops retrieves the required Authorization URL and Token URL, which are then used to complete the OAuth authentication flow with the MCP Server.
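The discovery sequence above, written out as an added Python example (not IFS Loops code). The HTTPS and issuer-match checks, the `fetch_json` callback, and the example.com hosts and responses are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

OIDC = "/.well-known/openid-configuration"
OAUTH_AS = "/.well-known/oauth-authorization-server"

def require_https(url):
    """Added check (assumption): only follow absolute https:// URLs."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"refusing non-HTTPS URL: {url!r}")
    return url

def resource_metadata_url(mcp_url, www_authenticate):
    """Use resource_metadata from WWW-Authenticate, else the well-known fallback."""
    match = re.search(r'resource_metadata="([^"]+)"', www_authenticate or "")
    if match:
        return require_https(match.group(1))
    host = urlsplit(require_https(mcp_url)).netloc
    return f"https://{host}/.well-known/oauth-protected-resource"

def discover_endpoints(mcp_url, www_authenticate, fetch_json):
    """fetch_json(url) is a hypothetical callback: dict, or None if unsupported."""
    resource = fetch_json(resource_metadata_url(mcp_url, www_authenticate))
    if not resource or not resource.get("authorization_servers"):
        raise ValueError("resource metadata lists no authorization server")
    issuer = require_https(resource["authorization_servers"][0]).rstrip("/")
    # openid-configuration first, oauth-authorization-server as the fallback.
    meta = fetch_json(issuer + OIDC) or fetch_json(issuer + OAUTH_AS)
    if not meta:
        raise ValueError("authorization server publishes no metadata")
    # Added check (assumption): metadata must name the issuer it was fetched for.
    if str(meta.get("issuer", "")).rstrip("/") != issuer:
        raise ValueError("issuer mismatch in authorization server metadata")
    return (require_https(meta.get("authorization_endpoint", "")),
            require_https(meta.get("token_endpoint", "")))

# Constructed sample responses keyed by URL; hosts are placeholders.
AS = "https://auth.example.com/realms/master"
META = {"issuer": AS, "authorization_endpoint": AS + "/protocol/openid-connect/auth",
        "token_endpoint": AS + "/protocol/openid-connect/token"}
SAMPLE = {
    "https://mcp.example.com/meta/resource": {"authorization_servers": [AS + "/"]},
    "https://mcp.example.com/.well-known/oauth-protected-resource": {"authorization_servers": [AS]},
    AS + OAUTH_AS: META,  # this constructed server has no openid-configuration
}
if __name__ == "__main__":
    header = 'Bearer resource_metadata="https://mcp.example.com/meta/resource"'
    print(discover_endpoints("https://mcp.example.com/your-path/mcp", header, SAMPLE.get))
```

In a real client, `fetch_json` would be an HTTP GET with a timeout that returns None on a 404, so the fallback order stays the same.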
Add MCP Server Integration in IFS Loops
Initiate
Log in to the IFS Loops platform using your credentials.
Navigate to the Connectors section from the sidebar.
Click on the Add Integration button.
From the list of available integrations, locate and select MCP Server.
Provide Integration Details
Integration Name: Enter a unique name for the integration.
Authentication Type: Select one of the following and click Next:
OAuth
Token (API Key)
MCP Server URL or Agent Runtime ARN: Enter the full MCP Server URL (for example, https://api.example.com/mcp or https://example.com/your-path/mcp). If you are using AWS Bedrock Agent Core, enter the Agent Runtime ARN as the domain.
How to get the Agent Runtime ARN (AWS Bedrock Agent Core only):
Log in to the AWS account where the Bedrock Agent is created.
Select the correct AWS Region.
In the AWS Console search bar, type Bedrock and click Amazon Bedrock.
Open the Agents section from the left-hand menu.
Select the Agent you want to integrate with.
Click on the Agent name to open the Agent details page.
Navigate to the Aliases tab.
Select the Agent Alias being used (for example: prod, qa, or default).
On the Alias details page, locate Agent Runtime ARN and copy the full ARN.
Example:
arn:aws:bedrock-agentcore:us-west-2:228145693324:runtime/dev_mcp_runtime-TB1ryl3RKy
If Authentication Type is OAuth 2.0, provide the following:
Client ID: Client ID provided by your Identity Provider.
Client Secret: Client Secret provided by your Identity Provider.
Region (AWS Bedrock only): Enter the AWS region where the Bedrock Agent Core runtime is deployed. This field is mandatory for Bedrock Agent Core.
Qualifier (AWS Bedrock only): Enter the qualifier for the Agent Core runtime. This field is optional. If no value is provided, the system automatically uses the default qualifier: DEFAULT.
Scopes: Enter the required access token scopes. Add offline_access to enable refresh tokens. Use spaces to separate multiple scopes.
Audience (Optional): Enter the audience only if your Identity Provider or MCP Server requires it to validate who the access token is issued for.
If Authentication Type is API Key, provide the following:
API Key: Enter the API key generated by your MCP Server in the Token field.
Once all details are entered, click the Connect button to proceed.
A login screen for your Identity Provider will appear. Log in to grant the required permissions.
After successful integration, you will see a popup: "Integration Configured Successfully"
Regenerate Token
Go to your MCP Server integration. Click on the Edit button.
Navigate to the Authentication tab.
Click on the Regenerate Token button.
A login screen for your Identity Provider will appear. Log in using your credentials.
After successful login, you will see the message: "Integration updated successfully".
How to Use the MCP Server Integration in IFS Loops
Go to your MCP Server integration.
Click on the Edit button.
Go to the Jobs / Data Ingestion tab.
Select Ingress Type as Full Ingress.
Click on Start Ingress to launch the job and pull all available tools.
After a few minutes, check the job status to confirm it is successful.
If successful, navigate to the Tools tab.
Click on the Import button.
To import tools:
Click on the View Tool Details icon.
Then click on Import.