Set up organization SSO

Organization owners and admins can configure SAML single sign-on from Settings without leaving the MCP Stack dashboard.

What the setup does#

The setup flow creates a short-lived SSO setup session for the organization and runs the setup steps directly inside the dashboard. The hosted setup portal remains available to system admins from the internal admin dashboard.

During setup you will:

1. Choose an identity provider.
2. Verify the organization's email domain.
3. Copy the service provider Entity ID and ACS URL into the identity provider.
4. Import IdP SAML metadata.
5. Activate and test the connection.

Domain verification#

MCP Stack verifies domain ownership with a DNS TXT record. It does not require Azure DNS, a DNS provider API key, or provider-specific write access.

When you enter a domain, the dashboard shows a TXT record like:

Type: TXT
Name: _mcpstack-verify.example.com
Value: mcpstack-domain-verification=...

Add the record at your DNS provider, then click Check DNS. MCP Stack performs read-only public DNS-over-HTTPS lookups and compares the TXT value exactly. DNS propagation can take a few minutes depending on the provider and TTL.

Home-realm discovery#

After the domain is verified and the SSO connection is active, users with matching email domains are routed to the organization's SSO provider during sign-in. Unverified domains are not used for home-realm discovery.

Troubleshooting#

If Check DNS fails:

• Confirm the TXT record name includes _mcpstack-verify.
• Confirm the value matches exactly, including the mcpstack-domain-verification= prefix.
• Wait for DNS propagation and try again.
• Check whether your DNS provider stores TXT values with quotes; this is normal, but the final resolved value must match exactly.

If activation is blocked, verify the domain first and then import valid SAML metadata with a signing certificate and SSO URL.