# BoxyHQ MCP for AI Agents MCP > Manage enterprise Single Sign-On (SSO) and user provisioning through BoxyHQ’s MCP. This tool lets your AI agent automate complex identity workflows, handling everything from SAML/OIDC connection setup to SCIM directory synchronization. Get instant visibility into security configurations and manage user lifecycles without leaving the chat interface. ## Overview - **Category:** fort-knox - **Price:** Free - **Tags:** sso, saml, oidc, scim, user-provisioning, enterprise-auth, audit-logs ## Description Running enterprise authentication is complicated. You're dealing with multiple tenants, different protocols (SAML, OIDC), and a constant need for an accurate audit trail. With this MCP, you connect your BoxyHQ instance to your preferred AI client and treat identity management like any other workflow. Your agent handles the tedious parts of enterprise authentication and user lifecycle control. Need to prove who has access? Ask it to list all SSO connections or check connection metadata by tenant ID. Setting up a new product requires automated user provisioning? The MCP creates SCIM 2.0 directories instantly, managing user creation and de-provisioning automatically. It also lets you update existing security setups or delete stale credentials when they're no longer needed. Because Vinkius hosts this catalog, your AI client can access BoxyHQ’s full suite of identity tools from one place, so you don't have to switch dashboards just to verify connection health. ## Tools ### add_connection Programmatically adds a new Single Sign-On (SSO) connection, either SAML or OIDC. ### create_directory Sets up and configures a Directory Sync (SCIM) connection for user provisioning. ### delete_connection Removes an existing, outdated SSO connection from the system. ### get_connections Retrieves a list of all active Single Sign-On connections for a given product or tenant. ### get_directory_groups Lists every group belonging to a specific user directory within a client's tenancy. ### get_directory_users Retrieves a list of all active users associated with a given SCIM directory. ### health_check Performs an immediate check on the overall operational health and status of BoxyHQ services. ### update_connection Modifies settings for an already established SSO connection, like changing credentials or metadata. ## Prompt Examples **Prompt:** ``` I need to check which products are using SAML authentication right now. ``` **Response:** ``` **SSO Connection Report** We found 4 active connections: * `Globex Corp`: Protocol (SAML), Last Updated (2024-11-01) * `Internal Portal`: Protocol (SAML), Last Updated (2023-05-20) * `Acme SaaS`: Protocol (OIDC), Last Updated (2024-06-15) * `Client X`: Protocol (Unknown), Status (**Needs Review**) I recommend reviewing the Client X connection details immediately. ``` **Prompt:** ``` Can you set up a new user directory for my client, 'TechCorp'? I need it to sync users right away. ``` **Response:** ``` **Directory Sync Status** The SCIM 2.0 directory for TechCorp has been created successfully. * **Base URL:** `https://sso.boxyhq.com/api/scim/v2.0/techcorp` * **Status:** Active * **Next Step:** Provide this URL to the client's IdP team for immediate user synchronization. Please let me know if you need a different tenant ID. ``` **Prompt:** ``` What are all the active connections in the 'enterprise-portal' product? ``` **Response:** ``` **Connections Found for enterprise-portal** You have 3 connected services: | Client Name | Protocol | Status | Action | | :--- | :--- | :--- | :--- | | Globex Corp | SAML | Active | Inspect Details | | Initech | OIDC | Active | Update Credentials | | Umbrella | SAML | Deprecated | Delete Connection | Which connection would you like to inspect or delete? ``` ## Capabilities ### Manage SSO Connections Add, view, or modify SAML and OIDC connections for specific products and tenants. ### Automate User Provisioning Directories Create SCIM 2.0 directories to manage user accounts across your enterprise applications. ### Audit Identity Connections Retrieve detailed metadata about existing connections using client, product, or tenant IDs. ### Monitor Service Health Check the overall operational status and health of the BoxyHQ service. ## Use Cases ### Onboarding a New Client Product A DevOps engineer needs to integrate a new SaaS offering for a client. Instead of logging into multiple consoles, they prompt their agent: 'Create an Okta SCIM directory for tenant X and product Y.' The MCP uses `create_directory` to automate the entire provisioning foundation. ### Compliance Audit of Credentials A Security Engineer needs to prove which products are using SAML. They prompt: 'List all SSO connections for tenant Acme Corp.' The agent runs `get_connections` and returns a structured list, immediately flagging any non-compliant or unmanaged credentials. ### User Access Review A Product Manager needs to know who is currently active in the system. They ask the agent to 'List all users for the main directory.' The MCP runs `get_directory_users` and provides a real-time list, solving the question of user access immediately. ### Emergency Cleanup The team discovers several old product tenants that were decommissioned months ago. Rather than manually finding them, they ask the agent to 'Delete all connections for product Z.' The MCP uses `delete_connection` instantly. ## Benefits - Audit security configurations instantly. Instead of jumping through dashboard menus, your agent uses `get_connections` to list all SSO links across tenants. - Eliminate manual provisioning steps. Use `create_directory` to set up SCIM 2.0 directories and automate user lifecycle management during onboarding. - Maintain a clean security posture by using `delete_connection` to remove stale or unused credentials when a product is retired. - Speed up deployments with metadata control. The agent can configure Identity Provider metadata using raw XML, bypassing complex GUI inputs. - Handle changes without downtime. If an existing connection needs tweaking, use `update_connection` instead of rebuilding the whole thing. ## How It Works The bottom line is: you manage complex enterprise identity workflows using plain English prompts instead of navigating multiple web dashboards. 1. Subscribe to this MCP on Vinkius, providing your specific BoxyHQ Instance URL and API Key. 2. Tell your AI agent exactly what you need—for example, 'Add a new OIDC connection for client X.' 3. The agent executes the required action against BoxyHQ and reports back the status, connection ID, or user list. ## Frequently Asked Questions **How do I use the BoxyHQ MCP for AI Agents to audit my SSO setup?** You ask your agent to list all connections, specifying the tenant or product ID. It will retrieve detailed metadata, letting you see which credentials are active, when they were last updated, and if anything is stale. This gives you a full security picture without manual clicks. **Can I use BoxyHQ MCP for AI Agents to add new SSO connections?** Yes, your agent can establish new SAML or OIDC links by accepting connection details like metadata URLs. It handles the technical setup and confirms the link is active, saving you from manual configuration. **What if I need to automate user creation for a new client? Does BoxyHQ MCP support that?** Absolutely. You use the MCP to create an SCIM directory connection. This sets up the foundational link, allowing you and your team to automatically provision users into the application from your central identity source. **Is BoxyHQ MCP for AI Agents better than just using a GUI?** It's faster and more reliable. Instead of navigating through multiple dashboards, you describe the action in plain English, and the agent executes the correct tool call instantly. You get structured data right back in your chat window. **Can I delete old or unused connections using BoxyHQ MCP for AI Agents?** Yes, you can safely decommission credentials. By having the agent run a deletion command on an outdated connection, you maintain a clean and compliant security posture instantly.