MCP Tools acting On‑Behalf‑Of Users in Orchestrate Agents
Summary
IBM watsonx Orchestrate now supports "On-Behalf-Of" (OBO) flows with Single Sign-On (SSO) for its Multi-Cloud Platform (MCP) tools, enabling agents to perform actions impersonating users without requiring repeated OAuth approvals. This enhancement streamlines automation by allowing users to authenticate once, after which agents securely access external systems and execute tasks in the background. The system integrates with Identity Providers like Okta for user authentication and Role-Based Access Control (RBAC), where plugins can enforce permissions, such as restricting salary queries to managers. The setup involves configuring MCP tools with JWT verification, setting up OAuth OBO connections, and managing credentials within Orchestrate, with an option to embed agents into custom web chat frontends.
Key takeaway
For AI Engineers building agentic solutions on IBM watsonx Orchestrate, implementing SSO with OAuth On-Behalf-Of flows significantly reduces user friction by eliminating repetitive authentication. You should configure your MCP tools to leverage JWT tokens for secure, impersonated access and utilize Orchestrate plugins for fine-grained Role-Based Access Control, ensuring agents operate within defined user permissions.
Key insights
SSO and OAuth OBO flows in watsonx Orchestrate enable secure, seamless agent impersonation for automated task execution.
Principles
- Automate tasks securely via agent impersonation.
- Enforce RBAC using pre-invoke agent plugins.
Method
Configure MCP tools with JWT verification, set up OAuth OBO connections using `oauth_auth_token_exchange_flow`, and manage credentials via Orchestrate Connections for seamless agent access.
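An added example, not code from the original article or from IBM, of what JWT verification in an MCP tool and the manager-only salary rule amount to: pin the algorithm, check signature, issuer, audience and expiry, then authorize on a group claim. Assumptions: HS256 with a shared secret stands in for the IdP's signing key so the block runs offline on the standard library; the `groups` claim, the `managers` value, the issuer, the audience and all function names are hypothetical; and the role check sits in the tool here rather than in an Orchestrate pre-invoke plugin.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values; a real tool takes these from its IdP configuration.
SECRET = b"demo-shared-secret"      # stand-in for the IdP signing key
ISSUER = "https://idp.example.com"  # hypothetical issuer
AUDIENCE = "hr-mcp-tool"            # hypothetical audience for this tool

def _b64d(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(signing_input, key):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def make_token(claims, key=SECRET, alg="HS256"):
    """Build a constructed sample token, standing in for what the IdP issues."""
    head = _b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = _b64e(_sign(f"{head}.{body}", key))
    return f"{head}.{body}.{sig}"

def verify_token(token, now=None):
    """Return the claims only if alg, signature, iss, aud and exp all check out."""
    try:
        head, body, sig = token.split(".")
        header = dict(json.loads(_b64d(head)))
        claims = dict(json.loads(_b64d(body)))
        sig_ok = hmac.compare_digest(_sign(f"{head}.{body}", SECRET), _b64d(sig))
    except (ValueError, TypeError) as exc:
        raise PermissionError("malformed token") from exc
    # Pin the algorithm on the verifier side; the header is attacker-controlled.
    if header.get("alg") != "HS256" or not sig_ok:
        raise PermissionError("bad algorithm or signature")
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise PermissionError("wrong issuer or audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise PermissionError("token expired or missing exp")
    return claims

def get_salary(token, employee):
    """Tool body: act for the token's subject, and answer only for managers."""
    claims = verify_token(token)
    if "managers" not in claims.get("groups", []):
        raise PermissionError(f"{claims.get('sub')} may not query salaries")
    return f"salary record for {employee} (requested by {claims.get('sub')})"
```

The audience check is what stops a token minted for a different tool from being replayed against this one, which matters once a single sign-on session is exchanged for tokens to several back ends.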
In practice
- Use FastMCP for Python-based MCP tool development.
- Integrate Okta as an OpenID Connect provider.
- Embed watsonx Orchestrate agents into custom web chats.
Topics
- IBM watsonx Orchestrate
- OAuth On-Behalf-Of
- Single Sign On
- Role Based Access Control
- Agentic Tools
Best for: AI Engineer, MLOps Engineer, Software Engineer
Editorial summary, takeaway, and curation by AIssential. Original article published by Niklas Heidloff.