
One Login to Rule Them All: Cross-App Access for MCP — Garrett Galow, WorkOS

3.4K views · Apr 28, 2026 · 23:24 min

Takeaway

Cross-App Access via the corporate IDP eliminates per-MCP consent screens and restores enterprise revocation/visibility that today's MCP OAuth flow breaks.

Summary

  • Garrett Galow of WorkOS (which powers SSO for Anthropic, Cursor, OpenAI) argues MCP's OAuth-everywhere model breaks enterprise SSO and produces consent-screen fatigue.
  • IT loses visibility: arbitrary clients (Cursor, DeepSeek) can hold standing access tokens for weeks after offboarding because revocation via SCIM isn't universal.
  • Solution: Cross-App Access (XAA) lets an IDP (Okta/Entra) act as trust broker between MCP client and server, so credentials are issued without per-server consent screens.
  • Demo: Claude Code with XAA, logged into Okta once, auto-connects to the Figma MCP server with no clicks and no consent dialog.
  • Behind the scenes: four entities (client, IDP, resource auth server, resource server) exchange tokens through the IDP relationship both apps already trust.
Tags: mcp, auth, enterprise

Original description

Connecting a coding agent to multiple services often means facing a dozen OAuth consent screens, a dozen token lifecycles, and a dozen chances for something to break. Despite having Single Sign-On, users still find themselves signing in repeatedly.

This talk explores how Cross-App Access leverages a three-way trust between the MCP client, the MCP server, and the organization's Identity Provider to simplify authentication. Through the Identity Assertion Authorization Grant flow, a single SSO login is transformed into access tokens across every MCP server, offering seamless access to all applications. The session will also highlight what this pattern enables for agent identity beyond MCP.

Speaker info:
https://www.linkedin.com/in/garrett-galow/