
Teams

Organize users into logical groups and control their access to MCP Servers and Agent Personas. Teams integrate with your Identity Provider (IdP) to automatically assign users based on SSO group membership, enabling scalable role-based access control.

Overview

Teams provide a layer of access control that determines which MCP Servers and Agent Personas users can access. Key concepts:

  • SSO Group Mapping: Automatically assign users to teams based on their IdP group membership
  • Resource Assignment: Control which MCP Servers and Personas each team can access
  • Public by Default: Resources without team assignments remain accessible to all authenticated users
  • Intersection Logic: When a Persona is assigned to multiple teams, only shared resources are accessible

Key Features

SSO Group Integration

Map IdP groups directly to AI Gateway teams. When users log in, their group memberships are automatically evaluated and team access is granted in real time.

| IdP Provider | Group Claim | Setup Guide |
| --- | --- | --- |
| Microsoft Entra ID | groups claim in SAML/OIDC | Configure Entra Group Claims |
| Google Workspace | Groups attribute in SAML | Configure Google Workspace Group Claims |
| Okta | Group membership | Coming soon |

Access Control Model

Teams use a "public by default" model with flexible access control:

| Resource Configuration | Visibility |
| --- | --- |
| No teams assigned | Public - visible to all authenticated users |
| Teams assigned | Restricted - visible only to team members |

Bidirectional Sync

Team assignments are automatically synchronized:

  • Assign MCP Servers to teams from either the Team detail page or MCP Server settings
  • Assign Personas to teams from either the Team detail page or Persona creation wizard
  • Removing a resource automatically updates all related team assignments

Use Cases

Department-Based Access

Create teams for each department with access to relevant tools:

Example: Engineering Team

  • Access to GitLab, Jira, and internal DevOps MCP servers
  • Engineering SSO group: engineering@company.com or Engineering Department

Example: Sales Team

  • Access to Salesforce, HubSpot, and CRM MCP servers
  • Sales SSO group: sales@company.com or Sales Department

Project-Based Access

Create temporary teams for cross-functional projects:

Example: Product Launch Team

  • Members from Engineering, Marketing, and Sales
  • Access to shared project tools and documentation servers
  • Multiple SSO groups can map to the same team

Compliance & Security

Restrict sensitive tools to authorized personnel:

Example: Security Operations Team

  • Access to security monitoring and incident response MCP servers
  • Strict SSO group membership controlled by IT/Security admins

Creating a Team

Prerequisites

  • Super Admin, Tenant Admin, or Platform Operator role
  • SSO configured with your Identity Provider
  • IdP groups created for team membership (see IdP Setup Guides)

Step 1: Navigate to Teams

  1. Log in to the Cequence AI Gateway portal
  2. Click Access → Teams in the left navigation
  3. Click Create Team

Step 2: Configure Team Details

  1. Enter a Team Name (required)
  2. Add a Description to explain the team's purpose (optional)
  3. Add SSO Groups that should be mapped to this team:
    • Type the exact group name or ID from your IdP
    • Press Enter to add each group
    • Multiple groups can be added (users matching ANY group join the team)

Finding SSO Group Names

The SSO group name must match exactly what your IdP sends in the token. See the IdP Setup Guides for instructions on finding or configuring group names for your provider.

Step 3: Click Create

Your team is created and ready for resource assignment. Users with matching SSO groups will automatically join on their next login.

Assigning Resources to Teams

Assigning MCP Servers

From the Team Detail Page:

  1. Navigate to Access → Teams
  2. Click on the team name to open details
  3. Go to the MCP Servers tab
  4. Click Assign Servers
  5. Select the MCP servers to assign
  6. Click Save

From the MCP Server Settings:

  1. Navigate to MCP Registry
  2. Click on an MCP server
  3. Go to Settings → Access Control
  4. Select teams that should have access
  5. Click Save

Assigning Agent Personas

During Persona Creation:

  1. Open the Create Agent Persona wizard and go to Step 1 (Basic Info)
  2. Select one or more teams in the Teams dropdown
  3. Continue with persona creation

From the Team Detail Page:

  1. Navigate to Access → Teams
  2. Click on the team name
  3. Go to the Agent Personas tab
  4. Click Assign Personas
  5. Select the personas to assign
  6. Click Save

Intersection Logic for Personas

When creating a Persona assigned to multiple teams, only MCP Servers accessible by ALL selected teams will be available for tool selection. This prevents unauthorized access escalation.

Example: If you select both "Engineering" and "Design" teams for a Persona:

  • Only MCP Servers that BOTH teams can access appear in tool selection
  • Public MCP Servers (no team assignment) are always available

Access Control Behavior

For Employees (Non-Admin Users)

| Scenario | MCP Server Access | Persona Access |
| --- | --- | --- |
| User in no teams, no teams configured | All resources (graceful adoption) | All resources |
| User in no teams, teams configured | Public resources only | Public resources only |
| User in Team A | Public + Team A resources | Public + Team A resources |
| User in Teams A and B | Public + Team A + Team B resources | Public + Team A + Team B resources |

For Admins

Admins (Super Admin, Tenant Admin, Platform Operator, Security Admin, Network Admin) bypass team-based access control and can see all resources regardless of team membership.
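
The rules from the Intersection Logic note and the two access-control sections above, modelled as an added example (not Cequence's code). Team, group and server names are constructed sample data, and the function names are hypothetical.

```python
# Added model of the documented rules; all names and data here are constructed.
ADMIN_ROLES = {"Super Admin", "Tenant Admin", "Platform Operator",
               "Security Admin", "Network Admin"}

# team -> SSO groups mapped to it (a user matching ANY group joins the team)
TEAM_SSO = {
    "Engineering": {"engineering@company.com", "Engineering Department"},
    "Design": {"design@company.com"},
}
# MCP server -> teams assigned to it; an empty set means "public"
SERVER_TEAMS = {
    "gitlab": {"Engineering"},
    "figma": {"Design"},
    "jira": {"Engineering", "Design"},
    "wiki": set(),
}

def teams_for(idp_groups, team_sso=TEAM_SSO):
    """Teams joined at login: exact, case-sensitive match on any mapped group."""
    return {t for t, groups in team_sso.items() if groups & set(idp_groups)}

def visible_servers(idp_groups, role="Employee",
                    team_sso=TEAM_SSO, server_teams=SERVER_TEAMS):
    """MCP servers a user can see under the employee and admin rules."""
    if role in ADMIN_ROLES or not team_sso:
        # Admins bypass teams; with no teams configured everything is visible.
        return set(server_teams)
    mine = teams_for(idp_groups, team_sso)
    # Public servers, plus servers assigned to at least one of the user's teams.
    return {s for s, teams in server_teams.items() if not teams or teams & mine}

def persona_selectable(selected_teams, server_teams=SERVER_TEAMS):
    """Servers offered for a multi-team Persona: public ones plus those that
    ALL selected teams can access (intersection, never union)."""
    wanted = set(selected_teams)
    return {s for s, teams in server_teams.items() if not teams or wanted <= teams}
```

Note the asymmetry: a user in two teams sees the union of both teams' servers, while a Persona assigned to two teams is offered only their intersection.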

Managing Teams

Viewing Team Members

Team membership is dynamic based on SSO group matching:

  1. Navigate to Access → Teams
  2. Click on a team name
  3. View the SSO Mappings tab to see configured group mappings
  4. Current members are determined at login time based on IdP groups

Dynamic Membership

Unlike traditional group systems, team membership is evaluated in real time during authentication. Changes to IdP group membership take effect on the user's next login.

Editing a Team

  1. Navigate to Access → Teams
  2. Click on the team name
  3. Click Edit (pencil icon)
  4. Modify name, description, or SSO mappings
  5. Click Save

Deleting a Team

  1. Navigate to Access → Teams
  2. Click on the team name
  3. Click Delete
  4. Confirm the deletion

Resource Access After Deletion

When a team is deleted:

  • Users lose access to team-restricted resources
  • MCP Servers previously assigned to the team become public (if no other teams assigned) or remain accessible only to remaining teams
  • The team is automatically removed from all assigned Personas
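
Because a resource with no remaining team becomes public, it helps to preview a deletion first. The following is an added example, not part of the product: the function name and the inventory are constructed, and treating a Persona left with no team as public is an inference from the "Public by Default" rule above.

```python
def deletion_impact(team, server_teams, persona_teams):
    """Preview what deleting `team` does under the public-by-default rule.

    server_teams / persona_teams map a resource name to the set of teams
    currently assigned to it (an empty set means the resource is public).
    """
    def split(assignments):
        opens, stays = [], []
        for name in sorted(assignments):
            teams = assignments[name]
            if team in teams:
                # Other teams remain -> still restricted; none remain -> public.
                (stays if teams - {team} else opens).append(name)
        return opens, stays

    servers_open, servers_stay = split(server_teams)
    personas_open, personas_stay = split(persona_teams)
    return {
        "servers_become_public": servers_open,
        "servers_still_restricted": servers_stay,
        # Assumption: a Persona with no team left is treated as public.
        "personas_left_without_team": personas_open,
        "personas_keep_other_teams": personas_stay,
    }

# Constructed sample inventory for a Security Operations team.
SAMPLE_SERVERS = {
    "siem": {"SecOps"},
    "ir-runbooks": {"SecOps", "Engineering"},
    "wiki": set(),
}
SAMPLE_PERSONAS = {
    "incident-analyst": {"SecOps"},
    "on-call-helper": {"SecOps", "Engineering"},
}

def sample_impact():
    return deletion_impact("SecOps", SAMPLE_SERVERS, SAMPLE_PERSONAS)
```

Anything listed under `servers_become_public` should be reassigned to another team before the delete is confirmed if it must stay restricted.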

IdP Setup Guides

Configure your Identity Provider to send group claims that AI Gateway can use for team mapping:

Microsoft Entra ID (Azure AD)

Configure group claims in your Entra ID SAML/OIDC setup to include the user's group memberships in the authentication token.

Configure Microsoft Entra Group Claims →

Google Workspace

Configure group membership in your Google Workspace SAML app to include the user's group memberships in the authentication response.

Configure Google Workspace Group Claims →

Okta

Coming soon - Configure Okta group membership claims for team mapping.

Best Practices

Security

  • Use SSO groups: Leverage your existing IdP groups rather than manual membership
  • Principle of least privilege: Only assign teams to resources they need
  • Regular audits: Review team assignments and SSO mappings periodically
  • Separate sensitive resources: Create dedicated teams for compliance-sensitive tools

Organization

  • Consistent naming: Use clear, descriptive team names (e.g., "Engineering - Platform Team")
  • Document SSO mappings: Record which IdP groups map to which teams
  • Align with org structure: Mirror your organizational hierarchy for intuitive access control

Performance

  • Minimize team sprawl: Consolidate teams where possible to reduce complexity
  • Use public access for shared resources: Don't create teams just for widely-used resources

Troubleshooting

Users Not Seeing Expected Resources

Issue: User should have access but can't see MCP servers or Personas

Solution:

  1. Verify the user's IdP groups include the team's SSO mapping
  2. Check that the resource is assigned to the user's team
  3. Have the user log out and log back in (membership is evaluated at login)
  4. Verify the SSO group name matches exactly (case-sensitive)

SSO Groups Not Working

Issue: Team SSO mapping configured but users aren't joining

Solution:

  1. Verify your IdP is configured to send group claims (see IdP Setup Guides)
  2. Check the exact group name/ID your IdP sends
  3. Ensure the group claim attribute is correctly mapped in your SSO configuration
  4. Verify the SSO mapping rule is enabled (not disabled)
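
A diagnostic for the exact-match checks in the two troubleshooting lists above, as an added example that is not part of the product. It compares the groups taken from a user's token with a team's configured SSO mappings; the function names and sample values are constructed.

```python
import re
import unicodedata

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def _norm(value):
    # Fold case, surrounding whitespace and Unicode compatibility forms.
    return unicodedata.normalize("NFKC", value).strip().casefold()

def diagnose_mapping(token_groups, sso_mappings):
    """Classify each configured mapping against the groups the IdP sent.

    "match"     - identical string, the user joins the team
    "near-miss" - differs only by case or whitespace, so the user does NOT join
    "absent"    - nothing similar was sent in the token
    """
    sent = set(token_groups)
    by_norm = {}
    for group in token_groups:
        by_norm.setdefault(_norm(group), group)
    report = {}
    for mapping in sso_mappings:
        if mapping in sent:
            report[mapping] = ("match", mapping)
        elif _norm(mapping) in by_norm:
            report[mapping] = ("near-miss", by_norm[_norm(mapping)])
        else:
            report[mapping] = ("absent", None)
    return report

def ids_only(token_groups):
    """True when every group is GUID-shaped, e.g. an IdP that sends group
    object IDs rather than display names; map the ID, not the name."""
    return bool(token_groups) and all(GUID.match(g) for g in token_groups)

# Constructed sample: groups as received vs. mappings typed into the team.
SAMPLE_TOKEN_GROUPS = ["Engineering Department ", "sales@Company.com", "SecOps"]
SAMPLE_MAPPINGS = ["Engineering Department", "sales@company.com", "SecOps", "Finance"]

def sample_report():
    return diagnose_mapping(SAMPLE_TOKEN_GROUPS, SAMPLE_MAPPINGS)
```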

Persona Tool Selection Empty

Issue: When creating a Persona with teams selected, no MCP servers appear

Solution:

  1. This occurs when selected teams have no common MCP Server access (intersection logic)
  2. Verify at least one MCP Server is assigned to ALL selected teams
  3. Public MCP Servers should always appear - check if any exist
  4. Consider reducing the number of teams assigned to the Persona

Admin Can't See Team Restrictions

Issue: Admin user sees all resources regardless of team settings

Solution: This is expected behavior. Admins bypass team-based access control by design. To test team restrictions, use a non-admin account.

Getting Help

If you encounter issues not covered in this documentation:

  • Support: Contact your organization's administrator
  • Community: Reach out to Cequence support