Getting started with MCP for AdminUI
AdminUI has been the leading administration tool for IdentityServer for over 8 years, focused on providing a UI for managing Users and IdentityServer configuration. The AI landscape is causing a UX shift from clicking through various menus to using natural language to get the job done. This ability has been made possible by Large Language Models (LLMs) and the Model Context Protocol (MCP). MCP clients use the protocol to discover tools, combine that with an LLM's understanding of natural language, and a prompt can then carry out tasks on your behalf. So while you might previously have asked an admin to add a user or ensure clients are all configured to company best practices, you can now ask an MCP client to do that for you in the same way.
We are delighted to announce that AdminUI 12.0 ships with MCP support, allowing you to query and configure your identity server configuration using natural language. In this article, I will walk through how to configure the VSCode MCP client to work with the AdminUI MCP tool set and discuss the security approach we took to reduce the risk of the AI going rogue.
If you want to experiment with AdminUI MCP outside your normal dev/test environments, the quickest way is to use our AllInOne Docker image.
docker run -it -p 3000:3000 --name allinone rocksolidknowledge/identityserver-dev-sso:dev
When the Docker image starts and prompts you for a license key, just press Enter to use an evaluation key. Access AdminUI from your browser at http://localhost:3000/admin. The default username is [email protected], and the password is Password123!. On first login, you will need to change it.
Assuming you now have an AdminUI up and running, either via Docker or your own instance, let's dive into MCP.
Kicking the MCP Tyres
First, verify that the MCP endpoints are available by visiting your AdminUI root URL and appending /mcp/.well-known/oauth-protected-resource
If you are using the Docker image, then this would be
http://localhost:3000/mcp/.well-known/oauth-protected-resource
The result should look something like this.
{
  "resource": "http://localhost:3000/admin/mcp",
  "authorization_servers": [
    "http://localhost:3000/ids"
  ],
  "bearer_methods_supported": [
    "header"
  ],
  "scopes_supported": [
    "admin_mcp_access"
  ]
}
authorization_servers array: defines the token service that protects the MCP tools.
bearer_methods_supported: indicates that AdminUI expects the access token in the Authorization header, not in the body or as a query argument.
scopes_supported: the set of scopes the MCP client must request from the token service before calling any MCP endpoint, including the tool discovery endpoints.
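As an added example (not AdminUI's own code), the check below reads a protected-resource metadata document like the one above and refuses it if the advertised resource does not match the MCP URL the client is about to call, if tokens are accepted anywhere other than the header, if the required scope is missing, or if a non-local authorization server is offered over plain http. The sample document is a copy of the JSON shown above, embedded so the check runs offline.

```python
"""Validate the OAuth protected-resource metadata AdminUI serves at
/mcp/.well-known/oauth-protected-resource before pointing an MCP client at it."""
import json
from urllib.parse import urlsplit

# Copy of the document shown above, embedded so this runs offline.
SAMPLE_METADATA = """{
  "resource": "http://localhost:3000/admin/mcp",
  "authorization_servers": ["http://localhost:3000/ids"],
  "bearer_methods_supported": ["header"],
  "scopes_supported": ["admin_mcp_access"]
}"""

LOCAL_HOSTS = ("localhost", "127.0.0.1")


def check_resource_metadata(doc: str, mcp_url: str, required_scope: str) -> dict:
    """Parse the metadata and return what an MCP client needs from it.

    Raises ValueError on anything a careful client should refuse:
    - "resource" differs from the URL the client will call (a token issued
      for it would then carry the wrong audience),
    - tokens are accepted anywhere other than the Authorization header,
    - the scope needed to reach the MCP endpoints is not advertised,
    - a non-local authorization server is offered over plain http.
    """
    meta = json.loads(doc)
    if meta.get("resource") != mcp_url:
        raise ValueError(f"resource {meta.get('resource')!r} != {mcp_url!r}")
    methods = meta.get("bearer_methods_supported", [])
    if methods != ["header"]:
        raise ValueError(f"unexpected bearer methods: {methods}")
    servers = meta.get("authorization_servers", [])
    if not servers:
        raise ValueError("no authorization_servers advertised")
    for srv in servers:
        parts = urlsplit(srv)
        if parts.scheme != "https" and parts.hostname not in LOCAL_HOSTS:
            raise ValueError(f"authorization server {srv} is not https")
    if required_scope not in meta.get("scopes_supported", []):
        raise ValueError(f"{required_scope!r} not in scopes_supported")
    return {"authorization_server": servers[0],
            "scopes": list(meta["scopes_supported"])}
```

The resource/URL comparison is the one most worth keeping: the mcp.json below must point at exactly the "resource" value, or the token IdentityServer issues will not be accepted by the MCP endpoint.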
Moving to VSCode
Now that you've verified that AdminUI MCP is available, let's configure VSCode as an MCP client so we can manage our AdminUI configuration using natural language and the AdminUI MCP toolset.
Create an empty folder on your file system; this will be the root folder from which to launch VSCode. Create a subfolder named .vscode and, inside it, create a mcp.json file. The file will contain the connection details to AdminUI MCP. Replace the base URL (http://localhost:3000/admin/) with the URL to your AdminUI if not using the Docker image.
{
  "servers": {
    "adminui": {
      "type": "http",
      "url": "http://localhost:3000/admin/mcp"
    }
  }
}
Once you have saved the file, VSCode will show a Start button next to the configuration. Press the start button, and VSCode will launch a pop-up to create and configure the OAuth client. Press the "Copy URIs & Proceed" button.
Adding VSCode OAuth Client
You can skip this section if using the Docker image
- Open AdminUI
- Create a new web application client, set the client ID to "vscode"
- Set up the two callback URLs; you can get away with just the first one.
- No Logout URI or Shared Secret is required.
- No Identity Scopes are required.
- Ensure you have Require Consent set.
- Add the "Access MCP" scope to the client and the scopes for the other tools that the VSCode MCP client can request on the user's behalf.
At the end of the wizard, you will see the following summary screen. Save the configuration.
Verifying the OAuth Client in Docker
If you are using the Docker image, in AdminUI, navigate to the "vscode" client, then to the Advanced section / Consent, and confirm that "require consent" is set.
Completing the VSCode Setup
Returning to VSCode, you will be prompted to enter the client ID; enter "vscode". When prompted for the secret, press Enter, as the client does not have one. VSCode will now show a pop-up asking for permission to authenticate you against IdentityServer. Press "Allow", and you will be redirected to the IdentityServer login page for AdminUI; log in with the credentials of the account you want the MCP client to act on behalf of. Once successfully authenticated, IdentityServer displays a consent screen asking you to confirm that the MCP client may access the metadata MCP endpoint on behalf of your user account. Confirm the consent, and IdentityServer will redirect you back to VSCode.
Configuring AdminUI
Now that you have configured the MCP client, it's time to give it a whirl. In the chat prompt in VSCode, ask it to
"List all client names"
Once the MCP client has determined which tool to call, the client will send you back to the IdentityServer consent screen to grant access to the IDP Read scope.
You will then confirm access to the scope, and IdentityServer will redirect you back to VSCode to execute the tool.
Why Multiple Scopes
When we designed the MCP tool set, we could have had a single scope for all tools, but this would mean that, as an end user, you would grant the MCP client all your AdminUI access rights. To ensure the MCP client doesn't perform operations without end-user-specific consent, we instead created separate scopes for each tool area, plus read/write/delete actions. This allows users to delegate safely to the MCP client.
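An added example (not AdminUI's implementation) of the gating model described here: one base scope to reach the MCP endpoints at all, then a separate scope per tool area and action, with the server reporting the single missing scope so the client can go back to consent rather than being granted anything implicitly. Only admin_mcp_access comes from this article; the tool names, the "idp"/"users" areas and the <area>_<action> scope naming are assumptions made for the example.

```python
"""Per-tool scope gating as the article describes it: one base scope to reach the
MCP endpoints at all, plus a separate scope per tool area and action.
Only admin_mcp_access is taken from the page; the other names are invented."""
from __future__ import annotations
from dataclasses import dataclass

BASE_SCOPE = "admin_mcp_access"  # advertised in scopes_supported


@dataclass(frozen=True)
class Tool:
    name: str
    area: str    # hypothetical: "idp" for IdentityServer config, "users" for users
    action: str  # "read", "write" or "delete"

    @property
    def required_scope(self) -> str:
        return f"{self.area}_{self.action}"  # hypothetical naming convention


# Constructed sample tool set; AdminUI's real tool names are not on the page.
TOOLS = {t.name: t for t in (
    Tool("list_clients", "idp", "read"),
    Tool("update_client", "idp", "write"),
    Tool("delete_client", "idp", "delete"),
    Tool("list_users", "users", "read"),
)}


def authorize_tool_call(tool_name: str, granted: set[str]) -> tuple[bool, str | None]:
    """Decide whether a token carrying `granted` scopes may invoke `tool_name`.

    Returns (allowed, missing_scope). The missing scope is what the MCP client
    takes back to the consent screen; the server never widens access itself.
    """
    tool = TOOLS.get(tool_name)
    if tool is None:
        return False, None  # unknown tool: refuse, and there is nothing to request
    if BASE_SCOPE not in granted:
        return False, BASE_SCOPE  # cannot even discover tools yet
    if tool.required_scope not in granted:
        return False, tool.required_scope
    return True, None


def scopes_to_request(tool_names: list[str], granted: set[str]) -> set[str]:
    """Scopes a multi-step task (e.g. list clients, then update each) still needs."""
    needed = set()
    for name in tool_names:
        allowed, missing = authorize_tool_call(name, granted)
        if not allowed and missing is not None:
            needed.add(missing)
    return needed
```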
Going Further
The power of LLM + MCP tools is that you can implement some very high-level commands. Consider handing over tasks such as:
- Set all your client access token lifetimes to 30 minutes.
- Which clients are not using PAR
- Enable PAR for all my clients
- Do I have any clients who are using implicit flow?
Using the AdminUI would require a lot of clicking, but now, with the power of LLM + MCP, it is as simple as delegating to a colleague.