Enterprise Setup Guide

Deploy FAOS MCP integration across your organization with SSO, centralized configuration, and security controls.

Overview

Enterprise deployment involves:

SSO integration with your Identity Provider
Centralized MCP configuration management
Security policies and audit logging
Team onboarding and training

SSO Integration

Supported Identity Providers

Provider	Protocol	Status
Okta	SAML 2.0, OIDC	Supported
Azure AD	SAML 2.0, OIDC	Supported
Google Workspace	OIDC	Supported
OneLogin	SAML 2.0	Supported
Ping Identity	SAML 2.0, OIDC	Supported
Custom SAML	SAML 2.0	Supported

Okta Configuration

Step 1: Create SAML Application in Okta

Log in to Okta Admin Console
Navigate to Applications → Create App Integration
Select SAML 2.0
Configure:
- App name: "FAOS"
- Single sign on URL: https://api.faosx.ai/auth/saml/callback
- Audience URI: urn:faosx:saml
- Name ID format: EmailAddress

Attribute Statements:

email    → user.email
firstName → user.firstName
lastName  → user.lastName
groups    → user.groups (optional)

Download the IdP metadata XML

Step 2: Configure FAOS Admin Portal

Log in to FAOS Admin Portal
Navigate to Settings → Authentication → SSO
Upload Okta metadata XML
Configure attribute mappings
Enable SSO

Step 3: Configure MCP for SSO

{
  "servers": {
    "faos": {
      "command": "faos-mcp",
      "env": {
        "FAOS_API_URL": "https://api.yourcompany.faosx.ai",
        "FAOS_AUTH_METHOD": "sso",
        "FAOS_SSO_DOMAIN": "yourcompany.com",
        "FAOS_SSO_PROVIDER": "okta"
      }
    }
  }
}

Azure AD Configuration

Step 1: Register Application in Azure

Navigate to Azure Portal → Azure Active Directory
App registrations → New registration
Configure:
- Name: "FAOS MCP"
- Redirect URI: https://api.faosx.ai/auth/oidc/callback
- Supported account types: Single tenant
Note the Application (client) ID and Directory (tenant) ID
Create client secret:
- Certificates & secrets → New client secret
- Copy the secret value immediately

Step 2: Configure API Permissions

Add permissions:

openid
profile
email
User.Read

Grant admin consent.

Step 3: Configure FAOS

Provide to FAOS support:

Tenant ID
Client ID
Client Secret (securely)

Centralized Configuration

MDM/Configuration Management

Deploy MCP configuration via your configuration management tool.

macOS (Jamf Pro)

Create a configuration profile to deploy mcp.json to all managed devices.

Windows (Intune/GPO)

Deploy via registry or file:

# PowerShell deployment script
$configPath = "$env:APPDATA\claude\mcp.json"
$config = @{
    servers = @{
        faos = @{
            command = "faos-mcp"
            env = @{
                FAOS_API_URL = "https://api.yourcompany.faosx.ai"
                FAOS_AUTH_METHOD = "sso"
                FAOS_SSO_DOMAIN = "yourcompany.com"
            }
        }
    }
}
$config | ConvertTo-Json -Depth 10 | Set-Content $configPath

Environment-Based Configuration

For organizations with multiple environments:

{
  "servers": {
    "faos-prod": {
      "command": "faos-mcp",
      "env": {
        "FAOS_API_URL": "https://api.faosx.ai",
        "FAOS_AUTH_METHOD": "sso",
        "FAOS_SSO_DOMAIN": "yourcompany.com",
        "FAOS_TENANT_ID": "prod-tenant"
      }
    },
    "faos-staging": {
      "command": "faos-mcp",
      "env": {
        "FAOS_API_URL": "https://staging-api.faosx.ai",
        "FAOS_AUTH_METHOD": "sso",
        "FAOS_SSO_DOMAIN": "yourcompany.com",
        "FAOS_TENANT_ID": "staging-tenant"
      }
    }
  }
}

Security Policies

Network Security

Firewall Allowlist

Allow outbound HTTPS to:

api.faosx.ai (443)
*.faosx.ai (443) for CDN assets
Your SSO provider domains

Proxy Configuration

{
  "servers": {
    "faos": {
      "command": "faos-mcp",
      "env": {
        "FAOS_API_URL": "https://api.faosx.ai",
        "HTTPS_PROXY": "http://proxy.yourcompany.com:8080",
        "NO_PROXY": "localhost,127.0.0.1"
      }
    }
  }
}

Data Security

Data Residency

FAOS supports data residency requirements:

Region	API URL	Data Location
US	`api.faosx.ai`	us-east-1
EU	`api.eu.faosx.ai`	eu-west-1
APAC	`api.ap.faosx.ai`	ap-southeast-1

Encryption

All data encrypted in transit (TLS 1.3)
All data encrypted at rest (AES-256)
Customer-managed keys available (Enterprise+)

Access Control

Role-Based Access

Configure in FAOS Admin Portal:

Role	Agents	Workflows	Metrics	Graph
Developer	All	All	Read	Read
Analyst	analyst, pm	Read-only	All	All
Manager	All	All	All	All
Viewer	None	None	Read	Read

Team Scopes

Restrict access by team:

{
  "FAOS_TEAM_SCOPE": "engineering",
  "FAOS_PROJECT_FILTER": "mobile-*"
}

Audit Logging

What's Logged

All MCP tool invocations are logged:

User identity (from SSO)
Tool name and parameters
Response status
Timestamp and duration
Client metadata (app version, OS)

Accessing Audit Logs

Admin Portal

Navigate to Compliance → Audit Logs

Filter by:

User/team
Date range
Tool type
Status

API Export

# Export audit logs via API
curl -H "Authorization: Bearer $ADMIN_TOKEN" \
  "https://api.faosx.ai/admin/audit/export?start=2026-01-01&end=2026-01-31" \
  -o audit-jan-2026.json

SIEM Integration

Forward logs to your SIEM:

SIEM	Integration
Splunk	HTTP Event Collector
Datadog	Log forwarding API
Elastic	Logstash input
Azure Sentinel	Azure Functions

Configuration in Admin Portal: Integrations → Log Forwarding

Onboarding

Deployment Checklist

Training Resources

Resource	Audience	Duration
Quick Start Video	All users	10 min
Agent Workshop	Power users	1 hour
Admin Training	IT/Admins	2 hours

Support Escalation

Issue Level	Contact	Response Time
P1 (Outage)	Dedicated Slack	1 hour
P2 (Blocking)	support@faosx.ai	4 hours
P3 (Question)	support@faosx.ai	24 hours

Compliance

Certifications

SOC 2 Type II
ISO 27001
GDPR compliant
HIPAA compliant (Healthcare add-on)

Data Processing Agreement

Contact legal@faosx.ai for DPA execution.

Security Questionnaire

Pre-filled SIG Lite available on request.

Support

Enterprise Support:

Dedicated Slack channel
Named support engineer
Quarterly business reviews

Contact: enterprise@faosx.ai

Overview​

SSO Integration​

Supported Identity Providers​

Okta Configuration​

Step 1: Create SAML Application in Okta​

Step 2: Configure FAOS Admin Portal​

Step 3: Configure MCP for SSO​

Azure AD Configuration​

Step 1: Register Application in Azure​

Step 2: Configure API Permissions​

Step 3: Configure FAOS​

Centralized Configuration​

MDM/Configuration Management​

macOS (Jamf Pro)​

Windows (Intune/GPO)​

Environment-Based Configuration​

Security Policies​

Network Security​

Firewall Allowlist​

Proxy Configuration​

Data Security​

Data Residency​

Encryption​

Access Control​

Role-Based Access​

Team Scopes​

Audit Logging​

What's Logged​

Accessing Audit Logs​

Admin Portal​

API Export​

SIEM Integration​

Onboarding​

Deployment Checklist​

Training Resources​

Support Escalation​

Compliance​

Certifications​

Data Processing Agreement​

Security Questionnaire​

Support​