---
title: "CitC Identity Provider MCP"
type: "MCP Server"
slug: "citc"
icon: "manage_accounts"
category: "Identity & Access"
tags: ["Identity", "Auth", "Roles", "Organizations", "Parameters", "OIDC"]
installs: "0"
author: "Medisolv Platform Team"
authorInitial: "M"
lastUpdated: "2026-03-26"
popularity: "5.0/5"
reviewCount: "New"
platformTags: ["v1.3", "Internal"]
securityBadges:
  - label: "Auth"
    status: "Bearer Token or Browser OAuth"
  - label: "Scope"
    status: "Internal Use Only"
installLabel: "mcp.json"
installCredentials:
  - key: CITC_BASE_URL
    label: "CitC Base URL"
    placeholder: "<CITC_BASE_URL>"
    description: "Base URL of your CitC instance, e.g. https://concert.medisolvcloud.com"
    secret: false
---

Real-time access to Medisolv's Concert Identity Provider (CitC) — the authoritative source for users, organizations, roles, application access, and configuration parameters across every Medisolv product.

## What is CitC?

CitC (Concert Identity Provider) is Medisolv's custom implementation of an OpenID Connect identity provider. Every application in the Medisolv ecosystem uses it to:

- **Authenticate** users (who are you?)
- **Authorize** access (what can you do?)
- **Configure** per-organization parameters (how should the app behave for your org?)

This MCP server gives AI agents read-only visibility into that data — without needing direct database access.

## When to Use

Use this MCP when your agent needs to:

- Look up a user by email or user ID, including their roles and org memberships
- Discover which organizations have access to a given application
- Read configuration parameters set for a specific org or application
- Audit recent login and access events
- Answer support questions like "why can't user X log in to Application Y?"

## Prerequisites

- **Python 3.11+** and `pip` installed
- An **Application Insights connection string** that includes `ApplicationId=<guid>`
- An **Application Insights API key** with **Read telemetry** permission

Upgrade `pip` and install the Azure Artifacts keyring helpers from public PyPI:

```powershell
pip install keyring artifacts-keyring
```

Then install the MCP package locally before configuring Augment. This avoids first-run timeouts caused by downloading packages during MCP startup:

```powershell
python -m pip install --user citc-mcp --index-url https://pypi.org/simple --extra-index-url "https://medisolv.pkgs.visualstudio.com/ai-discovery-portal/_packaging/ai-discovery/pypi/simple/"
```

The first install may open an Azure DevOps sign-in flow through `artifacts-keyring`. Sign in with an account that has access to the `ai-discovery` feed.

## Installation

After you install the package locally, add the following snippet to your AI tool's MCP config.

```json
{
  "mcpServers": {
    "citc": {
      "command": "python",
      "args": ["-m", "server"],
      "env": {
        "CITC_BASE_URL": "<CITC_BASE_URL>"
      }
    }
  }
}
```

This configuration assumes the same `python` on your `PATH` is the one where you ran `python -m pip install --user citc-mcp ...`. If you use multiple Python installations, replace `"python"` with the full path to the correct interpreter.

### Browser auth mode (OAuth auth-code flow)

If your CitC instance uses interactive SSO instead of a long-lived bearer token, use `CITC_AUTH_MODE=browser`. On startup, the MCP launches your default browser, completes an OAuth authorization-code flow with PKCE, stores the returned `access_token` and `refresh_token`, and refreshes the access token automatically when it expires.

Then set the following in your MCP config:

```json
{
  "mcpServers": {
    "citc": {
      "command": "python",
      "args": ["-m", "server"],
      "env": {
        "CITC_BASE_URL": "<CITC_BASE_URL>"
      }
    }
  }
}
```

Browser-mode configuration:

- `CITC_BASE_URL` is the only env var you need to provide.
- The callback URL, client ID, client secret, scopes, and token cache path are hardcoded in `mcps/citc/server.py`.

## Available Tools

| Tool | Description |
|------|-------------|
| `citc_list_applications` | List all registered applications |
| `citc_get_application` | Get details for a specific application |
| `citc_get_organizations_for_application` | List orgs with access to an application |
| `citc_list_organizations` | List all organizations |
| `citc_get_organization` | Get org details + sub-orgs + apps |
| `citc_get_organization_users` | List users in an organization |
| `citc_get_user` | Get full user profile + roles |
| `citc_lookup_users_by_email` | Look up users by email address(es) |
| `citc_get_users_for_application` | List all users for an application |
| `citc_list_roles` | List all defined roles |
| `citc_get_user_roles` | Get all roles for a specific user |
| `citc_get_parameters_for_organization` | Get config parameters for an org |
| `citc_get_parameter_by_key` | Get a specific parameter by key name |
| `citc_get_parameters_for_application` | Get config parameters for an app |
| `citc_get_audit_logs` | Get audit logs for a date range |
| `citc_get_audit_types` | List all available audit event types |
| `citc_get_stats` | System-wide statistics |
| `citc_get_invites_for_organization` | List pending invitations for an org |
| `citc_get_environments` | List registered environments |

## Example Prompts

Once installed, you can ask your AI:

> "Look up the CitC user for will@medisolv.com and tell me what roles they have."

> "Which organizations have access to the MIPS application in CitC?"

> "What configuration parameters are set for organization ORG-123 in CitC?"

> "Show me the CitC audit log for January 2025."

> "Why might a user not be able to log in? Check their CitC status by email."

## Security Notes

- This MCP is **read-only** by default. No write operations (invite, disable, remove) are exposed.
- Your bearer token should be scoped to the minimum permissions needed.
- Never commit your `.env` file. It is already listed in `.gitignore`.
- In browser mode the MCP will refresh the access token automatically when a refresh token is available.

## Troubleshooting

| Error | Likely Cause | Fix |
|-------|-------------|-----|
| `Request timed out` during MCP startup | Augment is waiting while the package is still downloading/installing | Run the one-time `python -m pip install --user citc-mcp ...` command first, then configure Augment to use `python -m server` |
| `No module named server` | The package is not installed in the Python interpreter Augment is using | Run `python -m pip install --user citc-mcp ...` with the same Python you will reference in MCP config, or point `command` to that interpreter explicitly |
| `401 Unauthorized` while installing | `artifacts-keyring` is missing or your Azure DevOps session does not have feed access | Run `python -m pip install --user keyring artifacts-keyring` and sign in to Azure DevOps with access to the `ai-discovery` feed |
| `CITC_BASE_URL is required` | Env var not set | Ensure `CITC_BASE_URL` is in your MCP config's `"env"` block |
| `CitC API error 401` | Invalid, expired, or missing token | Refresh your `CITC_BEARER_TOKEN`, or re-run browser login with `citc_refresh_session` |
| `CitC API error 403` | Insufficient permissions | Ensure your service account has read access |
| `AbortError` | Request timeout | Increase `CITC_TIMEOUT_MS` or check network connectivity |
| `Unable to load OIDC discovery metadata` | The discovery document is unavailable or the base URL is not the OIDC issuer root | Verify `CITC_BASE_URL` points at the CitC issuer root and that `<base>/.well-known/openid-configuration` is reachable |
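
A way to check the last row before starting the MCP, as an added example that is not part of the CitC package: it derives the discovery URL from `CITC_BASE_URL` and validates a fetched metadata document against it. The host `idp.example.test`, its endpoint paths and the sample document are constructed for illustration.

```python
from urllib.parse import urlparse

# Fields a client needs for the authorization-code flow.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(base_url: str) -> str:
    """Discovery document location for an issuer, per OpenID Connect Discovery."""
    return base_url.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(base_url: str, metadata: dict) -> list[str]:
    """Return a list of problems; an empty list means base_url is the issuer root."""
    problems = [f"missing {key}" for key in REQUIRED if not metadata.get(key)]
    issuer = str(metadata.get("issuer", ""))
    # A trailing slash is tolerated here for convenience; the spec asks for an exact match.
    if issuer and issuer.rstrip("/") != base_url.rstrip("/"):
        problems.append(f"issuer {issuer!r} does not match base URL {base_url!r}")
    for key in REQUIRED:
        value = metadata.get(key)
        if value and urlparse(str(value)).scheme != "https":
            problems.append(f"{key} is not https")
    # RFC 8414 metadata field: if absent, the server does not advertise PKCE support.
    if "S256" not in metadata.get("code_challenge_methods_supported", []):
        problems.append("S256 PKCE not advertised")
    return problems


# Constructed sample document for a hypothetical issuer (not real CitC output).
SAMPLE = {
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/connect/authorize",
    "token_endpoint": "https://idp.example.test/connect/token",
    "jwks_uri": "https://idp.example.test/.well-known/jwks",
    "code_challenge_methods_supported": ["S256"],
}

if __name__ == "__main__":
    print(discovery_url("https://idp.example.test/"))
    print(check_discovery("https://idp.example.test", SAMPLE))
    print(check_discovery("https://idp.example.test/app", SAMPLE))
```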

