---
title: "CitC Identity Provider Skill"
type: "Skill"
slug: "citc"
icon: "manage_accounts"
category: "Identity & Access"
tags: ["Identity", "Auth", "Roles", "Organizations", "Parameters", "OIDC"]
installs: "0"
author: "Medisolv Platform Team"
authorInitial: "M"
lastUpdated: "2026-03-26"
popularity: "5.0/5"
reviewCount: "New"
platformTags: ["v1.0", "Internal"]
---

# CitC Identity Provider Skill

This skill teaches you how to use the `citc-mcp` MCP server to answer questions about Medisolv's Concert Identity Provider (CitC) — the authoritative system for users, organizations, roles, applications, and configuration parameters.

## When to Use

Use this skill whenever you need to query or troubleshoot Medisolv's Concert Identity Provider (CitC):

- Looking up a user's account status, roles, or organization memberships by email or userId
- Listing which organizations have access to a specific application (MIPS, CDI, Scheduling, etc.)
- Reviewing or auditing configuration parameters set for an organization or application
- Diagnosing login failures — confirming a user exists, is active, and has the correct roles
- Browsing pending invitations for an organization
- Pulling CitC audit logs to review recent changes or access events
- Getting a system-wide overview of users, organizations, applications, and activity

## Installation

Add `citc-mcp` to your MCP host configuration and point it at the running server:

```json
{
  "mcpServers": {
    "citc": {
      "command": "uv",
      "args": ["run", "python", "server.py"],
      "cwd": "mcps/citc"
    }
  }
}
```

Set the required environment variables in the project root `.env`:

```dotenv
CITC_BASE_URL=https://concert.medisolvcloud.com
CITC_AUTH_MODE=token
CITC_BEARER_TOKEN=<your-token>
```

For interactive browser login instead of a pasted bearer token:

```dotenv
CITC_BASE_URL=https://concert.medisolvcloud.com
```

## Tool Definition

```json
{
  "name": "citc_lookup_users_by_email",
  "description": "Look up CitC user accounts by one or more email addresses. Returns userId, display name, account status, and organization memberships.",
  "input_schema": {
    "type": "object",
    "properties": {
      "emailAddresses": {
        "type": "array",
        "items": { "type": "string" },
        "description": "List of email addresses to look up."
      }
    },
    "required": ["emailAddresses"]
  }
}
```

## Prerequisites

The `citc-mcp` MCP server must be installed and running. See `mcps/citc/README.md` for setup instructions.

## Core Concepts

### Users
A **user** in CitC is anyone who has been invited to at least one organization. Each user has:
- A unique **userId** (GUID) — use this for all role and detail lookups
- An **email address** — the most human-friendly identifier
- One or more **organization memberships**
- Zero or more **roles** per organization/application

### Organizations
An **organization** is a tenant grouping (e.g., a hospital system or facility). Organizations:
- Can have child sub-organizations
- Have their own set of users, applications, and configuration parameters
- Are identified by an **organizationId** string

### Applications
An **application** is a registered OAuth2/OIDC client (e.g., "MIPS", "CDI", "Scheduling"). Applications:
- Are identified by a **client ID** (appId) string
- Are accessible by specific organizations and users
- Have their own configuration parameters

### Roles
Roles control what users can do inside an application. A user can have different roles in different organizations.

### Parameters
Parameters are key/value configuration settings applied at the organization or application level. They control feature flags, limits, and behavior per tenant.

## When to Use Each Tool

### Finding a User
Start with email when you have it:
```
citc_lookup_users_by_email({ emailAddresses: ["will@medisolv.com"] })
```
Then use the returned userId for detailed info:
```
citc_get_user({ userId: "<guid>" })
citc_get_user_roles({ userId: "<guid>" })
```

### Exploring an Organization
```
citc_list_organizations()                                  # find the organizationId
citc_get_organization({ organizationId: "ORG-123" })      # details + sub-orgs
citc_get_organization_users({ organizationId: "ORG-123" }) # who is in this org?
citc_get_parameters_for_organization({ organizationId: "ORG-123" }) # config
citc_get_invites_for_organization({ organizationId: "ORG-123" })    # pending invites
```

### Exploring an Application
```
citc_list_applications()                                         # find the appId
citc_get_application({ appId: "mips-client" })                  # details
citc_get_organizations_for_application({ appId: "mips-client" }) # which orgs?
citc_get_users_for_application({ appId: "mips-client" })         # which users?
citc_get_parameters_for_application({ appId: "mips-client" })   # config params
```

### Checking Configuration
```
citc_get_parameters_for_organization({ organizationId: "ORG-123" })
citc_get_parameter_by_key({ organizationId: "ORG-123", keyName: "MaxUsers" })
```

### Auditing Activity
```
citc_get_audit_types()   # see what event types exist
citc_get_audit_logs({ startDate: "01/01/2025", endDate: "03/31/2025" })
citc_get_audit_logs({ startDate: "01/01/2025", endDate: "03/31/2025", auditType: "Login" })
```

### System Overview
```
citc_get_stats()          # total users, orgs, apps, recent activity
citc_get_environments()   # list of registered environments (Prod, QA, Dev)
```

## Common Troubleshooting Workflows

### "Why can't user X log in to Application Y?"
1. `citc_lookup_users_by_email({ emailAddresses: ["x@company.com"] })` — confirm the account exists
2. `citc_get_user({ userId: "<guid>" })` — check account status
3. `citc_get_user_roles({ userId: "<guid>" })` — check if they have roles in app Y
4. `citc_get_organizations_for_application({ appId: "app-y-client" })` — confirm the org has app Y
5. `citc_get_organization_users({ organizationId: "<their-org>" })` — confirm user is in that org

### "What is configured for Organization ABC?"
1. `citc_list_organizations()` — find the organizationId
2. `citc_get_organization({ organizationId: "..." })` — overview
3. `citc_get_parameters_for_organization({ organizationId: "..." })` — all config params
4. `citc_get_organization_users({ organizationId: "..." })` — who has access

### "Show me all changes made last month"
```
citc_get_audit_logs({ startDate: "02/01/2026", endDate: "02/28/2026" })
```

## Tips

- **IDs vs emails**: Always prefer `userId` (GUID) over email for API calls after the initial lookup — it's more reliable.
- **Date format**: Audit log dates use `MM/DD/YYYY` format (e.g., `"01/31/2026"`).
- **Pagination**: Some endpoints return large arrays. Summarize and filter results for the user rather than dumping raw JSON.
- **Parameters are case-sensitive**: Key names in `citc_get_parameter_by_key` must match exactly.
- **Read-only**: This MCP has no write tools. You cannot create users, change roles, or modify parameters through this MCP.

## Example Prompts

> "Look up will@medisolv.com in CitC and tell me what roles they have."

> "Which organizations have access to the MIPS application?"

> "What configuration parameters are set for organization ORG-456?"

> "Show me the CitC audit log for Q1 2025."

> "List all applications registered in CitC."

> "What environments does CitC have registered?"

> "Why might Jane Smith not be able to access the CDI app? Her email is jane.smith@hospital.com."