modelcontextprotocol
diff --git a/‎README.md‎
Lines changed: 61 additions & 0 deletions b/‎README.md‎
Lines changed: 61 additions & 0 deletions
@@ -31,6 +31,67 @@ For more information about MCP:
 - [Protocol Specification](https://modelcontextprotocol.io/specification/)
 - [GitHub Organization](https://github.com/modelcontextprotocol)
 
+## Enterprise Auth / Enterprise Managed Authorization (SEP-990)
+
+The SDK provides Enterprise Auth utilities for the Identity Assertion Authorization Grant flow (SEP-990),
+enabling enterprise SSO scenarios where users authenticate once via their enterprise Identity Provider and
+access MCP servers without per-server authorization prompts.
+
+The flow consists of two token operations:
+1. **RFC 8693 Token Exchange** at the IdP: ID Token → JWT Authorization Grant (JAG)
+2. **RFC 7523 JWT Bearer Grant** at the MCP Server: JAG → Access Token
+
+### Using the Layer 2 utilities directly
+
+```csharp
+using ModelContextProtocol.Authentication;
+
+// Step 1: Exchange ID token for a JAG at the enterprise IdP
+var jag = await EnterpriseAuth.DiscoverAndRequestJwtAuthorizationGrantAsync(
+    new DiscoverAndRequestJwtAuthGrantOptions
+    {
+        IdpUrl = "https://company.okta.com",
+        Audience = "https://auth.mcp-server.example.com",
+        Resource = "https://mcp-server.example.com",
+        IdToken = myIdToken, // obtained via SSO/OIDC login
+        ClientId = "idp-client-id",
+    });
+
+// Step 2: Exchange JAG for an access token at the MCP authorization server
+var tokens = await EnterpriseAuth.ExchangeJwtBearerGrantAsync(
+    new ExchangeJwtBearerGrantOptions
+    {
+        TokenEndpoint = "https://auth.mcp-server.example.com/token",
+        Assertion = jag,
+        ClientId = "mcp-client-id",
+    });
+```
+
+### Using the EnterpriseAuthProvider (Layer 3)
+
+```csharp
+var provider = new EnterpriseAuthProvider(new EnterpriseAuthProviderOptions
+{
+    ClientId = "mcp-client-id",
+    AssertionCallback = async (context, ct) =>
+    {
+        return await EnterpriseAuth.DiscoverAndRequestJwtAuthorizationGrantAsync(
+            new DiscoverAndRequestJwtAuthGrantOptions
+            {
+                IdpUrl = "https://company.okta.com",
+                Audience = context.AuthorizationServerUrl.ToString(),
+                Resource = context.ResourceUrl.ToString(),
+                IdToken = myIdToken,
+                ClientId = "idp-client-id",
+            }, ct);
+    }
+});
+
+var tokens = await provider.GetAccessTokenAsync(
+    resourceUrl: new Uri("https://mcp-server.example.com"),
+    authorizationServerUrl: new Uri("https://auth.mcp-server.example.com"));
+```
+
 ## License
 
 This project is licensed under the [Apache License 2.0](LICENSE).