
Enterprise Managed Authorization - Clarify Account Linking #22

@max-stytch

The current specification states the following in section 4.3 Identity Assertion JWT Authorization Grant:

"The IdP might want to also include additional user information, such as an email address, which it should do as a new email claim. This may allow the MCP Client application to properly link existing user accounts to the sub identifier used within the enterprise context for SSO."

I believe MCP Client is the wrong term here - identity linking using the ID-JAG would be performed by either the MCP Server (or alternatively, the MCP Server's Authorization Server - the two roles are somewhat mixed in this section).
