Connect to the MCP Trust Layer

Follow this guide to connect your AI assistant to the Ataccama ONE Model Context Protocol (MCP) server. The MCP server is hosted remotely in your Ataccama ONE environment — no local installation or package manager is required.

For an overview of what the MCP trust layer is and the tools it contains, see MCP Trust Layer for External AI Agents.

Prerequisites

Before you connect, gather the following information from your Ataccama administrator.

You do not need to install Python, Node.js, or any local packages. The MCP server is fully hosted.

The MCP trust layer supports two authentication methods: single sign-on (SSO) and machine-to-machine (M2M).

Item Description

Item	Description
Ataccama environment name	Your organization’s environment identifier. Used to construct the server URL: `https://{your-environment}.ataccama.one/private/api/mcppublic/mcp`
Ataccama identity provider (IDP) realm (SSO only)	Your organization’s realm name in the Ataccama identity provider, used for SSO authentication URLs. Typically in the format `instance-environment`.
Ataccama account (SSO only)	A valid Ataccama ONE user account for interactive login.
Client ID and client secret (M2M only)	Pre-generated credentials for machine-to-machine authentication. See Create an API client (M2M) for setup instructions.

Ataccama environment name

Your organization’s environment identifier. Used to construct the server URL:

https://{your-environment}.ataccama.one/private/api/mcppublic/mcp

Ataccama identity provider (IDP) realm (SSO only)

Your organization’s realm name in the Ataccama identity provider, used for SSO authentication URLs.

Typically in the format instance-environment.

Ataccama account (SSO only)

A valid Ataccama ONE user account for interactive login.

Client ID and client secret (M2M only)

Pre-generated credentials for machine-to-machine authentication. See Create an API client (M2M) for setup instructions.

Create an API client (M2M)

If you plan to use machine-to-machine (M2M) authentication, create an API client in your Ataccama ONE environment.

The client secret is displayed only once during creation. Copy and securely store the client ID and secret immediately.

If you lose the client secret, you need to create a new API client.

Log in to the Ataccama Cloud Portal.
Go to your environment.
Go to the Settings tab.
In the API Clients section, select Create API Client.
Provide a name for your API client.
Select Create.
Copy and securely store the generated credentials. The Client ID and Client Secret are displayed on screen.

See also Create an API Client in the REST API authentication documentation.

Claude Desktop / claude.ai

Claude Desktop and claude.ai support SSO authentication only via the built-in Connectors feature. M2M authentication is currently not available for this client.

A paid Claude plan is required to add custom MCP connectors.

Open your Claude Desktop app or claude.ai.
In the left-hand menu, find the toolbox icon labeled Customize.
Go to Connectors.
Select the plus icon.
Select Add custom connector.
Give the connector a name (for example, Ataccama MCP) and enter the following as the Remote MCP server URL:
```
https://{your-environment}.ataccama.one/private/api/mcppublic/mcp
```
Select Connect. This redirects you to the Ataccama ONE login page.
Log in with your Ataccama credentials.
After authentication, you are redirected back to Claude. The available Ataccama MCP tools are listed under the connector.

Claude Code

Claude Code supports both SSO and M2M authentication.

SSO / OAuth 2.0
Client ID and client secret

Run the following command in your terminal:

claude mcp add-json {name-for-the-mcp} '{
    "type": "http",
    "url": "https://{your-environment}.ataccama.one/private/api/mcppublic/mcp"
}'

Replace {name-for-the-mcp} with a name of your choice (for example, ataccama) and {your-environment} with your Ataccama environment name.

On first use, you are prompted to authenticate via your browser.

Run the following command in your terminal:

claude mcp add-json {name-for-the-mcp} '{
    "type": "http",
    "url": "https://{your-environment}.ataccama.one/private/api/mcppublic/mcp",
    "headers": {
        "X-Client-Id": "{your-client-id}",
        "X-Client-Secret": "{your-client-secret}"
    }
}'

Replace the placeholders with your actual environment name, client ID, and client secret.

Microsoft Copilot Studio

Microsoft Copilot Studio supports both SSO and M2M authentication.

The M2M method passes credentials via Swagger headers in Power Automate. The SSO method uses the built-in OAuth 2.0 flow.

Client ID and client secret
SSO / OAuth 2.0

Go to Microsoft Copilot Studio.
In the left-hand menu, select Agents.
Select Create Blank Agent in the upper-right corner of the screen.
Give your agent a name and description.
Select the model you want to use.
Select Tools from the upper menu.
Select Add Tool.
Select Model Context Protocol.
Name the server and give it a description.

Enter the Server URL:

https://{your-environment}.ataccama.one/private/api/mcppublic/mcp

Select None as Authentication (authentication is handled via Swagger headers in a later step).
Select Create.
Select Not connected.
Select Create new connection and then select Create.
Select Add and configure.
In the left-hand menu, go to Tools.
Select the name you gave to the MCP. You are redirected to Power Automate to the connector.
Enable Swagger editor in the toolbar.

Paste the following YAML block under the description of your Ataccama MCP tool:

parameters:
  - name: X-Client-Id
    in: header
    required: true
    type: string
    default: {Your-Client-ID}
    x-ms-visibility: internal
  - name: X-Client-Secret
    in: header
    required: true
    type: string
    default: {Your-Client-Secret}
    x-ms-visibility: internal

Replace {Your-Client-ID} and {Your-Client-Secret} with your actual credentials.

Select Update Connector in the toolbar.
To verify the connection, go to Agents > <your agent> > Tools > <your MCP> and locate the Tools section. You should see the connector in the tools listed.
Test your agent using the Test environment.

Go to Microsoft Copilot Studio.
In the left-hand menu, select Agents.
Select Create Blank Agent in the upper-right corner of the screen.
Give your agent a name and description.
Select the model you want to use.
In the left-hand menu, select Tools.
Select Add Tool.
Select Model Context Protocol.
Name the server and give it a description.

Enter the Server URL:

https://{your-environment}.ataccama.one/private/api/mcppublic/mcp

Select OAuth 2.0 as Authentication and select Manual.

Fill in the following OAuth fields.

Replace {your-environment} and {realm} with your organization’s values.

Field Value

Field	Value
Client ID	`mcppublic-dcr-client`
Client Secret	`x`
Authorization URL	`https://{your-environment}.ataccama.one/auth/realms/{realm}/protocol/openid-connect/auth`
Token URL	`https://{your-environment}.ataccama.one/auth/realms/{realm}/protocol/openid-connect/token`
Refresh URL	`https://{your-environment}.ataccama.one/auth/realms/{realm}/protocol/openid-connect/token`
Scopes	`profile email`

Client ID

mcppublic-dcr-client

Client Secret

x

Authorization URL

https://{your-environment}.ataccama.one/auth/realms/{realm}/protocol/openid-connect/auth

Token URL

https://{your-environment}.ataccama.one/auth/realms/{realm}/protocol/openid-connect/token

Refresh URL

https://{your-environment}.ataccama.one/auth/realms/{realm}/protocol/openid-connect/token

Scopes

profile email

Select Create and then select Next.
Select Not connected.
Select Create new connection and then select Create.

You are redirected to the Ataccama ONE login page.
Log in with your Ataccama credentials.
After redirecting back, select Add and configure.
Scroll down to confirm the available tools are listed in the Tools section.

Amazon Bedrock

Amazon Bedrock supports M2M authentication only, via AgentCore Gateways.

Go to Amazon Bedrock AgentCore > Identity.
Find Outbound Auth and select Add OAuth Client / API key.
Select Add OAuth Client.
Name the client and select Custom provider.
Set Configuration type to Discovery URL.
Enter your Client ID and client secret in the corresponding fields.

Set the Discovery URL:

https://{your-environment}.ataccama.one/auth/realms/{realm}/.well-known/openid-configuration

Replace {your-environment} and {realm} with your organization’s values.

Select Add OAuth Client.
Navigate to Amazon Bedrock AgentCore > Gateways.
Select Create Gateway.
Configure the gateway settings as needed for your use case.
Find the Target section.
Give the target a name and description.
For Target type, select MCP Server.

Enter the MCP endpoint:

https://{your-environment}.ataccama.one/private/api/mcppublic/mcp

For Outbound Auth configurations, select OAuth client.
In the OAuth client field, select the identity you created earlier.
Select Create Gateway.

Test connection with curl

Test the connection using the Gateway resource URL:

curl -X POST "{your-gateway-resource-url}" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}'

A successful response lists all available Ataccama MCP tools.

Verify setup in AI client

After completing the setup for your client, verify that the connection works by asking your AI assistant a simple question:

"What Ataccama tools are available?"
"Search for catalog items related to customers."
"What data quality dimensions are configured?"

If the assistant returns results from your Ataccama environment, the connection is working correctly.

Troubleshooting MCP trust layer connection

Connection refused or timed out

If your AI client cannot reach the Ataccama MCP server:

Verify the server URL is correct: https://{your-environment}.ataccama.one/private/api/mcppublic/mcp.
Ensure you are on your organization’s network or VPN if required.
Check that your firewall or security software is not blocking outbound HTTPS connections.

Authentication failed (SSO)

If the login page appears but authentication fails after entering credentials:

Confirm your Ataccama credentials are valid by logging in directly to your Ataccama ONE environment.
Verify the IDP realm name is correct (case sensitive).
Check that your user account has the necessary permissions.

Authentication failed (M2M)

This occurs when the MCP server rejects your client ID and secret.

Confirm your client ID and client secret are correct. Re-copy them from your Ataccama admin.
Ensure the credentials have not expired or been revoked.
For Copilot Studio: Verify the Swagger YAML is correctly pasted under the MCP tool description and that x-ms-visibility: internal is set for both headers.

No tools visible after connecting

If the connection appears successful but no tools are listed:

Ensure your user account or API client has API access enabled in Ataccama ONE.
Try disconnecting and reconnecting the MCP server.
For Claude Desktop: Check that your Claude plan supports custom connectors (not supported in the free tier).
For Copilot Studio: Refresh the Tools page and ensure you selected Add and configure after creating the connection.

Tools listed in Copilot Studio but not responding

If the tools are visible in the Copilot Studio but return errors when called:

For M2M: Verify the Swagger header parameters are formatted correctly and that the connector was updated after pasting them.
For SSO: Re-authenticate by creating a new connection if the session has expired.

Was this page useful?