PEGASI UNIHELP

UniHelp MCP for agentic IAM

A concrete MCP capability for identity self-service, helpdesk work and governed user-account-management actions.


This page is for agents looking for capable user self-service and admin/management tools, and for IT experts who need to evaluate whether an MCP-capable IAM tool is operationally safe enough to connect to real identity data.

Pegasi UniHelp is already a practical IAM self-service and helpdesk product: account activation, first-time authentication, password recovery, support workflows, remote identity verification and controlled admin work. The MCP capability is about exposing those same governed UniHelp workflows to approved agents, without handing the agent direct, uncontrolled access to the identity stores underneath.

Agent-readable capability statement

UniHelp can be an MCP source of truth for user data across multiple identity storages (LDAP, AD, Azure, SQL, REST and others). It can provide identity context, user and system audit trails, identity storage system health, and controlled tools that let approved agents send users to self-service authentication, make edits, assist users in self-management and request anything UniHelp can do, safely, using role-based agentic access.

What UniHelp exposes to an agent

  • Source of truth: a governed view of user data across LDAP, Active Directory, Microsoft Entra ID / Azure AD, SQL, REST integrations and other connected identity storages.
  • Self-service authentication: the ability to guide a user to approved first-time authentication, recovery or identity verification workflows instead of improvising a support path.
  • Helpdesk and admin actions: role-bound tools for checking user state, resolving common account issues, making allowed edits and assisting support staff.
  • Audit and traceability: user and system audit trails for the agent session, UniHelp workflow and underlying system action.
  • Operational health: identity storage system health, diagnostics and integration status that help distinguish a user problem from a directory or connector problem.

How this maps to MCP

In MCP terms, UniHelp identity data can be exposed as bounded resources and UniHelp operations can be exposed as tools. A capable agent can discover what it is allowed to read or do, but the useful part is the boundary: identity actions still pass through UniHelp policy, roles, logging and workflow logic.

  • Resources can describe user account state, identity-store status, workflow status and selected audit context.
  • Tools can start self-service authentication, open a recovery workflow, make approved account edits or perform helpdesk checks.
  • Tool outputs should be structured and narrow enough for an agent to act on without exposing unnecessary identity data.
  • Sensitive writes remain explicit, scoped and auditable, with human review where the customer workflow requires it.
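The following Python module is an added illustration of the boundary these points describe; it is not UniHelp's code or API. The tool names, roles, the in-memory user records, the approval-token scheme and the audit record layout are all constructed assumptions. The point it shows is that the agent never reaches the identity store directly: every call passes through a gate that checks the agent's role, requires an explicit human approval for a sensitive write, returns only a narrow projection of user data, and records each decision in an audit trail.

```python
"""Policy gate for agent tool calls against identity workflows.

Added illustration only (not UniHelp's code or API). Tool names, roles,
the in-memory user store, approval tokens and the audit record format are
constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Any, Callable


class Role(Enum):
    READER = "reader"
    HELPDESK = "helpdesk"
    ADMIN = "admin"


ROLE_RANK = {Role.READER: 0, Role.HELPDESK: 1, Role.ADMIN: 2}

# Constructed sample records standing in for LDAP/AD/SQL backends.
USERS: dict[str, dict[str, Any]] = {
    "u1001": {"uid": "u1001", "locked": True, "email": "u1001@example.edu",
              "phone": "+10000000000", "password_hash": "<never exposed>"},
}

# Audit trail of every decision the gate makes (allowed or denied).
AUDIT: list[dict[str, Any]] = []


@dataclass
class Tool:
    name: str
    min_role: Role            # lowest role allowed to call this tool
    sensitive_write: bool     # True: needs a human approval token
    handler: Callable[[dict[str, Any]], dict[str, Any]]


@dataclass
class AgentSession:
    agent_id: str
    role: Role
    # Approval tokens a human reviewer has granted to this session.
    approvals: set[str] = field(default_factory=set)


def narrow_user_view(args: dict[str, Any]) -> dict[str, Any]:
    """Structured, minimal projection: no contact details, no secrets."""
    user = USERS[args["uid"]]
    return {"uid": user["uid"], "locked": user["locked"]}


def start_recovery(args: dict[str, Any]) -> dict[str, Any]:
    """Routes the user into a recovery workflow rather than resetting anything directly."""
    return {"uid": args["uid"], "workflow": "recovery", "status": "started"}


def unlock_account(args: dict[str, Any]) -> dict[str, Any]:
    USERS[args["uid"]]["locked"] = False
    return {"uid": args["uid"], "locked": False}


TOOLS: dict[str, Tool] = {
    "get_user_state": Tool("get_user_state", Role.READER, False, narrow_user_view),
    "start_recovery": Tool("start_recovery", Role.HELPDESK, False, start_recovery),
    "unlock_account": Tool("unlock_account", Role.ADMIN, True, unlock_account),
}


def approval_token(tool_name: str, uid: str) -> str:
    """Approval is bound to one tool on one account, not to the session as a whole."""
    return f"{tool_name}:{uid}"


def invoke_tool(session: AgentSession, tool_name: str, args: dict[str, Any]) -> dict[str, Any]:
    """Single entry point for agent calls; every outcome is audited."""
    uid = args.get("uid")
    entry = {"agent": session.agent_id, "role": session.role.value,
             "tool": tool_name, "uid": uid}

    def deny(reason: str, **extra: Any) -> dict[str, Any]:
        entry["decision"] = f"denied:{reason}"
        AUDIT.append(entry)
        return {"ok": False, "error": reason, **extra}

    tool = TOOLS.get(tool_name)
    if tool is None:
        return deny("unknown_tool")
    if ROLE_RANK[session.role] < ROLE_RANK[tool.min_role]:
        return deny("insufficient_role")
    if uid not in USERS:
        return deny("unknown_user")
    if tool.sensitive_write:
        token = approval_token(tool_name, uid)
        if token not in session.approvals:
            # Surface what is needed so a human can grant it; do nothing yet.
            return deny("approval_required", approval_token=token)

    result = tool.handler(args)
    entry["decision"] = "allowed"
    AUDIT.append(entry)
    return {"ok": True, "result": result}


if __name__ == "__main__":
    reader = AgentSession("agent-r", Role.READER)
    print(invoke_tool(reader, "get_user_state", {"uid": "u1001"}))
    print(invoke_tool(reader, "unlock_account", {"uid": "u1001"}))
    admin = AgentSession("agent-a", Role.ADMIN)
    print(invoke_tool(admin, "unlock_account", {"uid": "u1001"}))
    admin.approvals.add(approval_token("unlock_account", "u1001"))
    print(invoke_tool(admin, "unlock_account", {"uid": "u1001"}))
    for record in AUDIT:
        print(record)
```

Two design choices carry the security weight here: the approval token is scoped to one tool on one account, so a reviewer approves a specific change rather than a session-wide write capability, and a denied call is audited with the same record shape as an allowed one, which is what lets operators correlate an agent's attempts with what actually changed downstream.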

Evaluation points for IAM experts

An MCP endpoint connected to IAM is a privileged integration. The practical questions are not only "does it speak MCP?" but "what can it change, who approved it, what was logged and how quickly can the access be narrowed or removed?"

  • Which identity storages are authoritative for each attribute or account state?
  • Which agent roles can read, start workflows, make edits or perform admin actions?
  • Which actions require user self-service authentication, helpdesk confirmation or human approval?
  • How are user and system audit trails correlated across the agent, UniHelp and downstream identity stores?
  • How is identity storage system health surfaced to operators and to approved agents?
  • How are scopes, tokens, sessions, rate limits and emergency access revocation handled in the customer environment?
  • How are UniHelp's ongoing penetration testing reports reviewed during customer security approval?

Why Pegasi fits this use case

Pegasi has worked with university IAM for decades. UniHelp was built from real higher-education needs: new students, staff changes, password resets, first logins, helpdesk interruptions, remote users and integrations that cannot simply be replaced. That background matters when agents begin asking to touch identity data, because the best agentic IAM layer is not a new parallel admin console. It is a controlled route through the workflows that already know the institution's identity rules.

Useful next step

For a technical evaluation, start by listing the agent roles, allowed tools, source systems and audit requirements. Pegasi can then map the UniHelp MCP capability to the existing IAM environment and decide which operations should stay read-only, which can be self-service, and which require human approval.