Labsco
DelineaXPM logo

delinea-mcp

โ˜… 46

from DelineaXPM

Official Delinea MCP server for the Delinea Secret Server and Platform APIs

๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅโœ“ VerifiedAccount requiredAdvanced setup

DelineaMCP

MCP server for the Delinea Secret Server and Platform APIs


Features

  • Automatic authentication against Secret Server
  • Extensive Secret Server tool set for managing folders, secrets, users, groups and roles. Includes inbox and access request helpers and coding agent utilities.
  • ChatGPT compatibility tools (search and fetch) for controlled AI interactions.
  • Optional Delinea Platform user management tools
  • Supports either Server Sent Events or STDIO transport modes
  • OAuth 2.0 with dynamic client registration per the MCP specification
  • TLS support for secure connections
  • Ready-to-run Docker image and development server entry point
  • Tested with ChatGPT, Claude Desktop, remote Claude connector, VSCode Copilot and openwebui

MCP Tools

The server exposes several MCP tools for interacting with Secret Server:

  • run_report(sql_query, report_name=None) - create and execute a temporary report.
  • ai_generate_and_run_report(description) - generate SQL using Azure OpenAI and run it. Requires the Azure OpenAI variables.
  • list_example_reports() - list sample queries and table information.
  • get_secret(id, summary=False) - retrieve a secret or summary details.
  • get_folder(id) - fetch folder metadata and children.
  • search_users(query) - search active users.
  • search_secrets(query, lookup=False) - search or look up secrets.
  • search_folders(query, lookup=False) - search or look up folders.
  • get_secret_environment_variable(secret_id, environment) - output a script for fetching secret credentials in the specified shell.
  • check_secret_template(template_id) - fetch secret template details.
  • check_secret_template_field(template_id, field_id) - check if a template contains a field.
  • get_secret_template_field(field_id) - retrieve details about a specific secret template field by ID.
  • handle_access_request(request_id, status, response_comment, start_date=None, expiration_date=None) - approve or deny an access request.
  • get_pending_access_requests() - list pending access requests.
  • get_inbox_messages(read_status_filter=None, take=20, skip=0) - retrieve inbox messages.
  • mark_inbox_messages_read(message_ids, read=True) - mark messages as read or unread.
  • user_management(action, user_id=None, data=None, skip=0, take=20, is_exporting=False) - unified user operations. action accepts get, create, update, delete, list_sessions, reset_2fa, reset_password or lock_out. Provide user_id when required and supply the request body via data for create, update and password reset actions. Example: user_management("reset_password", user_id=42, data={"newPassword": "Pa$$w0rd"}).
  • role_management(action, role_id=None, data=None, params=None) - manage roles. action may be list, get, create or update. Pass optional query parameters with params when listing roles. Example: role_management("update", role_id=3, data={"name": "New Role"}).
  • user_role_management(action, user_id, role_ids=None) - assign or remove roles from a user. action is get, add or remove and role_ids is a list of role identifiers for add/remove operations.
  • group_management(action, group_id=None, data=None, params=None) - handle groups. action may be get, list, create or delete. Provide group_id for get/delete and data when creating a group.
  • folder_management(action, folder_id=None, data=None, params=None) - manage folders. action may be get, list, create, update or delete. Provide folder_id for get, update or delete and supply data when creating or updating a folder.
  • user_group_management(action, user_id, group_ids=None) - manage group membership for a user. action is get, add or remove. Supply a list of group_ids when adding or removing membership.
  • group_role_management(action, group_id, role_ids=None) - control roles on a group. Use list, add or remove actions. Provide role_ids when adding or removing.
  • health_check() - query the Secret Server health check endpoint and return the current service status.

Use the server configuration variables described above to authenticate. The AI tool is automatically disabled if the Azure OpenAI variables are missing. Only the tool names listed in config.json will be registered. An empty list enables every tool.

Use Cases

The documentation covers several workflows for connecting tools to the server:

Example Scripts

The manual_secret_request.py script shows how to retrieve an OAuth token for a specific secret ID:

python scripts/manual_secret_request.py <Secret_ID>

Set the environment variables SECRET_USERNAME_<id> and SECRET_PASSWORD_<id> for the secret before running the script. Optionally set DELINEA_BASE_URL to override the default https://localhost/SecretServer.

Repository Layout

  • delinea_mcp/ - package containing MCP tools.
  • server.py - thin entry point that registers everything with the MCP server.
  • docs/ - project documentation and the generated delinea-secret-server-openapi-spec.json.
  • scripts/ - helper examples including manual_secret_request.py.

Security Considerations

The included OAuth endpoints are intended for development and testing. The /oauth/authorize route accepts any redirect_uri and will redirect the user without validation. Deployments must restrict this value to approved callback URLs; otherwise attackers could supply a malicious URL and capture authorization codes. See Open Redirection for background.

Release Notes

See docs/release_notes.md for a summary of the latest features and roadmap items.

Roadmap

  1. Passthrough authentication
  2. Streaming HTTP transport support
  3. Expand tool coverage on the Delinea Platform and add other Delinea products