MCP & Federated Enterprise Search

9 min read Module 6 of 9 Topic 18 of 25

What you'll learn

  • Explain what MCP standardizes and why it ended the custom-connector era
  • Build an MCP server that exposes your retrieval stack as a governed tool
  • Decide per source between central indexing and live federated search using freshness, scale, and permission criteria
  • Avoid the confused-deputy failure mode when an MCP server acts on a user's behalf
Building this at your company? For enterprise and company teams taking this to production: book a 30-minute session with our AI engineers for architecture guidance, code review, and a rollout plan for your use case.
Book a Team Session

Your retrieval stack, built carefully across the previous five modules, is now genuinely good, and it has a distribution problem. The sales team wants it available inside their chat app. Engineers want it inside their IDE. A new internal agent platform wants it exposed as a callable tool. Meanwhile your own agent, from Lesson 17, wants to reach systems you’ll never fully index: live ticket status, today’s Slack messages, the CRM’s current state. In the pre-2025 world, every single one of those pairings required a bespoke, hand-built integration, and platform teams routinely drowned under the resulting N-by-M connector matrix, where N systems needing to talk to M other systems meant N times M separate integration efforts to build and maintain.

The Model Context Protocol collapsed that matrix into something far more tractable. Anthropic open-sourced it in November 2024; through 2025 it was adopted by the other major model vendors and a long tail of developer tools, and by 2026, “do you have an MCP server?” has become the standard way enterprise software is asked “can my AI actually talk to you?”

What MCP actually standardizes

MCP is a client-server protocol in which servers expose three kinds of things to any compliant client: tools (callable functions described by JSON schemas), resources (readable content a client can fetch), and prompts (reusable prompt templates a server can offer). Clients, meaning assistants like Claude, IDEs, and various agent frameworks, discover what a given server offers at connection time, and the underlying model decides when to invoke what’s been discovered. Authentication matured significantly through 2025 into OAuth-based flows built into the protocol itself, which turns out to matter enormously for the permissions story covered in detail below.

For a RAG platform team specifically, MCP cuts usefully in both directions simultaneously, and both directions are worth actively building toward rather than picking just one:

  • You as server: your carefully tuned two-stage, ACL-filtered, contextually enriched retrieval stack becomes a tool called search_knowledge_base, available identically across every MCP-compliant client the company happens to run. The many hours spent getting reranking right in Module 4 now silently improves the answer quality of an IDE assistant you’ve personally never even configured.
  • You as client: your own agentic loop from Lesson 17 gains access to get_ticket, search_slack, query_crm, tools built and maintained by other teams entirely, reaching genuinely live data that your own index will never hold, no matter how good your sync pipeline gets.

Exposing the stack: a minimal server

# kb_server.py: your retrieval stack as an MCP server.
# pip install "mcp[cli]"  (the official Python SDK's FastMCP)

from mcp.server.fastmcp import FastMCP, Context

mcp = FastMCP("company-knowledge")

@mcp.tool()
async def search_knowledge_base(
    query: str,
    source: str = "any",     # confluence | drive | jira | any
    ctx: Context = None,
) -> str:
    """Search company knowledge. Returns top passages with
    titles, dates, and links. Refine and retry if results
    miss the target."""

    # THE line that keeps this from becoming a leak API:
    # resolve the END USER from the authenticated session,
    # never a service account. The user's ACL tags flow into
    # the same filtered retrieval as every other path.
    user = await resolve_user(ctx.session)

    chunks = await retrieve_and_rerank(
        query=query,
        source=None if source == "any" else source,
        acl=user.permission_tags,
        final_k=6,
    )
    if not chunks:
        return "No results. Try different terms or check source."

    return "\n\n".join(
        f"[{c.doc_title} > {c.section}]({c.url}) "
        f"(updated {c.updated_at:%Y-%m-%d})\n{c.text}"
        for c in chunks
    )

Twenty lines of adapter code, and it’s worth noting exactly what those twenty lines are an adapter onto: the identical retrieve_and_rerank function used by every other entry point covered elsewhere in this course. One single retrieval implementation, one single permission model, many different doors leading in. The moment a team forks off a “special” retrieval path specifically for MCP clients, quality and security both start drifting apart from the main path silently, usually without anyone noticing until much later.

The quiz’s warning above deserves body text too, since it’s the single most common way this pattern goes wrong in real deployments: the classic mistake is running this server under a shared service identity with broad read access across the whole corpus. Every client then effectively searches with the service’s eyes, not the actual asking user’s eyes, silently bypassing the entire permission model built in Module 7. MCP’s OAuth flows exist precisely so resolve_user can reliably bind the active session to a real, specific person; refuse to ship this server into production until that binding genuinely works end to end.

Federation versus central index: a per-source decision

With MCP normalizing access to essentially everything, you now get to choose per individual source, not as one blanket architectural decision, between two distinct modes of access:

flowchart TD
    A["Agent + router"] --> KB["search_knowledge_base\n(central index: wiki, Drive,\ncontracts, policies)"]
    A --> T1["get_ticket / search_jira\n(live MCP tool)"]
    A --> T2["search_slack\n(live MCP tool, recent)"]
    A --> T3["query_crm\n(live MCP tool)"]
    KB --> SYN["Synthesis with citations"]
    T1 --> SYN
    T2 --> SYN
    T3 --> SYN

    style A fill:#EEF0F7,stroke:#6366F1,color:#0F172A
    style KB fill:#f0fdf9,stroke:#0D9488,color:#0F172A
    style T1 fill:#fff7ed,stroke:#f59e0b,color:#0F172A
    style T2 fill:#fff7ed,stroke:#f59e0b,color:#0F172A
    style T3 fill:#fff7ed,stroke:#f59e0b,color:#0F172A
    style SYN fill:#f0fdf9,stroke:#0D9488,color:#0F172A

Central indexing, everything built across Modules 2 through 4, buys real ranking quality: hybrid search, contextual enrichment, cross-encoder reranking, and clean cross-source fusion, all of it. It costs real sync infrastructure to maintain and accepts a window of minutes-to-hours of staleness by design. It wins clearly for large, relatively stable, ranking-hungry corpora: wikis, document stores, contracts, formal policies.

Federation, live MCP tools reaching source systems directly, buys genuinely perfect freshness and requires zero sync infrastructure at all, and it delegates permission enforcement entirely to the source system itself, since the source API simply won’t return data the authenticated user isn’t allowed to see in the first place. It costs query-time latency for each call, per-source rate limits that can throttle a busy agent, and meaningfully weaker ranking quality in practice, since most SaaS search APIs underneath these tools are fairly basic keyword engines that would compare unfavorably against the hybrid-plus-rerank stack built across this course. It wins clearly for volatile, point-lookup data: tickets, live message threads, CRM records, anywhere “as of right now” is a genuine hard requirement rather than a nice-to-have.

The failure pattern worth actively avoiding is going all-federation: “we’ll just hand the agent twelve MCP tools and skip building an index entirely.” Twelve mediocre keyword searches, executed serially and each individually rate-limited, with no coherent cross-source ranking tying results together, produce a slow assistant that reliably misses relevant results; teams who tried exactly this approach through 2025 mostly ended up rebuilding a proper central index within a couple of quarters once the pattern’s limits became clear in production. The architecture that actually holds up combines both deliberately: index whatever genuinely benefits from careful ranking, federate whatever genuinely demands live freshness, and let the router established in earlier modules, together with the agent’s own judgment, choose the right tool per individual question rather than committing to one approach for everything.

Module 6 is now complete: generation you can genuinely audit, agentic loops that dig deeper when needed, and standardized doors connecting to essentially everything a user might need answered from. Which makes the next module urgent rather than merely thorough, because every door opened in this module is, by definition, also a door for something to go wrong through: permissions, injection attacks, and the security engineering that keeps a knowledge system from quietly becoming a breach. That’s Module 7.

Knowledge Check

4 questions to test your understanding

1 MCP's core value proposition for an enterprise RAG platform is:

2 Ticket status and this week's Slack threads should usually be FEDERATED (live tools) rather than centrally indexed because:

3 The riskiest failure mode when an MCP client queries your knowledge-base server on behalf of a user is:

4 A team gives their agent twelve separate MCP tools, one per live SaaS source, and skips building a central index entirely, reasoning that federation alone is simpler. What commonly goes wrong at scale?

Discussion

Questions and notes from learners on this topic

Loading discussion…

Go further with expert guidance

Ready to build production AI?
Talk to our R&D team.

These courses give you the foundation. Our embedded AI teams take you from prototype to production in 30–90 days, with your team, your codebase, your goals. Book a free strategy call to see how we can accelerate your AI initiative.

30 minutes · No obligation · Expert AI engineers, not sales reps

AI Architecture Review

Audit your current stack and identify high-impact improvements

Project Review

Get expert feedback on your AI implementation and codebase

Team Mentoring

Upskill your engineers with hands-on AI coaching sessions

AI Strategy

Define your AI roadmap, prioritization, and implementation plan