
Setting up Single Sign-On on the Claude Console

Updated this week

Important: If you do not already have an existing SSO parent organization (through an Enterprise or Team plan), you will need to reach out to our Sales team to enable this feature before gaining access to the Console Identity settings page.

Domain Capture, Single Sign-On (SSO), and Just-in-Time Provisioning (JIT) enable Claude Console organizations to enhance authentication security and streamline user access to console.anthropic.com. This guide assumes that:

  1. You are an Admin on your Console account.

  2. You control the DNS settings for your company's email address domain.

  3. You control the SSO Identity Provider your company uses to log in to third-party applications (e.g. Okta, Google Workspace, etc.).

If #2 and #3 are not true, please contact your organization's IT Administrator to continue.

Note: WorkOS is Anthropic's provider for domain verification and SSO setup. More details can be found in Anthropic's Subprocessor List.


Understanding parent organizations

Our Single Sign-On feature introduces the concept of a “parent organization.” This is an entity that stores SSO settings for an organization. For multiple organizations to share the same SSO configuration, each organization needs to be linked to the same parent organization. The way your parent organization originates depends on your plan:

  • Enterprise plan organizations are created with a parent organization by default.

  • For Team plan organizations, the parent organization will be created when SSO is enabled for the first time.

  • Claude Console organizations do not automatically have this feature when they’re set up.

Important: If you’re part of an Enterprise or Team organization that already has SSO configured, your Console organization may already be linked to the same parent organization. You can verify this by checking if the Identity and access settings page is accessible at platform.claude.com/settings/identity.

If your organization does have an Enterprise or Team plan and you’d like to tie the organization’s Claude Console account to the same SSO settings/parent organization, an Owner can initiate a merge to link them together. Refer to the instructions here: How to merge a Team or Console organization to an existing parent organization.

If your organization does not have an Enterprise or Team plan and you’re hoping to create a new parent organization specifically for your organization’s Claude Console account to configure SSO settings:

  • Note that Console accounts are not created with parent organizations by default.

  • To request that a parent organization is created for your organization’s Console account, please fill out our Contact Sales form.

  • Once the parent organization is created, the Identity settings page will appear in your Console account and you can continue with the SSO setup process.

Key points about parent organizations

  • Domain verification is stored at the parent organization level - once one parent organization verifies a domain, other organizations cannot verify or claim that domain.

  • Multiple Claude Console organizations can be linked under the same parent organization.

  • Once merged, organizations can share the same SSO configuration as their parent organization.

  • Advanced Group Mappings allow you to control user access to specific organizations under your parent organization.

Verifying your domain(s)

“Domain Capture” proves that you own your company's domain. Once you have confirmed that you own your domain, we can intercept login attempts for emails on your domain and require your employees to sign in via SSO.

Follow these steps to verify your domain:

    • This section will not appear in your Console account if you haven't done one of the following:

      1. Worked with our Sales team to enable the SSO feature for your Console organization.

      2. Completed a merge proposal to link your Console to an Enterprise organization.

  1. Click "Add Domain"

  2. Follow the instructions to add your TXT record.

    • Note: if you're using a subdomain (e.g. subdomain.yourcompany.com), you should set your new TXT record on that subdomain (e.g. _acme-challenge.subdomain.yourcompany.com).

  3. Wait up to 10 minutes for your DNS change to propagate. When you see the green "Verified" badge, you can close the instructions page.

  4. Back on platform.claude.com/settings/identity, you should see your domain added to the page. If you do not see it, try refreshing your page.

  5. If your domain is listed as "Pending", click the button next to the word "Pending" to refresh your domain status.

  6. Your domain should now be listed as "Verified."

Viewing your domain memberships

To view or download information about your verified domains and their usage across Claude organizations:

  1. Click "View Domain Memberships" in the Domain management section.

  2. Review the information or download your domain membership details in CSV or JSON format.

Adding SSO

After capturing your domain, you can connect your SSO provider to your Console organization so users will be able to log in securely using that provider.

  1. Click the "Add SSO" button

  2. Follow the steps provided for your SSO provider

  3. Once you've completed the steps for your SSO provider, navigate back to platform.claude.com/settings/identity for further configuration options.

Note: Turning on SSO will end all current sessions of your users. They will need to log back in through SSO.

Testing SSO login

Before inviting your teammates, verify that everything works correctly.

  1. Log out of your account by navigating to platform.claude.com/logout

  2. Try logging in again with your email address. You should be directed to your SSO provider. If you’re already logged in via your SSO provider, you may be immediately redirected and logged in to platform.claude.com.

  3. If you use Google Workspace on your domain, try logging in with Google. This should fail and users should be required to log in via SSO.

Adding and removing users

Managing team members in your organization depends on whether you're using Single Sign-On (SSO) or not. Once SSO is enabled, your Identity Provider (IdP) becomes the primary controller for adding members, while removal involves steps in both your IdP and Console.

Before SSO is enabled

Adding members

  1. Click the “Invite” button to add new team members.

Removing members

  1. Find the user you want to remove.

  2. Click the trash icon on the row with their name.

  3. Select "Remove"

After SSO is enabled

Adding members

  1. Ensure that the member is part of your SSO organization and has access to the Console application.

  2. When the user logs in for the first time, an account will be created for them (JIT provisioning) and that account will be a member of your organization.

Removing members

  1. First, revoke the user's access to Claude Console in your SSO provider

  2. Find the user you want to remove

  3. Click the trash icon next to their name

  4. Select "Remove"

  5. Note that the user will remain logged in to console.anthropic.com until you click "Remove"

SCIM

Note: SCIM is not available for Console organizations joined with a Team plan’s parent organization.

Using SCIM, you can have group members added or deleted based on automatic updates from your IdP. This is the ideal setup for full control of group memberships.

Adding members

Add users to the SSO application in your IdP.

Removing members

Remove users from the SSO application in your IdP.

If you have multiple organizations under a single parent organization, then it's strongly advised that you enable “Advanced Group Mappings” for each organization. This will allow you to use IdP groups to control exactly which organizations each account is given access to.

When Advanced Group Mappings is toggled within an organization's settings page, we'll show special "anthropic-" prefixed group names that can be added in your IdP. When members are added to these groups, they will then automatically be provisioned for access.

Manually syncing your directory

SCIM directory syncing happens automatically, but you can prompt a manual sync if needed:

  1. From your Identity and access settings, click "Sync Now" under the Directory sync (SCIM) section.

Advanced Group Mappings

Important: To enable Advanced Group Mappings, you must be an Admin on your Console account. If you can’t access the Identity settings page, contact your Console administrator to add you as an Admin first.

Assigning user roles with advanced group mappings

As mentioned above, advanced group mappings can be used to provide not just access to your Claude organization but also role assignment. To achieve this, we provide you with pre-defined group names and the role that they map to in our product. Users assigned to these groups in your IdP will receive the matching role in our product.

In this example, users that are assigned to the “anthropic-console-7397b822-admin” group in the IdP would get the Admin role, while users assigned to the “anthropic-console-7397b822-user” group would get the User role. This allows users assigned to those groups in the IdP to be provisioned with the correct role.

In addition to the default groups shown above, it's possible to define custom groups within your IdP. Create a custom group and ensure it appears in your Console SSO settings by prepending your custom group name with the anthropic-console-<orgID> prefix (copy the first eight digits of your org ID from Settings > Organization). You can name the group whatever you want, as long as it starts with that prefix.

While users assigned to the default groups will be automatically provisioned with those roles, any custom groups will need to be associated with a role in your SSO settings for role assignment to occur. Click "Add" next to the selected role, then choose the custom group from the drop-down:

The custom group will then appear under Group Names next to its assigned role. If a user is not assigned to any group in your organization’s IdP, they will not receive access to the Console organization.

Note: The group names displayed in this article are just examples; your organization will have different names.

As an example, we'll outline how to set this up in Okta.

SAML

For JIT-based provisioning, Advanced Group Mappings will be shared at login time via your IdP’s SAML response. To have Okta share groups on login, you will need to edit the SAML section of your SSO Application.

  1. Under “Applications” select the SSO Application you configured for Anthropic

  2. Select “Edit” on your SAML settings

  3. Create a “Group Attribute Statement” to share all groups prefixed with “anthropic-” to Anthropic on login.

  4. From then on, membership of every group whose name starts with “anthropic-” will be shared with Anthropic at login time.

  5. Assign members to relevant groups in Okta before turning on Advanced Group Mapping in order to prevent lockout.

Where to edit SAML Settings:

On the second page of the SAML integration page:

Sharing groups by prefix:

SCIM

Note: SCIM is not available for Console organizations joined with a Team plan’s parent organization.

Important: After enabling SCIM with Advanced Group Mappings, you must assign users to the correct IdP groups or all existing members will be removed from the organization, including other Admins. If this happens, you can fix it by adding yourself back to the organization from your IdP, and assigning the appropriate groups and access to the Anthropic app.
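A pre-flight check for the lockout described here and in the SAML steps above, as an added example that is not Anthropic's or Okta's tooling: given current Console members and each user's IdP groups, it reports who would lose access or change role once Advanced Group Mappings is on. The member list, the custom group names, and the choice to flag unmapped-group and multi-role users for review are assumptions; the data is constructed.

```python
ORG8 = "7397b822"                      # example org-ID prefix from the article
PREFIX = f"anthropic-console-{ORG8}"

# Group-to-role mapping as configured in the Console SSO settings: the two
# default groups from the article plus one hypothetical custom group.
ROLE_BY_GROUP = {
    f"{PREFIX}-admin": "Admin",
    f"{PREFIX}-user": "User",
    f"{PREFIX}-ml-platform": "User",   # hypothetical, mapped by hand
}

# Constructed sample data: current Console roles and each user's IdP groups.
CURRENT_MEMBERS = {
    "alice@example.com": "Admin", "bob@example.com": "Admin",
    "carol@example.com": "Admin", "dan@example.com": "User",
    "erin@example.com": "User",
}
IDP_GROUPS = {
    "alice@example.com": ["Everyone", f"{PREFIX}-admin"],
    "bob@example.com": ["Everyone", "claude-admins"],      # no anthropic- prefix
    "carol@example.com": [f"{PREFIX}-ml-platform"],
    "dan@example.com": [f"{PREFIX}-contractors"],          # custom, not mapped yet
    "erin@example.com": [f"{PREFIX}-admin", f"{PREFIX}-user"],
}

def preflight(members, idp_groups):
    """Classify every current member before Advanced Group Mappings is enabled."""
    rep = {"ok": {}, "no_access": [], "unmapped_only": [], "multi_role": {}}
    for email in members:
        # Only groups matching the "anthropic-" rule are shared with Anthropic;
        # of those, only this organization's prefix is relevant here.
        shared = [g for g in idp_groups.get(email, []) if g.startswith("anthropic-")]
        org = [g for g in shared if g.startswith(PREFIX)]
        roles = sorted({ROLE_BY_GROUP[g] for g in org if g in ROLE_BY_GROUP})
        if not org:
            rep["no_access"].append(email)        # would lose access
        elif not roles:
            rep["unmapped_only"].append(email)    # assumption: flag for review
        elif len(roles) > 1:
            rep["multi_role"][email] = roles      # precedence not stated; review
        else:
            rep["ok"][email] = roles[0]
    rep["role_changes"] = {e: (members[e], r) for e, r in rep["ok"].items()
                           if members[e] != r}
    rep["admin_lockout"] = "Admin" not in rep["ok"].values()
    return rep

if __name__ == "__main__":
    for key, value in preflight(CURRENT_MEMBERS, IDP_GROUPS).items():
        print(f"{key}: {value}")
```

Resolve every entry outside `ok`, and confirm `admin_lockout` is false, before switching the toggle on.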

Sharing groups via SCIM uses a different mechanism. In Okta, these are referred to as Push Groups.

  1. Visit the Push Groups page for the SSO Application

  2. Click the “+ Push Groups” button

  3. Create a rule to push all groups starting with the “anthropic-” prefix

Creating a rule-based push group:

Troubleshooting Common Scenarios

My Enterprise or Team organization has SSO already; how can we set this up on our Console organization?

You will need to add Claude Console access with different user groups:

  1. Verify your organizations are linked: Check if you can access platform.claude.com/settings/identity. If you can't see this page, follow these instructions to link your Claude Console organization to your existing parent organization.

  2. Ensure you're a Console Admin: You must be added as an Admin on the Console side to enable Advanced Group Mappings. Have an existing Console Admin add you, or contact your Account Manager if no Console admins exist.

  3. Enable Advanced Group Mappings: Once you're a Console admin, navigate to platform.claude.com/settings/identity and toggle on "Advanced Group Mappings."

  4. Copy the group names: Copy the Console-specific group names that appear after enabling Advanced Group Mappings.

  5. Configure your IdP: Add these new Console groups to your existing SSO application alongside your Enterprise or Team groups.

  6. Assign users: Add Console users to the appropriate Console groups in your IdP without requiring them to have Enterprise or Team group membership.

I linked my Enterprise/Team and Console organizations together; why is IdP-initiated login no longer working for my Claude Console account?

We don't currently support IdP-initiated login for Claude Console organizations that share SSO settings with another plan organization. It's expected that users will be redirected to claude.ai with IdP-initiated login if both organization types are linked to the same parent organization. As a workaround, create a bookmark called "Claude Console" in your IdP that links out to console.anthropic.com/login?sso=true. This way, users are redirected to Claude Console for SP-initiated login.
