Single sign-on (SSO) is available to Team and Enterprise plans, as well as Claude Console organizations. See Console-specific setup instructions here: Setting up Single Sign-On on the Claude Console.
Domain verification, Single Sign-On (SSO), and Just-in-Time Provisioning (JIT) enable Team and Enterprise plan organizations to enhance authentication security and streamline user access to Claude. This guide assumes that:
1. You are an Owner or Primary Owner of your organization's Team or Enterprise plan.
2. You control the DNS settings for your company's email address domain.
3. You control the SSO Identity Provider (IdP) your company uses to log in to third-party applications (e.g. Okta, Google Workspace, etc.).
If #2 and #3 are not true, please contact your organization's IT Administrator to continue.
Note: WorkOS is Anthropic's provider for domain verification and SSO setup. More details can be found in Anthropic's Subprocessor List.
Understanding parent organizations
Our Single Sign-On feature introduces the concept of a “parent organization.” This is an entity that stores SSO settings for an organization. For multiple organizations to share the same SSO configuration, each organization needs to be linked to the same parent organization. Note the following information about parent organizations depending on your plan:
Enterprise plan organizations are created with a parent organization by default.
For Team plan organizations, the parent organization will be created when SSO is enabled for the first time.
Claude Console organizations do not automatically have this feature when they’re set up.
Key points about parent organizations
Domain verification is stored at the parent organization level - once one parent organization verifies a domain, other organizations cannot verify or claim that domain. An Owner of the parent organization will need to merge the new organization in order to share SSO configurations across that domain.
Multiple organizations (including Team plans and Claude Console organizations) can be linked under the same parent organization to share the same SSO configuration.
Advanced group mappings allow you to control user access to specific organizations under your parent organization.
How to merge an organization into an existing parent organization
Team or Enterprise organizations can initiate a proposal for new organizations to join their existing parent organization in order to share their SSO configuration.
Requirements:
The Team or Enterprise organization initiating the proposal must have verified domains in their parent organization.
All members in the new organization must have email addresses matching those verified domains.
An Admin / Owner for each of the new organizations needs to approve the merge.
The Owner needs to complete these steps:
Navigate to Admin settings > Identity and access
Click "Invite" under Merge Organizations.
Select the correct organization in the modal that appears and click "Next."
You'll see a pop-up with the number of members in the organization you're merging; click "Invite."
The merge proposal will be sent to Console Admins or organization Owners and must be approved within 14 days.
If the Owner following these steps is also an Admin/Owner on the invited organization, only one approval is required.
If merging a Console organization, once the merge is complete, the organization will gain access to platform.claude.com/settings/identity to configure SSO login options, and can enable features like “Advanced Group Mappings.”
If your organization does not have a Team or Enterprise plan, and you’re hoping to create a new parent organization specifically for your organization’s Console account to configure SSO settings:
Note that Claude Console accounts are not created with parent organizations by default.
To request that a parent organization is created for your organization’s Console account, please fill out our Contact Sales form.
Once the parent organization is created, the Identity settings page will appear in your Console account and you can continue with the SSO setup process.
Note that you can link all of your Claude Console (platform.claude.com) organizations to the same parent organization. See our Console-specific instructions to configure SSO.
Verifying your domain(s)
Domain verification proves that you own your company's domain. Once you have confirmed that you own your domain, you can start configuring SSO for accounts with your company's domain.
Note: Verifying your domain does not, by itself, affect existing employees' ability to access our products. Access is affected only once SSO is set up and explicitly enforced.
Follow these instructions to verify your domain:
Navigate to claude.ai/admin-settings/identity.
Click the "Add domain" button.
Follow the instructions to add your TXT record.
Note: If you're using a subdomain (e.g. subdomain.yourcompany.com), you should set your new TXT record on that subdomain (e.g. _acme-challenge.subdomain.yourcompany.com).
Wait up to 10 minutes for your DNS change to propagate. When you see the green "Verified" badge, you can close the instructions page.
Back on claude.ai/admin-settings/identity, you should see your domain with status "Verified."
If you do not see it, try refreshing your page.
If your domain is listed as "Pending", try using the "Refresh" button.
Viewing your domain memberships
To view or download information about your verified domains and their usage across Claude organizations:
Navigate to claude.ai/admin-settings/identity.
Click "View Domain Memberships" in the Domain management section.
Review the information or download your domain membership details in CSV or JSON format.
Disabling creation of new organizations
Once your organization's domains are verified, Owners and above will see a "Disable new organization creation" toggle on the Identity and access admin settings page. Toggle this on to prevent users from creating new Claude or Console organizations -- including personal accounts -- using any of your verified domains.
Setting up SSO
Before setting up SSO, we recommend taking a look at Important Considerations Before Enabling SSO.
Once you connect your SSO provider to your Claude organization, users will be able to log in securely with your SSO provider.
Navigate to your Identity and access admin settings.
Click the “Setup SSO” button.
Follow the steps provided for your SSO provider.
Once you’ve completed the steps for your SSO provider, navigate back to Identity and access, where you should now see the option to enforce SSO for our Console and Claude product surfaces.
Important: SSO enforcement might result in users being unable to log in if they are not correctly assigned to the Anthropic app in the IdP. We recommend testing that SSO login works correctly prior to enabling SSO enforcement.
User provisioning and management
Once you have SSO configured, you will be able to configure the provisioning behavior in your organization. You will see the following options:
Manual
Just in time (JIT)
Enterprise organizations will also see the option to enable SCIM. Console organizations will also see this option if they have their own parent organization or share one with an Enterprise organization.
Note: SCIM is not available for Team plan organizations or Console organizations joined with a Team’s parent organization.
JIT and SCIM provisioning allow you to enable “Advanced group mappings.” This feature lets you control which roles users are provisioned with.
Please refer to the table below for an overview of how these options affect provisioning and user management:
| Provisioning mode | Provisioning | Role changes | Removal |
| --- | --- | --- | --- |
| Manual | Users are manually added in claude.ai/admin-settings/organization. | User roles are manually changed in claude.ai/admin-settings/organization. | Users are manually removed in claude.ai/admin-settings/organization. |
| JIT | Users assigned to your Anthropic IdP app will get provisioned at login time. They will receive the user role. | User roles are manually changed in claude.ai/admin-settings/organization. | Users that are removed from your Anthropic IdP app will no longer be able to log in. However, they will still appear in the Claude user list until they attempt to log in or are removed manually in claude.ai/admin-settings/organization. |
| JIT + advanced group mappings | Users assigned to your Anthropic IdP app that are members of at least one of the pre-defined groups used for advanced group mappings will get provisioned at login time. They will receive the highest-permissioned role of the mapped groups that they are a member of. | User roles are managed in your IdP via the group memberships of the pre-defined groups used for advanced group mapping. Users will retrieve updated roles on their next login. | Users that are removed from your IdP app (or no longer have access to at least one of the pre-defined groups used for advanced group mappings) will no longer be able to log in. However, they will still appear in the Claude user list until they attempt to log in or are removed manually in claude.ai/admin-settings/organization. |
| SCIM | Users that are assigned to your Anthropic IdP app will automatically get provisioned when they’re assigned in the IdP. | User roles are manually changed in claude.ai/admin-settings/organization. | Users that are removed from your Anthropic IdP app will automatically get removed from your Claude organization. |
| SCIM + advanced group mappings | Users assigned to your Anthropic IdP app that are members of at least one of the pre-defined groups used for advanced group mappings will get provisioned automatically. They will receive the highest-permissioned role of the mapped groups that they are a member of. | User roles are managed in your IdP via the group memberships defined in advanced group mappings. Role changes are automatically propagated. | Users that are removed from your IdP app (or no longer have access to at least one of the pre-defined groups used for advanced group mappings) will be automatically removed from your Claude organization. |
Note: Microsoft Entra only pushes SCIM changes every 40 minutes, so there might be a delay before changes appear in Claude.ai.
Advanced group mappings
Important: To enable Advanced Group Mappings, you must be an Owner or Primary Owner of your Team or Enterprise plan organization. If you can’t access the Identity and access admin settings page, contact an Owner or Primary Owner to add you as a member or change your role.
Assigning user roles with advanced group mappings
As mentioned above, advanced group mappings can be used to provide not just access to your Claude organization but also role assignment. To achieve this, we provide you with pre-defined group names and the role that they map to in our product. Users assigned to these groups in your IdP will receive the matching role in our product.
In the example above, users that are assigned to the “anthropic-claudeai-468ca80f-owner” group in the IdP would get the owner role, while users assigned to the “anthropic-claudeai-468ca80f-user” group would get the user role. This will allow users assigned to that group in the IdP to be provisioned with the correct role.
In addition to the default groups shown above, it's possible to define custom groups within your IdP. Create a custom group and ensure it appears in your Claude SSO settings by prepending your custom group name with the anthropic-claudeai-<orgID> prefix (copy the first eight digits of your org ID from Admin settings > Organization). You can name the group whatever you want, as long as it starts with that prefix.
While users assigned to the default groups will be automatically provisioned with those roles, any custom groups will need to be associated with a role in your SSO settings for role assignment to occur. Click "Add" next to the selected role, then choose the custom group from the drop-down:
The custom group will then appear under Group Names next to its assigned role. If a user is not assigned to any group in your organization’s IdP, they will not receive access to the Claude organization.
Note: The group names displayed in this article are just examples; your organization will have different names.
Seen state
The “seen” column tells you if our systems have seen the pre-defined groups from your IdP. Enabling advanced group mappings before the groups have been detected is not recommended as it could result in you getting locked out from your Claude.ai organization.
If you are not seeing the groups marked as “seen”, please make sure that you are propagating the user groups appropriately:
If you’re using JIT, please make sure that you’re using a SAML group attribute statement that shares all groups with the “anthropic-” prefix. Log out and log back in to allow our systems to detect new groups.
If you’re using SCIM, groups are propagated via push groups. Please make sure you add a rule to propagate all push groups with the “anthropic-” prefix. Click the “Sync Now” button next to the Directory sync (SCIM) section to allow our system to detect new groups.
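To check for the lockout risk described above before enabling advanced group mappings, the following added example (not Anthropic's code) models the documented role resolution and audits an IdP group export: highest-permissioned mapped role wins, custom groups need an explicit role, and users with no mapped group get no access. Assumptions: only the owner and user roles named in this article are modeled, with owner ranked above user; the function names and the sample directory are hypothetical and constructed for illustration.

```python
# Added example: models the role resolution this article describes so an IdP
# group export can be audited before advanced group mappings are enabled.
ORG_PREFIX = "anthropic-claudeai-468ca80f"   # example prefix used in this article
ROLE_RANK = {"user": 1, "owner": 2}          # assumed ordering: owner outranks user

def build_mapping(custom=None):
    """Default groups map by suffix; custom groups need an explicit role."""
    mapping = {f"{ORG_PREFIX}-{role}": role for role in ROLE_RANK}
    for group, role in (custom or {}).items():
        if not group.startswith(ORG_PREFIX):
            raise ValueError(f"{group!r} lacks the {ORG_PREFIX} prefix")
        if role not in ROLE_RANK:
            raise ValueError(f"unknown role {role!r}")
        mapping[group] = role
    return mapping

def resolve_role(groups, mapping):
    """Highest-permissioned role among mapped groups, or None (no access)."""
    roles = [mapping[g] for g in groups if g in mapping]
    return max(roles, key=ROLE_RANK.get) if roles else None

def audit(directory, mapping):
    """Return (role per user, users left without access, unmapped prefixed groups)."""
    roles = {user: resolve_role(groups, mapping) for user, groups in directory.items()}
    locked_out = sorted(user for user, role in roles.items() if role is None)
    unmapped = sorted({g for groups in directory.values() for g in groups
                       if g.startswith("anthropic-") and g not in mapping})
    return roles, locked_out, unmapped

# Constructed sample: user -> groups released by the IdP (hypothetical people).
SAMPLE_DIRECTORY = {
    "alice@example.com": [f"{ORG_PREFIX}-owner", f"{ORG_PREFIX}-user"],
    "bob@example.com": [f"{ORG_PREFIX}-research"],
    "carol@example.com": ["engineering"],
    "dave@example.com": [f"{ORG_PREFIX}-contractors"],
}

if __name__ == "__main__":
    mapping = build_mapping({f"{ORG_PREFIX}-research": "user"})
    roles, locked_out, unmapped = audit(SAMPLE_DIRECTORY, mapping)
    for user, role in roles.items():
        print(f"{user}: {role or 'NO ACCESS'}")
    print("would lose access:", locked_out)
    print("custom groups with no role mapping:", unmapped)
    if "owner" not in roles.values():
        print("WARNING: no user resolves to owner; enabling would lock out admins")
```

Replace the sample directory with an export of your own IdP group memberships and the custom mapping with the one configured in your SSO settings.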
Troubleshooting Common Scenarios
I linked my Team/Enterprise and Console organizations together; why is IdP-initiated login no longer working for my Claude Console account?
We don't currently support IdP-initiated login for Claude Console organizations that share SSO settings with another Team or Enterprise plan organization. It's expected that users will be redirected to claude.ai with IdP-initiated login if both organization types are linked to the same parent organization. As a workaround, create a bookmark called "Claude Console" in your IdP that links out to console.anthropic.com/login?sso=true. This way, users are redirected to Claude Console for SP-initiated login.
How can I create separate user groups for my Team/Enterprise and Claude Console organizations?
To individually provision user access to your Team/Enterprise and Console organizations:
Enable Advanced Group Mappings in both your Claude Identity and access admin settings and Console Identity settings.
Configure separate groups in your IdP. For example:
Enterprise groups: anthropic-claudeai-[org-id]-owner, anthropic-claudeai-[org-id]-user
Console groups: anthropic-console-[org-id]-admin, anthropic-console-[org-id]-member
Assign users appropriately in your IdP based on which organization they need access to.


