Domain verification, Single Sign-On (SSO), and Just-in-Time Provisioning (JIT) enable Claude for Work Enterprise organizations to enhance authentication security and streamline user access to Claude. This guide assumes that:
1. You are the Primary Owner or Owner of your organization's Enterprise plan.
2. You control the DNS settings for your company's email address domain.
3. You control the SSO Identity Provider (IdP) your company uses to log in to third-party applications (e.g. Okta, Google Workspace, etc.).
If #2 and #3 are not true, please contact your organization's IT Administrator to continue.
Note: WorkOS is Anthropic's provider for domain verification and SSO setup. More details can be found in Anthropic's Subprocessor List.
Understanding parent organizations
Our Single Sign-On feature introduces the concept of a “parent organization.” This is an entity that stores SSO settings for an organization. For multiple organizations to share the same SSO configuration, each organization needs to be linked to the same parent organization.
Enterprise Claude for Work organizations are created with a parent organization by default. Note that Claude Console organizations do not automatically have this feature when they’re set up.
Key points about parent organizations
Domain verification is stored at the parent organization level - once one parent organization verifies a domain, other organizations cannot verify or claim that domain.
When your Enterprise organization was created, a parent organization was also created that the Enterprise org points to.
Multiple organizations (including Claude Console organizations) can be linked under the same parent organization to share the same SSO configuration.
Advanced group mappings allow you to control user access to specific organizations under your parent organization.
How to merge a Console organization to an Enterprise parent organization
If you want to tie your Enterprise plan organization’s SSO settings/parent organization to a Claude Console account, an Enterprise Owner can merge them together.
Requirements:
The Enterprise organization must have verified domains in their parent organization.
All Console organization members must have email addresses matching those verified domains.
An Admin / Owner for each of the organizations needs to approve the merge.
An Enterprise Owner needs to complete these steps:
Navigate to Admin settings > Identity and access
Click "Invite" under Merge API Organizations.
Select the correct organization in the modal that appears and click "Next."
You'll see a pop-up with the number of members in the organization you're merging; click "Invite."
The merge proposal will be sent to Console Admins and must be approved within 14 days.
If the Enterprise Owner following these steps is also a Console Admin on the invited organization, only one approval is required.
Once the merge is complete, the incoming Console organization will gain access to platform.claude.com/settings/identity to configure SSO login options, and can enable features like “Advanced Group Mappings.”
If your organization does not have an Enterprise Claude for Work account, and you’re hoping to create a new parent organization specifically for your organization’s API Console account to configure SSO settings:
Note that Claude Console accounts are not created with parent organizations by default.
To request that a parent organization is created for your organization’s Console account, please fill out our Contact Sales form.
Once the parent organization is created, the Identity settings page will appear in your Console account and you can continue with the SSO setup process.
Note that you can link all of your Claude Console (platform.claude.com) organizations to the same parent organization. See our Console-specific instructions to configure SSO.
Verifying your domain(s)
Domain verification proves that you own your company's domain. Once you have confirmed that you own your domain, you can start configuring SSO for accounts with your company's domain.
Note: Verifying your domain by itself will not impact the ability for existing employees to access our products. This will only happen once SSO is set up and explicitly enforced.
Follow these instructions to verify your domain:
Navigate to claude.ai/admin-settings/identity.
Click the "Add domain" button.
Follow the instructions to add your TXT record.
Note: If you're using a subdomain (e.g. subdomain.yourcompany.com), you should set your new TXT record on that subdomain (e.g. _acme-challenge.subdomain.yourcompany.com).
Wait up to 10 minutes for your DNS change to propagate. When you see the green "Verified" badge, you can close the instructions page.
Back on claude.ai/admin-settings/identity, you should see your domain with status "Verified."
If you do not see it, try refreshing your page.
If your domain is listed as "Pending", try using the "Refresh" button.
Viewing your domain memberships
To view or download information about your verified domains and their usage across Claude organizations:
Navigate to claude.ai/admin-settings/identity.
Click "View Domain Memberships" in the Domain management section.
Review the information or download your domain membership details in CSV or JSON format.
Disabling creation of new organizations
Once your organization's domains are verified, Owners and above will see a "Disable new organization creation" toggle on the Identity and access admin settings page. Toggle this on to prevent users from creating new Claude or Console organizations -- including personal accounts -- using any of your verified domains.
Setting up SSO
Before setting up SSO, we recommend taking a look at Important Considerations Before Enabling SSO.
Once you connect your SSO provider to your Claude organization, users will be able to log in securely with your SSO provider.
Navigate to your Identity and access admin settings.
Click the “Setup SSO” button.
Follow the steps provided for your SSO provider.
Once you’ve completed the steps for your SSO provider, navigate back to Identity and access, where you should now see the option to enforce SSO for our Console and Claude product surfaces.
Important: SSO enforcement might result in users being unable to log in if they are not correctly assigned to the Anthropic app in the IdP. We recommend testing that SSO login works correctly prior to enabling SSO enforcement.
User provisioning and management
Once you have SSO and optionally SCIM configured, you will be able to configure the provisioning behavior in your organization. You will see the following options:
Manual
Just in time (JIT)
SCIM
Additionally, JIT and SCIM provisioning allow you to enable “Advanced group mappings.” This feature allows you to not only configure provisioning, but also determine which roles users are provisioned with.
Please refer to the table below for an overview of how these options affect provisioning and user management:
Provisioning mode | Provisioning | Role changes | Removal |
Manual | Users are manually added in claude.ai/admin-settings/organization | User roles are manually changed in claude.ai/admin-settings/organization | Users are manually removed in claude.ai/admin-settings/organization |
JIT | Users assigned to your Anthropic IdP app will get provisioned at login time. They will receive the user role | User roles are manually changed in claude.ai/admin-settings/organization | Users that are removed from your Anthropic IdP app will no longer be able to log in. However, they will still appear in the Claude user list until they attempt to log in or are removed manually in claude.ai/admin-settings/organization |
JIT + advanced group mappings | Users assigned to your Anthropic IdP app that are members of at least one of the pre-defined groups used for advanced group mappings will get provisioned at login time. They will receive the highest permissioned role of the mapped groups that they are a member of | User roles are managed in your IdP via the group memberships of the pre-defined groups used for advanced group mapping. Users will retrieve updated roles on their next login. | Users that are removed from your IdP app (or no longer have access to at least one of the pre-defined groups used for advanced group mappings) will no longer be able to log in. However, they will still appear in the Claude user list until they attempt to log in or are removed manually in claude.ai/admin-settings/organization |
SCIM | Users that are assigned to your Anthropic IdP app will automatically get provisioned when they’re assigned in the IdP. | User roles are manually changed in claude.ai/admin-settings/organization | Users that are removed from your Anthropic IdP app will automatically get removed from your Claude organization. |
SCIM + advanced group mappings | Users assigned to your Anthropic IdP app that are members of at least one of the pre-defined groups used for advanced group mappings will get provisioned automatically. They will receive the highest permissioned role of the mapped groups that they are a member of | User roles are managed in your IdP via the group memberships defined in advanced group mappings. Role changes are automatically propagated. | Users that are removed from your IdP app (or no longer have access to at least one of the pre-defined groups used for advanced group mappings) will be automatically removed from your Claude organization. |
Note: Microsoft Entra only pushes SCIM changes every 40 minutes, so there might be a delay before changes appear in Claude.ai.
Advanced group mappings
Important: To enable Advanced Group Mappings, you must be an Owner or Primary Owner of your Enterprise plan organization. If you can’t access the Identity and access admin settings page, contact an Owner or Primary Owner to add you as a member or change your role.
As mentioned above, advanced group mappings can be used to provide not just access but also role assignment. To achieve this, we provide you pre-defined group names and the role that they map to in our product. Users assigned to these groups in your IdP will receive the matching role in our product.
In the example above, users that are assigned to the “anthropic-claudeai-9c9b0ada-owner” group in the IdP would get the owner role, while users assigned to the “anthropic-claudeai-9c9b0ada-user” group would get the user role. If a user is not assigned any of the pre-defined groups, they would not receive access to the claude.ai organization.
Note: The group names displayed here are just examples; your organization will have different names.
Seen state
The “seen” column tells you if our systems have seen the pre-defined groups from your IdP. Enabling advanced group mappings before the groups have been detected is not recommended as it could result in you getting locked out from your Claude.ai organization.
If you are not seeing the groups marked as “seen”, please make sure that you are propagating the user groups appropriately:
If you’re using JIT, please make sure that you’re using a SAML group attribute statement that shares all groups with the “anthropic-” prefix. Log out and log back in to allow our systems to detect new groups.
If you’re using SCIM, groups are propagated via push groups. Please make sure you add a rule to propagate all push groups with the “anthropic-” prefix. Click the “Sync Now” button next to the Directory sync (SCIM) section to allow our system to detect new groups.
Troubleshooting Common Scenarios
I linked my Enterprise and Console organizations together; why is IdP-initiated login no longer working for my Claude Console account?
We don't currently support IdP-initiated login for Claude Console organizations that share SSO settings with another Enterprise plan organization. It's expected that users will be redirected to claude.ai with IdP-initiated login if both organization types are linked to the same parent organization. As a workaround, create a bookmark called "Claude Console" in your IdP that links out to console.anthropic.com/login?sso=true. This way, users are redirected to Claude Console for SP-initiated login.
How can I create separate user groups for my Enterprise and Claude Console organizations?
To individually provision user access to your Enterprise and Console organizations:
Enable Advanced Group Mappings in both your Enterprise Identity and access admin settings page and Console Identity settings.
Configure separate groups in your IdP. For example:
Enterprise groups: anthropic-claudeai-[org-id]-owner, anthropic-claudeai-[org-id]-user
Console groups: anthropic-console-[org-id]-admin, anthropic-console-[org-id]-member
Assign users appropriately in your IdP based on which organization they need access to.
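A pre-flight check for the advanced group mappings described above, written as an added example (not Anthropic's code or tooling): given an export of users and their IdP groups, it resolves the highest mapped role per product and lists current members who would lose access once mappings are enabled. The role ordering (owner above user, admin above member), the org IDs, and the user data are assumptions constructed for illustration; the group-name pattern follows the examples on this page.

```python
import re

# Only roles named on this page are listed, lowest to highest.
# The ordering itself is an assumption for this sketch.
ROLE_RANK = {"claudeai": ["user", "owner"], "console": ["member", "admin"]}
GROUP_RE = re.compile(r"^anthropic-(claudeai|console)-(.+)-([a-z]+)$")


def effective_roles(groups, org_ids):
    """Return {product: highest mapped role}; a missing product means no access."""
    best = {}
    for name in groups:
        m = GROUP_RE.match(name)
        if not m:
            continue  # not a pre-defined mapping group
        product, org_id, role = m.groups()
        ranks = ROLE_RANK[product]
        if org_ids.get(product) != org_id or role not in ranks:
            continue  # another organization, or a role this sketch does not know
        if product not in best or ranks.index(role) > ranks.index(best[product]):
            best[product] = role
    return best


def preflight(idp_users, current_members, org_ids, product="claudeai"):
    """Report resolved roles, members who would be locked out, and whether
    at least one user still holds the top role for the product."""
    top = ROLE_RANK[product][-1]
    resolved = {u: effective_roles(g, org_ids).get(product) for u, g in idp_users.items()}
    locked_out = sorted(u for u in current_members if resolved.get(u) is None)
    has_top = any(r == top for r in resolved.values())
    return {"roles": resolved, "locked_out": locked_out, "has_top_role": has_top}


# Constructed sample data: org IDs and users are placeholders, not real values.
ORG_IDS = {"claudeai": "9c9b0ada", "console": "1a2b3c4d"}
IDP_USERS = {
    "alice@example.com": ["anthropic-claudeai-9c9b0ada-owner", "anthropic-claudeai-9c9b0ada-user"],
    "bob@example.com": ["anthropic-console-1a2b3c4d-member", "engineering"],
    "carol@example.com": ["anthropic-claudeai-9c9b0ada-user", "anthropic-console-1a2b3c4d-admin"],
    "dave@example.com": ["engineering"],
}
CURRENT_MEMBERS = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]

if __name__ == "__main__":
    print(preflight(IDP_USERS, CURRENT_MEMBERS, ORG_IDS))
```

If `has_top_role` is false or your own account appears in `locked_out`, fix the IdP group assignments before turning the mapping on.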


