This guide is intended to help new Claude Code users facilitate API Console account and single sign-on (SSO) configuration with the support of an IT administrator or other individual with access to your organization’s DNS settings and Identity Provider (IdP). After completing these steps, users will be automatically granted the Claude Code User role when they sign in to the Console using SSO.
Prerequisites
For the new Claude Code user:
An API Console organization. If you don’t have one yet, navigate to console.anthropic.com and enter your work email address to get started.
For the IT administrator:
Admin access to your Console account (see Step 1).
Control over your company's DNS settings.
Access to your company's SSO Identity Provider (e.g., Okta, Google Workspace).
Important: API Console organizations do not include SSO capabilities by default. If your organization does not also have a Claude for Work Enterprise plan, please contact our Sales team to enable SSO and grant access to the Console Identity settings page before proceeding.
Step 1: Grant IT Administrator Access
For the new Claude Code user: Before your IT administrator can configure SSO, you need to add them as a member to your Console account with Admin permissions. Follow these steps:
Log in to your Console account.
Navigate to Settings > Members.
Click the "+ Invite" button in the upper right corner to open an Invite Members modal.
Enter your IT administrator's email address and select "Admin" from the Role menu.
Click “Send Invites” to send an invitation email to your administrator.
The invite will show on the Members list as “Pending.”
Notify your IT administrator that you invited them.
Step 2: Accept the invitation and create an Admin Console account
For the IT administrator: Once the Console account creator sends you the invitation email, follow these steps:
Find the invite in your email inbox. You can search by the subject line (“Your invitation to Claude, from Anthropic”) or check your spam folder if you’re having trouble finding it.
Click this link in the email: “Click here to accept your invitation.”
You’ll land on the Console login page with your email address prepopulated – you can click “Continue with email” or “Continue with Google” to move forward.
The “Continue with email” option sends you another email, this time with a login link. The subject line is “Secure link to log in to Anthropic Console.” Click “Sign in to Anthropic Console.”
“Continue with Google” uses Google authentication, if applicable.
Once you've accepted the invitation and logged in, continue with Step 3.
Step 3: Create Your Parent Organization
For the new Claude Code user: If you’ve already worked with our Sales team to enable SSO for your Console account, you can skip this step. Not sure? If you’re logged in with your Admin account and unable to access this link, it means you do not have a parent organization and need to complete this step.
What is a parent organization?
A parent organization is an entity that stores SSO settings for your organization. Once a parent organization is created, multiple separate organizations (including both API Console and Enterprise organizations) are allowed to share the same SSO configuration.
API Console accounts don't have parent organizations by default, so you'll need to have one provisioned before moving forward with SSO configuration.
Fill out our Contact Sales form to request a parent organization for your API Console account.
Once created, an Identity settings page will be added to your Console organization.
Verify you can access this page before continuing to Step 4.
Step 4: Verify Your Domain
Domain verification proves you own your company's domain and enables SSO interception.
For the IT administrator: Follow the steps below to verify your organization’s domain.
Navigate to console.anthropic.com/settings/identity
Click "Add Domain."
Follow the instructions to add your TXT record.
Note: if you're using a subdomain (e.g. subdomain.yourcompany.com), you should set your new TXT record on that subdomain (e.g. _acme-challenge.subdomain.yourcompany.com).
Wait up to 10 minutes for your DNS change to propagate. When you see the green "Verified" badge, you can close the instructions page.
Back on the Identity settings page, you should see your domain added to the page. If you aren’t seeing it, try refreshing your page.
If your domain is listed as "Pending," click the button next to the word "Pending" to refresh your domain status, but note that it should take 24-48 hours for this to update.
Your domain should now be listed as "Verified."
Step 5: Configure SSO
For the IT administrator: Follow the steps below to configure single sign-on for your organization.
On the Identity settings page, click the "Add SSO" button.
Follow the steps provided for your SSO provider.
Once you've completed the steps for your SSO provider, navigate back to your Identity settings for further configuration options.
Note: Turning on SSO will end all current sessions of your users. They will need to log back in through SSO.
Identity provider-initiated login
While many applications support launching directly from your identity provider (e.g., clicking an app tile in Okta), Claude does not enable this flow due to security considerations. However, to provide a smoother experience for employees who are accustomed to launching apps from their identity provider:
When configuring the SSO application in your identity provider, set the login URL to https://claude.ai/login?sso=true instead of https://claude.ai/login.
When employees click the “Claude” tile in your identity provider, they will be directed to a clear login page that guides them to authenticate via SSO.
Step 6: Enable Advanced Group Mappings
For the IT administrator: Enabling Advanced Group Mappings is crucial for automatic Claude Code role assignment. When this feature is toggled on within an organization's settings page, we'll show special "anthropic-" prefixed group names that can be added in your IdP. When members are added to these groups, they will then automatically be provisioned API Console accounts with their assigned role.
While still on the Identity settings page, toggle on "Advanced Group Mappings."
Note the special group names that appear (prefixed with "anthropic-").
Look for the group that corresponds to the Claude Code User role.
Copy this exact group name - you'll need it in the next step.
Step 7: Configure Your Identity Provider
For the IT administrator: IdP configuration varies by provider; we’ve provided an example below using Okta.
Note: WorkOS is Anthropic's provider for domain verification and SSO setup. More details can be found in Anthropic's Subprocessor List. See this WorkOS documentation for other provider-specific instructions.
SAML with Just-in-Time (JIT) Provisioning
For JIT-based provisioning, Advanced Group Mappings will be shared at login time via your IdP’s SAML response. To have Okta share groups on login, you will need to edit the SAML section of your SSO Application. Follow these steps:
Under “Applications” select the SSO Application you configured for Anthropic.
Select “Edit” on your SAML settings.
Create a “Group Attribute Statement” to share all groups prefixed with “anthropic-” to Anthropic on login.
Ensure the Claude Code group you noted in Step 6 is included.
From then on, membership in any group whose name starts with “anthropic-” will be shared with Anthropic at login time.
Assign members to the relevant groups in Okta before turning on “Advanced Group Mappings” in order to prevent lockout.
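A pre-flight check for the group attribute statement described above, as an added example (not Anthropic's or Okta's code): it parses a SAML response captured from a test login and reports which group values the IdP is sharing. The attribute name `groups` and the `anthropic-EXAMPLE-...` group names are placeholders; use the attribute name you configured and the exact group name copied in Step 6.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PREFIX = "anthropic-"  # prefix named in the guide

def build_sample(groups, attribute_name="groups"):
    """Constructed SAML response fragment (unsigned, for illustration only)."""
    values = "".join(f"<saml:AttributeValue>{escape(g)}</saml:AttributeValue>" for g in groups)
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
        f'<saml:AttributeStatement><saml:Attribute Name="{attribute_name}">{values}'
        "</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"
    )

def shared_groups(saml_xml, attribute_name="groups"):
    """Return every group value the IdP put in the named attribute."""
    # A SAML response never needs a DTD; refuse one rather than let the parser expand entities.
    if "<!DOCTYPE" in saml_xml or "<!ENTITY" in saml_xml:
        raise ValueError("DTD or entity declaration found in SAML response")
    root = ET.fromstring(saml_xml)
    path = ".//saml:AttributeStatement/saml:Attribute"
    return [
        (value.text or "").strip()
        for attr in root.iterfind(path, NS)
        if attr.get("Name") == attribute_name
        for value in attr.iterfind("saml:AttributeValue", NS)
    ]

def check_group_mapping(saml_xml, expected_group, attribute_name="groups"):
    """Diagnostic only: this does not validate the response signature."""
    groups = shared_groups(saml_xml, attribute_name)
    return {
        "mapped": sorted(g for g in groups if g.startswith(PREFIX)),
        "outside_prefix": sorted(g for g in groups if not g.startswith(PREFIX)),
        "expected_present": expected_group in groups,
    }

if __name__ == "__main__":
    expected = "anthropic-EXAMPLE-claude-code-user"  # placeholder: copy the real name from Step 6
    ok = build_sample([expected, "anthropic-EXAMPLE-developer"])
    broad = build_sample(["Everyone", "anthropic-EXAMPLE-developer"])  # filter too broad, user not in group
    print(check_group_mapping(ok, expected))
    print(check_group_mapping(broad, expected))
```

A non-empty `outside_prefix` means the group filter is broader than the “anthropic-” prefix and is sharing unrelated group memberships. `expected_present` being `False` for a test user means the Claude Code group is not reaching Anthropic for that user.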
Screenshot: where to edit SAML settings.
Screenshot: the second page of the SAML integration page.
Screenshot: sharing groups by prefix.
SCIM
Sharing groups via SCIM uses a different mechanism. In Okta, these are referred to as Push Groups. Follow these steps to set this up:
Visit the Push Groups page for the SSO Application.
Click the “+ Push Groups” button.
Create a rule to push all groups starting with the “anthropic-” prefix.
Ensure the Claude Code group you noted in Step 6 is included.
Add users who should have Claude Code access to this group.
Screenshot: creating a rule-based push group.
Step 8: Provision Claude Code users
For the IT administrator: Add any users you want to provision with Claude Code roles to the correct group in your IdP.
JIT provisioning with Advanced Group Mappings
For new Claude Code users:
Navigate to console.anthropic.com
Enter your work email address and click “Continue with email.”
Check your inbox to find an email with the subject line “Secure link to log in to Anthropic Console.”
Click “Sign in to Anthropic Console.”
You will be provisioned with the Claude Code role in your Console organization and can start using Claude Code and the Workbench.
SCIM provisioning with Advanced Group Mappings
For the IT administrator: The next time the directory sync runs, users in this group will be provisioned with the Claude Code role in your Console organization. Alternatively, find Directory sync (SCIM) and click “Sync Now” to run this manually.
For new Claude Code users:
After accounts are provisioned via SCIM, users can navigate to console.anthropic.com to log in.
Next Steps
Once setup is complete:
Document the process for your team.
Test with a small group before rolling out organization-wide.
Consider setting up additional role-based groups as needed.
Review API Console Roles and Permissions for other available roles.