Domain verification, Single Sign-On (SSO), and Just-in-Time Provisioning (JIT) enable Claude for Work Enterprise organizations to enhance authentication security and streamline user access to claude.ai. This guide assumes that:
1. You are the Primary Owner or Owner of your Claude Enterprise Plan
2. You control the DNS settings for your company’s email address domain
3. You control the SSO Identity Provider your company uses to log in to third-party applications (e.g. Okta, Google Workspace, etc.)
If #2 and #3 are not true, please contact your organization’s IT Administrator to continue.
Please note: WorkOS is Anthropic’s provider for domain verification and SSO setup. More details can be found in Anthropic’s Subprocessor List at https://www.anthropic.com/subprocessors.
Verifying your Domain(s)
Domain verification proves that you own your company’s domain. Once you have confirmed that you own your domain, you can start configuring SSO for accounts with your company’s domain.
Please note: Verifying your domain by itself will not affect existing employees’ ability to access our products. This will only happen once SSO is set up and explicitly enforced.
To verify your domain:
1. Navigate to claude.ai/settings/identity
2. Click “Add Domain”
3. Follow the instructions to add your TXT record
   Note: if you’re using a subdomain (e.g. subdomain.yourcompany.com), you should set your new TXT record on that subdomain (e.g. _acme-challenge.subdomain.yourcompany.com)
4. Wait up to 10 minutes for your DNS change to propagate. When you see the green “Verified” badge, you can close the instructions page
5. Back on claude.ai/settings/identity, you should see your domain with status “Verified”
   If you do not see it, try refreshing your page
   If your domain is listed as “Pending”, try using the “Refresh” button
Domain Memberships
To view or download information about your verified domains and their usage across Anthropic organizations:
1. Navigate to claude.ai/settings/identity
2. Click "View Domain Memberships" in the "Domain management" section
3. Review the information or download your domain membership details in CSV or JSON format
Setting up SSO
Before setting up SSO, we recommend taking a look at Important Considerations Before Enabling SSO.
Once you connect your SSO provider to your Claude organization, users will be able to log in securely with your SSO provider.
1. Navigate to claude.ai/settings/identity
2. Click the “Setup SSO” button
3. Follow the steps provided for your SSO provider
Once you’ve completed the steps for your SSO provider, navigate back to claude.ai/settings/identity, where you should now see the option to enforce SSO for our console and claude.ai product surfaces.
Please note: SSO enforcement might result in users being unable to log in if they are not correctly assigned to the Anthropic app in the IdP. We recommend testing that SSO login works correctly prior to enabling SSO enforcement.
User provisioning & management
Once you have SSO and optionally SCIM configured, you will be able to configure the provisioning behavior in your organization. You will see the following options:
Manual
Just in time (JIT)
SCIM
Additionally, JIT and SCIM provisioning allow you to enable “Advanced group mappings”. This feature lets you configure not only provisioning but also which roles users are provisioned with.
Please refer to the table below for an overview of how these options affect provisioning and user management:
Provisioning mode | Provisioning | Role changes | Removal |
Manual | Users are manually added in claude.ai/settings/team | User roles are manually changed in claude.ai/settings/team | Users are manually removed in claude.ai/settings/team |
JIT | Users assigned to your Anthropic IdP app will get provisioned at login time. They will receive the user role | User roles are manually changed in claude.ai/settings/team | Users that are removed from your Anthropic IdP app will no longer be able to log in. However, they will still appear in the claude.ai user list until they attempt to log in or are removed manually in claude.ai/settings/team |
JIT + advanced group mappings | Users assigned to your Anthropic IdP app that are members of at least one of the pre-defined groups used for advanced group mappings will get provisioned at login time. They will receive the highest permissioned role of the mapped groups that they are a member of | User roles are managed in your IdP via the group memberships of the pre-defined groups used for advanced group mapping. Users will retrieve updated roles on their next login. | Users that are removed from your IdP app (or no longer have access to at least one of the pre-defined groups used for advanced group mappings) will no longer be able to log in. However, they will still appear in the claude.ai user list until they attempt to log in or are removed manually in claude.ai/settings/team |
SCIM | Users that are assigned to your Anthropic IdP app will automatically get provisioned when they’re assigned in the IdP. | User roles are manually changed in claude.ai/settings/team | Users that are removed from your Anthropic IdP app will automatically get removed from claude.ai. |
SCIM + advanced group mappings | Users assigned to your Anthropic IdP app that are members of at least one of the pre-defined groups used for advanced group mappings will get provisioned automatically. They will receive the highest permissioned role of the mapped groups that they are a member of | User roles are managed in your IdP via the group memberships defined in advanced group mappings. Role changes are automatically propagated. | Users that are removed from your IdP app (or no longer have access to at least one of the pre-defined groups used for advanced group mappings) will be automatically removed from your claude.ai organization. |
Please note: Microsoft Entra only pushes SCIM changes every 40 minutes, so there might be a delay before changes appear in claude.ai.
Advanced group mappings
As mentioned above, “Advanced group mappings” can be used to provide not just access but also role assignment. To achieve this, we provide you with pre-defined group names and the role that each maps to in our product. Users assigned to these groups in your IdP will receive the matching role in our product.
In the example above, users that are assigned to the “anthropic-claudeai-9c9b0ada-owner” group in the IdP would get the owner role, while users assigned to the “anthropic-claudeai-9c9b0ada-user” group would get the user role. If a user is not assigned any of the pre-defined groups, they would not receive access to the claude.ai organization.
Please note: the group names displayed here are just an example and your organization will have different names.
Seen state
The “seen” column tells you if our systems have seen the pre-defined groups from your IdP. Enabling advanced group mappings before the groups have been detected is not recommended as it could result in you getting locked out from your claude.ai organization.
If you are not seeing the groups marked as “seen”, please make sure that you are propagating the user groups appropriately:
If you’re using JIT, please make sure that you’re using a SAML group attribute statement that shares all groups with the “anthropic-” prefix. Log out and log back in to allow our systems to detect new groups.
If you’re using SCIM, groups are propagated via push groups. Please make sure you add a rule to propagate all push groups with the “anthropic-” prefix. Click the “sync now” button next to the “Directory sync (SCIM)” section to allow our system to detect new groups.
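A pre-flight check for the lockout risk described under “Seen state”, combined with the “highest permissioned role” rule from the provisioning table. This is an added example, not Anthropic’s code: the group names are the example names shown above, while the role ranking, the input shapes (current roles, IdP group memberships, and the list of groups marked “seen”) and the sample users are assumptions constructed for illustration.

```python
# Added example: dry-run of "Advanced group mappings" before enabling it.
PREFIX = "anthropic-"
GROUP_TO_ROLE = {  # example group names from the page; yours will differ
    "anthropic-claudeai-9c9b0ada-owner": "owner",
    "anthropic-claudeai-9c9b0ada-user": "user",
}
ROLE_RANK = {"user": 1, "owner": 2}  # assumption: owner outranks user


def resolve_role(idp_groups):
    """Return the highest-ranked mapped role, or None (no access)."""
    roles = [GROUP_TO_ROLE[g] for g in idp_groups if g in GROUP_TO_ROLE]
    return max(roles, key=ROLE_RANK.__getitem__, default=None)


def preflight(current_roles, idp_groups_by_user, seen_groups):
    """Compare today's roles with what the mappings would assign."""
    report = {"unseen_groups": sorted(set(GROUP_TO_ROLE) - set(seen_groups)),
              "lose_access": [], "role_change": []}
    stray, owners_after = set(), 0
    for user, role_now in sorted(current_roles.items()):
        groups = idp_groups_by_user.get(user, [])
        # Prefixed groups missing from the mapping may be misnamed groups.
        stray.update(g for g in groups
                     if g.startswith(PREFIX) and g not in GROUP_TO_ROLE)
        role_after = resolve_role(groups)
        if role_after is None:
            report["lose_access"].append(user)
        elif role_after != role_now:
            report["role_change"].append((user, role_now, role_after))
        owners_after += role_after == "owner"
    report["unmapped_prefixed"] = sorted(stray)
    # Enable only if every mapped group was seen and an owner remains.
    report["safe_to_enable"] = not report["unseen_groups"] and owners_after > 0
    return report


# Constructed sample data (not a real export).
CURRENT = {"ana@example.com": "owner", "ben@example.com": "user",
           "cy@example.com": "user"}
IDP = {"ana@example.com": ["anthropic-claudeai-9c9b0ada-owner",
                           "anthropic-claudeai-9c9b0ada-user", "eng"],
       "ben@example.com": ["anthropic-claudeai-9c9b0ada-usr"],  # misnamed
       "cy@example.com": ["anthropic-claudeai-9c9b0ada-owner"]}
SEEN = ["anthropic-claudeai-9c9b0ada-owner", "anthropic-claudeai-9c9b0ada-user"]

if __name__ == "__main__":
    print(preflight(CURRENT, IDP, SEEN))
```

Review `role_change` as carefully as `lose_access`: an entry such as a user becoming owner is a privilege change that would take effect as soon as the mapping is enabled.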
Parent Organizations
SSO settings are stored at a “Parent Organization” level. This is an entity that can tie together multiple individual organizations to give them shared SSO settings. Domain verification, for example, is stored at the “Parent Organization” level: once one Parent Organization verifies a domain, no other organization may also join the domain.
When your Enterprise Organization was created, a Parent Organization was also created that the Enterprise Organization points to. To have other organizations join this Parent Organization, you can reach out to your Account Manager or contact Sales to help create a merge proposal. This proposal is emailed to administrators for the existing parent organization, as well as the incoming organization. When approved by an administrator on both sides, the merge will complete, and the incoming organization will now also exist under the same parent organization. At this point, the incoming organization can also configure SSO login options within its settings page, and can have features like “Advanced Group Mappings”.
In particular, note that you can add all of your API (console.anthropic.com) organizations to the same Parent Organization.
To better understand all organizations under your domains, open the “View Domain Memberships” panel under claude.ai/settings/identity after you have completed domain verification. This will show detailed information for all accounts and organizations under your verified domains.