Setting up Single Sign-On on the Enterprise plan
Updated over 2 weeks ago

Domain Capture, Single Sign-On (SSO), and Just-in-Time Provisioning (JIT) enable Claude for Work Enterprise organizations to enhance authentication security and streamline user access to claude.ai. This guide assumes that:

  1. You are the Primary Owner or Owner of your Claude Enterprise Plan

  2. You control the DNS settings for your company’s email address domain

  3. You control the SSO Identity Provider your company uses to log in to third-party applications (e.g. Okta, Google Workspace, etc.)

If #2 and #3 are not true, please contact your organization’s IT Administrator to continue.

Please note: WorkOS is Anthropic’s provider for domain verification and SSO setup. More details can be found in Anthropic’s Subprocessor List at https://www.anthropic.com/subprocessors.

Capturing your Domain

“Domain Capture” proves that you own your company’s domain. Once you have confirmed that you own your domain, Anthropic can intercept login attempts for emails on your domain and require your employees to sign in via SSO.

  1. Click “Add Domain”

  2. Follow the instructions to add your TXT record

    • Note: if you’re using a subdomain (e.g. subdomain.yourcompany.com), you should set your new TXT record on that subdomain (e.g. _acme-challenge.subdomain.yourcompany.com)

  3. Wait up to 10 minutes for your DNS change to propagate. When you see the green “Verified” badge, you can close the instructions page

  4. Back on claude.ai/settings/identity, you should see your domain added to the page. If you do not see it, try refreshing your page

  5. If your domain is listed as “Pending”, click the button next to the word “Pending” to refresh your domain status

  6. Your domain should now be listed as “Verified”

Adding SSO

Once you connect your SSO provider to your Claude organization, users will be able to log in securely with your SSO provider.

  • Click the “Add SSO” button

  • Follow the steps provided for your SSO provider

  • Once you’ve completed the steps for your SSO provider, navigate back to claude.ai/settings/identity, where you will see a checkmark next to “Single Sign-On”

  • Note: Turning on SSO will end all current sessions of your users. They will need to log back in through SSO

Identity Provider-Initiated Login: While many applications support launching directly from your identity provider (e.g., clicking an app tile in Okta), Claude does not enable this flow due to security considerations. However, to provide a smoother experience for employees who are accustomed to launching apps from their identity provider:

  1. When configuring the SSO application in your identity provider, set the login URL to https://claude.ai/login?sso=true instead of https://claude.ai/login

  2. When employees click the Claude tile in your identity provider, they will be directed to a clear login page that guides them to authenticate via SSO

Testing SSO log-in

Before inviting your teammates, verify that everything works correctly. If you run into any issues, please contact Support.

  1. Log out of your account by navigating to claude.ai/logout

  2. Try logging in again with your email address. You should be directed to your SSO provider. If you’re already logged in via your SSO provider, you may be immediately redirected and logged in to Claude.ai.

  3. If you use Google Workspace on your domain, try logging in with Google. This should fail and users should be required to log in via SSO.

Adding & Removing Users

Managing team members in your organization depends on whether you're using Single Sign-On (SSO) or not. Once SSO is enabled, your Identity Provider (IdP) becomes the primary controller for adding members, while removal involves steps in both your IdP and Claude.ai.

Before SSO is Enabled

Adding members

  1. Click the Add Member button to add new team members

Removing members

  1. Find the user you want to remove

  2. Click the "..." menu on the row with their name

  3. Select "Remove from team"

More information on member management without SSO can be found here.

After SSO is Enabled

Adding members

  1. Ensure that the member is part of your SSO organization and has access to the Claude application.

  2. When the user logs in for the first time, an account will be created for them (JIT provisioning) and that account will be a member of your organization.

Removing members

  1. First, revoke the user's access to Claude in your SSO provider

  2. Find the user you want to remove

  3. Click the "..." menu next to their name

  4. Select "Remove from team"

Important note: The user will remain logged into Claude.ai until you complete the final step ("Remove from team" on claude.ai).

SCIM

Using SCIM, you can have group members added or deleted based on automatic updates from your IdP. This is the ideal setup for full control of group memberships.

Adding Members

  1. Add users to the SSO application in your IdP

Removing Members

  1. Remove users from the SSO application in your IdP

If you have multiple organizations under a single Parent Organization, then it’s strongly advised that you enable Advanced Group Mappings for each organization. This will allow you to use IdP groups to control exactly which organizations each account is given access to.

When “Advanced Group Mappings” is toggled within an organization’s settings page, we’ll show special “anthropic-” prefixed group names that can be added in your IdP. When members are added to these groups, they will then automatically be provisioned for access.

Advanced Group Mappings

As mentioned above, “Advanced Group Mappings” can be used to provide not just access but also role assignment. These groups will be sent to Anthropic from your identity provider, and some of the configuration options are IdP specific. As an example, we’ll outline how to set this up in Okta.

SAML

For JIT based provisioning, Advanced Group Mappings will be shared at login time via your IdP’s SAML response. To have Okta share groups on login, you will need to edit the SAML section of your SSO Application.

  1. Under “Applications” select the SSO Application you configured for Anthropic

  2. Select “Edit” on your SAML settings

  3. Create a “Group Attribute Statement” to share all groups prefixed with “anthropic-” to Anthropic on login.

  4. Hereafter, all members of group names that start with “anthropic-” will be shared with Anthropic at login time.

  5. Assign members to relevant groups in Okta before turning on Advanced Group Mapping in order to prevent lockout.

Where to edit SAML Settings

On the second page of the SAML integration page

Sharing groups by prefix
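A pre-flight check for the SAML steps above, added here as an illustration and not part of Anthropic's or Okta's tooling: it reads a decoded SAML assertion, lists the groups it shares, and flags a user who would arrive with no “anthropic-” group. The attribute name `groups`, the group name `anthropic-example-group` and the sample assertions are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_ATTRIBUTE = "groups"  # assumption: the name given to the Group Attribute Statement
PREFIX = "anthropic-"       # prefix named in the guide


def build_assertion(name_id, groups):
    """Build a constructed, unsigned assertion fragment for the demo."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f'<saml:AttributeStatement><saml:Attribute Name="{GROUP_ATTRIBUTE}">'
        f"{values}</saml:Attribute></saml:AttributeStatement></saml:Assertion>"
    )


# Constructed samples: group names and addresses are placeholders.
SAMPLE_MAPPED = build_assertion("alice@yourcompany.com", ["anthropic-example-group", "Everyone"])
SAMPLE_UNMAPPED = build_assertion("bob@yourcompany.com", ["Everyone"])


def review(assertion_xml):
    """Report which groups an assertion shares and whether any carry the prefix."""
    # ElementTree is fine for these constructed samples; use a hardened parser
    # (e.g. defusedxml) for assertions captured from a real login.
    root = ET.fromstring(assertion_xml)
    user = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    groups = [
        value.text or ""
        for attr in root.iterfind(".//saml:Attribute", NS)
        if attr.get("Name") == GROUP_ATTRIBUTE
        for value in attr.iterfind("saml:AttributeValue", NS)
    ]
    mapped = [g for g in groups if g.startswith(PREFIX)]
    return {
        "user": user,
        "mapped": mapped,
        # Groups outside the prefix mean the filter is broader than intended.
        "extra": [g for g in groups if not g.startswith(PREFIX)],
        # No prefixed group at login is the lockout case step 5 guards against.
        "lockout_risk": not mapped,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_MAPPED, SAMPLE_UNMAPPED):
        print(review(sample))
```

A non-empty `extra` list means the Group Attribute Statement filter is sharing more than the prefixed groups and should be tightened before rollout.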

SCIM

Groups are shared via SCIM through a different mechanism. In Okta, these are referred to as Push Groups.

  1. Visit the Push Groups page for the SSO Application

  2. Click the “+ Push Groups” button

  3. Create a rule to push all groups starting with the “anthropic-” prefix

Creating a rule based push group

Parent Organizations

SSO Settings are stored at a “Parent Organization” level. This is an entity that can tie together multiple individual organizations to give shared SSO settings. Domain verification for example is something stored at the “Parent Organization” level: once one Parent Organization verifies a domain, no other organization may also join the domain.

When your Enterprise Organization was created, a Parent Organization was also created that the Enterprise Organization points to. To have other organizations join this Parent Organization, you can reach out to your Account Manager or contact Sales to help create a merge proposal. This proposal is emailed to administrators for the existing parent organization, as well as the incoming organization. When approved by an administrator on both sides, the merge will complete, and the incoming organization will now also exist under the same parent organization. At this point, the incoming organization can also configure SSO login options within its settings page, and can have features like “Advanced Group Mappings”.

In particular, note that you can add all of your API (console.anthropic.com) organizations to the same Parent Organization.

To better understand all organizations under your domains, open the “View Domain Memberships” panel under claude.ai/settings/identity after you have completed domain verification. This will show detailed information for all accounts and organizations under your verified domains.
