Domain Capture, Single Sign-On (SSO), and Just-in-Time Provisioning (JIT) enables Claude for Work Enterprise organizations to enhance authentication security and streamline user access to claude.ai. This guide assumes that:
You are the Primary Owner or Owner of your Claude Enterprise Plan
You control the DNS settings for your company’s email address domain
You control the SSO Identity Provider your company uses to log in to third-party applications (e.g. Okta, Google Workspace, etc.)
If #2 and #3 are not true, please contact your organization’s IT Administrator to continue.
Please note: WorkOS is Anthropic’s provider for domain verification and SSO set up. More details can be found in Anthropic’s Subprocessor List at https://www.anthropic.com/subprocessors.
Capturing your Domain
“Domain Capture” proves that you own your company’s domain. Once you have confirmed that you own your domain, Anthropic can intercept login attempts for emails on your domain and require your employees to sign in via SSO.
Navigate to claude.ai/settings/identity
Click “Add Domain”
Follow the instructions to add your TXT record
Note: if you’re using a subdomain (e.g. subdomain.yourcompany.com), you should set your new TXT record on that subdomain (e.g. _acme-challenge.subdomain.yourcompany.com)
Wait up to 10 minutes for your DNS change to propagate. When you see the green “Verified” badge, you can close the instructions page
Back on claude.ai/settings/identity, you should see your domain added to the page. If you do not see it, try refreshing your page
If your domain is listed as “Pending”, click the button next to the word “Pending” to refresh your domain status
Your domain should now be listed as “Verified”
Adding SSO
Once you connect your SSO provider to your Claude organization, users will be able to log in securely with your SSO provider.
Navigate to claude.ai/settings/identity
Click the “Add SSO” button
Follow the steps provided for your SSO provider
Once you’ve completed the steps for your SSO provider, navigate back to claude.ai/settings/identity, where you will you will see a checkmark next to “Single Sign-On”
Note: Turning on SSO will end all current sessions of your users. They will need to log back in through SSO
Testing SSO log-in
Before inviting your teammates, verify that everything works correctly. If you run into any issues, please contact Support.
Log out of your account by navigating to claude.ai/logout
Try logging in again with your email address. You should be directed to your SSO provider. If you’re already logged in via your SSO provider, you may be immediately redirected and logged in to Claude.ai.
If you use Google Workspace on your domain, try logging in with Google. This should fail and users should be required to log in via SSO.
Adding & Removing Users
Managing team members in your organization depends on whether you're using Single Sign-On (SSO) or not. Once SSO is enabled, your Identity Provider (IdP) becomes the primary controller for adding members, while removal involves steps in both your IdP and Claude.ai.
Before SSO is Enabled
Adding members
Navigate to claude.ai/settings/team
Click the Add Member button to add new team members
Removing members
Go to claude.ai/settings/team
Find the user you want to remove
Click the "..." menu on the row with their name
Select "Remove from team"
More information on member management without SSO can be found here.
After SSO is Enabled
Adding members
Ensure that the member is part of your SSO organization and has access to the Claude application.
When the user logs in for the first time, an account will be created for them (JIT provisioning) and that account will be a member of your organization.
Removing members
First, revoke the user's access to Claude in your SSO provider
Then, go to claude.ai/settings/team
Find the user you want to remove
Click the "..." menu next to their name
Select "Remove from team"
Important note: The user will remain logged into Claude.ai until you complete step 5 ("Remove from team" on claude.ai).