Domain verification, Single Sign-On (SSO), and Just-in-Time Provisioning (JIT) enable Claude for Work Enterprise organizations to enhance authentication security and streamline user access to Claude.ai. This guide assumes that:
1. You are the Primary Owner or Owner of your Claude Enterprise plan
2. You control the DNS settings for your company's email address domain
3. You control the SSO Identity Provider your company uses to log in to third-party applications (e.g. Okta, Google Workspace, etc.)
If #2 and #3 are not true, please contact your organization's IT Administrator to continue.
Note: WorkOS is Anthropic's provider for domain verification and SSO setup. More details can be found in Anthropic's Subprocessor List.
Understanding Parent Organizations
Our Single Sign-On feature introduces the concept of a “Parent Organization.” This is an entity that stores SSO settings for an organization. For multiple organizations to share the same SSO configuration, each organization needs to be linked to the same parent organization.
Enterprise Claude for Work organizations are created with a parent organization by default.
Note that API Console accounts do not automatically have this feature when they’re set up.
Key points about parent organizations:
Domain verification is stored at the parent organization level - once one parent organization verifies a domain, other organizations cannot verify or claim that domain.
When your Enterprise organization was created, a parent organization was also created that the Enterprise org points to.
Multiple organizations (including API Console organizations) can be linked under the same parent organization to share the same SSO configuration.
Advanced group mappings allow you to control user access to specific organizations under your parent organization.
In particular, note that you can link all of your API Console (console.anthropic.com) organizations to the same parent organization. See our Console-specific instructions to configure SSO.
Verifying your Domain(s)
Domain verification proves that you own your company's domain. Once you have confirmed that you own your domain, you can start configuring SSO for accounts with your company's domain.
Note: Verifying your domain by itself will not impact the ability for existing employees to access our products. This will only happen once SSO is set up and explicitly enforced.
Follow these instructions to verify your domain:
Navigate to claude.ai/settings/identity
Click "Add Domain"
Follow the instructions to add your TXT record
Note: if you're using a subdomain (e.g. subdomain.yourcompany.com), you should set your new TXT record on that subdomain (e.g. _acme-challenge.subdomain.yourcompany.com)
Wait up to 10 minutes for your DNS change to propagate. When you see the green "Verified" badge, you can close the instructions page
Back on claude.ai/settings/identity, you should see your domain with status "Verified"
If you do not see it, try refreshing your page
If your domain is listed as "Pending", try using the "Refresh" button
Domain Memberships
To view or download information about your verified domains and their usage across Anthropic organizations:
Navigate to claude.ai/settings/identity
Click "View Domain Memberships" in the "Domain management" section.
Review the information or download your domain membership details in CSV or JSON format.
Setting up SSO
Before setting up SSO, we recommend taking a look at Important Considerations Before Enabling SSO.
Once you connect your SSO provider to your Claude organization, users will be able to log in securely with your SSO provider.
Navigate to your Identity and access settings
Click the “Setup SSO” button
Follow the steps provided for your SSO provider
Once you’ve completed the steps for your SSO provider, navigate back to claude.ai/settings/identity, where you should now see the option to enforce SSO for our Console and claude.ai product surfaces.
Important: SSO enforcement might result in users being unable to log in if they are not correctly assigned to the Anthropic app in the IdP. We recommend testing that SSO login works correctly prior to enabling SSO enforcement.
User provisioning and management
Once you have SSO and optionally SCIM configured, you will be able to configure the provisioning behavior in your organization. You will see the following options:
Manual
Just in time (JIT)
SCIM
Additionally, JIT and SCIM provisioning allow you to enable “Advanced group mappings.” This feature allows you to not only configure provisioning, but also determine which roles users are provisioned with.
Please refer to the table below for an overview of how these options affect provisioning and user management:
Provisioning mode | Provisioning | Role changes | Removal |
Manual | Users are manually added in claude.ai/settings/team | User roles are manually changed in claude.ai/settings/team | Users are manually removed in claude.ai/settings/team |
JIT | Users assigned to your Anthropic IdP app will get provisioned at login time. They will receive the user role | User roles are manually changed in claude.ai/settings/team | Users that are removed from your Anthropic IdP app will no longer be able to log in. However, they will still appear in the claude.ai user list until they attempt to log in or are removed manually in claude.ai/settings/team |
JIT + advanced group mappings | Users assigned to your Anthropic IdP app that are members of at least one of the pre-defined groups used for advanced group mappings will get provisioned at login time. They will receive the highest permissioned role of the mapped groups that they are a member of | User roles are managed in your IdP via the group memberships of the pre-defined groups used for advanced group mapping. Users will retrieve updated roles on their next login. | Users that are removed from your IdP app (or no longer have access to at least one of the pre-defined groups used for advanced group mappings) will no longer be able to log in. However, they will still appear in the claude.ai user list until they attempt to log in or are removed manually in claude.ai/settings/team |
SCIM | Users that are assigned to your Anthropic IdP app will automatically get provisioned when they’re assigned in the IdP. | User roles are manually changed in claude.ai/settings/team | Users that are removed from your Anthropic IdP app will automatically get removed from claude.ai. |
SCIM + advanced group mappings | Users assigned to your Anthropic IdP app that are members of at least one of the pre-defined groups used for advanced group mappings will get provisioned automatically. They will receive the highest permissioned role of the mapped groups that they are a member of | User roles are managed in your IdP via the group memberships defined in advanced group mappings. Role changes are automatically propagated. | Users that are removed from your IdP app (or no longer have access to at least one of the pre-defined groups used for advanced group mappings) will be automatically removed from your claude.ai organization. |
Note: Microsoft Entra only pushes SCIM changes every 40 minutes, so there might be a delay before changes appear in claude.ai.
Advanced group mappings
Important: To enable Advanced Group Mappings, you must be an Owner or Primary Owner of your Claude Enterprise organization. If you can’t access the Identity and access page, contact an Owner or Primary Owner to add you as a member or change your role.
As mentioned above, "Advanced group mappings" can be used to provide not just access but also role assignment. To achieve this, we provide you pre-defined group names and the role that they map to in our product. Users assigned to these groups in your IdP will receive the matching role in our product.
In the example above, users that are assigned to the “anthropic-claudeai-9c9b0ada-owner” group in the IdP would get the owner role, while users assigned to the “anthropic-claudeai-9c9b0ada-user” group would get the user role. If a user is not assigned to any of the pre-defined groups, they would not receive access to the claude.ai organization.
Note: The group names displayed here are just examples; your organization will have different names.
Seen state
The “seen” column tells you if our systems have seen the pre-defined groups from your IdP. Enabling advanced group mappings before the groups have been detected is not recommended as it could result in you getting locked out from your claude.ai organization.
If you are not seeing the groups marked as “seen”, please make sure that you are propagating the user groups appropriately:
If you’re using JIT, please make sure that you’re using a SAML group attribute statement that shares all groups with the “anthropic-” prefix. Log out and log back in to allow our systems to detect new groups.
If you’re using SCIM, groups are propagated via push groups. Please make sure you add a rule to propagate all push groups with the “anthropic-” prefix. Click the “Sync Now” button next to the Directory sync (SCIM) section to allow our system to detect new groups.
Troubleshooting Common Scenarios
My organization also uses a Console account; how can I link this to my Enterprise SSO?
If you have an Enterprise organization with SSO already configured and want to add a Console organization using the same SSO settings:
Contact your Account Manager or Sales: Request to create a merge proposal to add your Console organization(s) to your existing Parent Organization.
Approve the merge proposal: Both your Enterprise Owners and Console Admins will receive email proposals. Approve these to complete the merge.
Verify Console access: Once merged, Console Admins should be able to access console.anthropic.com/settings/identity to configure SSO options.
Set up separate access controls: Use Advanced Group Mappings in both Enterprise and Console to create distinct groups for each organization.
How can I create separate user groups for my Enterprise and API Console organizations?
To individually provision user access to your Enterprise and Console organizations:
Enable Advanced Group Mappings in both your Enterprise Identity and access settings and Console Identity settings.
Configure separate groups in your IdP. For example:
Enterprise groups: anthropic-claudeai-[org-id]-owner, anthropic-claudeai-[org-id]-user
Console groups: anthropic-console-[org-id]-admin, anthropic-console-[org-id]-member
Assign users appropriately in your IdP based on which organization they need access to.
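A pre-flight check for advanced group mappings, added here as an example (it is not Anthropic's code): from an export of IdP group memberships it computes the role each current member would receive and lists who would lose access, which is the lockout case the "Seen state" section warns about. The role precedence (owner over user, admin over member), the data shapes and all sample values are assumptions.

```python
import re

# Assumption: precedence, highest first. The page only says the "highest
# permissioned role" wins; role names follow its example group names.
ROLE_RANK = {"claudeai": ["owner", "user"], "console": ["admin", "member"]}
# Group-name shape from the page: anthropic-<surface>-<org-id>-<role>
GROUP_RE = re.compile(r"^anthropic-(claudeai|console)-(.+)-([a-z]+)$")

def effective_roles(groups):
    """Return {(surface, org_id): highest mapped role} for one user's groups."""
    best = {}
    for name in groups:
        m = GROUP_RE.match(name)
        if not m or m.group(3) not in ROLE_RANK[m.group(1)]:
            continue  # unmapped group: grants no access
        surface, org_id, role = m.groups()
        rank = ROLE_RANK[surface].index
        key = (surface, org_id)
        if key not in best or rank(role) < rank(best[key]):
            best[key] = role
    return best

def preflight(idp_groups, current_members, surface, org_id):
    """Diff current members against what advanced group mappings would grant."""
    report = {"lose_access": [], "role_change": [], "top_role_retained": False}
    for user, role_now in sorted(current_members.items()):
        new = effective_roles(idp_groups.get(user, [])).get((surface, org_id))
        if new is None:
            report["lose_access"].append(user)
        elif new != role_now:
            report["role_change"].append((user, role_now, new))
        if new == ROLE_RANK[surface][0]:
            report["top_role_retained"] = True  # someone can still administer
    return report

# Constructed sample data: the org id and every user below are made up.
ORG = "0a1b2c3d"
IDP_GROUPS = {
    "alice@example.com": [f"anthropic-claudeai-{ORG}-user", f"anthropic-claudeai-{ORG}-owner"],
    "bob@example.com": [f"anthropic-claudeai-{ORG}-user", "engineering"],
    "carol@example.com": [f"anthropic-console-{ORG}-member"],
}
MEMBERS = {"alice@example.com": "owner", "bob@example.com": "owner", "carol@example.com": "user"}

if __name__ == "__main__":
    print(preflight(IDP_GROUPS, MEMBERS, "claudeai", ORG))
```

Run it against your own exports before enabling advanced group mappings; an empty `lose_access` list and `top_role_retained` set to `True` mean no current member is cut off and at least one person keeps the top role.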