Important considerations before enabling single sign-on (SSO) and JIT/SCIM provisioning
Before setting up SSO for your Claude or Claude Console organization, review this guide to understand key concepts, plan your approach, and complete any prerequisite steps.
Understanding parent organizations
Our single sign-on feature uses the concept of a "parent organization." This is an entity that stores SSO settings that can be shared across multiple Claude or Console organizations. Your plan type determines whether or not you have a parent organization by default:
Key things to know
What this means for you
You will need to check the parent organization dynamic depending on your plan:
Merge organizations
Team or Enterprise organizations can invite other orgs to join an existing parent organization and share SSO configuration.
Requirements for merging
To initiate a merge proposal
To approve a merge proposal
Once a Console organization is merged, it gains access to the Identity and access page in Organization settings, where you can configure SSO and provisioning settings.
Authentication
You'll find settings you can use to configure SSO in the Authentication section. This is where you configure the primary SSO connection and policies that apply across multiple joined Claude or Console organizations.
Restrict new organization creation
Once your organization's domains are verified, owners will see a Restrict organization creation toggle under Security on the Organization and access page. Toggle this on to prevent users from creating new Claude or Console organizations—including personal accounts—using any of your verified domains.
Provisioning options
Once SSO is configured, you can choose how users are provisioned to your organization.
What happens to existing users when SSO is enabled
After enabling SSO for your organization, there are two distinct scenarios to consider for users who have individual accounts associated with your verified company domain:
Users with existing Free/Pro/Team/Max accounts who ARE added to your SSO application
These users will maintain access to their existing Free/Pro/Team/Max accounts. They will have the ability to toggle between the Team or Enterprise plan account and their previous accounts by clicking the profile icon with their initials in the bottom left corner.
Users with existing Free/Pro/Team/Max accounts who are NOT added to your SSO application
How to view existing Claude / Console accounts associated with your verified domain
To view or download information about your verified domains and their usage across Claude organizations:
Recommended steps before implementing SSO
Communicate clearly with your team
Plan for a smooth transition
Taking time to test, communicate, and plan before enabling domain capture and SSO will help ensure a successful transition and positive experience for your organization.
Next steps
Once you've reviewed these considerations and completed any necessary prerequisite steps (such as merging organizations), proceed to Set up single sign-on (SSO) for detailed implementation instructions.