Set up single sign-on (SSO) (original) (raw)

This guide covers the steps to configure SSO for Team and Enterprise plans, and Claude Console organizations.

Step 1: Review prerequisites and important considerations

Before proceeding with SSO setup, complete the following:

Confirm you have the required role:

Confirm you have access to the following:

Please contact your organization's IT Administrator if you do not have permissions to manage Claude or company DNS settings.

Step 2: Verify your domain(s)

Domain verification proves that you own your company's domain. Once verified, you can configure SSO for accounts with your company's domain.

You can verify multiple domains for a single organization, but all domains must be managed through a single IdP. We don't support verifying domains from separate IdPs within the same organization.

Step 3: Set up SSO with your Identity Provider

For IdP-specific setup instructions, see:

Step 4: Choose to require SSO

You can now choose to toggle on Require SSO for Console and/or Require SSO for Claude, on the Organization and access page, under the Authentication section:

When SSO is required, users must use the “Continue with SSO” option to log in to their Claude/Console accounts. When SSO is not required, they will have the option to choose “Continue with SSO” or “Continue with email.”

Step 5: Choose your provisioning approach

Once SSO is enabled, you need to decide how users will be added to your organization by choosing an option within the User provisioning section of your Organization and access settings.

Just-in-Time (JIT) provisioning can be enabled to automatically provision users when they first log in. By default, users assigned to your Anthropic IdP app first login, they will receive the User role. This is the simplest automated option and requires no additional configuration beyond selecting "Just-in-Time (JIT)" as your provisioning mode.

Enable group mappings - when to configure additional provisioning features

Updating your SSO certificate

When your Identity Provider's X.509 signing certificate expires or is rotated, you'll need to update it in Claude or Console to maintain SSO functionality.

Turning off SSO

You can toggle Require SSO for Claude or Require SSO for Console off at any time. This will make SSO optional for all users.

To fully disconnect SSO, click “Manage SSO” then “Reset connection.” This will end all users’ sessions and require them to sign back in via email login link.

Related Articles

Important considerations before enabling single sign-on (SSO) and JIT/SCIM provisioningGoogle Workspace SSO setupOkta SSO setupPing Identity SSO setupSSO login