Set up JIT or SCIM provisioning

This guide covers how to configure user provisioning and role assignment for your Claude or Claude Console organization.

Before you begin: This guide assumes you have already completed the steps in Set up single sign-on (SSO), including domain verification and SSO configuration with your Identity Provider (IdP), and you have an Admin (Console) or Owner (Claude) role.

Step 1: Choose your provisioning mode

Once SSO is configured, you need to decide how users will be provisioned to your organization. This is controlled via the User provisioning section in Organization settings > Organization and access.

Provisioning options

Invite only: The default. Users are added and removed directly in Claude or Console settings.

Just-in-time (JIT): Users assigned to your Anthropic IdP app are automatically provisioned when they first log in. This option is available to all plans.

SCIM directory sync: Users are automatically provisioned and deprovisioned based on assignments in your IdP, without requiring them to log in first. SCIM is available for Enterprise plans and Console organizations with their own parent organization or joined to an Enterprise parent organization. SCIM is not available for Team plans or Console organizations joined to a Team plan's parent organization.

Provisioning behavior overview

Use this table to help decide which provisioning mode is right for your organization:

Both JIT and SCIM can be combined with Enable group mappings to control role or seat tier assignment based on IdP group membership. If you select either of these options for your provisioning mode, Enable group mappings will appear within the User provisioning section:

Available roles and seat tiers

For information on purchasing seats or adjusting your plan's seat allocation, see our guides for Team plans and Enterprise plans.

Step 2: Set up SCIM directory sync (if using SCIM)

If you chose SCIM as your provisioning mode, you need to establish the connection between your Identity Provider and Anthropic before enabling it.

‼️ When you reach the IdP Group step, pause to review Steps 3 and 4 of this guide, alongside the other guides.

For IdP-specific JIT / SCIM setup instructions, see:

Once your IdP is connected, continue to Step 3.

Step 3: Configure provisioning mode and enable group mappings

Step 4: Configure groups in your Identity Provider and map groups to roles and seat types

How the Primary Owner role works with SCIM

Troubleshooting

Users are assigned correctly and show in the directory but aren't being added to Claude as members?

Verify you have enough seats purchased and available to add members to your org.

Users aren't being provisioned with the correct role

I lost Admin/Owner access after enabling group mappings

This happens when the person configuring group mappings isn't assigned to a group mapped to an Admin or Owner role, causing their permissions to be downgraded to User.

To fix this:

Option 1: Have another Admin/Owner reinstate your role

Option 2: Fix via your Identity Provider
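
The lockout described above can be caught before group mappings are switched on. The following is an added example, not Anthropic's code: it compares an exported list of current Admins/Owners against IdP group membership and reports who would lose their role. The group names, e-mail addresses and data shapes are constructed assumptions.

```python
# Added example: pre-flight lockout check before turning on "Enable group mappings".
# Group names, addresses and data shapes are hypothetical, constructed for illustration.

PRIVILEGED_ROLES = {"Admin", "Owner"}  # roles named in this guide


def privileged_groups(group_to_role):
    """Return the IdP groups whose mapped role is Admin or Owner."""
    return {g for g, role in group_to_role.items() if role in PRIVILEGED_ROLES}


def lockout_check(current_privileged, idp_memberships, group_to_role):
    """Split current Admins/Owners into those who stay in a group mapped to a
    privileged role and those who would lose it once mappings are enforced."""
    keep_groups = privileged_groups(group_to_role)
    retained, at_risk = [], []
    for user in sorted(current_privileged):
        groups = idp_memberships.get(user, set())
        (retained if groups & keep_groups else at_risk).append(user)
    return retained, at_risk


def safe_to_enable(current_privileged, idp_memberships, group_to_role, operator):
    """True only if the person enabling the setting keeps Admin/Owner afterwards."""
    retained, _ = lockout_check(current_privileged, idp_memberships, group_to_role)
    return operator in retained


# Constructed sample data (hypothetical names, not taken from the product).
GROUP_TO_ROLE = {"claude-owners": "Owner", "claude-users": "User"}
IDP_MEMBERSHIPS = {
    "alice@example.com": {"claude-owners"},
    "bob@example.com": {"claude-users"},  # current Owner, but only in a User group
    "carol@example.com": set(),           # current Admin, in no mapped group
}
CURRENT_PRIVILEGED = {"alice@example.com", "bob@example.com", "carol@example.com"}

if __name__ == "__main__":
    retained, at_risk = lockout_check(CURRENT_PRIVILEGED, IDP_MEMBERSHIPS, GROUP_TO_ROLE)
    print("keep Admin/Owner:", retained)
    print("would lose Admin/Owner:", at_risk)
    for operator in ("alice@example.com", "bob@example.com"):
        ok = safe_to_enable(CURRENT_PRIVILEGED, IDP_MEMBERSHIPS, GROUP_TO_ROLE, operator)
        print(f"safe for {operator} to enable group mappings: {ok}")
```
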


Related Articles

Important considerations before enabling single sign-on (SSO) and JIT/SCIM provisioning

Set up single sign-on (SSO)

Switching to a different Identity Provider (IdP)

How SCIM sync works for Enterprise organizations

Set up SCIM in Claude for Government