Google Workspace SSO/SCIM email mismatch


Claude uses email as the primary identifier to match SSO logins to provisioned seats. In Google Workspace, SCIM auto-provisioning and SAML SSO can send different email values—especially when people have email aliases—causing a mismatch that blocks access.

Symptoms

People may experience one or more of the following when attempting to access your organization via SSO:

How this happens

Google Workspace accounts have a primary email and may have multiple aliases. SCIM provisioning and SAML SSO are configured separately in the Google Admin console and can pull from different address fields:

The most common mismatch: SCIM is configured to send an alias address while SAML sends the primary email (or vice versa). Since aliases and primary emails are different strings, Claude cannot match them. Claude requires an exact string match.

Common confusion: In Google Admin, SCIM auto-provisioning settings and SAML attribute mapping are on separate tabs within the same app. Admins sometimes update one and miss the other. Verify both locations.
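The alias-versus-primary mismatch described above can be checked offline. The following is an added example, not part of the original article or any vendor tooling: it compares the addresses seats were provisioned with against the Name ID values SSO sends, using exact string comparison, and reports which logins fail only because an alias and a primary email of the same account were used. The sample data is constructed, the function and variable names are hypothetical, and the two export lists are assumed inputs; `primaryEmail` and `aliases` follow the Google Directory API user resource.

```python
# Added example: find SCIM/SAML email mismatches caused by Google Workspace aliases.
# All data below is constructed for illustration.
DIRECTORY_USERS = [
    {"primaryEmail": "ana.silva@example.com", "aliases": ["ana@example.com"]},
    {"primaryEmail": "ben.okoro@example.com", "aliases": []},
    {"primaryEmail": "chen.li@example.com", "aliases": ["cli@example.com"]},
]
# Address each seat was provisioned with (what SCIM sent). Assumed export.
PROVISIONED = ["ana@example.com", "ben.okoro@example.com", "chen.li@example.com"]
# Name ID carried in each person's SAML assertion at login. Assumed export.
SAML_NAME_IDS = ["ana.silva@example.com", "ben.okoro@example.com",
                 "cli@example.com", "dee@example.com"]


def build_account_index(users):
    """Map every address (primary or alias) to its account's primaryEmail."""
    index = {}
    for user in users:
        primary = user["primaryEmail"]
        index[primary] = primary
        for alias in user.get("aliases", []):
            index[alias] = primary
    return index


def classify_logins(users, provisioned, name_ids):
    """Classify each SAML Name ID against provisioned seats (exact string match)."""
    index = build_account_index(users)
    seats = set(provisioned)
    # primaryEmail -> provisioned address, for seats tied to a known account
    seat_by_account = {index[p]: p for p in provisioned if p in index}
    report = []
    for name_id in name_ids:
        if name_id in seats:
            status, seat = "match", name_id
        elif index.get(name_id) in seat_by_account:
            # Same account, different string: the alias/primary mismatch.
            status, seat = "alias_mismatch", seat_by_account[index[name_id]]
        else:
            status, seat = "no_seat", None
        report.append({"name_id": name_id, "status": status, "seat": seat,
                       "primaryEmail": index.get(name_id)})
    return report


if __name__ == "__main__":
    for row in classify_logins(DIRECTORY_USERS, PROVISIONED, SAML_NAME_IDS):
        print(row)
```

Rows with status `alias_mismatch` show the scope of the problem: each one is a person whose seat and login resolve to the same account but are sent as different strings.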

Diagnostic steps

Step 1 — Confirm the mismatch

Step 2 — Identify the scope of the problem

Step 3 — Check Name ID in SAML configuration

Resolution

Align both mappings to primaryEmail

Google Workspace's primaryEmail is the most reliable source for both SCIM and SAML.

Trigger a full re-sync

Critical — Full sync required: An incremental sync will not update existing records after you change an attribute mapping. You must trigger a full restart of the provisioning cycle.

Post-fix cleanup

After correcting the attribute mapping and completing the full sync:

Verification

Common issues

When to contact Support

Contact our Support team with your organization's domain, the affected person's email, and screenshots of your attribute mappings when:


Related Articles

Microsoft Entra ID SSO/SCIM email mismatch
Okta SSO/SCIM email mismatch
OneLogin SSO/SCIM email mismatch
Ping Identity SSO/SCIM email mismatch
Google Workspace SSO setup