Set up SCIM in Claude for Government (original) (raw)

System for Cross-domain Identity Management (SCIM) lets your identity provider automatically manage user accounts in Claude for Government. With SCIM, your IdP controls who has access, what role they hold, and what seat tier they're assigned—without manual intervention in the Claude admin console.

How SCIM differs for Claude for Government

Claude for Government uses a first-party SCIM implementation hosted within the FedRAMP-authorized environment. The commercial Claude Enterprise plan uses a different SCIM backend.

Prerequisites

Before setting up SCIM, you must complete:

How provisioning works with and without SCIM

Without SCIM, Claude for Government uses just-in-time (JIT) provisioning: any user who authenticates through SSO is automatically assigned a seat, as long as licenses are available. You control who can authenticate by managing membership in the SAML application within your IdP.

With SCIM, login and provisioning are separate. Your IdP tells Anthropic who should have access and at what role/tier. SSO is used only for authentication. This gives you fine-grained control over roles, seat tiers, and offboarding.

Step 1: Generate a SCIM API key

Step 2: Configure SCIM in your Identity Provider

Step 3: Verify sync status

After enabling the integration in your IdP:

Step 4: Map groups to roles and seat tiers

SCIM provisioning uses IdP groups to assign roles and seat tiers within Claude for Government.

If you manage multiple organizations under a single parent (see below), each organization maintains its own role and seat tier mappings. Switch between organizations using the organization selector in the bottom-left corner of the page.

Parent organizations (multi-org setups)

Every Claude for Government organization belongs to a parent organization. For most customers, this is transparent—a parent is created automatically during provisioning and contains a single child organization.

Parent organizations become relevant when multiple organizations share a login domain. Common scenarios include:

In a multi-org setup:

Related Articles

Set up single sign-on (SSO)Set up JIT or SCIM provisioningPing Identity SSO/SCIM email mismatchHow SCIM sync works for Enterprise organizationsModel availability in Claude for Government