SSO & Access Controls

Last verified: 14 April 2026 | Applies to: Team (SSO), Enterprise (SSO/SCIM)

In 30 seconds

SSO (SAML and OIDC) is available on both Team and Enterprise plans. SCIM for automated user provisioning is Enterprise-only. If you need centralised identity lifecycle management (automatic provisioning and deprovisioning), you need Enterprise. But Team plans can use SSO for authentication.

What’s available by plan

Feature	Team	Enterprise
Admin dashboard	✓	✓
Invite/remove users	✓	✓
Assign seat types	✓	✓
Provision plugins	✓	✓
SSO (SAML/OIDC)	✓	✓
SCIM provisioning	—	✓
Role-based access	—	✓
Custom domains	—	✓

SSO setup (Team and Enterprise)

SSO supports SAML 2.0 and OIDC on both Team and Enterprise plans. Compatible with:

Okta
Azure AD / Entra ID
Google Workspace
OneLogin
Any SAML 2.0-compliant identity provider

Setup process:

Contact Anthropic’s enterprise team to enable SSO for your organisation
Configure your identity provider with the SAML metadata provided by Anthropic
Map user attributes (email, display name, department)
Test with a pilot group
Enable for the full organisation
Optionally enforce SSO (block email/password login)

SCIM provisioning (Enterprise)

graph LR
    A[Identity provider] --> B{User change}
    B -- "Added to group" --> C[Auto-provision in Claude]
    B -- "Attributes changed" --> D[Sync name and dept]
    B -- "Removed from group" --> E[Revoke Claude access]
    C --> F[Active Claude seat]
    D --> F
    E --> G[Access removed]

SCIM automates user lifecycle management:

Create: When a user is added to a group in your IdP, they’re automatically provisioned in Claude
Update: Attribute changes (name, department) sync automatically
Deactivate: When removed from the group, access is automatically revoked

This eliminates manual user management and ensures access is always current with your identity provider.

Team plan admin controls

Team plans include SSO but not SCIM. Additional admin controls:

SSO (SAML/OIDC). Centralised authentication for your team.
Invite by email. Add team members individually.
Seat management. Assign Standard or Premium seats.
Plugin provisioning. Install plugins for the organisation.
Connector management. Approve or restrict connectors.
Remove users. Revoke access immediately.

SSO is available on Team and Enterprise. Both plans support SAML and OIDC. You do not need Enterprise just for SSO.
SCIM is Enterprise only. If your organisation requires automated user provisioning and deprovisioning via your identity provider, you need Enterprise.
SCIM requires IdP configuration. Work with your IT team to set up the SCIM integration with your identity provider.
Seat type assignment is separate from SSO. Users authenticate via SSO, but their seat type (Standard/Premium) is still managed in the Claude admin dashboard. Both seat types include the same features (including Claude Code). The difference is usage volume.
Enterprise is self-serve. Sign up with a minimum of 20 seats on annual billing, no sales call required. Self-serve Enterprise includes SSO, SCIM, audit logs, and all enterprise features.

Admin Setup: full deployment guide
Security & Compliance: data handling and compliance
Choosing a Plan: Team vs Enterprise comparison

Something wrong or outdated? Let us know →

Get weekly workflows: subscribe to the newsletter.