SSO
Available for Team and Enterprise plans. It ties Claude login to the customer's identity provider after domain verification.
Identity guide
Claude SSO, JIT, and SCIM setup guide
A buyer-friendly guide to Claude SSO, domain verification, JIT provisioning, SCIM directory sync, group mapping, and Team versus Enterprise identity choices.
JIT
Available for Team and Enterprise plans. It provisions users when they log in through the IdP.
SCIM
Enterprise-only for Claude plans. It syncs users and groups from the IdP for stronger lifecycle control.
The identity decision tree
The right identity setup depends on how much lifecycle control the customer needs on day one. BlueSky keeps the decision explicit so Team customers do not wait for Enterprise-only features and Enterprise customers do not launch without access controls.
Email or invite-only
Best when speed matters and the team is small enough for manual member management.
SSO plus JIT
Best when the customer wants IdP login control without full SCIM lifecycle automation.
SSO plus SCIM
Best for Enterprise programs that need automatic provisioning, deprovisioning, and group-based administration.
Evidence that prevents rework
Identity work should leave behind proof that the setup is ready. That proof helps security reviewers, customer admins, and BlueSky operators avoid repeating the same discovery.
Domain proof
Capture DNS ownership and Claude domain verification status before SSO changes are enforced.
Login proof
Record successful admin and pilot-user test logins before expanding beyond the initial group.
Provisioning proof
For JIT or SCIM, document which groups are assigned, which users appear in Claude, and who owns rollback.
Implementation checklist
These are the decisions BlueSky wants settled before a rollout becomes harder than it needs to be.
- 1Confirm Owner or Primary Owner access.
- 2Confirm DNS access for the customer email domain.
- 3Choose email login, SSO plus JIT, or SSO plus SCIM.
- 4Keep Claude and the IdP setup flow open side by side.
- 5Align SSO email claim with provisioning email attributes.
- 6Assign at least one admin and pilot group before enforcement.
- 7Capture test login, group assignment, and rollback evidence.
Common questions
Is SCIM available on Claude Team?
No. Anthropic documents SCIM directory sync for Enterprise plans and eligible Console organizations. Claude Team can use invite-only or JIT provisioning.
Why does domain verification come before SSO?
Domain verification proves ownership of the email domain and is required before Claude can safely bind sign-in behavior to the customer's identity provider.
What is the most common SSO or SCIM mistake?
A common issue is mismatched identity attributes. The email claim used for SSO should align with the email attribute used for provisioning.
References and next steps
Official Claude documentation remains the source of truth for current plan capabilities and setup screens.