Claude Enterprise SSO setup

Quick answer
To set up Single Sign-On (SSO) for Claude Enterprise, configure your identity provider (IdP) with SAML 2.0 or OIDC and then integrate it via the Claude Enterprise admin console. Use the provided metadata URLs and certificates from your IdP to complete the setup and enable secure, centralized authentication for your organization.

PREREQUISITES

  • Access to Claude Enterprise admin console
  • Configured Identity Provider (IdP) supporting SAML 2.0 or OIDC
  • SSO metadata URL or XML file from IdP
  • Admin privileges in your IdP and Claude Enterprise

Setup prerequisites

Before configuring SSO for Claude Enterprise, ensure you have the following:

  • An Identity Provider (IdP) that supports SAML 2.0 or OIDC (e.g., Okta, Azure AD, OneLogin).
  • Admin access to your IdP to create an application integration.
  • Access to the Claude Enterprise admin console to configure SSO settings.
  • SSO metadata URL or XML file from your IdP for integration.

Step-by-step SSO configuration

Follow these steps to enable SSO in Claude Enterprise:

  1. Log in to the Claude Enterprise admin console.
  2. Navigate to the Security or SSO Settings section.
  3. Select your SSO protocol: SAML 2.0 or OIDC.
  4. Upload the IdP metadata XML file or enter the metadata URL.
  5. Configure the required fields such as Entity ID, Assertion Consumer Service (ACS) URL, and Single Logout URL as provided by Claude Enterprise.
  6. Download the Service Provider (SP) metadata from Claude Enterprise and upload it to your IdP to complete the trust relationship.
  7. Test the SSO login flow to verify users can authenticate via your IdP.
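```python
import os
import sys

import requests

# Example: fetch the IdP metadata XML from the URL in IDP_METADATA_URL
idp_metadata_url = os.environ.get("IDP_METADATA_URL")
if not idp_metadata_url:
    sys.exit("IDP_METADATA_URL is not set.")

# A timeout keeps the script from hanging on an unreachable IdP
response = requests.get(idp_metadata_url, timeout=10)
if response.status_code == 200:
    # Save the raw bytes so the XML reaches the upload step unmodified
    with open("idp_metadata.xml", "wb") as f:
        f.write(response.content)
    print("IdP metadata downloaded successfully.")
else:
    print(f"Failed to download IdP metadata: {response.status_code}")
```

Output:

```
IdP metadata downloaded successfully.
```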

Common variations

Depending on your IdP and organizational needs, consider these variations:

  • OIDC vs SAML: Use OIDC for modern OAuth2-based flows or SAML 2.0 for legacy compatibility.
  • Just-in-time provisioning: Enable user provisioning on first login if supported.
  • Attribute mapping: Map IdP attributes (email, name, groups) to Claude Enterprise user fields.
  • Multi-tenant setups: Configure separate SSO settings per tenant if your enterprise uses multiple domains.

Troubleshooting tips

If you encounter issues during SSO setup, try the following:

  • Login failures: Verify the Entity ID and ACS URL exactly match between IdP and Claude Enterprise.
  • Metadata errors: Ensure the metadata XML is well-formed and accessible.
  • Certificate problems: Confirm the signing certificates are current and correctly uploaded.
  • Attribute mismatches: Check that required user attributes are sent by the IdP and correctly mapped.
  • Logs: Review Claude Enterprise and IdP logs for detailed error messages.

Key Takeaways

  • Configure your IdP with SAML 2.0 or OIDC and obtain metadata for Claude Enterprise integration.
  • Upload IdP metadata and configure SP settings in Claude Enterprise admin console to establish trust.
  • Test SSO login thoroughly and map user attributes correctly for seamless authentication.
  • Use troubleshooting tips like verifying URLs, certificates, and logs to resolve common issues.
Verified 2026-04 · claude-3-5-sonnet-20241022