Claude Enterprise with SSO providers
Claude Enterprise with SSO providers, configure your identity provider (IdP) such as Okta, Azure AD, or Google Workspace to integrate via SAML 2.0 or OIDC. Then, in the Claude Enterprise admin console, set up the SSO connection by providing metadata URLs or certificates from your IdP to enforce secure authentication.PREREQUISITES
Access to Claude Enterprise admin consoleConfigured SSO provider with SAML 2.0 or OIDC supportAdmin privileges on your identity providerBasic knowledge of SSO protocols (SAML/OIDC)
Setup
Before integrating Claude Enterprise with your SSO provider, ensure you have administrative access to both your Claude Enterprise account and your identity provider (IdP) such as Okta, Azure Active Directory, or Google Workspace. Prepare the IdP metadata URL or XML file, and gather necessary certificates for secure communication.
Install any required CLI tools or SDKs if you plan to automate configuration, though most setup is done via the web admin console.
pip install requests
# No direct SDK needed for SSO setup; use web console or API if available$ pip install requests Requirement already satisfied: requests in /usr/local/lib/python3.10/site-packages (2.31.0)
Step by step
Follow these steps to configure SSO for Claude Enterprise:
- Log in to the
Claude Enterpriseadmin console. - Navigate to the Authentication or SSO Settings section.
- Select your SSO protocol:
SAML 2.0orOIDC. - Enter the IdP metadata URL or upload the metadata XML file.
- Provide the necessary certificates or keys as required.
- Configure user attribute mappings (e.g., email, name) to match your IdP claims.
- Save and test the connection by initiating an SSO login.
Once successful, users can authenticate via your SSO provider seamlessly.
import os
import requests
# Example: Verify IdP metadata URL is reachable
idp_metadata_url = os.environ.get("IDP_METADATA_URL")
response = requests.get(idp_metadata_url)
if response.status_code == 200:
print("IdP metadata is accessible and valid.")
else:
print(f"Failed to access IdP metadata: {response.status_code}")IdP metadata is accessible and valid.
Common variations
You can configure Claude Enterprise SSO with different providers and protocols:
- Okta: Use SAML 2.0 with Okta metadata URL and configure attribute statements.
- Azure AD: Supports both SAML and OIDC; use Azure portal to generate metadata.
- Google Workspace: Typically uses SAML; download metadata XML from Google Admin console.
- OIDC providers: Use client ID, client secret, and discovery URL for configuration.
Automation via API may be available depending on your Claude Enterprise plan; otherwise, use the admin UI.
| SSO Provider | Protocol | Key Setup Details |
|---|---|---|
| Okta | SAML 2.0 | Metadata URL, X.509 certificate, attribute mappings |
| Azure AD | SAML 2.0 / OIDC | Metadata URL or OIDC discovery, client credentials |
| Google Workspace | SAML 2.0 | Metadata XML upload, attribute mappings |
| Generic OIDC | OIDC | Client ID, Client Secret, Discovery URL |
Troubleshooting
If SSO login fails, check these common issues:
- Metadata URL inaccessible: Verify network connectivity and URL correctness.
- Certificate mismatch: Ensure the IdP certificate matches what is uploaded in Claude Enterprise.
- Attribute mapping errors: Confirm user attributes like email are correctly mapped.
- Clock skew: Check system clocks on both IdP and Claude Enterprise for synchronization.
- SSO protocol mismatch: Confirm you selected the correct protocol (SAML vs OIDC).
Consult your IdP logs and Claude Enterprise support for detailed diagnostics.
Key Takeaways
- Configure your IdP metadata and certificates before setting up Claude Enterprise SSO.
- Use the Claude Enterprise admin console to input SAML or OIDC details and map user attributes.
- Test SSO login after setup to verify connectivity and correct configuration.
- Common SSO providers like Okta, Azure AD, and Google Workspace are fully supported.
- Troubleshoot by checking metadata accessibility, certificates, attribute mappings, and protocol selection.