Skip to content
Veraproof Veraproof Docs

Claude Integration

Claude Integration

Scimify enables SCIM provisioning for Claude organization users, allowing you to invite members and manage organization roles through your identity provider.

Overview

This integration (de)provisions users in your Claude organization using the Anthropic Organization Admin API. Scimify accepts standard SCIM requests from your IdP and translates them into organization user and invite API calls.

Key behaviors:

  • User-only — no group provisioning
  • Invite-based provisioning — new users are invited to the organization (they are not created as active members until they accept)
  • Role management — optional claude_role SCIM attribute maps to Claude organization roles
  • Deprovisioning — removing access deletes the organization member or cancels a pending invite

Workspace membership management is not included in this connector.

Prerequisites

  • A Claude organization with organization administration access
  • An Admin API key with permission to manage organization users and invites
  • Your IdP configured for SCIM provisioning (see Okta SCIM Configuration)
  • A Claude user provisioning mode compatible with API-based invites (see SSO and JIT provisioning below)

For API details, see the Claude API overview.

Configuration Steps

1. Generate a Claude Admin API Key

  1. Sign in to the Claude Console
  2. Open API keys (or your organization’s key management settings)
  3. Create an Admin API key scoped for organization user management
  4. Copy the key and store it securely

Use an organization Admin API key, not a standard project API key. The integration calls organization endpoints such as /v1/organizations/users and /v1/organizations/invites.

2. Configure the Integration in Scimify

  1. Navigate to the Integrations page in your Scimify admin console
  2. Create a new Claude integration instance
  3. Set an instance display name (for example, Production Claude Org) so you can distinguish multiple Claude connections
  4. Enter your Admin API Key
  5. Save the configuration and use Test connection to verify API access
  6. Generate or copy the Scimify SCIM endpoint and API key for your IdP

Only the Admin API key is required in the integration config. Claude uses a fixed API host (https://api.anthropic.com); your organization is determined by the API key, not by a separate instance hostname.

3. Configure Organization Role Management (Optional)

To assign Claude organization roles via SCIM, add the claude_role custom attribute to your IdP user profile and map it into the SCIM user payload.

If claude_role is omitted, Scimify assigns the default role user.

4. Configure Okta SCIM

Follow the Okta SCIM Configuration guide to connect Okta to your Scimify Claude instance, then assign users to the SCIM app.

If your Claude organization uses Just-in-time (JIT) provisioning, configure the Okta app to skip user creation (see SSO and JIT provisioning).

SSO and JIT provisioning

Claude organizations with SSO enabled can choose how users join in Organization settings → Organization and access. Scimify creates users by calling the Claude Admin API to send organization invites. That API path is not available when Claude is set to Just-in-time (JIT) provisioning, because Claude adds members automatically when they first sign in via SSO.

If provisioning mode is Just-in-time (JIT), user create/invite requests from Scimify fail with:

Claude API bad request: Your organization's SSO configuration automatically manages members. You cannot provision users via the API.

Choose one of the following approaches:

Option A: Use Invite only provisioning (full Scimify create/update/deprovision)

Switch Claude to Invite only provisioning so Scimify can invite users via the Admin API:

  1. In Claude, open Organization settings → Organization and access (Claude) or Settings → Identity and access (Console)
  2. Under User provisioning, select Invite only
  3. Save changes
  4. Assign users in your IdP SCIM app as usual — Scimify will create organization invites on assignment

See Anthropic’s guide: Set up JIT or SCIM provisioning.

Note: Invite only is the default mode. Users are added and removed through Claude settings or via API invites; SSO alone does not auto-provision members.

Option B: Keep JIT provisioning (updates and deprovisioning only)

If you want Claude to provision users at first SSO login (JIT), do not have Scimify create users. Use Scimify for imports, role updates, and deactivations instead:

  1. Leave Claude on Just-in-time (JIT)
  2. In your Okta SCIM app, disable user creation (for example, turn off Create users under To App provisioning, or equivalent in your IdP)
  3. Keep Update user attributes and Deactivate users enabled so Scimify can sync roles and remove members when users are unassigned
  4. Rely on JIT login to add new members; use Scimify Refresh users or IdP import to align existing members before updates

This pattern fits teams on Team or Console plans that already use JIT for initial access but still want IdP-driven role changes and offboarding through Scimify.

How It Works

User Provisioning

When a user is assigned in your IdP:

  1. Scimify checks whether the email already exists as an organization member
  2. If not, Scimify checks for an existing pending invite for that email
  3. If neither exists, Scimify creates a new organization invite with the requested role

The invited user must accept the invite before they appear as an active organization member in Claude.

User Updates

  • Active members — role changes are applied with the organization user update API
  • Pending invites — Claude does not support updating an invite in place; Scimify cancels the pending invite and creates a new invite with the updated role when claude_role changes
  • Profile fields — name and email are not updated through this integration; role is the supported update

User Deprovisioning

When a user is unassigned or deactivated in your IdP:

  • Active members are removed from the organization
  • Pending invites are deleted

This is a hard remove from the organization (not a soft disable in Claude).

Custom SCIM Attribute Configuration

To manage Claude organization roles from your IdP, configure the following custom attribute.

Attribute: claude_role

SettingValue
TypeString
External namespaceurn:ietf:params:scim:schemas:extension:custom:2.0:User
Attribute nameclaude_role
DescriptionClaude organization role for the invited or provisioned user
Defaultuser (if not sent in SCIM)

Valid values (provisionable via SCIM):

ValueDescription
userStandard organization user
developerDeveloper access
billingBilling-related access
claude_code_userClaude Code user role

Not supported via SCIM:

ValueNotes
adminOrganization admin cannot be assigned through Scimify; create admins directly in Claude

Scimify accepts claude_role in any of these common SCIM shapes:

  • Top-level field: claude_role
  • Extension key: urn:ietf:params:scim:schemas:extension:custom:2.0:User:claude_role
  • Nested extension object: urn:ietf:params:scim:schemas:extension:custom:2.0:User{ "claude_role": "developer" }

Suggested Okta profile attribute

  1. In Okta, add a user profile attribute for your Claude SCIM app:
    • Display name: Claude organization role
    • Variable name: e.g. claudeRole
    • Type: string
    • External namespace: urn:ietf:params:scim:schemas:extension:custom:2.0:User
    • External name: claude_role
  2. Restrict values to the supported list above (for example, using an enumerated profile field or lifecycle rule)
  3. Map the attribute in the Okta → Scimify provisioning profile so it is included on create and update

Mapping guidance

  • Set a sensible default (typically user) for standard employees
  • Use group rules or entitlements to set developer, billing, or claude_code_user where appropriate
  • Do not map admin — provisioning will fail with a clear error if admin is sent

Limitations and Behavior Notes

  • SSO provisioning mode — API invites require Invite only mode in Claude; Just-in-time (JIT) blocks Scimify user creation (see SSO and JIT provisioning)
  • Invite-only create — SCIM “create user” sends an organization invite; users are not fully active until they accept
  • Pending invite tracking — Scimify stores the invite ID until the user accepts; lookups fall back to invite APIs when needed
  • No group support — this connector does not create or sync groups
  • No workspace APIs — workspace membership is out of scope for this integration
  • Role-only updates — only claude_role is synchronized on update; other profile attributes are ignored
  • IdP instance naming — use the Scimify integration instance display name to label multiple Claude org connections; no separate Claude hostname is required

Troubleshooting

  • Your organization’s SSO configuration automatically manages members
    • Claude is set to Just-in-time (JIT), which disables Admin API user invites
    • Fix (full provisioning): Change Claude User provisioning to Invite only, then retry the Okta assignment
    • Fix (keep JIT): Disable Create users on the Okta → Scimify app; use Scimify only for updates and deactivations while JIT handles new members at first login
    • Reference: Set up JIT or SCIM provisioning
  • Authentication failed (401/403)
    • Confirm you are using an Admin API key with organization user management permissions
    • Regenerate the key in Claude Console and update the Scimify integration config
  • Invalid claude_role
    • Ensure the value is one of: user, developer, billing, claude_code_user
    • Do not send admin via SCIM
  • User already exists
    • Scimify returns the existing member or pending invite ID; this is expected idempotent behavior
  • User not removed after deprovision
    • Verify the user was unassigned from the Okta SCIM app and that provisioning ran successfully
    • Check Scimify audit logs for delete vs invite-delete operations

Additional Resources

Need Help?

If you encounter issues configuring claude_role mappings or Admin API access, contact [email protected] for assistance.