Capabilities
The Claude Enterprise connector syncs the following resources:| Resource | Sync | Provision |
|---|---|---|
| Accounts | Create, Delete | |
| Groups | Grant, Revoke |
Account creation fields
When provisioning a new Claude Enterprise user account, C1 prompts for the following field:| Field | Required | Description |
|---|---|---|
display_name | Yes | The user’s first and last name, space-separated (e.g., “Jane Smith”). The first word is used as the given name; the remainder is used as the family name. |
How this connector connects to Claude Enterprise
The connector runs in one of two modes depending on which credentials you provide. At least one of a Compliance Access Key or SCIM credentials is required.- Compliance API mode (recommended). When a Compliance Access Key is configured, Anthropic’s Compliance API (
/v1/compliance/*) is the source of truth — it sees every user and group across all linked organizations under your parent, both SCIM-synced and console-invited identities. SCIM 2.0 credentials (implemented by WorkOS) are optional here and enable provisioning of SCIM-managed users and groups. - SCIM-only mode (fallback). When no Compliance Access Key is set, the connector syncs users and groups directly from SCIM and provisions natively. Only SCIM-provisioned identities are visible — console-invited users and console-created groups will not appear. Adding a Compliance Access Key later is non-disruptive: SCIM-managed identities keep their SCIM ids, and console-only identities simply become visible for the first time.
Compliance API mode (recommended — source of truth)
The connector lists and reconciles directory data entirely from the Compliance API, so a console-invited user — or a group created directly in claude.ai — is synced just like a SCIM-provisioned one:| Synced | From |
|---|---|
| Users (every org member, SCIM- or console-provisioned) | organizations/{id}/users |
Organizations + built-in org-role grants (owner / admin / developer / …) | organizations, organizations/{id}/users |
| RBAC roles + group→role grants | organizations/{id}/roles, groups |
Groups (both direct and scim) + membership | groups, groups/{id}/members |
Activity feed (Compliance mode)
In Compliance mode the connector also streams Anthropic’s audit/activity feed (/v1/compliance/activities) as C1 usage events — each event records a user acting within an organization (for example, viewing a chat or file). These power last-active and dormant-access signals for access reviews, alongside the access state from the directory sync. The feed reads only when a Compliance Access Key is configured (it is absent in SCIM-only mode) and requires the read:compliance_activities scope on the key.
SCIM 2.0 (optional — provisioning only)
When SCIM credentials are configured, the connector can provision SCIM-managed resources:| Capability | Supported |
|---|---|
| Provision (create) user | |
| Deprovision (delete) user | |
| Add user to group | |
| Remove user from group |
SCIM-only mode (fallback)
If you cannot yet obtain a Compliance Access Key (the Compliance API is enabled on request and is in beta), configure only the SCIM credentials. The connector then syncs and provisions users and groups entirely through SCIM, keyed by their SCIM ids — the connector’s original behavior. Note this mode does not see console-invited identities; switch to Compliance mode once a key is available for full coverage.Gather Claude Enterprise credentials
Provide at least one of a Compliance Access Key (recommended) or SCIM credentials. Configuring both enables Compliance-canonical sync and provisioning.Compliance Access Key (recommended)
Request access to the Compliance API for your parent organization (it is enabled on request). Follow Anthropic’s guide at Get access to the Compliance API.
As the Primary Owner, go to claude.ai > Organization settings > Data and privacy, find Compliance access keys, and create a key with these scopes:
read:compliance_org_data(required)read:compliance_user_data(required)read:compliance_activities(for the activity feed)
read:compliance_activities is needed only for the activity feed; directory sync and provisioning work without it.SCIM credentials (provisioning, or the SCIM-only fallback)
Configure these if you want provisioning in Compliance mode, or if you have no Compliance Access Key and want to run the connector in SCIM-only mode. Skip them only when you have a Compliance Access Key and don’t need provisioning.Sign into claude.ai and navigate to Settings > Identity and access > Setup SCIM.
Configure the Claude Enterprise connector
- Cloud-hosted
- Self-hosted
Follow these instructions to use a built-in, no-code connector hosted by C1.Done. Your Claude Enterprise connector is now pulling access data into C1.
Choose how to set up the new Claude Enterprise connector:
- Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with C1)
- Add the connector to a managed app (select from the list of existing managed apps)
- Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
Enter the configuration. Provide at least one of the Compliance Access Key or the SCIM credentials:
- SCIM Token (optional): Optional SCIM bearer token (claude.ai → Settings → Identity and access). Only needed to enable provisioning of SCIM-managed users and groups.
- SCIM URL (optional): Optional WorkOS SCIM endpoint URL (claude.ai > Settings > Identity and access). Only needed for provisioning; required together with scim-token.
- Compliance Access Key (optional): Anthropic Compliance Access Key (read:compliance_org_data + read:compliance_user_data). Source of truth when set; otherwise the connector syncs SCIM-only.