> ## Documentation Index
> Fetch the complete documentation index at: https://conductorone-docs-mcp-bridge-private-server.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Set up a Claude Enterprise connector

> C1 provides identity governance and just-in-time provisioning for Claude Enterprise. Integrate your Claude Enterprise instance with C1 to run user access reviews (UARs), enable just-in-time access requests, and automatically provision and deprovision access.

## Capabilities

The Claude Enterprise connector syncs the following resources:

| Resource | Sync                                                          | Provision                                                                    |
| :------- | :------------------------------------------------------------ | :--------------------------------------------------------------------------- |
| Accounts | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> Create, Delete |
| Groups   | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> Grant, Revoke  |

**Additional functionality:**

<Icon icon="square-check" iconType="solid" color="#c937ae" /> Supports [automatic account provisioning and deprovisioning](/product/admin/account-provisioning)

#### Account creation fields

When provisioning a new Claude Enterprise user account, C1 prompts for the following field:

| Field          | Required | Description                                                                                                                                               |
| :------------- | :------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `display_name` | Yes      | The user's first and last name, space-separated (e.g., "Jane Smith"). The first word is used as the given name; the remainder is used as the family name. |

The user's email address is provided automatically by C1 and is used as the SCIM username. No password is required — Claude Enterprise authenticates users through SSO, so accounts are created without credentials.

## How this connector connects to Claude Enterprise

The connector runs in one of two modes depending on which credentials you provide. **At least one** of a Compliance Access Key or SCIM credentials is required.

* **Compliance API mode (recommended).** When a **Compliance Access Key** is configured, Anthropic's **Compliance API** (`/v1/compliance/*`) is the source of truth — it sees every user and group across all linked organizations under your parent, **both SCIM-synced and console-invited identities**. **SCIM 2.0** credentials (implemented by WorkOS) are optional here and enable provisioning of SCIM-managed users and groups.
* **SCIM-only mode (fallback).** When no Compliance Access Key is set, the connector syncs users and groups directly from SCIM and provisions natively. Only SCIM-provisioned identities are visible — console-invited users and console-created groups will not appear. Adding a Compliance Access Key later is non-disruptive: SCIM-managed identities keep their SCIM ids, and console-only identities simply become visible for the first time.

<Warning>
  **Add SCIM credentials freely, but don't remove them from an install that has them.** Whenever SCIM credentials are configured, SCIM-managed users and groups are keyed by their SCIM id — adding a Compliance Access Key on top is safe and changes no existing ids. If you instead *drop* the SCIM credentials and run Compliance-only, those identities re-key to their email address, and ConductorOne treats them as brand-new resources — resetting grant history, access-review trails, and account links.
</Warning>

### Compliance API mode (recommended — source of truth)

The connector lists and reconciles directory data entirely from the Compliance API, so a console-invited user — or a group created directly in claude.ai — is synced just like a SCIM-provisioned one:

| Synced                                                                         | From                                        |
| :----------------------------------------------------------------------------- | :------------------------------------------ |
| Users (every org member, SCIM- or console-provisioned)                         | `organizations/{id}/users`                  |
| Organizations + built-in org-role grants (`owner` / `admin` / `developer` / …) | `organizations`, `organizations/{id}/users` |
| RBAC roles + group→role grants                                                 | `organizations/{id}/roles`, `groups`        |
| Groups (both `direct` and `scim`) + membership                                 | `groups`, `groups/{id}/members`             |

### Activity feed (Compliance mode)

In Compliance mode the connector also streams Anthropic's audit/activity feed (`/v1/compliance/activities`) as C1 **usage events** — each event records a user acting within an organization (for example, viewing a chat or file). These power last-active and dormant-access signals for access reviews, alongside the access state from the directory sync. The feed reads only when a Compliance Access Key is configured (it is absent in SCIM-only mode) and requires the `read:compliance_activities` scope on the key.

### SCIM 2.0 (optional — provisioning only)

When SCIM credentials are configured, the connector can provision **SCIM-managed** resources:

| Capability                | Supported                                                     |
| :------------------------ | :------------------------------------------------------------ |
| Provision (create) user   | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Deprovision (delete) user | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Add user to group         | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Remove user from group    | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |

Provisioning resolves the target's SCIM id by email (users) or name (groups) at write time. **Console-native identities have no SCIM record and are read-only** — they sync, but cannot be created, deleted, or have membership changed through this connector. In Compliance mode without SCIM credentials the connector is sync-only.

### SCIM-only mode (fallback)

If you cannot yet obtain a Compliance Access Key (the Compliance API is enabled on request and is in beta), configure **only** the SCIM credentials. The connector then syncs and provisions users and groups entirely through SCIM, keyed by their SCIM ids — the connector's original behavior. Note this mode does **not** see console-invited identities; switch to Compliance mode once a key is available for full coverage.

## Gather Claude Enterprise credentials

Provide **at least one** of a Compliance Access Key (recommended) or SCIM credentials. Configuring both enables Compliance-canonical sync *and* provisioning.

<Warning>
  The **Primary Owner** of the Claude Enterprise organization must perform these tasks. The Compliance API and SCIM are Enterprise-plan features, and the Compliance API is enabled on request.
</Warning>

### Compliance Access Key (recommended)

<Steps>
  <Step>
    Request access to the Compliance API for your parent organization (it is enabled on request). Follow Anthropic's guide at [Get access to the Compliance API](https://platform.claude.com/docs/en/manage-claude/compliance-api-access).
  </Step>

  <Step>
    As the Primary Owner, go to **claude.ai > Organization settings > Data and privacy**, find **Compliance access keys**, and create a key with these scopes:

    * `read:compliance_org_data` (required)
    * `read:compliance_user_data` (required)
    * `read:compliance_activities` (for the activity feed)

    <Warning>
      `read:compliance_user_data` is required — listing org users and group members depends on it — and it also grants read access to chat, file, and project content across all linked organizations. Treat the key like a production database credential.
    </Warning>

    `read:compliance_activities` is needed only for the [activity feed](#activity-feed-compliance-mode); directory sync and provisioning work without it.
  </Step>

  <Step>
    Copy the **Compliance Access Key** (`sk-ant-api01-…`) and store it securely. Provide it as the `compliance-api-key` field during configuration.
  </Step>
</Steps>

### SCIM credentials (provisioning, or the SCIM-only fallback)

Configure these if you want provisioning in Compliance mode, or if you have no Compliance Access Key and want to run the connector in SCIM-only mode. Skip them only when you have a Compliance Access Key and don't need provisioning.

<Steps>
  <Step>
    Sign into [claude.ai](https://claude.ai) and navigate to **Settings** > **Identity and access** > **Setup SCIM**.
  </Step>

  <Step>
    Select **Custom SCIM** as the identity provider to get a raw SCIM endpoint and bearer token.
  </Step>

  <Step>
    Copy the **SCIM Endpoint URL** and **Bearer Token**. Provide both as the `scim-url` and `scim-token` fields (they are required together).
  </Step>
</Steps>

**Done.** Next, move on to the connector configuration instructions.

## Configure the Claude Enterprise connector

<Warning>
  To complete this task, you'll need:

  * The **Connector Administrator** or **Super Administrator** role in C1
  * At least one of the Claude Enterprise **Compliance Access Key** (recommended) or the **SCIM credentials** generated above (both, if you want Compliance-canonical sync plus provisioning)
</Warning>

<Tabs>
  <Tab title="Cloud-hosted">
    **Follow these instructions to use a built-in, no-code connector hosted by C1.**

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **Claude Enterprise** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Claude Enterprise connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
        * Add the connector to a managed app (select from the list of existing managed apps)
        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.

        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        Find the **Settings** area of the page and click **Edit**.
      </Step>

      <Step>
        Enter the configuration. Provide at least one of the Compliance Access Key or the SCIM credentials:

        * **SCIM Token** (optional): Optional SCIM bearer token (claude.ai → Settings → Identity and access). Only needed to enable provisioning of SCIM-managed users and groups.
        * **SCIM URL** (optional): Optional WorkOS SCIM endpoint URL (claude.ai > Settings > Identity and access). Only needed for provisioning; required together with scim-token.
        * **Compliance Access Key** (optional): Anthropic Compliance Access Key (read:compliance\_org\_data + read:compliance\_user\_data). Source of truth when set; otherwise the connector syncs SCIM-only.
      </Step>

      <Step>
        Click **Save**.
      </Step>

      <Step>
        The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
      </Step>
    </Steps>

    **Done.** Your Claude Enterprise connector is now pulling access data into C1.
  </Tab>

  <Tab title="Self-hosted">
    **Follow these instructions to use the Claude Enterprise connector, hosted and run in your own environment.**

    When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.

    ### Resources

    * [Official download center](https://dist.conductorone.com/ConductorOne/baton-claude-enterprise): For stable binaries (Windows/Linux/macOS) and container images.

    * [GitHub repository](https://github.com/conductorone/baton-claude-enterprise): Access the source code, report issues, or contribute to the project.

    ### Step 1: Set up a new Claude Enterprise connector

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
      </Step>

      <Step>
        Search for **Baton** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Claude Enterprise connector:

        * Add the connector to a currently unmanaged app
        * Add the connector to a managed app
        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.

        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        In the **Settings** area of the page, click **Edit**.
      </Step>

      <Step>
        Click **Rotate** to generate a new Client ID and Secret.

        Carefully copy and save these credentials. We'll use them in Step 2.
      </Step>
    </Steps>

    ### Step 2: Create Kubernetes configuration files

    Create two Kubernetes manifest files for your Claude Enterprise connector deployment:

    #### Secrets configuration

    ```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
    # baton-claude-enterprise-secrets.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: baton-claude-enterprise-secrets
    type: Opaque
    stringData:
      # C1 credentials
      BATON_CLIENT_ID: <C1 client ID>
      BATON_CLIENT_SECRET: <C1 client secret>

      # Provide at least one mode. Compliance Access Key (recommended) — when set,
      # it is the source of truth; otherwise the connector runs SCIM-only.
      BATON_COMPLIANCE_API_KEY: <sk-ant-api01-… Compliance Access Key>

      # SCIM credentials — provisioning in Compliance mode, or the SCIM-only fallback
      # (required together). At least one of the key above or this pair must be set.
      BATON_SCIM_TOKEN: <SCIM bearer token>
      BATON_SCIM_URL: <SCIM endpoint URL>
    ```

    See the connector's README or run `--help` to see all available configuration flags and environment variables.

    #### Deployment configuration

    ```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
    # baton-claude-enterprise.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: baton-claude-enterprise
      labels:
        app: baton-claude-enterprise
    spec:
      selector:
        matchLabels:
          app: baton-claude-enterprise
      template:
        metadata:
          labels:
            app: baton-claude-enterprise
            baton: "true"
            baton-app: claude-enterprise
        spec:
          containers:
          - name: baton-claude-enterprise
            image: public.ecr.aws/conductorone/baton-claude-enterprise:latest
            imagePullPolicy: IfNotPresent
            env:
            - name: BATON_HOST_ID
              value: baton-claude-enterprise
            envFrom:
            - secretRef:
                name: baton-claude-enterprise-secrets
    ```

    ### Step 3: Deploy the connector

    <Steps>
      <Step>
        Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
      </Step>

      <Step>
        Check that the connector data uploaded correctly. In C1, click **Applications**. On the **Managed apps** tab, locate and click the name of the application you added the Claude Enterprise connector to. Claude Enterprise data should be found on the **Entitlements** and **Accounts** tabs.
      </Step>
    </Steps>

    **Done.** Your Claude Enterprise connector is now pulling access data into C1.
  </Tab>
</Tabs>

***

<Tip>
  All versions of this connector are available at [dist.conductorone.com](https://dist.conductorone.com/ConductorOne/baton-claude-enterprise).
</Tip>
