> ## Documentation Index
> Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Set up a Claude Enterprise connector

> C1 provides identity governance and just-in-time provisioning for Claude Enterprise. Integrate your Claude Enterprise instance with C1 to run user access reviews (UARs), enable just-in-time access requests, and automatically provision and deprovision access.

## Capabilities

The Claude Enterprise connector syncs the following resources:

| Resource | Sync                                                          | Provision                                                                    |
| :------- | :------------------------------------------------------------ | :--------------------------------------------------------------------------- |
| Accounts | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> Create, Delete |
| Groups   | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> Grant, Revoke  |

**Additional functionality:**

<Icon icon="square-check" iconType="solid" color="#c937ae" /> Supports [automatic account provisioning and deprovisioning](/product/admin/account-provisioning)

#### Account creation fields

When provisioning a new Claude Enterprise user account, C1 prompts for the following field:

| Field          | Required | Description                                                                                                                                               |
| :------------- | :------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `display_name` | Yes      | The user's first and last name, space-separated (e.g., "Jane Smith"). The first word is used as the given name; the remainder is used as the family name. |

The user's email address is provided automatically by C1 and is used as the SCIM username. No password is required — Claude Enterprise authenticates users through SSO, so accounts are created without credentials.

## SCIM-only connector

This connector uses the SCIM 2.0 API exclusively. Claude Enterprise does not currently offer an Admin API for managing users and groups, so SCIM is the only programmatic interface available.

### What this means in practice

* **Only SCIM-managed users and groups are visible.** Users or groups created directly through the Claude Enterprise UI will not appear in syncs. To get full visibility, all user management should flow through SCIM.
* **Groups are managed through SCIM only.** The connector can sync groups and grant or revoke group membership, but it cannot create or delete groups. Groups must be created outside of C1 (e.g., through your identity provider or directly via the SCIM API).
* **Claude Enterprise uses WorkOS under the hood** for its SCIM implementation. The SCIM endpoint URL provided during setup points to the WorkOS SCIM service.

### What SCIM provides

| Capability                      | Supported                                                     |
| :------------------------------ | :------------------------------------------------------------ |
| Provision (create) user         | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Deprovision (delete) user       | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Add user to group               | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Remove user from group          | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Sync all users                  | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Sync all groups and memberships | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Create or delete groups         |                                                               |
| Assign roles                    |                                                               |
| Manage workspace settings       |                                                               |

<Note>
  If Anthropic adds an Admin API in the future, the connector can be extended to support additional capabilities such as role management.
</Note>

## Gather Claude Enterprise credentials

Configuring the connector requires you to generate SCIM credentials in Claude Enterprise. Gather these credentials before you move on.

<Warning>
  The **Primary Owner** of the Claude Enterprise organization must perform this task. SCIM provisioning is only available on Enterprise plans.
</Warning>

<Steps>
  <Step>
    Sign into [claude.ai](https://claude.ai) and navigate to **Settings** > **Identity and access** > **Setup SCIM**.
  </Step>

  <Step>
    Select **Custom SCIM** as the identity provider to get a raw SCIM endpoint and bearer token.
  </Step>

  <Step>
    Copy the **SCIM Endpoint URL** and **Bearer Token** and save them securely. You will need both to configure the connector.
  </Step>
</Steps>

**Done.** Next, move on to the connector configuration instructions.

## Configure the Claude Enterprise connector

<Warning>
  To complete this task, you'll need:

  * The **Connector Administrator** or **Super Administrator** role in C1
  * Access to the Claude Enterprise SCIM credentials generated by following the instructions above
</Warning>

<Tabs>
  <Tab title="Cloud-hosted">
    **Follow these instructions to use a built-in, no-code connector hosted by C1.**

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **Claude Enterprise** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Claude Enterprise connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
        * Add the connector to a managed app (select from the list of existing managed apps)
        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.

        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        Find the **Settings** area of the page and click **Edit**.
      </Step>

      <Step>
        Enter the required configuration:

        * **SCIM Token** (required): The SCIM bearer token for Claude Enterprise (from claude.ai > Settings > Identity and access).
        * **SCIM URL** (required): The SCIM endpoint URL provided during SCIM setup (from claude.ai > Settings > Identity and access). This is the WorkOS SCIM endpoint generated for your organization.
      </Step>

      <Step>
        Click **Save**.
      </Step>

      <Step>
        The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
      </Step>
    </Steps>

    **Done.** Your Claude Enterprise connector is now pulling access data into C1.
  </Tab>

  <Tab title="Self-hosted">
    **Follow these instructions to use the Claude Enterprise connector, hosted and run in your own environment.**

    When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.

    ### Resources

    * [Official download center](https://dist.conductorone.com/ConductorOne/baton-claude-enterprise): For stable binaries (Windows/Linux/macOS) and container images.

    * [GitHub repository](https://github.com/ConductorOne/baton-claude-enterprise): Access the source code, report issues, or contribute to the project.

    ### Step 1: Set up a new Claude Enterprise connector

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
      </Step>

      <Step>
        Search for **Baton** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Claude Enterprise connector:

        * Add the connector to a currently unmanaged app
        * Add the connector to a managed app
        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.

        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        In the **Settings** area of the page, click **Edit**.
      </Step>

      <Step>
        Click **Rotate** to generate a new Client ID and Secret.

        Carefully copy and save these credentials. We'll use them in Step 2.
      </Step>
    </Steps>

    ### Step 2: Create Kubernetes configuration files

    Create two Kubernetes manifest files for your Claude Enterprise connector deployment:

    #### Secrets configuration

    ```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
    # baton-claude-enterprise-secrets.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: baton-claude-enterprise-secrets
    type: Opaque
    stringData:
      # C1 credentials
      BATON_CLIENT_ID: <C1 client ID>
      BATON_CLIENT_SECRET: <C1 client secret>

      # Claude Enterprise SCIM credentials
      BATON_SCIM_TOKEN: <SCIM bearer token>
      BATON_SCIM_URL: <SCIM endpoint URL>

      # Optional: include if you want C1 to provision access using this connector
      BATON_PROVISIONING: true
    ```

    See the connector's README or run `--help` to see all available configuration flags and environment variables.

    #### Deployment configuration

    ```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
    # baton-claude-enterprise.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: baton-claude-enterprise
      labels:
        app: baton-claude-enterprise
    spec:
      selector:
        matchLabels:
          app: baton-claude-enterprise
      template:
        metadata:
          labels:
            app: baton-claude-enterprise
            baton: "true"
            baton-app: claude-enterprise
        spec:
          containers:
          - name: baton-claude-enterprise
            image: public.ecr.aws/conductorone/baton-claude-enterprise:latest
            imagePullPolicy: IfNotPresent
            env:
            - name: BATON_HOST_ID
              value: baton-claude-enterprise
            envFrom:
            - secretRef:
                name: baton-claude-enterprise-secrets
    ```

    ### Step 3: Deploy the connector

    <Steps>
      <Step>
        Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
      </Step>

      <Step>
        Check that the connector data uploaded correctly. In C1, click **Applications**. On the **Managed apps** tab, locate and click the name of the application you added the Claude Enterprise connector to. Claude Enterprise data should be found on the **Entitlements** and **Accounts** tabs.
      </Step>
    </Steps>

    **Done.** Your Claude Enterprise connector is now pulling access data into C1.
  </Tab>
</Tabs>

***

<Tip>
  All versions of this connector are available at [dist.conductorone.com](https://dist.conductorone.com/ConductorOne/baton-claude-enterprise).
</Tip>