[BUG] Okta SSO login fails on second device: 'You haven't been added to your organization yet'

Resolved 💬 3 comments Opened Mar 10, 2026 by suisbuds Closed Apr 7, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Environment:

  • Claude Web (claude.ai) / Claude Code CLI (both share the same SSO authentication flow via browser)
  • SSO Provider: Okta (via WorkOS)
  • Organization Plan: Teams

Why this is relevant to Claude Code: Claude Code CLI authenticates through the browser-based OAuth/SSO flow on claude.ai. This SSO bug prevents users from authenticating on additional devices, which directly blocks Claude Code CLI usage on those machines.

Bug Description:

When using Okta SSO to log in to Claude, after successfully accepting the invitation link and logging in on one Mac and an iPhone, attempting to log in on a second Mac results in the following error:

Access managed by your organization You haven't been added to your organization yet. Contact your administrator for access.

Detailed Troubleshooting Results

The following steps were performed to isolate the root cause:

| # | Test | Result | What it rules out |
|---|------|--------|-------------------|
| 1 | Login on Mac A + iPhone | ✅ Success | Okta config is correct |
| 2 | Login on Mac B (different Mac) | ❌ Fails | — |
| 3 | Incognito mode on Mac B | ❌ Fails | Rules out browser cache/cookie issues |
| 4 | Different browser on Mac B | ❌ Fails | Rules out browser-specific issues |
| 5 | Log out of ALL devices (Mac A + iPhone), then retry Mac B | ❌ Fails | Rules out concurrent session limits |
| 6 | After step 5, retry on Mac A (previously working) | ❌ Also fails now | Proves the issue is backend state corruption |
| 7 | Admin removes user from team, re-adds | ✅ Temporarily fixes | Confirms backend membership state is the problem |

Critical finding from steps 5-6: After logging out of all devices, no device can log back in — including the ones that previously worked. This definitively proves:

  • ❌ Not a concurrent session limit issue
  • ❌ Not a browser/cookie issue
  • ❌ Not a device-binding issue
  • Claude's backend organization membership state becomes corrupted, and the corruption appears to be triggered by attempting to authenticate from a new device

Root Cause Analysis

The Okta SSO authentication succeeds on the IdP side — the error originates from Claude's WorkOS integration layer. When the same user initiates SSO authentication from a different device, something in the session association or organization membership validation logic corrupts the user's membership state. Once corrupted, the user cannot log in from any device until an admin removes and re-adds them to the team (which rebuilds the membership record).

Potentially related to #22895 (Okta SSO via WorkOS authentication failures).

Steps to Reproduce

  1. Set up Okta SSO for a Claude Teams organization
  2. Send an invitation to a user
  3. User accepts and logs in successfully on Device A
  4. User attempts to log in on Device B (different Mac) using the same Okta SSO credentials
  5. Device B shows "You haven't been added to your organization yet" error
  6. Log out of Device A → Device A also can no longer log in
  7. Only fix: admin removes and re-adds the user

Expected Behavior

The same user should be able to log in to Claude via Okta SSO from multiple devices without encountering organization membership errors.

Actual Behavior

Attempting to log in from a second device corrupts the user's organization membership state in Claude's backend, eventually causing all devices to lose access. The only recovery is for an admin to remove and re-add the user.

Current Workaround

Admin removes the user from the team and re-adds them. This temporarily restores access but the problem recurs when attempting multi-device login.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗