Claude Code · 6 min read

Enterprise Deployment: SSO, Auditing, Compliance


Goal: understand the enterprise deployment options for Claude Code and how they meet security, compliance and management requirements
Estimated time: 35 minutes
Corresponding official docs: Admin Setup, Server-managed Settings, Legal and Compliance


Enterprise deployment architecture

[Diagram: complete production-grade deployment plan]


User authentication

SSO integration

Standard identity protocols are supported:

  • SAML 2.0
  • OIDC (OpenID Connect)
  • SCIM user provisioning (directory sync)

Configuration example (SAML)

# sso-config.yaml
idp:
  metadata_url: https://company.okta.com/app/xxx/sso/saml/metadata
  
sp:
  entity_id: claude-code-company
  acs_url: https://claude.company.com/auth/saml/callback
  
mapping:
  email: user.email
  name: user.firstName + " " + user.lastName
  groups: user.groups  # used for team permissions

Team management

# Create a team
claude admin team create backend-team
 
# Add members
claude admin team add backend-team [email protected]
claude admin team add backend-team [email protected]
 
# Set the team policy
claude admin team set-policy backend-team \
  --max-daily-cost 100 \
  --allowed-models sonnet,haiku \
  --require-approval-for auto-mode

Policy management

Server-managed Settings

Administrators manage every client centrally through a server-side configuration file:

{
  "version": "1.0.0",
  "organization": "company-name",
  
  "authentication": {
    "require_sso": true,
    "session_duration": "8h",
    "mfa_required": true
  },
  
  "permissions": {
    "default_mode": "ask",
    "allow_auto_mode": false,
    "allowed_mcp_servers": [
      "postgres-internal",
      "jira",
      "slack"
    ],
    "denied_mcp_servers": [
      "*external*"
    ]
  },
  
  "plugins": {
    "required": ["security-guidance", "audit-logger"],
    "allowlist": ["company-*", "anthropic-*"],
    "denylist": ["*unsanctioned*"]
  },
  
  "usage_limits": {
    "daily_budget_per_user": 50,
    "monthly_budget_per_team": 2000,
    "alert_threshold": 0.8
  },
  
  "data_handling": {
    "zero_data_retention": false,
    "allowed_regions": ["us-east-1", "eu-west-1"],
    "audit_log_retention": "90d"
  }
}
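As an added illustration of how a client would enforce such a server-managed policy (this is constructed example code, not Claude Code's own implementation), the following evaluates the permissions and plugins sections of the settings excerpt above. The evaluation rules are assumptions about the semantics, not something the page states: a deny list always wins over an allow list, anything not explicitly allowed is denied, and a request for auto mode falls back to default_mode when allow_auto_mode is false.

```python
import fnmatch
import json

# Constructed excerpt of a server-managed settings file, copied from the page's example.
SETTINGS_JSON = """
{
  "permissions": {
    "default_mode": "ask",
    "allow_auto_mode": false,
    "allowed_mcp_servers": ["postgres-internal", "jira", "slack"],
    "denied_mcp_servers": ["*external*"]
  },
  "plugins": {
    "required": ["security-guidance", "audit-logger"],
    "allowlist": ["company-*", "anthropic-*"],
    "denylist": ["*unsanctioned*"]
  }
}
"""


def load_settings(text=SETTINGS_JSON):
    return json.loads(text)


def _matches_any(name, patterns):
    """Shell-style glob match; case-sensitive so 'Jira' is not 'jira'."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def mcp_server_allowed(settings, name):
    """Deny list wins over allow list; unknown servers are denied (assumed semantics)."""
    perms = settings["permissions"]
    if _matches_any(name, perms.get("denied_mcp_servers", [])):
        return False
    return _matches_any(name, perms.get("allowed_mcp_servers", []))


def plugin_allowed(settings, name):
    """Same deny-wins, default-deny logic applied to the plugin allowlist/denylist."""
    plugins = settings["plugins"]
    if _matches_any(name, plugins.get("denylist", [])):
        return False
    return _matches_any(name, plugins.get("allowlist", []))


def missing_required_plugins(settings, installed):
    """Required plugins the client has not loaded; a non-empty result should block startup."""
    return sorted(set(settings["plugins"].get("required", [])) - set(installed))


def effective_mode(settings, requested):
    """Downgrade a request for auto mode to default_mode when the policy forbids it."""
    perms = settings["permissions"]
    if requested == "auto" and not perms.get("allow_auto_mode", False):
        return perms.get("default_mode", "ask")
    return requested


if __name__ == "__main__":
    s = load_settings()
    for server in ["postgres-internal", "slack-external-bridge", "github"]:
        print(server, "->", "allowed" if mcp_server_allowed(s, server) else "denied")
    print("missing required plugins:", missing_required_plugins(s, ["audit-logger"]))
    print("auto mode resolves to:", effective_mode(s, "auto"))
```

The point of checking the deny list first is that a pattern such as `*external*` must override an exact allow entry even if an administrator later adds an overlapping allow rule; evaluating allow first would silently reopen the hole.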

Pushing configuration automatically

# Update the policy
claude admin settings push settings-v2.json
 
# Every client automatically picks up the latest policy

Auditing and compliance

Audit logs

Every operation is recorded:

{
  "timestamp": "2025-06-18T10:30:00Z",
  "user": "[email protected]",
  "team": "backend-team",
  "action": "file_write",
  "details": {
    "file": "src/auth.py",
    "session_id": "sess_abc123",
    "model": "claude-sonnet-4-6"
  },
  "cost": {
    "input_tokens": 4520,
    "output_tokens": 890,
    "estimated_usd": 0.027
  }
}

Compliance certifications

Claude Code supports the following compliance frameworks:

Certification     Description
SOC 2 Type II     Service Organization Controls
ISO 27001         Information security management
GDPR              EU data protection
HIPAA             Protected health information (BAA required)
FedRAMP           US government cloud security

Data residency

# Configure the data storage regions
data_residency:
  primary: eu-west-1      # primary store
  backup: eu-central-1    # backup
  
restrictions:
  - no_data_transfer_outside_eu: true
  - encryption_at_rest: AES-256
  - encryption_in_transit: TLS-1.3

Network configuration

Enterprise proxy

# System-wide proxy
export HTTP_PROXY=http://proxy.company.com:8080
export HTTPS_PROXY=http://proxy.company.com:8080
export NO_PROXY=localhost,127.0.0.1,.company.internal
 
# Claude-specific configuration
claude config set network.proxy.host proxy.company.com
claude config set network.proxy.port 8080
claude config set network.proxy.auth ntlm

Custom CA

# Enterprise self-signed certificate
claude config set network.ssl.ca_cert /etc/ssl/certs/company-ca.pem
 
# mTLS mutual authentication
claude config set network.ssl.client_cert /etc/ssl/certs/client.pem
claude config set network.ssl.client_key /etc/ssl/private/client.key

Deployment modes

Mode 1: cloud-hosted (simplest)

  • Anthropic hosts Claude Code
  • Enterprise identity integrated through SSO
  • Suitable for small and medium teams

Mode 2: hybrid deployment

  • The client runs locally
  • Policies and data are managed by enterprise services
  • Suitable for large enterprises

Mode 3: fully private (air-gapped)

  • Private deployment on AWS/GCP/Azure
  • No external network connectivity
  • Suitable for high-security environments

Reference: Third-party Integrations


Monitoring and alerting

Usage monitoring

# View team usage
claude admin usage --team backend-team --last-month
 
# Export a detailed report
claude admin usage export --format csv --output usage.csv

Anomaly detection

# alerts.yaml
alerts:
  - name: unusual-spending
    condition: "daily_cost > 200% of average"
    action: notify_admin
    
  - name: sensitive-file-access
    condition: "file_path matches '/etc/*' or '*/secrets/*'"
    action: block_and_alert
    
  - name: after-hours-usage
    condition: "hour < 7 or hour > 22"
    action: require_additional_auth
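To show what these three rules look like as running detection logic, here is an added example that is not part of the original page: it evaluates the rules over a handful of constructed audit records in the JSON shape shown in the audit-log section. The rule names and actions are taken from alerts.yaml above; the rest are my assumptions, since the page does not define them: the spending rule compares a user's most recent day against the mean of their earlier days, hours are taken in UTC, and the file patterns are matched as shell-style globs.

```python
import fnmatch
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records in the shape of the audit-log entry shown earlier on this page.
AUDIT_LOG = [
    {"timestamp": "2025-06-16T10:00:00Z", "user": "alice@example.com", "action": "file_write",
     "details": {"file": "src/auth.py"}, "cost": {"estimated_usd": 1.00}},
    {"timestamp": "2025-06-17T11:00:00Z", "user": "alice@example.com", "action": "file_write",
     "details": {"file": "src/db.py"}, "cost": {"estimated_usd": 1.00}},
    {"timestamp": "2025-06-18T09:00:00Z", "user": "alice@example.com", "action": "file_read",
     "details": {"file": "config/secrets/db.yaml"}, "cost": {"estimated_usd": 1.50}},
    {"timestamp": "2025-06-18T23:30:00Z", "user": "alice@example.com", "action": "command_exec",
     "details": {"command": "pytest"}, "cost": {"estimated_usd": 1.50}},
    {"timestamp": "2025-06-16T14:00:00Z", "user": "bob@example.com", "action": "file_write",
     "details": {"file": "README.md"}, "cost": {"estimated_usd": 0.50}},
    {"timestamp": "2025-06-17T14:00:00Z", "user": "bob@example.com", "action": "file_read",
     "details": {"file": "/etc/hosts"}, "cost": {"estimated_usd": 0.50}},
    {"timestamp": "2025-06-18T15:00:00Z", "user": "bob@example.com", "action": "file_write",
     "details": {"file": "src/api.py"}, "cost": {"estimated_usd": 0.60}},
]

# Rule names and actions from alerts.yaml; thresholds and time zone are assumptions.
ACTIONS = {
    "unusual-spending": "notify_admin",
    "sensitive-file-access": "block_and_alert",
    "after-hours-usage": "require_additional_auth",
}
SENSITIVE_PATTERNS = ["/etc/*", "*/secrets/*"]
SPENDING_FACTOR = 2.0        # "daily_cost > 200% of average"
WORK_HOURS = range(7, 23)    # "hour < 7 or hour > 22" is after-hours, so 7..22 is normal


def parse_ts(ts):
    """Audit timestamps are ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def daily_cost_by_user(records):
    """{user: {date: total_usd}} aggregated from each record's cost field."""
    totals = defaultdict(lambda: defaultdict(float))
    for r in records:
        totals[r["user"]][parse_ts(r["timestamp"]).date()] += r["cost"]["estimated_usd"]
    return totals


def unusual_spending(records, factor=SPENDING_FACTOR):
    """Flag users whose latest day exceeds factor x the mean of their earlier days."""
    alerts = []
    for user, per_day in daily_cost_by_user(records).items():
        days = sorted(per_day)
        if len(days) < 2:
            continue  # no baseline yet, so nothing to compare against
        latest, history = days[-1], days[:-1]
        baseline = statistics.mean([per_day[d] for d in history])
        if per_day[latest] > factor * baseline:
            alerts.append({"alert": "unusual-spending", "action": ACTIONS["unusual-spending"],
                           "user": user, "daily_cost": per_day[latest], "average": baseline})
    return alerts


def sensitive_file_access(records, patterns=SENSITIVE_PATTERNS):
    """Flag file operations whose path matches one of the sensitive globs."""
    alerts = []
    for r in records:
        path = r["details"].get("file")
        if path and any(fnmatch.fnmatchcase(path, p) for p in patterns):
            alerts.append({"alert": "sensitive-file-access", "action": ACTIONS["sensitive-file-access"],
                           "user": r["user"], "file": path})
    return alerts


def after_hours_usage(records, work_hours=WORK_HOURS):
    """Flag any activity outside the configured working hours (UTC)."""
    alerts = []
    for r in records:
        if parse_ts(r["timestamp"]).hour not in work_hours:
            alerts.append({"alert": "after-hours-usage", "action": ACTIONS["after-hours-usage"],
                           "user": r["user"], "timestamp": r["timestamp"]})
    return alerts


def evaluate_alerts(records):
    """Run every rule and return the alerts in rule order."""
    return unusual_spending(records) + sensitive_file_access(records) + after_hours_usage(records)


if __name__ == "__main__":
    for alert in evaluate_alerts(AUDIT_LOG):
        print(alert)
```

Two details matter in practice: the spending rule deliberately skips users with a single day of history rather than alerting on a zero baseline, and the after-hours check assumes the audit timestamps are UTC, so a team in another time zone needs the working-hours window shifted accordingly.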

Practical scenarios

Scenario 1: onboarding a 500-person engineering organization

Requirements:

  • SSO (Azure AD) login for everyone
  • Budgets and permissions allocated per team
  • An audit trail for every operation
  • Auto mode prohibited on sensitive projects

Deployment configuration:

// company-claude-config.json
{
  "schema_version": "2.0",
  "organization": {
    "name": "TechCorp Inc.",
    "id": "techcorp-prod"
  },
 
  "authentication": {
    "sso": {
      "provider": "azure_ad",
      "tenant_id": "${AZURE_TENANT_ID}",
      "client_id": "${AZURE_CLIENT_ID}",
      "client_secret": "${AZURE_CLIENT_SECRET}",
      "redirect_uri": "https://claude.techcorp.com/auth/callback"
    },
    "scim": {
      "enabled": true,
      "token": "${SCIM_TOKEN}",
      "sync_interval": "15m"
    },
    "mfa": {
      "required_for_roles": ["admin", "lead"],
      "methods": ["totp", "webauthn"]
    }
  },
 
  "teams": [
    {
      "name": "platform",
      "budget": { "daily": 200, "monthly": 4000 },
      "models": ["claude-sonnet", "claude-haiku"],
      "modes": ["ask", "auto-edits"],
      "mcp_allowlist": ["internal-jira", "internal-grafana"]
    },
    {
      "name": "security",
      "budget": { "daily": 100, "monthly": 2000 },
      "models": ["claude-opus", "claude-sonnet"],
      "modes": ["ask"],
      "require_approval_for": ["auto-edits", "auto"]
    },
    {
      "name": "interns",
      "budget": { "daily": 20, "monthly": 400 },
      "models": ["claude-haiku"],
      "modes": ["ask"],
      "readonly": true
    }
  ],
 
  "security": {
    "data_retention": "standard",
    "allowed_regions": ["us-east-1", "us-west-2"],
    "blocked_file_patterns": [
      "**/secrets/**",
      "**/*.pem",
      "**/*.key"
    ],
    "required_hooks": ["audit-logger", "security-scanner"]
  },
 
  "audit": {
    "retention_days": 365,
    "export_to_siem": true,
    "siem_endpoint": "https://splunk.techcorp.com:8088",
    "siem_token": "${SPLUNK_TOKEN}"
  }
}
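The blocked_file_patterns above use `**`, which ordinary shell globbing (Python's fnmatch, for instance) does not treat as "zero or more directory levels": `**/*.pem` would then fail to match a `client.pem` at the repository root. As an added example, not the project's code, here is a small matcher that gives the patterns gitignore-like semantics (an assumption about how Claude Code interprets them) and handles the edge cases that matter: a secrets/ directory at the root, a key file at the root, and a directory whose name merely contains "secrets".

```python
import posixpath
import re

# Patterns copied from the scenario's "security" section; gitignore-like semantics are assumed.
BLOCKED_FILE_PATTERNS = ["**/secrets/**", "**/*.pem", "**/*.key"]


def glob_to_regex(pattern):
    """Translate a '**'-aware glob into an anchored regex.

    '**/' matches zero or more directory levels, a trailing '**' matches everything
    below, '*' and '?' stay within one path component (they never cross '/').
    """
    i, out = 0, []
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


_COMPILED = [(p, glob_to_regex(p)) for p in BLOCKED_FILE_PATTERNS]


def normalize(path):
    """Use forward slashes and collapse './' and '//' so patterns match consistently."""
    return posixpath.normpath(path.replace("\\", "/"))


def blocked_by(path, rules=_COMPILED):
    """Return the first pattern that blocks the path, or None if access is permitted."""
    candidate = normalize(path)
    for pattern, regex in rules:
        if regex.match(candidate):
            return pattern
    return None


def is_blocked(path):
    return blocked_by(path) is not None


if __name__ == "__main__":
    for p in ["config/secrets/db.yaml", "secrets/db.yaml", "client.pem",
              "./certs/client.pem", "src/auth.py", "mysecrets/notes.txt"]:
        print(f"{p:28} -> {blocked_by(p) or 'allowed'}")
```

Normalizing the path before matching is what stops trivial bypasses such as `./certs/client.pem` or `certs//client.pem`; a checker that matches the raw string would let those through while blocking the canonical spelling.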

Deployment script:

#!/bin/bash
# deploy-claude-enterprise.sh
 
# -u makes the script fail on an unset secret instead of silently creating an empty one
set -euo pipefail
 
echo "🚀 Starting Claude Code enterprise deployment..."
 
# 1. Create the namespace
kubectl create namespace claude-enterprise --dry-run=client -o yaml | kubectl apply -f -
 
# 2. Create the Secret
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: claude-config
  namespace: claude-enterprise
type: Opaque
stringData:
  AZURE_TENANT_ID: "$AZURE_TENANT_ID"
  AZURE_CLIENT_ID: "$AZURE_CLIENT_ID"
  AZURE_CLIENT_SECRET: "$AZURE_CLIENT_SECRET"
  SCIM_TOKEN: "$SCIM_TOKEN"
  SPLUNK_TOKEN: "$SPLUNK_TOKEN"
EOF
 
# 3. Deploy the policy and audit services
kubectl apply -f k8s/policy-service.yaml
kubectl apply -f k8s/audit-service.yaml
 
# 4. Deploy the gateway
kubectl apply -f k8s/gateway.yaml
 
# 5. Verify
kubectl wait --for=condition=ready pod -l app=claude-policy -n claude-enterprise --timeout=300s
echo "✅ Deployment complete!"

Scenario 2: compliant deployment for the financial sector

Requirements:

  • Zero data retention (ZDR)
  • Real-time auditing of every operation
  • Two-person approval for sensitive operations
  • Deployed in a private VPC

Terraform configuration:

# main.tf
module "claude_code" {
  source = "anthropic/claude-code/aws"
  version = "~> 1.0"
 
  vpc_id = module.vpc.vpc_id
  private_subnets = module.vpc.private_subnets
 
  # Compliance settings
  compliance = {
    zdr_enabled = true
    soc2_scope = true
    audit_retention_years = 7
  }
 
  # Network isolation
  network = {
    public_access = false
    vpn_required = true
    allowed_cidrs = ["10.0.0.0/8"]
  }
 
  # Approval workflows
  approval_workflows = {
    file_write = "single_approval"
    command_exec = "dual_approval"
    mcp_connect = "admin_approval"
  }
}

Next step

06. Security hardening and sandbox configuration
