Setting up SSO & SCIM
Windsurf Enterprise supports sign-in with Single Sign-On (SSO) via SAML. If your organization uses Microsoft Entra ID, Okta, Google Workspace, or another identity provider that supports SAML, you can use SSO with Windsurf.
Configure IDP Application
On the Google Admin console (admin.google.com), click Apps -> Web and mobile apps in the left sidebar.
Click Add app, and then Add custom SAML app.
Fill out App name with Windsurf, and click Next.
The next screen (Google Identity Provider details) on Google’s console page has data you’ll need to copy to Windsurf’s SSO settings on www.windsurf.com/team/team_settings.
- Copy SSO URL from Google’s console page to Windsurf’s settings under SSO URL
- Copy Entity ID from Google’s console page to Windsurf’s settings under Idp Entity ID
- Copy Certificate from Google’s console page to Windsurf’s settings under X509 Certificate
- Click Continue on Google’s console page
The next screen on Google’s console page requires you to copy data from Windsurf’s settings page
- Copy Callback URL from Windsurf’s settings page to Google’s console page under ACS URL
- Copy SP Entity ID from Windsurf’s settings page to Google’s console page under SP Entity ID
- Change Name ID format to EMAIL
- Click Continue on Google’s console page
The next screen on Google’s console page requires some configuration
- Click on Add Mapping, select First name and set the App attributes to firstName
- Click on Add Mapping, select Last name and set the App attributes to lastName
- Click Finish
On Windsurf’s settings page, click Enable Login with SAML, and then click Save. Click Test Login to confirm that login works as expected. From this point on, SSO login is enforced for all users.
Windsurf Enterprise supports sign-in with Single Sign-On (SSO) via SAML. If your organization uses Microsoft Entra ID (formerly Azure AD), you can use SSO with Windsurf.
Configure IDP Application
Create an enterprise application in Microsoft Entra ID: click Add, and then Enterprise Application.
Click Create your own application.
Name your application Windsurf, select Integrate any other application you don’t find in the gallery, and then click Create.
Configure your enterprise application with SAML
- Click Set up single sign on in the new Windsurf application, and then click SAML
- Click Edit under Basic SAML Configuration, and open the Windsurf Teams SSO settings at https://www.codeium.com/team/team_settings
- Copy the following values from the Windsurf SSO settings page into Entra’s SAML configuration form:
  - For Identifier (Entity ID), copy the SP Entity ID value from the SSO settings page
  - For Reply URL (Assertion Consumer Service URL), copy the Callback URL value from the SSO settings page
- Click Save at the top
- Pick the SSO ID you want to use, which creates a login portal for your team. Note that this is not changeable after this is saved.
- Fill out IdP Entity ID in the settings page with the value in Entra ID under Set up Windsurf -> Microsoft Entra Identifier
- Fill out SSO URL in the settings page with the value in Entra ID under Login URL
- Download the SAML certificate (Base64), get the text content of the file, and paste it to X509 Certificate on the Windsurf settings page
- Click on Enable Login with SAML
- Click Save in the Windsurf settings page
- We also need to set up name claims. This step is important in order for Windsurf to know the display name of the user.
- Under Attributes & Claims under Entra ID, click on Edit
- Create 2 new claims. You can do so by clicking on Add new claim
- The first claim should have ‘firstName’ as the Name, and ‘user.givenname’ as the Source attribute
- The second claim should have ‘lastName’ as the Name, and ‘user.surname’ as the Source attribute
- At this point you should have successfully configured SSO. Below the Save button in the settings page, click Test Login to make sure everything works as expected.
Windsurf Enterprise supports sign-in with Single Sign-On (SSO) via SAML. If your organization uses Okta, configure it as follows.
Configure IDP Application
In the Okta Admin Console, click Applications in the left sidebar, and then Create App Integration
Select SAML 2.0 as the sign-in method
Set the app name as Windsurf (or to any other name), and click Next
Configure the SAML settings as follows:
- Single sign-on URL to https://auth.windsurf.com/__/auth/handler
- Audience URI (SP Entity ID) to www.codeium.com
- NameID format to EmailAddress
- Application username to Email
Configure the attribute statements so that Okta sends the same two attributes the other providers send: a firstName attribute with value user.firstName and a lastName attribute with value user.lastName. Then click Next.
In the feedback section, select “This is an internal app that we have created”, and click Finish.
Register Okta as a SAML provider
You should be redirected to the Sign on tab under your custom SAML application. Now you’ll want to take the info in this page and fill it out in Windsurf’s SSO settings.
- Open www.windsurf.com/team/team_settings, and click on Configure SAML
- Copy the text after ‘Issuer’ in Okta’s application page and paste it under Idp Entity ID
- Copy the text after ‘Sign on URL’ in Okta’s application page and paste it under SSO URL
- Download the Signing Certificate and paste it under X509 certificate
- Check Enable Login with SAML and then click Save
- Test the login with the Test Login button. You should see a success message.
At this point everything is configured, and you can assign users to the new Windsurf application in Okta.
Share your organization’s custom Login Portal URL with your users and ask them to sign in via that link.
Users who log in to Windsurf via SSO are auto-approved into the team.
Caveats
Note that Windsurf does not currently support IdP-initiated login flows; users must start from the Login Portal URL.
OIDC is not yet supported either; only SAML is available.
Troubleshooting
Login with SAML config failed: Firebase: Error (auth/operation-not-allowed)
This points to an invalid SSO ID or an incorrect SSO URL. Make sure the SSO ID is alphanumeric, with no extra spaces or invalid characters, and go over the steps in the guide again to confirm you used the correct values.
Login with SAML config failed: Firebase: SAML Response <Issuer> mismatch. (auth/invalid-credential)
This points to an invalid IdP Entity ID. Make sure you copied it exactly from your identity provider, without any extra characters or spaces before or after the string.
Failed to verify the signature in samlresponse
This points to an incorrect X509 certificate value. Make sure you copied your IdP’s signing certificate for this application, and that it is a complete PEM block: a -----BEGIN CERTIFICATE----- line, the base64 body, and an -----END CERTIFICATE----- line, with nothing before or after.
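The three errors above all come down to a pasted value that does not match what the IdP sends. As an added example (not Windsurf code), the following Python script checks the values before you click Test Login: that the SSO ID is plain alphanumeric, that the IdP Entity ID equals the `<Issuer>` of a SAML response (and reports when only stray whitespace is the difference), and that the X509 certificate is a well-formed PEM block. The SAML response and the certificate body in the script are constructed stand-ins for the example, and only the standard library is used.

```python
"""Pre-flight checks for the values pasted into Windsurf's SSO settings.

Added example for this guide, not Windsurf code. It covers the three
causes the troubleshooting entries above name: an SSO ID that is not
plain alphanumeric, an IdP Entity ID that does not match the <Issuer>
of the SAML response, and an X509 certificate that is not a clean PEM
block. The SAML response and certificate body below are constructed
stand-ins, not captured from any real IdP.
"""
import base64
import re
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: a minimal SAML Response from an imaginary IdP.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
</samlp:Response>"""

# Constructed stand-in: a 5-byte DER SEQUENCE, not a real certificate,
# just enough to exercise the PEM and base64 checks.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----"


def check_sso_id(sso_id):
    """The SSO ID must be alphanumeric only: no spaces, no punctuation."""
    return re.fullmatch(r"[A-Za-z0-9]+", sso_id) is not None


def issuer_of(saml_response_xml):
    """Return the <saml:Issuer> text of a SAML Response document."""
    root = ET.fromstring(saml_response_xml)
    issuer = root.find(f"{{{SAML_ASSERTION_NS}}}Issuer")
    if issuer is None or not issuer.text:
        raise ValueError("SAML response carries no <Issuer>")
    return issuer.text


def check_issuer(configured_idp_entity_id, saml_response_xml):
    """Compare the configured IdP Entity ID with the response's <Issuer>.

    Returns (ok, reason). Whitespace around the pasted value is reported
    on its own, since that is what the <Issuer> mismatch entry points at.
    """
    issuer = issuer_of(saml_response_xml)
    if issuer == configured_idp_entity_id:
        return True, "issuer matches"
    if issuer == configured_idp_entity_id.strip():
        return False, "issuer matches only after trimming whitespace; remove the stray spaces"
    return False, f"issuer {issuer!r} does not match configured {configured_idp_entity_id!r}"


def check_certificate(pem):
    """Check that the pasted X509 certificate is a well-formed PEM block."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----" \
            or lines[-1] != "-----END CERTIFICATE-----":
        return False, "missing -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines"
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:
        return False, "certificate body is not valid base64"
    # Every X.509 certificate is a DER SEQUENCE, whose first byte is 0x30.
    if not der or der[0] != 0x30:
        return False, "decoded body is not a DER SEQUENCE; this is not a certificate"
    return True, "PEM certificate looks well formed"


if __name__ == "__main__":
    print(check_sso_id("acmecorp"), check_sso_id("acme corp"))
    print(check_issuer("https://idp.example.com/saml ", SAMPLE_RESPONSE))
    print(check_certificate(SAMPLE_CERT))
```

To use it against your own setup, paste the values from your SSO settings into the calls and feed `check_issuer` a real SAML response captured from a browser trace (it is base64 in the `SAMLResponse` form field; decode it first).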
Windsurf supports SCIM synchronization for users and groups with Microsoft Entra ID / Azure AD. It isn’t necessary to set up SSO to use SCIM synchronization, but it is highly recommended.
You’ll need:
- Admin access to Microsoft Entra ID / Azure AD
- Admin access to Windsurf
- An existing Windsurf Application on Entra ID (normally from your existing SSO application)
Step 1: Navigate to the existing Windsurf Application
Go to Microsoft Entra ID on Azure, click on Enterprise applications on the left sidebar, and then click on the existing Windsurf application in the list.
Step 2: Setup SCIM provisioning
Click on Get started under Provision User Accounts in the middle (step 3), and then click on Get started again.
Under the Provisioning setup page, select the following options.
Provisioning Mode: Automatic
Admin Credentials > Tenant URL: https://server.codeium.com/scim/v2
Leave the Azure provisioning page open and go to the Windsurf enterprise portal. Click Settings in the navigation bar at the top of the page. Under SCIM, click Add API Key, enter any key name (such as ‘Azure Provisioning Key’), and click Create API Key. Copy the output key, go back to the Azure page, and paste it into Secret Token.
On the Provisioning page, click Test Connection to verify the SCIM connection.
Now, above the Provisioning form, click Save.
Step 3: Configure SCIM Provisioning
After clicking Save, a new option, Mappings, should appear on the Provisioning page. Expand Mappings, and click Provision Microsoft Entra ID Users.
Under Attribute Mappings, delete every mapping except userName, active, and displayName.
For active, now click on Edit. Under Expression, modify the field to
Then click Ok.
Your user attribute mappings should now list only userName, active, and displayName.
In the Attribute Mapping page, click Save on top, and navigate back to the Provisioning page.
Back under Mappings, click Provision Microsoft Entra ID Groups. Delete only the externalId mapping, click Save on top, and navigate back to the Provisioning page.
At the bottom of the Provisioning page there is a Provisioning Status toggle. Set it to On to enable SCIM syncing. Entra ID will then sync the users and groups of the Windsurf application to Windsurf roughly every 40 minutes.
Click Save to finish; you have now enabled user and group syncing via SCIM. Only users and groups assigned to the application are synced to Windsurf. Note that, because of how Azure’s SCIM provisioning handles removals, removing a user only disables their access to Windsurf (and frees their seat) rather than deleting the user.
Windsurf supports SCIM synchronization for users and groups with Okta. It isn’t necessary to set up SSO to use SCIM synchronization, but it is highly recommended.
You’ll need:
- Admin access to Okta
- Admin access to Windsurf
- An existing Windsurf Application on Okta (normally from your existing SSO application)
Step 1: Navigate to the existing Windsurf Application
In the Okta Admin Console, click Applications -> Applications in the left sidebar, and then click the existing Windsurf application in the application list.
Step 2: Enable SCIM Provisioning
Under the General tab, in App Settings, click Edit at the top right. Tick the ‘Enable SCIM Provisioning’ checkbox, then click Save. A new Provisioning tab appears at the top.
Now open the Provisioning tab, click Edit, and fill in the following fields:
SCIM connector base URL: https://server.codeium.com/scim/v2
Unique identifier field for users: email
Supported provisioning actions: Push New Users, Push Profile Updates, Push Groups
Authentication Mode: HTTP Header
For HTTP Header - Authorization, you can generate the token from
- https://windsurf.com/team/team_settings and go to the SCIM tab on the left
- Click on Add API Key, and give your API key a name
- Copy the API key, go back to Okta and paste it to HTTP Header - Authorization
Click on Save after filling out Provisioning Integration.
Step 3: Setup Provisioning
Under the Provisioning tab, two new sub-tabs appear on the left. Click To App, and then Edit under Provisioning to App. Tick the checkboxes for Create Users, Update User Attributes, and Deactivate Users, and click Save.
After this step, all users assigned to the application will be synced to Windsurf.
Step 4: Setup Group Provisioning (Optional)
In order to sync groups to Windsurf, you will have to specify which groups to push. Under the application, click on the Push Groups tab on top. Now click on + Push Groups -> Find Groups by name. Filter for the group you would like to add, make sure Push group memberships immediately is checked, and then click Save. The group will be created and group members will be synced to Windsurf. Groups can then be used to filter for group analytics in the analytics page.
This guide shows how to create and maintain groups in Windsurf with the SCIM API.
There are reasons one may want to provision groups manually rather than through an identity provider (Entra ID/Okta). A company may want groups provisioned from a different internal source (an HR system, a source-code management tool, and so on) that Windsurf does not have access to, or may want finer control over groups than its identity provider offers. Groups can therefore be created with the SCIM API via HTTP requests instead. The following provides examples of the HTTP requests via curl.
There are six main APIs here: Create Group, Add Group Members, Replace Group Members, Delete Group, List Groups, and List Users in a Group.
Create Group
Add Group Members
Replace Group Members
Delete Group
List Group
List Users in a Group
You have to create the group first, and then call Replace Group Members to populate it. You also need to URL-encode group names that contain special characters such as spaces, so a group named ‘Engineering Group’ becomes ‘Engineering%20Group’ in the URL.
Note that users need to be created in Windsurf (through SCIM or manually creating the account) before they can be added to a group.
User APIs
There are APIs for users as well. The following are some of the common SCIM user operations that Windsurf supports.
Disable a user (to re-enable, replace false with true):
Create a user:
Update name:
Creating an API Secret Key
Go to https://www.windsurf.com/team/team_settings. Under Service Key, click Add Service Key. Enter any key name (such as ‘Azure Provisioning Key’) and click Create Service Key. Copy the output key and store it securely; it is the bearer credential for the APIs above, so treat it like a password.
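The curl snippets for the group and user APIs are not reproduced on this page. As an added example (not Windsurf’s own snippets), the following Python script builds the same requests in standard SCIM 2.0 shape (RFC 7643/7644: POST to create, PATCH with a PatchOp to add members or flip active, PUT to replace, DELETE, GET) and sends them with the service key, so the request bodies and the URL encoding of group names are visible. Assumptions, labelled in the code: the base URL is the Tenant URL given above for Entra/Okta provisioning; a group is addressed by its URL-encoded displayName in the path, as the ‘Engineering%20Group’ note implies; the service key is sent as a Bearer token in the Authorization header. Confirm the paths and auth scheme against the live endpoint before relying on them.

```python
"""Build and send SCIM 2.0 requests for Windsurf groups and users.

Added example, not Windsurf's own curl snippets. Assumptions: BASE_URL is
the Tenant URL this page gives for Entra/Okta provisioning; resource paths
and bodies follow RFC 7643/7644; groups are addressed by URL-encoded
displayName in the path (as the page's 'Engineering%20Group' note implies);
the service key is sent as a Bearer token. Verify against the live API.
"""
import json
import urllib.parse
import urllib.request

BASE_URL = "https://server.codeium.com/scim/v2"   # Tenant URL from this page
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def group_url(name):
    """Percent-encode every special character: 'Engineering Group' -> 'Engineering%20Group'."""
    return f"{BASE_URL}/Groups/{urllib.parse.quote(name, safe='')}"


def user_url(user_id):
    return f"{BASE_URL}/Users/{urllib.parse.quote(str(user_id), safe='')}"


def patch(operations):
    return {"schemas": [PATCH_SCHEMA], "Operations": operations}


# --- Group APIs. Create the group first; members are added to an existing group. ---
def create_group(name):
    return ("POST", f"{BASE_URL}/Groups", {"schemas": [GROUP_SCHEMA], "displayName": name})


def add_group_members(name, user_ids):
    members = [{"value": uid} for uid in user_ids]
    return ("PATCH", group_url(name), patch([{"op": "add", "path": "members", "value": members}]))


def replace_group_members(name, user_ids):
    members = [{"value": uid} for uid in user_ids]
    return ("PUT", group_url(name), {"schemas": [GROUP_SCHEMA], "displayName": name, "members": members})


def delete_group(name):
    return ("DELETE", group_url(name), None)


def list_groups():
    return ("GET", f"{BASE_URL}/Groups", None)


def list_group_users(name):
    # GET on the group resource returns its members attribute (RFC 7643 section 4.2).
    return ("GET", group_url(name), None)


# --- User APIs ---
def set_user_active(user_id, active):
    # active=False disables the user; send True to re-enable.
    return ("PATCH", user_url(user_id), patch([{"op": "replace", "path": "active", "value": active}]))


def create_user(email, given_name, family_name):
    return ("POST", f"{BASE_URL}/Users", {
        "schemas": [USER_SCHEMA], "userName": email, "active": True,
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [{"value": email, "primary": True}],
    })


def update_user_name(user_id, given_name, family_name):
    return ("PATCH", user_url(user_id), patch([
        {"op": "replace", "path": "name.givenName", "value": given_name},
        {"op": "replace", "path": "name.familyName", "value": family_name},
    ]))


def send(request, api_key):
    """Perform one built request; returns (status, parsed JSON or None). Needs network access."""
    method, url, body = request
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {api_key}",   # assumption: Bearer scheme
        "Content-Type": "application/scim+json",
        "Accept": "application/scim+json",
    })
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


if __name__ == "__main__":
    # Dry run: print the requests instead of sending them.
    for method, url, body in (create_group("Engineering Group"),
                              replace_group_members("Engineering Group", ["u-1", "u-2"]),
                              set_user_active("u-2", False)):
        print(method, url, json.dumps(body) if body is not None else "")
```

Running the file prints the requests without contacting the server; to execute one, pass it to `send()` together with the service key created above, e.g. `send(create_group("Engineering Group"), api_key)`.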