This feature is only available to Teams and Enterprise users.
Windsurf now supports sign in with Single Sign-On (SSO) via SAML. If your organization uses Microsoft Entra, Okta, Google Workspaces, or some other identity provider that supports SAML, you will be able to use SSO with Windsurf.
Windsurf only supports SP-initiated SSO; IDP-initiated SSO is NOT currently supported.

Configure IDP Application

On the google admin console (admin.google.com) click Apps -> Web and mobile apps on the left.
Click on Add app, and then Add custom SAML app.
Fill out App name with Windsurf, and click Next.The next screen (Google Identity Provider details) on Google’s console page has data you’ll need to copy to Windsurf’s SSO settings on https://windsurf.com/team/settings.
  • Copy SSO URL from Google’s console page to Windsurf’s settings under SSO URL
  • Copy Entity ID from Google’s console page to Windsurf’s settings under Idp Entity ID
  • Copy Certificate from Google’s console page to Windsurf’s settings under X509 Certificate
  • Click Continue on Google’s console page
The next screen on Google’s console page requires you to copy data from Codeium’s settings page
  • Copy Callback URL from Codeium’s settings page to Google’s console page under ACS URL
  • Copy SP Entity ID from Codeium’s settings page to Google’s console page under SP Entity ID
  • Change Name ID format to EMAIL
  • Click Continue on Google’s console page
The next screen on Google’s console page requires some configuration
  • Click on Add Mapping, select First name and set the App attributes to firstName
  • Click on Add Mapping, select Last name and set the App attributes to lastName
  • Click Finish
On Codeium’s settings page, click Enable Login with SAML, and then click Save. Make sure to click on Test Login to make sure login works as expected. All users now will have SSO login enforced.