This feature is only available to Teams and Enterprise users.
Windsurf now supports sign in with Single Sign-On (SSO) via SAML. If your organization uses Microsoft Entra, Okta, Google Workspaces, or some other identity provider that supports SAML, you will be able to use SSO with Windsurf.
Windsurf only supports SP-initiated SSO; IDP-initiated SSO is NOT currently supported.
On the google admin console (admin.google.com) click Apps -> Web and mobile apps on the left.
Click on Add app, and then Add custom SAML app.
Fill out App name with Windsurf, and click Next.The next screen (Google Identity Provider details) on Google’s console page has data you’ll need to copy to Windsurf’s SSO settings on https://windsurf.com/team/settings.
Copy SSO URL from Google’s console page to Windsurf’s settings under SSO URL
Copy Entity ID from Google’s console page to Windsurf’s settings under Idp Entity ID
Copy Certificate from Google’s console page to Windsurf’s settings under X509 Certificate
Click Continue on Google’s console page
The next screen on Google’s console page requires you to copy data from Codeium’s settings page
Copy Callback URL from Codeium’s settings page to Google’s console page under ACS URL
Copy SP Entity ID from Codeium’s settings page to Google’s console page under SP Entity ID
Change Name ID format to EMAIL
Click Continue on Google’s console page
The next screen on Google’s console page requires some configuration
Click on Add Mapping, select First name and set the App attributes to firstName
Click on Add Mapping, select Last name and set the App attributes to lastName
Click Finish
On Codeium’s settings page, click Enable Login with SAML, and then click Save. Make sure to click on Test Login to make sure login works as expected. All users now will have SSO login enforced.