Windsurf Guide for Enterprise Admins
Purpose
This guide helps enterprise platform / developer-experience administrators plan, roll out, and operate Windsurf for organizations with large enterprise teams. It is intentionally opinionated and links out to detailed “how-to” docs per topic. Treat it both as a read-through guide and as a checklist when onboarding.
1. Audience & Pre-Requisites
Topic | Details |
---|---|
Who should read | Platform / Dev-Ex admins, Corporate IT, Centralized Tooling teams |
Assumed knowledge | Basic Windsurf terms (team, role), Enterprise IdP concepts (SAML, SCIM), CLI usage |
Out-of-scope | Deep security / compliance internals → see Security & Compliance docs |
2. Quick-Start Checklist
- Confirm organization-wide settings
- Set up SSO (Okta, Azure AD, Google; see SAML docs for others)
- Enable SCIM & map IdP groups → Windsurf teams
- Define role & permission model (least privilege)
- Configure Admin Portal: team view & security controls
- Distribute Windsurf clients/extensions to end users
- View analytics dashboards & API access tokens
Use this list as your “Day 0” deployment tracker.
3. Core Windsurf Concepts
- Team – flat collections of members; no nested teams. Teams (also called Groups) drive role assignment and analytics grouping, letting you scope permissions and view usage metrics per cohort.
- Roles & Permissions – predefined RBAC; admins are primarily responsible for team management, Windsurf feature settings, and analytics. Built-in roles usually cover these needs, but creating a custom role with analytics-view permission lets team managers and leads see metrics for their own teams. (RBAC docs)
- Admin Portal – centralized UI for user & team management, credit usage, SSO configuration, feature toggles (Web Search, MCP, Deploys), analytics dashboards/report export, service keys for API usage, and role/permission controls.
- Agents & Workspaces – the Windsurf IDE and JetBrains plugins are agentic
3.1 Admin Portal Overview
The Admin Portal provides centralized management for all Windsurf enterprise features through an intuitive web interface. Core capabilities include:
User & Team Management
- Add, remove, and manage users across your organization
- Configure teams with proper role assignments
- User status and activity monitoring
Authentication & Security
- Configure SSO integration with major identity providers
- Set up SCIM provisioning for automated user lifecycle management
- Manage role-based access controls (RBAC)
- Create and manage service keys for API automations with scoped permissions
Feature Toggles & Controls
Important: These feature controls affect behavior for your entire organization and can only be modified by administrators. New major features with data privacy implications are released in the “off” state by default to ensure you have control over when and how they’re enabled.
The Admin Portal gives you granular control over Windsurf features that can be enabled or disabled per team.
Data Privacy Note: Some features require storing additional data or telemetry as noted below:
Models Configuration
- Configure which AI models your teams can access within Windsurf
- Select multiple models for different use cases (code completion, chat, etc.)
- Allow or restrict Cascade’s ability to auto-execute commands on users’ machines
- Learn more about auto-executed commands
- Enable users to configure and use Model Context Protocol (MCP) servers
- Maintain whitelisted MCP servers for approved integrations
- Security Note: Review operational and security implications before enabling, as MCP can create infrastructure resources outside Windsurf’s security monitoring
- Learn more about Model Context Protocol (MCP)
- MCP admin controls for teams & enterprises
- Manage deployment permissions for your teams in Cascade
- Learn more about App Deploys
- Allow team members to share Cascade conversations with others
- Conversations are securely uploaded to Windsurf servers
- Shareable links are restricted to logged-in team members only
- Learn more about sharing conversations
- Install Windsurf in your team’s GitHub organization
- Enable PR review automation and description editing
- Learn more about Windsurf PR Reviews
- Curate knowledge from Google Drive sources for your development teams
- Upload and organize internal documentation and resources
- Learn more about Knowledge Base
4. Identity & Access Management
Recommendation: Use SSO plus SCIM wherever possible for automated provisioning, de-provisioning, and group management.
4.1 Single Sign-On (SSO)
Topic | Guidance |
---|---|
IdPs supported | Okta, Azure AD, Google (others via generic SAML) |
Recommended approach | Create Windsurf-specific app in IdP; use role-based group assignments rather than org-wide All Employees group |
Common pitfalls | Email suffix mismatches, duplicate user aliases |
4.2 SCIM Provisioning
- Why – automated user lifecycle & team membership management at scale
- Capabilities
  - Create / deactivate users automatically
  - Create teams automatically (or manage manually)
  - Users can belong to multiple teams
  - Custom team creation via SCIM API (docs)
- Mapping strategies
  - 1 IdP group → 1 Windsurf team (simple, most common)
  - Functional vs. project-based group prefixes (e.g. proj-foo-devs)
- Things to decide
  - Which groups to exclude (e.g. interns, contractors)
  - Renaming rules when IdP group names change
- Caution: SCIM should remain your source of truth—mixing SCIM and manual / API updates can create drift. Use the API mainly for adding supplemental groups.
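The drift described in the caution above can be caught with a periodic comparison of IdP groups against Windsurf team membership. The following is an added example, not Windsurf code: it assumes the 1 IdP group → 1 team mapping by name, works on two constructed membership exports (how you obtain them is up to you), and the exclusion and supplemental-team lists are hypothetical.

```python
import json

EXCLUDED_GROUPS = {"interns", "contractors"}   # assumption: IdP groups you chose not to sync
SUPPLEMENTAL_TEAMS = {"security-champions"}    # assumption: teams created on purpose via API

def _norm(groups):
    # Compare e-mail addresses case-insensitively.
    return {name: {m.lower() for m in members} for name, members in groups.items()}

def drift_report(idp_groups, windsurf_teams):
    """Compare the IdP (source of truth) with Windsurf teams under a 1:1 name mapping."""
    expected = {n: m for n, m in _norm(idp_groups).items() if n not in EXCLUDED_GROUPS}
    actual = _norm(windsurf_teams)
    report = {
        # IdP group that should exist as a team but does not (sync gap).
        "missing_teams": sorted(expected.keys() - actual.keys()),
        # Team that exists for a group you decided to exclude.
        "excluded_but_present": sorted(actual.keys() & EXCLUDED_GROUPS),
        # Team with no IdP group behind it and not on the supplemental list,
        # for example one left over after an IdP group was renamed.
        "unmanaged_teams": sorted(actual.keys() - expected.keys()
                                  - EXCLUDED_GROUPS - SUPPLEMENTAL_TEAMS),
        "membership": {},
    }
    for name in sorted(expected.keys() & actual.keys()):
        extra = sorted(actual[name] - expected[name])    # added outside SCIM
        missing = sorted(expected[name] - actual[name])  # removed by hand or not yet synced
        if extra or missing:
            report["membership"][name] = {"extra": extra, "missing": missing}
    return report

# Constructed sample exports (not real data).
IDP_GROUPS = {
    "proj-foo-devs": ["ana@example.com", "bo@example.com"],
    "platform-eng": ["cy@example.com"],
    "interns": ["di@example.com"],
}
WINDSURF_TEAMS = {
    "proj-foo-devs": ["Ana@example.com", "eve@example.com"],  # eve was added by hand
    "proj-old-devs": ["bo@example.com"],                      # stale name after a rename
    "security-champions": ["cy@example.com"],                 # intentional supplemental team
    "interns": ["di@example.com"],                            # should have been excluded
}

if __name__ == "__main__":
    print(json.dumps(drift_report(IDP_GROUPS, WINDSURF_TEAMS), indent=2))
```

An empty report (no missing, unmanaged, or excluded teams and an empty `membership` map) means the IdP is still the effective source of truth.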
5. User & Team Management at Scale
- Flat teams → design team taxonomy carefully (no nesting to fall back on)
- Users can belong to multiple groups. Groups are used to view analytics.
- Today, SCIM does not support assigning roles to users. SCIM only supports assigning users to Groups.
6. Analytics & API Access
6.1 Built-In Analytics
Dashboard | Use-case |
---|---|
Adoption Overview | Track total active users, daily engagement |
Team Activity | Team usage |
6.2 APIs
API | Typical admin scenarios |
---|---|
REST | SCIM management, analytics |
- Generate service keys under Team Settings → Service Keys. Scope keys to the least privilege needed.
- More advanced reporting: see the Analytics API Reference.
- For team management: see the SCIM API – Custom Teams.
7. Operational Considerations
- Status Pages – monitor live service health: Windsurf, Anthropic, OpenAI
- Support Channels – windsurf.com/support
8. Setting Up End Users for Success
- Point end users to the Windsurf installation guide to install the appropriate extension or desktop client.
- Publish an internal “Getting Started with Windsurf” page (link to official docs)
- Hold live onboarding sessions / record short demos
- Curate starter project templates & sample prompts
- Collect feedback via survey after 2 weeks; iterate
9. Additional Resources
- Security & Compliance – SOC 2, ISO 27001, encryption details
- SSO & SCIM Setup Guide
- Generic SAML SSO Guide
- SCIM API – Custom Teams
- Analytics Plugin Guide
- Analytics API Reference
- RBAC Controls