How do I add SSO to Windsurf Teams (+$10/user/mo) and what identity providers are supported?
AI Coding Agent Platforms

How do I add SSO to Windsurf Teams (+$10/user/mo) and what identity providers are supported?

7 min read

Single sign-on (SSO) for Windsurf Teams is an add-on that layers enterprise-style access control on top of a collaborative, AI-native coding environment—without forcing you into a full Enterprise contract. If you’re already running Entra, Okta, or Google as your identity backbone, SSO for Teams lets you wire Windsurf into that stack for an additional $10 per user per month.

Quick Answer: SSO for Windsurf Teams is a paid add-on (+$10/user/month) that lets you authenticate users through your existing identity provider (IdP). Windsurf supports SAML-based SSO with Microsoft Entra, Okta, Google Workspace, and any other standards-compliant SAML IdP on all Enterprise tiers—and the same IdPs are supported when you enable SSO for Teams.

The Quick Overview

  • What It Is: An SSO add-on for Windsurf Teams that plugs into your SAML identity provider, so developers sign in with corporate credentials instead of ad-hoc accounts.
  • Who It Is For: Engineering orgs who want org-level control (and auditability) over how devs access Windsurf, but aren’t yet ready for a full Hybrid or Self-hosted Enterprise deployment.
  • Core Problem Solved: No more one-off logins, orphaned accounts, or manual access audits—SSO centralizes authentication in the IdP you already use.

How It Works

At a high level, SSO for Windsurf Teams swaps username/password login for SAML assertions from your identity provider. You configure Windsurf as a SAML application in your IdP (Entra, Okta, Google Workspace, or another SAML provider), then drop the metadata values into your Windsurf Teams admin settings. From there, users log in via “Sign in with SSO,” and your IdP handles the rest.

The key idea: Windsurf delegates identity decisions to your IdP, while you keep all your developer flow inside Windsurf—Cascade, Tab, Previews, and team features stay exactly the same, just with a governed front door.

  1. Set up the SAML app in your IdP:

    • Create a new SAML application (e.g., “Windsurf Teams”) in Microsoft Entra, Okta, Google Workspace, or your SAML IdP.
    • Configure basic details: ACS/SSO URL, Entity ID, and NameID format per Windsurf’s SSO configuration docs.
    • Assign users or groups that should have access.

  2. Enable SSO on your Windsurf Teams workspace:

    • Upgrade or modify your Teams subscription to include the SSO add-on (+$10/user/month).
    • In the Windsurf Teams admin area, enter your IdP’s SAML metadata (SSO URL, Entity ID, certificate).
    • Save and test with a pilot user before rolling out broadly.

  3. Roll out to your developers:

    • Share the SSO login pattern (e.g., “Use your company email and click ‘Sign in with SSO’”).
    • Optionally enforce SSO-only access so users can’t bypass your IdP.
    • Use your IdP to manage join/leave flows—deprovision in the IdP, and access to Windsurf Teams follows.

Features & Benefits Breakdown

Core FeatureWhat It DoesPrimary Benefit
SAML-based SSO integrationConnects Windsurf Teams to your SAML IdP (Entra, Okta, Google Workspace, etc.)Centralizes authentication and aligns with your existing identity strategy.
Org-scoped access controlLets you gate Windsurf Teams access on IdP groups / assignments.Clean onboarding/offboarding; fewer rogue accounts to track manually.
Enterprise-aligned security postureUses the same SSO mechanisms supported on Windsurf Enterprise tiers.Easier security review: SSO, SOC 2 Type II, and governed access from day one.

Ideal Use Cases

  • Best for fast-growing Teams orgs: Because it lets you keep a simple SaaS deployment while tightening auth around 20–200 developers using Windsurf to ship features with Cascade and Tab.
  • Best for security-conscious mid-market orgs: Because you get IdP-based access control, SSO, and alignment with your corporate security posture—without immediately jumping to Hybrid or Self-hosted Enterprise.

Limitations & Considerations

  • SSO doesn’t replace full Enterprise governance:
    SSO for Teams controls who gets in, but it doesn’t add all the Enterprise extras like Hybrid deployment, custom data residency, or Self-hosted control planes. If you need automated zero data retention, specialized environments (EU/FedRAMP), or deeper RBAC, you’ll likely graduate to an Enterprise tier.

  • SAML IdP required:
    Windsurf’s SSO integration uses SAML. That works out of the box with Microsoft Entra, Okta, Google Workspace, and most mainstream IdPs, but if your stack is OAuth/OIDC-only, you’ll need either SAML support or a bridge.

Pricing & Plans

Windsurf Teams is a subscription plan designed for collaborative developer groups. SSO is offered as a paid add-on to that plan.

  • Windsurf Teams:

    • Base plan (per-user, per-month) with everything in Pro plus team-focused capabilities.
    • Ideal when you want shared workflows, centralized billing, and org-level management.

  • SSO Add-on (+$10/user/month):

    • Best for Teams customers who need developers to authenticate through Microsoft Entra, Okta, Google Workspace, or another SAML IdP.
    • Adds SAML-based SSO on top of your Teams subscription, using the same identity standards Windsurf supports on Enterprise.

If you’re approaching or exceeding ~200 developers, or if you also need Hybrid or Self-hosted deployment to keep data inside your network, it’s worth talking to Windsurf Sales about Enterprise tiers instead of staying on pure Teams.

Frequently Asked Questions

Which identity providers are supported for SSO with Windsurf Teams?

Short Answer: Any SAML-compliant IdP, including Microsoft Entra, Okta, and Google Workspace.

Details:
On Enterprise tiers, Windsurf explicitly supports SAML-based SSO via:

  • Microsoft Entra (Azure AD)
  • Okta
  • Google Workspace
  • Any other SAML-supporting identity provider

The Teams SSO add-on uses the same underlying SAML integration model. In practice, if your IdP can expose a standard SAML application with an ACS/SSO URL, Entity ID, and signing certificate, you can wire it to Windsurf Teams. The setup details (attribute mapping, group assignment) will vary by IdP, but the handshake is standard SAML.

How do I actually add SSO to my existing Windsurf Teams workspace?

Short Answer: Upgrade your Teams plan to include the SSO add-on, configure a SAML app in your IdP, and paste the IdP metadata into your Windsurf Teams admin settings.

Details:
The typical path looks like this:

  1. Confirm you’re on Windsurf Teams:

    • Make sure your organization is on the Teams plan with centralized billing and admin controls.

  2. Add the SSO add-on (+$10/user/month):

    • From the billing or plan management section, select the SSO add-on for your Teams workspace.
    • If you don’t see it, or you’re managing more than ~200 developers, contact Sales to validate whether Teams + SSO or an Enterprise deployment is the better fit.

  3. Create the Windsurf app in your IdP:

    • In Microsoft Entra, Okta, Google Workspace, or another SAML IdP, add a new SAML application named “Windsurf” or “Windsurf Teams.”
    • Use Windsurf’s documented SAML configuration values for:
      • ACS/SSO URL
      • Entity ID
      • NameID / email mapping
    • Assign the right users and groups (e.g., “Eng – Product,” “Dev Tools pilot group”).

  4. Configure SSO in Windsurf:

    • In the Windsurf Teams admin console, go to SSO / Authentication settings.
    • Paste in your IdP’s SSO URL, Entity ID (or audience), and X.509 certificate.
    • Save and initiate a test login.

  5. Pilot, then enforce (optional):

    • Test with a few developers first—validate that their Windsurf identities match your IdP emails.
    • Once you’re confident, you can roll out broad SSO, and optionally require SSO for all logins so access is fully governed by your IdP.

If you hit any odd edge cases—multi-domain email setups, group-based provisioning, or migration from personal to corporate emails—Windsurf’s support and sales teams can help you plan the cutover.

Summary

SSO for Windsurf Teams (+$10/user/month) is your bridge between “we’re just trying AI coding tools with a small team” and “we need real enterprise access controls.” You keep all the developer flow Windsurf is known for—Cascade in your editor, Tab across your workflow, Previews and deploys in one loop—while moving authentication onto your existing identity rails.

Under the hood, it’s standard SAML: you configure Windsurf as an application in Microsoft Entra, Okta, Google Workspace, or another SAML IdP, plug that into your Teams workspace, and let your IdP handle who gets in. That gives you cleaner onboarding/offboarding, better compliance stories, and less security friction as you scale your dev org.

Next Step

Get Started

Back to AI Coding Agent Platforms

Keep Reading

More from AI Coding Agent Platforms

How do I set up Windsurf Teams ($30/user/mo) with centralized billing, admin analytics, and automated zero data retention?

Read more

How do I contact Windsurf about Enterprise pricing, RBAC, and hybrid deployment for 200+ seats?

Read more

How do I use Windsurf to generate terminal commands with Cmd+I without accidentally deleting or overwriting stuff?

Read more