How do I add SSO to Windsurf Teams (+$10/user/mo) and what identity providers are supported?

Single Sign-On (SSO) on Windsurf Teams is an add-on that lets you connect your developers’ logins to your company identity provider, tighten access control, and keep onboarding/offboarding inside your existing IAM workflow. On Teams, SSO is available as a paid upgrade at +$10/user/month on top of your base Teams price.

Quick Answer: You enable SSO for Windsurf Teams by purchasing the SSO add-on, configuring a SAML-based connection from your identity provider (IdP), and enforcing it for your organization. Windsurf Teams supports major SAML IdPs including Microsoft Entra, Okta, and Google Workspace, plus any other provider that speaks standard SAML.


The Quick Overview

  • What It Is: An SSO integration layer for Windsurf Teams that uses SAML to authenticate your developers through your corporate identity provider instead of standalone Windsurf passwords.
  • Who It Is For: Engineering orgs on Windsurf Teams that need centralized identity control, compliance-friendly access management, or just cleaner onboarding/offboarding at scale.
  • Core Problem Solved: No more one-off Windsurf accounts to manage. Your security team keeps control in your IdP; your developers log in with the same credentials they use everywhere else.

How It Works

Windsurf Teams uses SAML-based SSO: Windsurf acts as the SAML service provider (SP), and your corporate identity provider (IdP) handles authentication and passes signed assertions back to Windsurf. Once configured, your developers click “Continue with SSO,” authenticate via your IdP, and are routed back into Windsurf with the right org membership.

At a high level:

  1. Enable the SSO add-on (+$10/user/mo):
    Upgrade your Teams subscription to include SSO so the configuration options appear in your admin settings.

  2. Set up the SAML connection in your IdP:
    Create an app/integration for Windsurf in Microsoft Entra, Okta, Google Workspace, or another SAML IdP and plug in Windsurf’s SAML metadata (ACS URL, Entity ID, etc.).

  3. Connect, test, then enforce SSO in Windsurf:
    Add IdP metadata back into Windsurf Teams, validate login with a test user, then optionally enforce SSO-only access for your organization.


Features & Benefits Breakdown

| Core Feature | What It Does | Primary Benefit |
|---|---|---|
| SAML-based SSO | Lets users authenticate via Microsoft Entra, Okta, Google Workspace, or any SAML IdP. | Centralizes identity and MFA in your existing IAM stack. |
| Org-level SSO enforcement | Allows admins to require SSO for all users in a Teams org. | Reduces account sprawl and enforces security policies. |
| Centralized access controls | Aligns Windsurf access with your existing groups and deprovisioning flows. | Cleaner onboarding/offboarding and lower risk of orphaned access. |

Ideal Use Cases

  • Best for Teams that already standardize on an IdP:
    Because it lets you plug Windsurf neatly into your Microsoft Entra, Okta, or Google Workspace environment instead of running separate credentials.

  • Best for Security-conscious orgs and fast-growing teams:
    Because SSO brings Windsurf into your existing access review, deprovisioning, and MFA posture without custom one-off workflows.


Limitations & Considerations

  • SSO is a paid add-on on Windsurf Teams:
    SSO is not included in the base Teams price; it’s an additional +$10/user/month. Factor that into your budget when planning your rollout.

  • SAML is the supported SSO protocol on Teams:
    Windsurf Teams supports SSO via SAML identity providers (Microsoft Entra, Okta, Google Workspace, and others that support SAML). If your IdP only supports non-SAML protocols without a SAML bridge, you may need to use an intermediary or consider an enterprise plan for different integration patterns.


Pricing & Plans

On Windsurf’s standard plans, SSO is part of the Teams tier and is billed as an additional +$10 per user per month on top of the base Teams price. That add-on unlocks SAML-based SSO configuration and enforcement for your organization.

A simplified view:

  • Teams (Base): Best for engineering teams that want shared billing, organization features, and collaboration, but don’t yet require centralized SSO.
  • Teams + SSO Add-on (+$10/user/mo): Best for organizations that need SAML-based SSO, centralized identity control, and tighter governance while staying on the Teams plan.

If you have more than ~200 developers or stricter deployment/retention requirements, Windsurf also offers Enterprise tiers (including Hybrid and Self-hosted deployments) where SSO via SAML is standard and can be paired with RBAC and advanced security controls. In that case, you’d typically talk directly with Windsurf Sales rather than self-serving SSO.


Step-by-Step: How to Add SSO to Windsurf Teams (+$10/user/mo)

The exact UI may evolve, but the flow for a typical SAML SSO rollout on Windsurf Teams looks like this:

1. Confirm You’re on Windsurf Teams

  1. Sign in to Windsurf at https://windsurf.ai (or via the Windsurf Editor).
  2. Open your Organization or Team settings.
  3. Verify that your subscription is on the Teams plan.
    • If not, upgrade from Pro/Free to Teams first, since SSO is only available on Teams and above.

2. Add the SSO Add-On (+$10/user/mo)

  1. Navigate to Billing or Plans in your org settings.
  2. Locate the SSO or Security / SSO section.
  3. Select the SSO add-on for Teams (priced at +$10 per user per month).
  4. Confirm the updated pricing and complete checkout or contract acceptance.
    Once enabled, SSO configuration options should appear in your admin UI.

3. Choose and Prepare Your Identity Provider

Windsurf Teams supports any SAML-capable IdP, including:

  • Microsoft Entra ID (formerly Azure AD)
  • Okta
  • Google Workspace
  • Any other SAML-supporting IdP

Before you configure Windsurf, decide:

  • Which IdP tenant will own the Windsurf app.
  • Which groups or organizational units should have access to Windsurf.
  • Whether you’ll use email domains or specific group membership to control who can log in.

4. Create a SAML App in Your IdP

In your chosen IdP:

  1. Create a new SAML application (name it something like “Windsurf”).

  2. When prompted for SAML settings, you’ll need a few values from Windsurf:

    • Assertion Consumer Service (ACS) URL / Reply URL – the endpoint Windsurf exposes to receive SAML responses.
    • Entity ID / Audience URI – Windsurf’s SAML identifier.
    • NameID format & mapping – typically an email address.

    These values are provided in your Windsurf SSO setup page.

  3. Map attributes:

    • NameID → user’s email (primary, work email).
    • Optionally map firstName, lastName, or displayName if your IdP allows.
  4. Assign users or groups who should be able to access Windsurf.

5. Export IdP Metadata

After setting up the SAML app:

  1. Download the IdP metadata XML or copy:

    • IdP Entity ID
    • Single Sign-On URL
    • X.509 certificate
  2. Keep this file/information handy; you’ll paste it into Windsurf.

6. Configure SSO in Windsurf Teams

Back in Windsurf:

  1. Go to your Organization / Security / SSO settings.
  2. Choose SAML SSO setup.
  3. Provide either the IdP metadata XML or the explicit fields:
    • IdP Entity ID
    • SSO URL
    • X.509 certificate (public signing cert)
  4. Save the configuration.

Windsurf will now be able to consume SAML responses issued by your IdP for your org.

7. Test SSO with a Pilot User

Before enforcing SSO for everyone:

  1. Invite or select a pilot user who:
    • Is assigned to the Windsurf app in your IdP.
    • Belongs to your Windsurf Teams org.
  2. Ask them to log out of Windsurf.
  3. Have them click “Sign in with SSO” or your org’s dedicated SSO entry point.
  4. Verify:
    • They are redirected to your IdP login page.
    • After MFA and auth, they land in Windsurf as the correct org user.
    • Their email/identity looks correct in Windsurf.

If anything fails, double-check:

  • Email domain and user mapping between IdP and Windsurf.
  • That the SAML certificate and Entity IDs match exactly.
  • Group assignments and app access in your IdP.

8. Enforce SSO for the Organization (Optional but Recommended)

Once you’re confident in the SAML setup:

  1. In Windsurf SSO settings, enable “Require SSO for login” (exact wording may vary).
  2. Communicate the cutover to your team:
    • The date/time SSO enforcement starts.
    • The new login flow (e.g., “Sign in with SSO using your corporate account”).
  3. After enforcement, users will be required to authenticate via SSO, which gives your security team full control through the IdP.

What Identity Providers Are Supported?

On Windsurf Teams, SSO is based on SAML, which means Windsurf can integrate with any SAML-compatible identity provider.

Formally supported examples include:

  • Microsoft Entra ID (Azure AD):
    Configure Windsurf as an enterprise application, use SAML-based SSO, and assign users or groups.

  • Okta:
    Create a SAML 2.0 app integration, set ACS/Entity ID from Windsurf, and manage access via Okta groups.

  • Google Workspace:
    Use Google as a SAML IdP, define Windsurf as a custom SAML app, and restrict access based on organizational units or groups.

  • Other SAML IdPs:
    Any provider that supports standard SAML and exposes metadata (SSO URL, Entity ID, X.509 cert) should work with Windsurf Teams.

If your organization uses a custom or niche IdP, the rule of thumb is simple: if it can act as a SAML identity provider, you can typically wire it into Windsurf Teams.


Frequently Asked Questions

Is SSO really +$10 per user per month on top of Windsurf Teams?

Short Answer: Yes. On the Teams plan, SSO is offered as an add-on priced at +$10/user/month in addition to the base Teams rate.

Details:
The Teams plan gives you shared org features out of the box. When you add SSO, you’re enabling SAML-based authentication and org-level enforcement for all users in that org, and that capability is billed as a per-seat add-on. This pricing structure lets smaller teams adopt Teams without SSO overhead, while larger or more regulated orgs can pay for SSO only when they need it. For very large orgs or those requiring Hybrid/Self-hosted deployments, SSO is typically handled as part of a broader Enterprise agreement.


Which SSO protocol does Windsurf Teams use, and what if my IdP doesn’t support SAML?

Short Answer: Windsurf Teams supports SSO via SAML identity providers. If your IdP doesn’t support SAML, you’ll need a bridge or to explore Enterprise options.

Details:
Teams-level SSO is built around SAML because it’s widely supported by enterprise IdPs like Microsoft Entra, Okta, and Google Workspace. If your environment is OIDC-only or uses a bespoke protocol, you have a few options:

  • Use an IdP that offers a SAML facade over your existing auth (many do).
  • Deploy a gateway that presents SAML to Windsurf while talking your native protocol internally.
  • If your requirements are strict or unusual, talk to Windsurf about Enterprise tiers, where deployment patterns (Hybrid, Self-hosted) and integration options are broader.

Summary

Adding SSO to Windsurf Teams is a straightforward way to plug your AI-native IDE into your existing identity and security stack. For an additional +$10 per user per month, you get SAML-based SSO with support for major IdPs like Microsoft Entra, Okta, Google Workspace, and any other SAML provider.

Developers log in with the credentials they already use. Security teams keep control of MFA, group-based access, and offboarding through your central IdP. And your org gets a cleaner, more governable way to run Windsurf at scale—without sacrificing flow.

