"cursor-sso-integration"
Configure SAML 2.0 and OIDC SSO for Cursor with Okta, Microsoft Entra ID, and Google Workspace. Triggers on "cursor sso", "cursor saml", "cursor oauth", "enterprise cursor auth", "cursor okta", "cursor entra", "cursor scim".
claude-codecodexopenclaw
Allowed Tools
"ReadWriteEditBash(cmd:*)"
Provided by Plugin
cursor-pack
Flagship+ skill pack for Cursor IDE - 30 skills for AI code completion, composer workflows, and IDE mastery
Installation
This skill is included in the cursor-pack plugin:
/plugin install cursor-pack@claude-code-plugins-plusClick to copy
Instructions
Cursor SSO Integration
Configure Single Sign-On for Cursor using SAML 2.0 or OIDC. Available on Business and Enterprise plans. Supports Okta, Microsoft Entra ID (Azure AD), Google Workspace, and any SAML 2.0 / OIDC compliant IdP.
Prerequisites
- Cursor Business or Enterprise subscription
- Admin access to both Cursor organization and Identity Provider
- Verified company domain in Cursor admin dashboard
- Understanding of SAML 2.0 or OIDC concepts
SSO Configuration: Okta
Step 1: Create SAML Application in Okta
- Okta Admin Console > Applications > Create App Integration
- Select SAML 2.0
- App name: "Cursor IDE"
Step 2: Configure SAML Settings
Single Sign-On URL (ACS URL):
https://cursor.com/api/auth/saml/callback
Audience URI (Entity ID):
https://cursor.com/api/auth/saml
Name ID format: EmailAddress
Application username: Email
Attribute Statements:
email → user.email (Required)
name → user.firstName + " " + user.lastName (Optional)
Step 3: Download IdP Metadata
After creating the app in Okta:
- Go to the app's "Sign On" tab
- Click "Identity Provider metadata" link
- Save the XML file
Step 4: Upload to Cursor
- Cursor Admin Dashboard > SSO
- Select "SAML 2.0"
- Upload the IdP metadata XML (or paste the metadata URL)
- Save configuration
Step 5: Test
- Open Cursor incognito
- Sign in with your
@company.comemail - Should redirect to Okta login
- After auth, return to Cursor authenticated
SSO Configuration: Microsoft Entra ID
Step 1: Register Enterprise Application
- Azure Portal > Entra ID > Enterprise applications > New application
- Create your own application > "Cursor IDE"
- Select "Integrate any other application you don't find in the gallery (Non-gallery)"
Step 2: Configure SAML
In the enterprise app > Single sign-on > SAML:
Basic SAML Configuration:
Identifier (Entity ID): https://cursor.com/api/auth/saml
Reply URL (ACS URL): https://cursor.com/api/auth/saml/callback
Sign-on URL: https://cursor.com
Attributes & Claims:
Unique User Identifier: user.mail
email: user.mail
name: user.displayname
Step 3: Download Federation Metadata XML
In Entra ID app > SAML Signing Certificate > Download "Federation Metadata XML"
Step 4: Upload to Cursor
Same as Okta Step 4: Admin Dashboard > SSO > Upload metadata.
SSO Configuration: Google Workspace
Step 1: Create SAML App
- Google Admin Console > Apps > Web and mobile apps > Add app > Add custom SAML app
- App name: "Cursor IDE"
Step 2: Configure
ACS URL: https://cursor.com/api/auth/saml/callback
Entity ID: https://cursor.com/api/auth/saml
Name ID format: EMAIL
Name ID: Basic Information > Primary email
Step 3: Download IdP Metadata
Google provides this during app creation. Save the metadata XML.
Step 4: Upload to Cursor
Admin Dashboard > SSO > Upload metadata.
SCIM Provisioning (Enterprise Only)
SCIM 2.0 automatically syncs users and groups from your IdP to Cursor:
What SCIM Handles
| Operation | Trigger | Cursor Action |
|---|---|---|
| User created in IdP | Okta/Entra creates user | Seat assigned in Cursor |
| User deactivated in IdP | Okta/Entra deactivates | Seat revoked in Cursor |
| Group membership change | User added/removed from group | Role updated in Cursor |
SCIM Setup (Okta Example)
- Cursor Admin Dashboard > SCIM > Generate SCIM token
- In Okta > Cursor app > Provisioning > Enable SCIM
- Configure:
SCIM connector base URL: https://cursor.com/api/scim/v2
Unique identifier field: email
Authentication mode: Bearer token
Bearer token: [paste token from Cursor]
- Enable: Create Users, Deactivate Users, Push Groups
Domain Verification
Required before SSO activation:
- Cursor Admin Dashboard > Domains > Add domain
- Add DNS TXT record:
Type: TXT
Host: _cursor-verification
Value: cursor-verify=xxxxxxxxxxxxxxxxxxxx
- Wait for DNS propagation (up to 48 hours, usually minutes)
- Click "Verify" in Cursor admin
Rollout Strategy
Phase 1: Pilot (1 week)
[ ] Configure SSO with test users only
[ ] Verify sign-in flow works end-to-end
[ ] Test: new user SSO sign-in creates Cursor account
[ ] Test: sign-out and re-sign-in preserves settings
[ ] Test: IdP session timeout triggers re-auth in Cursor
[ ] Document any issues or friction points
Phase 2: Gradual Rollout (2 weeks)
[ ] Enable SSO for one team/department
[ ] Monitor sign-in success rate in admin dashboard
[ ] Collect feedback on the auth experience
[ ] Resolve any IdP attribute mapping issues
Phase 3: Organization-Wide
[ ] Enable SSO requirement for all users
[ ] Disable password-based login (optional)
[ ] Enable SCIM for automatic provisioning
[ ] Set up IdP group → Cursor role mapping
[ ] Document SSO in company IT wiki
Troubleshooting
| Issue | Cause | Fix |
|---|---|---|
| "SAML Response Invalid" | Wrong ACS URL or Entity ID | Verify URLs match exactly |
| User not created after SSO | SCIM not enabled or email mismatch | Check SCIM logs in IdP |
| "Domain not verified" | DNS record not propagated | Wait, then re-verify |
| Redirect loop after SSO | Browser cookies corrupted | Clear cookies for cursor.com |
| SSO works but wrong role | Group mapping misconfigured | Check IdP group assignments |
| "No seat available" | All seats assigned | Purchase more seats or revoke unused |
Enterprise Considerations
- MFA enforcement: Apply MFA policy at the IdP level (Okta/Entra). Cursor defers to IdP for MFA.
- Session timeout: Configure session lifetime in IdP. Cursor respects IdP session expiry.
- Emergency access: Keep one admin account with email/password login in case SSO is misconfigured
- Compliance: SSO provides centralized access logging at the IdP level for audit trails
- Cost: SSO is included in Business ($40/user/mo) and Enterprise plans. No additional SSO fee.