cursor-sso-integration | cursor-pack | ClaudePluginHub

Skill

cursor-sso-integration

From cursor-pack

Set up SAML 2.0 and OIDC SSO for Cursor IDE with Okta, Microsoft Entra ID, or Google Workspace using IdP app creation, metadata exchange, and Cursor admin upload.

$

npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin cursor-pack

Tool Access

This skill is limited to using the following tools:

ReadWriteEditBash(cmd:*)

Preview

Configure Single Sign-On for Cursor using SAML 2.0 or OIDC. Available on Business and Enterprise plans. Supports Okta, Microsoft Entra ID (Azure AD), Google Workspace, and any SAML 2.0 / OIDC compliant IdP.

Supporting Assets

references/errors.mdreferences/examples.mdreferences/rollout-strategy.mdreferences/saml-2.0-configuration.mdreferences/testing-sso.mdreferences/user-provisioning.md

SKILL.md

Similar Skills

workos

13

Routes to WorkOS references for implementing, debugging authentication like SSO, SAML, MFA, RBAC, Directory Sync, and SDKs across Next.js, React, Node.js, Python, PHP.

20 files

implementing-google-workspace-sso-configuration

16

Configures SAML 2.0 SSO for Google Workspace with IdPs like Okta or Azure AD, enabling centralized authentication and access policies. Useful for securing organizational environments.

implementing-google-workspace-sso-configuration

5.9k

Configure SAML 2.0 SSO for Google Workspace with IdPs like Okta or Azure AD, centralizing authentication and enforcing access policies.

7 files

cybersecurity-skills

Stats

Parent Repo Stars1854

Parent Repo Forks248

Last CommitApr 3, 2026

Actions

View Source View Plugin View on GitHub View README

Tags

enterprise-auth

Help us improve

Share bugs, ideas, or general feedback.

Cursor SSO Integration

Configure Single Sign-On for Cursor using SAML 2.0 or OIDC. Available on Business and Enterprise plans. Supports Okta, Microsoft Entra ID (Azure AD), Google Workspace, and any SAML 2.0 / OIDC compliant IdP.

Prerequisites

Cursor Business or Enterprise subscription
Admin access to both Cursor organization and Identity Provider
Verified company domain in Cursor admin dashboard
Understanding of SAML 2.0 or OIDC concepts

SSO Configuration: Okta

Step 1: Create SAML Application in Okta

Okta Admin Console > Applications > Create App Integration
Select SAML 2.0
App name: "Cursor IDE"

Step 2: Configure SAML Settings

Single Sign-On URL (ACS URL):
  https://cursor.com/api/auth/saml/callback

Audience URI (Entity ID):
  https://cursor.com/api/auth/saml

Name ID format: EmailAddress
Application username: Email

Attribute Statements:
  email    → user.email       (Required)
  name     → user.firstName + " " + user.lastName  (Optional)

Step 3: Download IdP Metadata

After creating the app in Okta:

Go to the app's "Sign On" tab
Click "Identity Provider metadata" link
Save the XML file

Step 4: Upload to Cursor

Cursor Admin Dashboard > SSO
Select "SAML 2.0"
Upload the IdP metadata XML (or paste the metadata URL)
Save configuration

Step 5: Test

Open Cursor incognito
Sign in with your @company.com email
Should redirect to Okta login
After auth, return to Cursor authenticated

SSO Configuration: Microsoft Entra ID

Step 1: Register Enterprise Application

Azure Portal > Entra ID > Enterprise applications > New application
Create your own application > "Cursor IDE"
Select "Integrate any other application you don't find in the gallery (Non-gallery)"

Step 2: Configure SAML

In the enterprise app > Single sign-on > SAML:

Basic SAML Configuration:
  Identifier (Entity ID):     https://cursor.com/api/auth/saml
  Reply URL (ACS URL):        https://cursor.com/api/auth/saml/callback
  Sign-on URL:                https://cursor.com

Attributes & Claims:
  Unique User Identifier:     user.mail
  email:                      user.mail
  name:                       user.displayname

Step 3: Download Federation Metadata XML

In Entra ID app > SAML Signing Certificate > Download "Federation Metadata XML"

Step 4: Upload to Cursor

Same as Okta Step 4: Admin Dashboard > SSO > Upload metadata.

SSO Configuration: Google Workspace

Step 1: Create SAML App

Google Admin Console > Apps > Web and mobile apps > Add app > Add custom SAML app
App name: "Cursor IDE"

Step 2: Configure

ACS URL:        https://cursor.com/api/auth/saml/callback
Entity ID:      https://cursor.com/api/auth/saml
Name ID format: EMAIL
Name ID:        Basic Information > Primary email

Step 3: Download IdP Metadata

Google provides this during app creation. Save the metadata XML.

Step 4: Upload to Cursor

Admin Dashboard > SSO > Upload metadata.

SCIM Provisioning (Enterprise Only)

SCIM 2.0 automatically syncs users and groups from your IdP to Cursor:

What SCIM Handles

Operation	Trigger	Cursor Action
User created in IdP	Okta/Entra creates user	Seat assigned in Cursor
User deactivated in IdP	Okta/Entra deactivates	Seat revoked in Cursor
Group membership change	User added/removed from group	Role updated in Cursor

SCIM Setup (Okta Example)

Cursor Admin Dashboard > SCIM > Generate SCIM token
In Okta > Cursor app > Provisioning > Enable SCIM

Configure:

SCIM connector base URL: https://cursor.com/api/scim/v2
Unique identifier field: email
Authentication mode: Bearer token
Bearer token: [paste token from Cursor]

Enable: Create Users, Deactivate Users, Push Groups

Domain Verification

Required before SSO activation:

Cursor Admin Dashboard > Domains > Add domain

Add DNS TXT record:

Type:  TXT
Host:  _cursor-verification
Value: cursor-verify=xxxxxxxxxxxxxxxxxxxx

Wait for DNS propagation (up to 48 hours, usually minutes)
Click "Verify" in Cursor admin

Rollout Strategy

Phase 1: Pilot (1 week)

[ ] Configure SSO with test users only
[ ] Verify sign-in flow works end-to-end
[ ] Test: new user SSO sign-in creates Cursor account
[ ] Test: sign-out and re-sign-in preserves settings
[ ] Test: IdP session timeout triggers re-auth in Cursor
[ ] Document any issues or friction points

Phase 2: Gradual Rollout (2 weeks)

[ ] Enable SSO for one team/department
[ ] Monitor sign-in success rate in admin dashboard
[ ] Collect feedback on the auth experience
[ ] Resolve any IdP attribute mapping issues

Phase 3: Organization-Wide

[ ] Enable SSO requirement for all users
[ ] Disable password-based login (optional)
[ ] Enable SCIM for automatic provisioning
[ ] Set up IdP group → Cursor role mapping
[ ] Document SSO in company IT wiki

Troubleshooting

Issue	Cause	Fix
"SAML Response Invalid"	Wrong ACS URL or Entity ID	Verify URLs match exactly
User not created after SSO	SCIM not enabled or email mismatch	Check SCIM logs in IdP
"Domain not verified"	DNS record not propagated	Wait, then re-verify
Redirect loop after SSO	Browser cookies corrupted	Clear cookies for cursor.com
SSO works but wrong role	Group mapping misconfigured	Check IdP group assignments
"No seat available"	All seats assigned	Purchase more seats or revoke unused

Enterprise Considerations

MFA enforcement: Apply MFA policy at the IdP level (Okta/Entra). Cursor defers to IdP for MFA.
Session timeout: Configure session lifetime in IdP. Cursor respects IdP session expiry.
Emergency access: Keep one admin account with email/password login in case SSO is misconfigured
Compliance: SSO provides centralized access logging at the IdP level for audit trails
Cost: SSO is included in Business ($40/user/mo) and Enterprise plans. No additional SSO fee.

Resources