From windsurf-pack
Configures Windsurf SSO/SAML, RBAC roles (owner, admin, member), and organization AI policies for Teams/Enterprise plans.
npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin windsurf-packThis skill is limited to using the following tools:
Manage enterprise Windsurf deployment: SSO/SAML configuration, role-based seat management, organization-wide AI policies, and admin portal controls. Covers Teams and Enterprise plan features.
Configures enterprise SSO for Windsurf using SAML 2.0 or OIDC with Okta, Azure AD, Google Workspace. Includes cert setup, policies, testing.
Optimizes Windsurf AI IDE licensing costs through seat audits, tier-to-role matching, pricing analysis, and credit monitoring for teams.
Implements Clerk enterprise SSO (SAML/OIDC), custom RBAC roles/permissions, and organization management in Next.js apps.
Share bugs, ideas, or general feedback.
Manage enterprise Windsurf deployment: SSO/SAML configuration, role-based seat management, organization-wide AI policies, and admin portal controls. Covers Teams and Enterprise plan features.
Navigate to Admin Dashboard > Security > SSO:
# SSO Configuration Steps
sso_setup:
1_choose_idp:
supported: ["Okta", "Microsoft Entra ID", "Google Workspace", "Any SAML 2.0 IdP"]
2_configure_saml:
entity_id: "https://windsurf.com/saml/your-org-id"
acs_url: "https://windsurf.com/saml/callback"
# Get these from Admin Dashboard > SSO > SAML Configuration
3_idp_settings:
# Configure in your IdP:
sign_on_url: "https://windsurf.com/saml/login/your-org-id"
audience_uri: "https://windsurf.com/saml/your-org-id"
name_id_format: "emailAddress"
attribute_statements:
email: "user.email"
firstName: "user.firstName"
lastName: "user.lastName"
4_enforce:
enforce_sso: true # Block password login after SSO is verified
auto_provision: true # New IdP users get Windsurf seats automatically
domain_restriction: ["yourcompany.com"] # Only allow company emails
# Windsurf RBAC Model
roles:
owner:
description: "Organization owner — full control"
permissions:
- Manage billing and subscription
- Add/remove admins
- Configure SSO
- View all analytics
- Manage all seats
admin:
description: "Team administrator"
permissions:
- Add/remove members
- Assign seat tiers (Pro, Free)
- View team analytics
- Configure org-wide settings
- Manage MCP server allowlist
member:
description: "Standard developer"
permissions:
- Use assigned AI features
- Configure personal settings
- Create workspace rules
- Cannot view team analytics
# Assign roles via Admin Dashboard > Members > Edit Role
# Admin Dashboard > Settings > AI Policies
org_policies:
# Control which AI models are available
allowed_models:
- "swe-1"
- "swe-1-lite"
- "claude-sonnet"
# Disable models not approved by security team
# Terminal command execution controls
cascade_terminal:
max_execution_level: "normal" # Options: turbo, normal, manual
global_deny_list:
- "rm -rf"
- "sudo"
- "curl | bash"
- "DROP TABLE"
- "format"
# Data controls
data_policies:
telemetry: "off" # No telemetry for enterprise
data_retention: "zero" # Zero-data retention
code_context_sharing: "workspace_only" # AI sees only current workspace
# Feature controls
feature_flags:
previews_enabled: true
mcp_enabled: true
workflows_enabled: true
auto_deploy_enabled: false # Disable direct deployment from IDE
# Seat lifecycle management
seat_management:
onboarding:
1. "Admin invites user via Admin Dashboard > Members > Invite"
2. "User receives email with SSO login link"
3. "SSO authenticates user with company IdP"
4. "User gets assigned tier (Pro/Free) based on role"
5. "User opens project — .windsurfrules provides context"
offboarding:
1. "Disable user in IdP (SSO will auto-block)"
2. "Remove seat in Admin Dashboard > Members"
3. "Seat becomes available for reassignment"
4. "User's local memories/config remain on their machine"
tier_changes:
upgrade: "Admin Dashboard > Members > Select user > Change to Pro"
downgrade: "Admin Dashboard > Members > Select user > Change to Free"
note: "Downgraded users keep Supercomplete, lose Cascade Write mode"
# Admin Dashboard > Analytics > Audit
audit_capabilities:
available:
- User login events (SSO audit trail)
- Credit usage per user per day
- Feature usage patterns
- Seat assignment changes
- Admin actions
exportable:
- CSV export of member usage
- API access for SIEM integration (Enterprise)
compliance_certifications:
- SOC 2 Type II
- FedRAMP High
- HIPAA BAA (on request)
- GDPR compliant
# For programmatic access to admin APIs
service_keys:
purpose: "CI/CD integration, usage reporting, automated provisioning"
create: "Admin Dashboard > Settings > Service Keys > Create"
scopes:
- "admin:read" — read analytics and member data
- "admin:write" — manage members and settings
- "usage:read" — read usage metrics
rotation: "Rotate every 90 days, revoke immediately on compromise"
| Issue | Cause | Solution |
|---|---|---|
| SSO login fails | SAML certificate expired | Update certificate in IdP and Windsurf |
| User can't access Cascade | No Pro seat assigned | Assign Pro tier in Admin Dashboard |
| Admin can't see analytics | Wrong role | Upgrade to admin role in Dashboard |
| New user auto-provisioned to wrong tier | Default tier not set | Configure default seat tier in Settings |
| Service key rejected | Expired or wrong scope | Generate new key with correct scopes |
Add user: Admin Dashboard > Members > Invite > email@company.com
Remove user: Members > Select > Remove from organization
Change tier: Members > Select > Change Plan > Pro/Free
View usage: Analytics > Overview (or per-member view)
engineering_org:
platform_team:
seats: 8
tier: Pro
admins: ["tech-lead@company.com"]
frontend_team:
seats: 6
tier: Pro
admins: ["frontend-lead@company.com"]
design_team:
seats: 3
tier: Free # Mainly CSS, limited AI use
contractors:
seats: 4
tier: Free
note: "Temporary, upgrade to Pro if AI use increases"
For migration strategies, see windsurf-migration-deep-dive.