cursor-sso-integration

Configure SAML 2.0 and OIDC SSO for Cursor with Okta, Microsoft Entra ID, and Google Workspace. Triggers on "cursor sso", "cursor saml", "cursor oauth", "enterprise cursor auth", "cursor okta", "cursor entra", "cursor scim".

25 stars

Best use case

cursor-sso-integration is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using cursor-sso-integration should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/cursor-sso-integration/SKILL.md --create-dirs "https://raw.githubusercontent.com/ComeOnOliver/skillshub/main/skills/jeremylongshore/claude-code-plugins-plus-skills/cursor-sso-integration/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/cursor-sso-integration/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How cursor-sso-integration Compares

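| Feature / Agent | cursor-sso-integration | Standard Approach |
|-----------------|------------------------|-------------------|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |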

Frequently Asked Questions

What does this skill do?

Configure SAML 2.0 and OIDC SSO for Cursor with Okta, Microsoft Entra ID, and Google Workspace. Triggers on "cursor sso", "cursor saml", "cursor oauth", "enterprise cursor auth", "cursor okta", "cursor entra", "cursor scim".

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Cursor SSO Integration

Configure Single Sign-On for Cursor using SAML 2.0 or OIDC. Available on Business and Enterprise plans. Supports Okta, Microsoft Entra ID (Azure AD), Google Workspace, and any SAML 2.0 / OIDC compliant IdP.

## Prerequisites

- Cursor Business or Enterprise subscription
- Admin access to both the Cursor organization and the identity provider (IdP)
- Verified company domain in Cursor admin dashboard
- Understanding of SAML 2.0 or OIDC concepts

## SSO Configuration: Okta

### Step 1: Create SAML Application in Okta

1. Okta Admin Console > Applications > Create App Integration
2. Select **SAML 2.0**
3. App name: "Cursor IDE"

### Step 2: Configure SAML Settings

```
Single Sign-On URL (ACS URL):
  https://cursor.com/api/auth/saml/callback

Audience URI (Entity ID):
  https://cursor.com/api/auth/saml

Name ID format: EmailAddress
Application username: Email

Attribute Statements:
  email    → user.email       (Required)
  name     → user.firstName + " " + user.lastName  (Optional)
```

### Step 3: Download IdP Metadata

After creating the app in Okta:
1. Go to the app's "Sign On" tab
2. Click "Identity Provider metadata" link
3. Save the XML file

### Step 4: Upload to Cursor

1. Cursor Admin Dashboard > SSO
2. Select "SAML 2.0"
3. Upload the IdP metadata XML (or paste the metadata URL)
4. Save configuration

### Step 5: Test

1. Open the Cursor sign-in in an incognito browser window
2. Sign in with your `@company.com` email
3. You should be redirected to the Okta login page
4. After authenticating, you are returned to Cursor, signed in

## SSO Configuration: Microsoft Entra ID

### Step 1: Register Enterprise Application

1. Azure Portal > Entra ID > Enterprise applications > New application
2. Create your own application > "Cursor IDE"
3. Select "Integrate any other application you don't find in the gallery (Non-gallery)"

### Step 2: Configure SAML

In the enterprise app > Single sign-on > SAML:

```
Basic SAML Configuration:
  Identifier (Entity ID):     https://cursor.com/api/auth/saml
  Reply URL (ACS URL):        https://cursor.com/api/auth/saml/callback
  Sign-on URL:                https://cursor.com

Attributes & Claims:
  Unique User Identifier:     user.mail
  email:                      user.mail
  name:                       user.displayname
```

### Step 3: Download Federation Metadata XML

In Entra ID app > SAML Signing Certificate > Download "Federation Metadata XML"

### Step 4: Upload to Cursor

Same as Okta Step 4: Admin Dashboard > SSO > Upload metadata.

## SSO Configuration: Google Workspace

### Step 1: Create SAML App

1. Google Admin Console > Apps > Web and mobile apps > Add app > Add custom SAML app
2. App name: "Cursor IDE"

### Step 2: Configure

```
ACS URL:        https://cursor.com/api/auth/saml/callback
Entity ID:      https://cursor.com/api/auth/saml
Name ID format: EMAIL
Name ID:        Basic Information > Primary email
```

### Step 3: Download IdP Metadata

Google provides this during app creation. Save the metadata XML.

### Step 4: Upload to Cursor

Admin Dashboard > SSO > Upload metadata.

## SCIM Provisioning (Enterprise Only)

SCIM 2.0 automatically syncs users and groups from your IdP to Cursor:

### What SCIM Handles

| Operation | Trigger | Cursor Action |
|-----------|---------|---------------|
| User created in IdP | Okta/Entra creates user | Seat assigned in Cursor |
| User deactivated in IdP | Okta/Entra deactivates | Seat revoked in Cursor |
| Group membership change | User added/removed from group | Role updated in Cursor |

### SCIM Setup (Okta Example)

1. Cursor Admin Dashboard > SCIM > Generate SCIM token
2. In Okta > Cursor app > Provisioning > Enable SCIM
3. Configure:
   ```
   SCIM connector base URL: https://cursor.com/api/scim/v2
   Unique identifier field: email
   Authentication mode: Bearer token
   Bearer token: [paste token from Cursor]
   ```
4. Enable: Create Users, Deactivate Users, Push Groups
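
To confirm that the deactivation row in the table above actually takes effect, the following added example (not part of the original skill, and not Cursor's or Okta's code) reconciles the IdP's view of users assigned to the Cursor app with a SCIM 2.0 `ListResponse`. Assumptions: the function names and the `{email: is_active}` IdP export shape are hypothetical, and whether Cursor's SCIM endpoint serves a `GET /Users` listing to your token is not stated on this page; the sample data is constructed.

```python
def scim_active_emails(list_response):
    """Lower-cased userName of each active user in one SCIM 2.0 ListResponse."""
    resources = list_response.get("Resources", [])
    if list_response.get("totalResults", len(resources)) > len(resources):
        # A partial page would make provisioned users look missing.
        raise ValueError("ListResponse is paginated; fetch all pages first")
    # 'active' is optional in RFC 7643; a missing value is counted as active.
    return {u["userName"].strip().lower() for u in resources
            if u.get("userName") and u.get("active", True)}


def reconcile(idp_users, list_response, break_glass=()):
    """Compare IdP state ({email: is_active}, app-assigned users) with SCIM."""
    idp = {e.strip().lower(): bool(a) for e, a in idp_users.items()}
    cursor = scim_active_emails(list_response)
    exempt = {e.strip().lower() for e in break_glass}
    return {
        # Deactivated in the IdP but still holding an active seat.
        "deprovision_failed": sorted(e for e in cursor if idp.get(e) is False),
        # Active in Cursor with no IdP record: accounts created outside SSO.
        "unknown_to_idp": sorted(e for e in cursor - exempt if e not in idp),
        # Active in the IdP but no active seat (email mismatch, SCIM error).
        "not_provisioned": sorted(e for e, a in idp.items()
                                  if a and e not in cursor),
    }


# Constructed sample data (not real output from Okta or Cursor).
IDP_USERS = {"Alice@company.com": True, "bob@company.com": False,
             "carol@company.com": True}
CURSOR_SCIM = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 4,
    "Resources": [
        {"userName": "alice@company.com", "active": True},
        {"userName": "bob@company.com", "active": True},
        {"userName": "admin-local@company.com", "active": True},
        {"userName": "dave@company.com", "active": True},
    ],
}

if __name__ == "__main__":
    print(reconcile(IDP_USERS, CURSOR_SCIM,
                    break_glass=["admin-local@company.com"]))
```

The `break_glass` list is where the emergency-access admin account belongs, so that it is expected rather than reported as unknown.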

## Domain Verification

Required before SSO activation:

1. Cursor Admin Dashboard > Domains > Add domain
2. Add DNS TXT record:
   ```
   Type:  TXT
   Host:  _cursor-verification
   Value: cursor-verify=xxxxxxxxxxxxxxxxxxxx
   ```
3. Wait for DNS propagation (up to 48 hours, usually minutes)
4. Click "Verify" in Cursor admin

## Rollout Strategy

### Phase 1: Pilot (1 week)

```
[ ] Configure SSO with test users only
[ ] Verify sign-in flow works end-to-end
[ ] Test: new user SSO sign-in creates Cursor account
[ ] Test: sign-out and re-sign-in preserves settings
[ ] Test: IdP session timeout triggers re-auth in Cursor
[ ] Document any issues or friction points
```

### Phase 2: Gradual Rollout (2 weeks)

```
[ ] Enable SSO for one team/department
[ ] Monitor sign-in success rate in admin dashboard
[ ] Collect feedback on the auth experience
[ ] Resolve any IdP attribute mapping issues
```

### Phase 3: Organization-Wide

```
[ ] Enable SSO requirement for all users
[ ] Disable password-based login (optional)
[ ] Enable SCIM for automatic provisioning
[ ] Set up IdP group → Cursor role mapping
[ ] Document SSO in company IT wiki
```

## Troubleshooting

| Issue | Cause | Fix |
|-------|-------|-----|
| "SAML Response Invalid" | Wrong ACS URL or Entity ID | Verify URLs match exactly |
| User not created after SSO | SCIM not enabled or email mismatch | Check SCIM logs in IdP |
| "Domain not verified" | DNS record not propagated | Wait, then re-verify |
| Redirect loop after SSO | Browser cookies corrupted | Clear cookies for cursor.com |
| SSO works but wrong role | Group mapping misconfigured | Check IdP group assignments |
| "No seat available" | All seats assigned | Purchase more seats or revoke unused |
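
For the first row, "match exactly" can be checked against a real response instead of by eye. This added example (not from the original skill or from Cursor) decodes the base64 `SAMLResponse` form field captured during a test sign-in and compares it with the ACS URL, Entity ID, email NameID format (Okta `EmailAddress`, Google `EMAIL`) and required `email` attribute from this guide. The function names and the sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

# Expected values, copied from the SAML settings in this guide.
ACS_URL = "https://cursor.com/api/auth/saml/callback"
ENTITY_ID = "https://cursor.com/api/auth/saml"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}


def check_saml_response(b64_response):
    """Mismatches vs. this guide's settings. Diagnostic only: signature NOT verified."""
    xml_bytes = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        return ["DTD or entity declaration present; refusing to parse"]
    root = ET.fromstring(xml_bytes)
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    audiences = [a.text.strip() for a in root.iterfind(".//a:Audience", NS) if a.text]
    if ENTITY_ID not in audiences:
        problems.append(f"Audience {audiences} does not contain the Entity ID")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None:
        problems.append("Subject has no NameID")
    elif name_id.get("Format") != EMAIL_FORMAT:
        problems.append(f"NameID Format is {name_id.get('Format')!r}")
    emails = [v.text for a in root.iterfind(".//a:Attribute[@Name='email']", NS)
              for v in a.iterfind("a:AttributeValue", NS) if v.text]
    if not emails:
        problems.append("required 'email' attribute is missing or empty")
    return problems


def build_sample(destination=ACS_URL, audience=ENTITY_ID):
    """Constructed, unsigned SAMLResponse for the demo (not real IdP output)."""
    xml = f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}" Destination="{destination}">
 <a:Assertion>
  <a:Subject><a:NameID Format="{EMAIL_FORMAT}">dev@company.com</a:NameID></a:Subject>
  <a:Conditions><a:AudienceRestriction><a:Audience>{audience}</a:Audience></a:AudienceRestriction></a:Conditions>
  <a:AttributeStatement><a:Attribute Name="email"><a:AttributeValue>dev@company.com</a:AttributeValue></a:Attribute></a:AttributeStatement>
 </a:Assertion>
</p:Response>"""
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    print(check_saml_response(build_sample(ACS_URL + "/")))  # trailing-slash mismatch
```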

## Enterprise Considerations

- **MFA enforcement**: Apply MFA policy at the IdP level (Okta/Entra). Cursor defers to IdP for MFA.
- **Session timeout**: Configure session lifetime in IdP. Cursor respects IdP session expiry.
- **Emergency access**: Keep one admin account with email/password login in case SSO is misconfigured.
- **Compliance**: SSO provides centralized access logging at the IdP level for audit trails.
- **Cost**: SSO is included in Business ($40/user/mo) and Enterprise plans. No additional SSO fee.

## Resources

- [Cursor SSO Documentation](https://docs.cursor.com/plans/business/sso)
- [Cursor Enterprise](https://cursor.com/enterprise)
- [SAML 2.0 Specification](https://docs.oasis-open.org/security/saml/v2.0/)
- [Okta SAML Guide](https://developer.okta.com/docs/guides/saml-application-setup/)
