cursor-sso-integration
Configure SAML 2.0 and OIDC SSO for Cursor with Okta, Microsoft Entra ID, and Google Workspace. Triggers on "cursor sso", "cursor saml", "cursor oauth", "enterprise cursor auth", "cursor okta", "cursor entra", "cursor scim".
What this skill does
# Cursor SSO Integration Configure Single Sign-On for Cursor using SAML 2.0 or OIDC. Available on Business and Enterprise plans. Supports Okta, Microsoft Entra ID (Azure AD), Google Workspace, and any SAML 2.0 / OIDC compliant IdP. ## Prerequisites - Cursor Business or Enterprise subscription - Admin access to both Cursor organization and Identity Provider - Verified company domain in Cursor admin dashboard - Understanding of SAML 2.0 or OIDC concepts ## SSO Configuration: Okta ### Step 1: Create SAML Application in Okta 1. Okta Admin Console > Applications > Create App Integration 2. Select **SAML 2.0** 3. App name: "Cursor IDE" ### Step 2: Configure SAML Settings ``` Single Sign-On URL (ACS URL): https://cursor.com/api/auth/saml/callback Audience URI (Entity ID): https://cursor.com/api/auth/saml Name ID format: EmailAddress Application username: Email Attribute Statements: email → user.email (Required) name → user.firstName + " " + user.lastName (Optional) ``` ### Step 3: Download IdP Metadata After creating the app in Okta: 1. Go to the app's "Sign On" tab 2. Click "Identity Provider metadata" link 3. Save the XML file ### Step 4: Upload to Cursor 1. Cursor Admin Dashboard > SSO 2. Select "SAML 2.0" 3. Upload the IdP metadata XML (or paste the metadata URL) 4. Save configuration ### Step 5: Test 1. Open Cursor incognito 2. Sign in with your `@company.com` email 3. Should redirect to Okta login 4. After auth, return to Cursor authenticated ## SSO Configuration: Microsoft Entra ID ### Step 1: Register Enterprise Application 1. Azure Portal > Entra ID > Enterprise applications > New application 2. Create your own application > "Cursor IDE" 3. Select "Integrate any other application you don't find in the gallery (Non-gallery)" ### Step 2: Configure SAML In the enterprise app > Single sign-on > SAML: ``` Basic SAML Configuration: Identifier (Entity ID): https://cursor.com/api/auth/saml Reply URL (ACS URL): https://cursor.com/api/auth/saml/callback Sign-on URL: https://cursor.com Attributes & Claims: Unique User Identifier: user.mail email: user.mail name: user.displayname ``` ### Step 3: Download Federation Metadata XML In Entra ID app > SAML Signing Certificate > Download "Federation Metadata XML" ### Step 4: Upload to Cursor Same as Okta Step 4: Admin Dashboard > SSO > Upload metadata. ## SSO Configuration: Google Workspace ### Step 1: Create SAML App 1. Google Admin Console > Apps > Web and mobile apps > Add app > Add custom SAML app 2. App name: "Cursor IDE" ### Step 2: Configure ``` ACS URL: https://cursor.com/api/auth/saml/callback Entity ID: https://cursor.com/api/auth/saml Name ID format: EMAIL Name ID: Basic Information > Primary email ``` ### Step 3: Download IdP Metadata Google provides this during app creation. Save the metadata XML. ### Step 4: Upload to Cursor Admin Dashboard > SSO > Upload metadata. ## SCIM Provisioning (Enterprise Only) SCIM 2.0 automatically syncs users and groups from your IdP to Cursor: ### What SCIM Handles | Operation | Trigger | Cursor Action | |-----------|---------|---------------| | User created in IdP | Okta/Entra creates user | Seat assigned in Cursor | | User deactivated in IdP | Okta/Entra deactivates | Seat revoked in Cursor | | Group membership change | User added/removed from group | Role updated in Cursor | ### SCIM Setup (Okta Example) 1. Cursor Admin Dashboard > SCIM > Generate SCIM token 2. In Okta > Cursor app > Provisioning > Enable SCIM 3. Configure: ``` SCIM connector base URL: https://cursor.com/api/scim/v2 Unique identifier field: email Authentication mode: Bearer token Bearer token: [paste token from Cursor] ``` 4. Enable: Create Users, Deactivate Users, Push Groups ## Domain Verification Required before SSO activation: 1. Cursor Admin Dashboard > Domains > Add domain 2. Add DNS TXT record: ``` Type: TXT Host: _cursor-verification Value: cursor-verify=xxxxxxxxxxxxxxxxxxxx ``` 3. Wait for DNS propagation (up to 48 hours, usually minutes) 4. Click "Verify" in Cursor admin ## Rollout Strategy ### Phase 1: Pilot (1 week) ``` [ ] Configure SSO with test users only [ ] Verify sign-in flow works end-to-end [ ] Test: new user SSO sign-in creates Cursor account [ ] Test: sign-out and re-sign-in preserves settings [ ] Test: IdP session timeout triggers re-auth in Cursor [ ] Document any issues or friction points ``` ### Phase 2: Gradual Rollout (2 weeks) ``` [ ] Enable SSO for one team/department [ ] Monitor sign-in success rate in admin dashboard [ ] Collect feedback on the auth experience [ ] Resolve any IdP attribute mapping issues ``` ### Phase 3: Organization-Wide ``` [ ] Enable SSO requirement for all users [ ] Disable password-based login (optional) [ ] Enable SCIM for automatic provisioning [ ] Set up IdP group → Cursor role mapping [ ] Document SSO in company IT wiki ``` ## Troubleshooting | Issue | Cause | Fix | |-------|-------|-----| | "SAML Response Invalid" | Wrong ACS URL or Entity ID | Verify URLs match exactly | | User not created after SSO | SCIM not enabled or email mismatch | Check SCIM logs in IdP | | "Domain not verified" | DNS record not propagated | Wait, then re-verify | | Redirect loop after SSO | Browser cookies corrupted | Clear cookies for cursor.com | | SSO works but wrong role | Group mapping misconfigured | Check IdP group assignments | | "No seat available" | All seats assigned | Purchase more seats or revoke unused | ## Enterprise Considerations - **MFA enforcement**: Apply MFA policy at the IdP level (Okta/Entra). Cursor defers to IdP for MFA. - **Session timeout**: Configure session lifetime in IdP. Cursor respects IdP session expiry. - **Emergency access**: Keep one admin account with email/password login in case SSO is misconfigured - **Compliance**: SSO provides centralized access logging at the IdP level for audit trails - **Cost**: SSO is included in Business ($40/user/mo) and Enterprise plans. No additional SSO fee. ## Resources - [Cursor SSO Documentation](https://docs.cursor.com/plans/business/sso) - [Cursor Enterprise](https://cursor.com/enterprise) - [SAML 2.0 Specification](https://docs.oasis-open.org/security/saml/v2.0/) - [Okta SAML Guide](https://developer.okta.com/docs/guides/saml-application-setup/)
Related in General
modeling-omnistudio-epc-catalog
IncludedSalesforce Industries CME EPC product-modeling skill for Product2-based catalog creation. Use when creating EPC products, configuring product attributes, building offer bundles with Product Child Items, or reviewing EPC DataPack JSON metadata for product catalog changes. TRIGGER when: user creates or updates Product2 EPC records, AttributeAssignment payloads, AttributeMetadata/AttributeDefaultValues, Offer bundles, or ProductChildItem relationships. DO NOT TRIGGER when: designing OmniScripts/FlexCards/Integration Procedures (use building-omnistudio-omniscript, building-omnistudio-flexcard, or building-omnistudio-integration-procedure), implementing Apex business logic (use generating-apex), or troubleshooting deployment pipelines (use deploying-metadata).
relationship-science-coach
IncludedUse this skill for direct, practical adult relationship coaching: couples conflict, repair, trust, marriage, dating, flirting, attachment patterns, emotional connection, sex, desire differences, eroticism, kink negotiation, affection, love languages, breakups, and long-term passion. Draw on Gottman, EFT and Hold Me Tight, attachment science, modern sex research, Perel, Nagoski, Kerner, Schnarch, Love and Stosny, and flexible love-language tools. Be concrete and low-hedge. Redirect only for imminent danger, abuse, coercive control, minors, non-consent, self-harm, stalking, or medical/legal/psychiatric decisions.
building-sf-integrations
IncludedSalesforce integration architecture and runtime plumbing with 120-point scoring. Use this skill to set up Named Credentials, External Credentials, External Services, REST/SOAP callout patterns, Platform Events, and Change Data Capture. TRIGGER when: user sets up Named Credentials, External Services, REST/SOAP callouts, Platform Events, CDC, or touches .namedCredential-meta.xml files. DO NOT TRIGGER when: Connected App/OAuth config (use configuring-connected-apps), Apex-only logic (use generating-apex), or data import/export (use handling-sf-data).
venue-templates
IncludedAccess comprehensive LaTeX templates, formatting requirements, and submission guidelines for major scientific publication venues (Nature, Science, PLOS, IEEE, ACM), academic conferences (NeurIPS, ICML, CVPR, CHI), research posters, and grant proposals (NSF, NIH, DOE, DARPA). This skill should be used when preparing manuscripts for journal submission, conference papers, research posters, or grant proposals and need venue-specific formatting requirements and templates.
let-fate-decide
IncludedDraws the 12 Houses of the Zodiac Tarot spread to inject entropy into planning when prompts are vague, ambiguous, or casually delegated. Interprets the spread to guide next steps. Use when the user says 'let fate decide', 'YOLO', 'whatever', 'idk', or other nonchalant phrases, makes Yu-Gi-Oh references, or when you are about to arbitrarily pick between multiple reasonable approaches. Prefer over ask-questions-if-underspecified when the user's tone is casual or playful rather than precision-seeking.
net-ops
IncludedCross-platform network troubleshooting (Windows, macOS, Linux) via local or remote shell. Use for: DNS broken, can't resolve hostnames, nslookup/dig works but apps fail, NRPT, WFP, scutil, /etc/resolver, systemd-resolved, /etc/resolv.conf, NetworkManager, VPN DNS leak residue (ProtonVPN/Mullvad/WireGuard/AnyConnect), AV/firewall blocking DNS or DoH, Tailscale DNS interaction, intermittent connectivity, remote diagnostics over SSH.