Summary and recommendation
Windsurf supports native SCIM provisioning through their standard SCIM 2.0 implementation. However, SCIM access is locked behind the Enterprise tier at $60/user/month—double the cost of their Teams plan ($30/user/month) that includes SSO. For a 50-developer team, upgrading from Teams to Enterprise solely for SCIM costs an additional $18,000/year. The implementation also requires SCIM to be the single source of truth—mixing manual user management with SCIM creates account drift issues.
This pricing gap creates a real problem for growing engineering teams. Developers need immediate access to AI coding tools when they join, but manually provisioning accounts in a sensitive IP environment introduces security risks and delays onboarding. SSO alone doesn't solve this—you still need someone manually creating accounts, assigning proper model access controls, and cleaning up when developers leave.
The strategic alternative
Stitchflow provides managed SCIM automation for Windsurf without requiring the Enterprise tier upgrade. Works with any plan, any IdP. Flat pricing under $5K/year regardless of team size.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Windsurf accounts manually. Here's what that costs:
The Windsurf pricing problem
Windsurf gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure (Billed Monthly)
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Teams | $30/user/mo | ||
| Enterprise | $60/user/mo |
Note: Teams tier includes SSO but no SCIM. Enterprise is required for full SCIM provisioning with group push and role-based model access controls.
What this means in practice
Using current list prices (Teams → Enterprise for SCIM):
| Team Size | Annual Upgrade Cost |
|---|---|
| 25 developers | +$9,000/year |
| 50 developers | +$18,000/year |
| 100 developers | +$36,000/year |
Calculation: $30/user/month × users × 12 months for the tier upgrade
Additional constraints
Summary of challenges
- Windsurf supports SCIM but only at Enterprise tier ($60/user/month (Enterprise with ZDR))
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Windsurf doesn't sell SCIM à la carte. It's bundled with Enterprise features at $60/user/month:
Stitchflow Insight
Teams upgrading from the $30/month Teams plan (which includes SSO) pay double their current rate primarily for SCIM and ZDR. If you need enterprise-grade code security anyway, the upgrade makes sense. If you just want automated user provisioning, you're paying for a premium bundle. We estimate ~60% of Enterprise features are irrelevant for teams that only need basic SCIM functionality.
What IT admins are saying
Community sentiment on Windsurf's SCIM requirements centers around the steep Enterprise pricing barrier. Common complaints:
- Enterprise tier required for SCIM doubles the cost from Teams ($30 to $60/user/month)
- No middle-ground option between Teams SSO and full Enterprise features
- Mixing SCIM with manual provisioning creates user drift issues
- SP-initiated SSO only - no IdP-initiated support for streamlined workflows
Enterprise required for SSO/SCIM - that's a big jump from the Teams plan just for identity features.
The documentation warns about drift if you mix SCIM with manual user management, but then why charge so much for the automation?
The recurring theme
Windsurf forces a 100% price increase just to get automated provisioning, pushing teams toward error-prone manual user management or expensive Enterprise upgrades.
The decision
| Your Situation | Recommendation |
|---|---|
| On Teams ($30/user), need SCIM | Use Stitchflow: avoid the $30/user/month Enterprise upgrade |
| On Pro ($15/month), need team provisioning | Use Stitchflow: skip both Teams and Enterprise tiers |
| Already on Enterprise with SCIM | Use native SCIM: you're paying $60/user/month for it |
| Large engineering team (200+ users) with volume discounts | Evaluate Enterprise: SCIM comes bundled with volume pricing |
| Small dev team, infrequent changes | Manual may work: but consider security implications for code access |
The bottom line
Windsurf's Enterprise tier requirement means SCIM costs $30-45/user/month more than your current plan. For development teams that need automated provisioning without Enterprise features, Stitchflow delivers SCIM automation at under $5K/year total.
Automate Windsurf without the tier upgrade
Stitchflow delivers SCIM-level provisioning through resilient browser automation, backed by 24/7 human in the loop for Windsurf at <$5K/year, flat, regardless of team size.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
None
Key limitations
- SSO recommended but not required for SCIM
- SCIM should be source of truth - mixing with manual/API creates drift
- Enterprise tier required for SCIM
- SP-initiated SSO only - IDP-initiated NOT supported
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Enterprise required for SCIM
Native SCIM is available on Enterprise. Use Stitchflow if you need provisioning without the tier upgrade.
Unlock SCIM for
Windsurf
Windsurf gates automation behind Enterprise plan. Stitchflow delivers the same SCIM outcomes for a flat fee, saving you 100%.
See how it works
