Enterprise
Cursor SCIM Provisioning: Setup, Directory Groups & Spend Limits
SCIM 2.0 on Cursor Enterprise automatically adds and removes users from your identity provider assignment to the Cursor SCIM app, syncs directory groups read-only into Cursor and lets admins set per-group spend limits (users in multiple groups get the highest limit). SSO must be configured first; user and group changes must be made in your IdP, not in Cursor.
On this page
What do we need before turning on SCIM?
- Cursor Enterprise plan (contact sales if SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. is not visible).
- SSOSingle Sign-On. One company login (usually via SAML or OIDC) instead of a separate password per tool. already working - SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. requires an active SAMLAn enterprise standard that powers single sign-on. connection.
- Admin access to your IdP (Okta, Entra ID, Google Workspace, etc.) and Cursor org admin.
How does SCIM change day-to-day admin work?
- Users
- Assigned in IdP → appear in Cursor; unassigned → removed.
- Directory groups
- Group membership mirrors IdP; Cursor display is read-only.
- Spend limits
- Optional per-directory-group caps; highest limit wins for multi-group users.
Once SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. is live, add, remove and regroup users only in your identity provider. Changes propagate to Cursor in real time. Manual invites and domain-matching self-join are replaced by IdP assignment.
How do we configure SCIM step by step?
- 1Confirm SSOSingle Sign-On. One company login (usually via SAML or OIDC) instead of a separate password per tool. login works for a test user.
- 2Open Dashboard → Members & Groups → Directory Groups (or the Active Directory subtab).
- 3Start the SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. setup wizard after SSOSingle Sign-On. One company login (usually via SAML or OIDC) instead of a separate password per tool. verification and copy the endpoint and bearer token.
- 4In your IdP, create or configure the Cursor SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. app; enable user and group push provisioning; run a connection test.
- 5Optionally set per-group spend limits on synced directory groups in Cursor.
Why are users or groups missing after SCIM setup?
- Users: they must be explicitly assigned to the SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. application in the IdP, not only in a group elsewhere.
- Groups: confirm group push provisioning is enabled and groups are assigned to the SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. app.
- SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. UI hidden: SSOSingle Sign-On. One company login (usually via SAML or OIDC) instead of a separate password per tool. is not verified yet; fix SAMLAn enterprise standard that powers single sign-on. before SCIM controls appear.
How is SCIM different from billing groups?
Directory groups (SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave.) drive identity and optional spend limits. Billing groups attribute usage for chargebacks and can also sync from IdP groups but serve finance reporting. They are related concepts with different dashboards; large orgs often use both. See the billing groups guide for spend attribution rules.
Frequently asked questions
Can we mix SCIM and manual invites?
Not for SCIM-managed users. Membership is owned by the IdP. Non-SCIM domain controls apply only when you are not provisioning through SCIM.
Which identity providers are supported?
Cursor documents SCIM with WorkOS integration guides covering Okta, Azure AD, Google Workspace and others. Follow the provider-specific steps linked from the SCIM doc.
Do directory group spend limits override team defaults?
Yes. Group limits take precedence over team-wide per-user limits; users in multiple groups receive the highest applicable limit.
Sources & last verified
Cursor ships frequently. Facts verified against primary sources on June 24, 2026.