Getting Started with SAML SSO for Organizations
Security Assertion Markup Language (SAML) is a web security standard for logging users into applications.
It revolves around single sign-on (SSO), which lets users access multiple applications or websites through one authentication source. This is well suited to large organizations with enhanced security requirements.
If you are an Admin for a Figma Organization, then you can enable and enforce SAML SSO for all team members added to your Figma account.
- Okta: Configure and Provision Okta SAML SSO.
- Azure Active Directory: Configure Azure Active Directory SAML SSO.
- OneLogin: Configure and Provision OneLogin SAML.
If you are using G Suite to manage your company email, then you can enable Google SSO in your Figma Organization. Learn more in our Require Google SSO article.
Understanding SAML SSO functions
We've put together some explanations for common terms and functions relating to SAML SSO:
- IdP (Identity Provider): the service that manages the end user's accounts and credentials. It sends SAML responses to the SP (see below), which authenticate end users. In this setup the IdP is Okta, Azure, or OneLogin.
- SP (Service Provider): the company providing services to the end user (e.g. communication, storage, processing, hosting, etc.); in this situation, that's Figma. The SP (Figma) redirects the user to the IdP (Okta, Azure, or OneLogin) to complete authentication, and then accepts the SAML response as a way of signing the user in.
- JIT (Just In Time Provisioning): lets new users be created and updated on the fly. A user is created in Figma during their first login via SAML SSO and automatically updated during any subsequent logins. This is an automated process and doesn't need to be enabled manually.
- Automatic Provisioning: in addition to the JIT provisioning above, you have the option to enable Automatic Provisioning. This lets you import, deactivate and reactivate users, as well as create and update them. Provisioning (via SCIM) updates users in real time, because any changes are pushed to Figma automatically, whereas JIT provisioning requires the user to log in again before changes are applied.
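To make the IdP/SP/JIT roles above concrete, here is an added illustration (not Figma's own code) of what an SP does with an incoming SAML response: it checks the assertion's Issuer, Audience and validity window, then JIT-provisions the user from the NameID and attributes. The response XML, the issuer/entity ID URLs, the attribute names and the organization domain are all constructed for the example. XML signature verification, which must happen before any of these checks, is left to a SAML library and is not shown.

```python
"""SP-side SAML consumption: assertion content checks followed by JIT provisioning.
Added example; not Figma's code. All URLs, names and attributes are constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample response, shaped like what an IdP (Okta, Azure, OneLogin) sends.
# Assumed already signature-verified by the SAML library before reaching this code.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ana@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.test/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Ana</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="title"><saml:AttributeValue>Designer</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


@dataclass
class SpConfig:
    idp_issuer: str      # Issuer value the SP was configured to trust
    sp_entity_id: str    # the SP's own entity ID; must appear as Audience
    org_domain: str      # company email domain the organization owns


@dataclass
class User:
    email: str
    name: str
    title: str
    in_org: bool


def _ts(s):
    """Parse a SAML UTC timestamp such as 2024-01-01T00:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Pull out the fields an SP needs from the (already signature-verified) assertion."""
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    cond = a.find("saml:Conditions", NS)
    attrs = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return {
        "issuer": a.findtext("saml:Issuer", namespaces=NS),
        "name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audience": cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "not_before": _ts(cond.get("NotBefore")),
        "not_on_or_after": _ts(cond.get("NotOnOrAfter")),
        "attrs": attrs,
    }


def validate(assertion, cfg, now):
    """Content checks: trusted issuer, correct audience, inside the validity window."""
    errors = []
    if assertion["issuer"] != cfg.idp_issuer:
        errors.append("issuer mismatch")
    if assertion["audience"] != cfg.sp_entity_id:
        errors.append("audience mismatch")
    if not (assertion["not_before"] <= now < assertion["not_on_or_after"]):
        errors.append("assertion outside validity window")
    return errors


def jit_provision(assertion, cfg, users):
    """Create the user on first SSO login, refresh name/title on later logins."""
    email = assertion["name_id"].strip().lower()
    if email.rsplit("@", 1)[-1] != cfg.org_domain:
        return "rejected: not an organization address"
    attrs = assertion["attrs"]
    user = users.get(email)
    if user is None:
        users[email] = User(email, attrs.get("firstName", ""), attrs.get("title", ""), True)
        return "created"
    user.name = attrs.get("firstName", user.name)   # profile fields follow the IdP
    user.title = attrs.get("title", user.title)
    user.in_org = True
    return "updated"


def handle_login(xml_text, cfg, users, now):
    """Full SP flow for one login: parse, validate, then JIT-provision."""
    assertion = parse_assertion(xml_text)
    errors = validate(assertion, cfg, now)
    if errors:
        return "rejected: " + "; ".join(errors)
    return jit_provision(assertion, cfg, users)


if __name__ == "__main__":
    cfg = SpConfig("https://idp.example.test/metadata",
                   "https://sp.example.test/saml/metadata", "example.test")
    store = {}
    print(handle_login(SAMPLE_RESPONSE, cfg, store, _ts("2024-01-01T00:01:00Z")))  # created
    print(handle_login(SAMPLE_RESPONSE, cfg, store, _ts("2024-01-01T00:01:00Z")))  # updated
```

The first login creates the user (JIT), the second only refreshes name and title from the IdP, and the same assertion replayed after NotOnOrAfter, or addressed to a different Audience, is rejected before any account is touched.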
Frequently Asked Questions
What should I do to prepare?
We recommend ensuring that everyone added to your Organization's Figma account joins under their company email address. This ensures they can access Figma via SAML SSO once it is enabled.
What happens to users once SAML SSO is enabled?
Once SSO is enabled, a user will be able to log in to Figma with their company email address and password. This creates an account for them in Figma that gives them access to the Organization's account. You will be able to define their Role and Account Type in Figma, which determine their level of access.
The user will need to be provisioned for the application (Azure) or assigned to the application (Okta) before they can use Single Sign-On to access the Organization account.
If the user hasn't been provisioned (Azure) or assigned (Okta, OneLogin) and they attempt to log in with their company email, they will create a new account instead of signing into the Organization's account.
Learn more about user sign-in in our Sign in to your Organization account article.
Do I have to turn on or enforce SAML SSO immediately?
No, you do not need to enforce SSO immediately. In fact, we recommend testing the process with a few users within the company first, before making it compulsory. Users will continue to log in with their existing email and password until SSO is made compulsory.
When you go through the setup process, let us know when you would like to require SAML SSO (i.e. disable email and password login). This can be applied immediately or at a later date. You can ask Figma to enable and disable SAML SSO at any time.
What happens once compulsory SAML SSO is enabled?
Email and password logins will be disabled for anyone with an email address registered to your company's domain. All users (across all Teams and Projects) will then be logged out and prompted to sign in via SAML SSO. This applies to all Members, Admins and Guests.
Will users see anything different?
Once users have logged in via SAML SSO, they will have access to all of their existing files. Everything in the Figma app will be the same, except for some of their profile settings.
A user's name and job title will automatically match the IdP. Additionally, some profile settings will be disabled in Figma (e.g. changing the email address or resetting the password); these changes would need to be managed directly in the SAML SSO database.
What happens if an editor doesn’t use their company email?
If their login email doesn't match their company email address, they should update the email address of their account in Figma. They must do this before using SAML SSO, or else they will inadvertently create a NEW account.
Any user that already uses their company email address will continue to see all existing files linked to their account. If they are an external contractor, or don’t have a company email, then SAML SSO won’t be enforced on their login.
What happens when I remove or deactivate a user?
Deactivating a user will automatically log the user out and remove them from the Organization, including any related files, projects or teams. Any drafts related to that user's account will also be made accessible to the Organization's admin (under the Shared Folders section).
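The deactivation described above is what Automatic Provisioning pushes over SCIM instead of waiting for the user's next login. The following is an added illustration (not Figma's code) of how an SP can apply a SCIM PatchOp that sets `active` to false: revoke the user's live sessions, drop their organization membership, and hand their drafts to the admin's shared area. The user IDs, the session and draft records, and the request bodies are all constructed for the example; the two PatchOp shapes accepted are the path-less `value` object and the `path="active"` form, both of which IdPs use in practice.

```python
"""SP-side handling of SCIM user deactivation/reactivation pushes.
Added example; not Figma's code. IDs, sessions, drafts and bodies are constructed."""
import json
from dataclasses import dataclass, field


@dataclass
class OrgUser:
    email: str
    active: bool = True
    in_org: bool = True
    sessions: set = field(default_factory=set)    # live session tokens
    drafts: list = field(default_factory=list)    # draft file ids owned by the user


@dataclass
class Org:
    users: dict                                      # scim_id -> OrgUser
    admin_shared: list = field(default_factory=list)  # drafts surfaced to admins
    audit_log: list = field(default_factory=list)


# Constructed SCIM 2.0 PatchOp bodies as an IdP would send them.
SCIM_DEACTIVATE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [{"op": "replace", "value": {"active": False}}],
})
SCIM_REACTIVATE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [{"op": "Replace", "path": "active", "value": "True"}],
})


def _as_bool(v):
    """SCIM clients send booleans as JSON bools or as the strings 'True'/'False'."""
    return v if isinstance(v, bool) else str(v).strip().lower() == "true"


def extract_active(body):
    """Return the requested 'active' value from a PatchOp, or None if absent."""
    for op in json.loads(body).get("Operations", []):
        if op.get("op", "").lower() != "replace":
            continue
        path = (op.get("path") or "").lower()
        value = op.get("value")
        if path == "active":
            return _as_bool(value)
        if path == "" and isinstance(value, dict) and "active" in value:
            return _as_bool(value["active"])
    return None


def deactivate(org, scim_id):
    """Log the user out everywhere, remove them from the org, expose drafts to admins."""
    user = org.users[scim_id]
    revoked = len(user.sessions)
    user.sessions.clear()                 # every live session is invalidated
    user.active = False
    user.in_org = False
    org.admin_shared.extend(user.drafts)  # drafts become visible under Shared Folders
    user.drafts = []
    org.audit_log.append(f"deactivated {user.email}: {revoked} sessions revoked")
    return {"active": False, "sessions_revoked": revoked}


def reactivate(org, scim_id):
    """Restore membership; the user signs in again via SSO to get a new session."""
    user = org.users[scim_id]
    user.active = True
    user.in_org = True
    org.audit_log.append(f"reactivated {user.email}")
    return {"active": True, "sessions_revoked": 0}


def apply_scim_patch(org, scim_id, body):
    """Entry point for PATCH /Users/{id}: dispatch on the requested active state."""
    if scim_id not in org.users:
        return {"error": "user not found"}
    wanted = extract_active(body)
    if wanted is None:
        return {"error": "no active change in PatchOp"}
    return deactivate(org, scim_id) if not wanted else reactivate(org, scim_id)


if __name__ == "__main__":
    org = Org({"u-1": OrgUser("ana@example.test", sessions={"s1", "s2"}, drafts=["d-42"])})
    print(apply_scim_patch(org, "u-1", SCIM_DEACTIVATE))
    print(org.admin_shared, org.audit_log)
```

Because the deactivation arrives as a push, the sessions are revoked at the moment the IdP marks the user inactive; with JIT-only provisioning the same change would not take effect until the user next tried to log in.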