Getting Started with SAML SSO

Who can use this feature?

Users on the Figma Organization Plan

Only Organization Admins can configure SAML SSO

Organizations with enhanced security requirements can configure SAML SSO.

Security Assertion Markup Language (SAML) is a security standard for logging into applications.

Single Sign On (SSO) allows users to log into many applications or websites via one set of login details.

How SAML SSO Works

The Identity Provider (IdP) manages the Organization's user accounts and credentials.

The Service Provider (SP) is the app or website that provides services to the User or Organization. That's Figma.

  1. The User attempts to log in to Figma via SAML SSO
  2. Figma creates a SAML request and sends this to the IdP
  3. The IdP checks this user's credentials to confirm they are correct
  4. The IdP sends a response to Figma to verify the user's identity
  5. Figma accepts the response and logs the user into their Figma account

Set up SAML for an Organization

The process for configuring SAML will depend on your specific IdP. Figma has dedicated integrations with the following providers:

Note: You can also set up a custom SAML configuration with a provider that isn't on this list. Learn more in our Set up a Custom SAML Configuration article.

We've outlined the general process for implementing SAML SSO in your Organization:

  1. Confirm your Company Domain
  2. Add the Figma app to your IdP
  3. Configure SAML SSO in Figma
  4. Add your SAML details to your IdP
  5. Set up SCIM Provisioning
  6. Users Log In to Figma via SAML
  7. Manage Member Permissions in Figma

Confirm your Company Domain(s)

Domain Capture allows you to define any email domains associated with your Organization. This allows anyone with a company email address, e.g. name@figma.com, to log in to your Organization.

You can define more than one domain for your Organization. For this to work with SAML, you will also need to register those domains with your Identity Provider.

Current Figma users will want to be able to access Files and Projects from their existing login.

Make sure everyone is using Figma with their correct company email before you set up SAML. This includes people using email aliases.

Add the Figma app to your IdP

If you're using a Supported Identity Provider, you will need to add the Figma app to your IdP.

During this process your Identity Provider will provide you with a Metadata URL.

This is an XML link that we'll use to connect the two applications. We also use this link to authenticate your users when they log in to Figma.

Configure SAML SSO in Figma

Next, you'll need to set up SAML SSO in Figma. This does two things:

  • Enables SAML SSO in your Organization
  • Connects your IdP to your Figma account

At this point, you can choose if users may or must log in via SAML.

At the end of the configuration process, Figma will provide you with a Tenant ID. You will need this to complete the configuration process with your IdP.

Note: If you want to set up Google SSO, all users will need to log in via Google SSO. There is no way to make this optional or enable this for only some users.

Add your SAML details to your IdP

You will need to complete the rest of the setup process with your IdP.

  • Supported Identity Providers: you'll only need the Tenant ID Figma created.
  • Custom SAML configurations: you'll need the SP Entity ID and SP ACS URL Figma generated.

Set up SCIM Provisioning

All SAML configurations support "Just In Time" (JIT) or Manual provisioning.

JIT provisioning allows Figma to create and update users in Figma. JIT only applies changes when a user logs in to their account, not when an Admin makes the changes.

If you're using a supported Identity Provider, you can enable provisioning via SCIM. We don't support SCIM provisioning for custom SAML configurations.

SCIM gives you greater control as it allows you to import and deactivate users. SCIM pushes any changes you make with the IdP to the SP as soon as they happen.

It's not possible to define a user's permissions via your Identity Provider. You can only manage a user's permissions in Figma.

For every user that you provision in your IdP, we will add them to Figma as a Viewer. Learn more about Permissions in an Organization.

Users Log in to Figma via SAML

Users can now access Figma using their company email address and password.

Manage Member Permissions in Figma

It's not possible to define a user's permissions via your Identity Provider. You can only manage a user's permissions in Figma.

By default, we give every user that you add to your IdP Viewer permissions. This is a provisional Role, which means there are no restrictions around upgrading.

You can update a user's permissions at any time:
