Configure and Provision Okta SAML SSO for your Organization

IMPORTANT You can only use SAML SSO if you are on Figma’s Organizations plan. Learn more about Figma's plans here: https://www.figma.com/pricing

There are a couple of approaches available when implementing SAML SSO.

You can choose to initiate the SAML SSO process from the Identity Provider's end (Initiated via Okta), or from the Service Provider's end (Initiated via Figma).

You also have the option to restrict logins via SAML SSO to a specific domain (i.e. your organization's domain name).

In this article, we'll take you through the steps required to get SAML SSO set up with Okta:

  1. Add the Figma App to your Okta Account.
  2. Configure Okta in Figma.
  3. Configure the Okta Application.
  4. Assign Users to the Application.
  5. Configure Automatic Provisioning via SCIM (Recommended).

Learn more about SAML SSO functions in our Getting Started with SAML SSO article.

Add the Figma App to your Okta Account

First, you will need to add the Figma Okta app to your Okta account. This will allow you to generate a Metadata URL, which you'll need to provide to Figma so the two services can be connected.

  1. Log in to your Okta account and head to the Applications page.
  2. Select Add Application from the options.
  3. Search for Figma and click the Add button to add Figma to your account.
  4. Once the app is installed, go to its Sign On page.
  5. Right click on the Identity Provider Metadata link and choose Copy link address. You will need this for the next step below.

    The link should look something like this: 

    https://example.okta.com/app/abc123/sso/saml/metadata

Configure Okta in Figma

Next you will need to set up the Okta integration in Figma.

  1. Open the Admin Console in your Figma Organization.
  2. From the General page, find the Sign in and Provisioning section.
  3. Click the Update Sign In Settings link.
  4. From the Authentication and Provisioning page, you can set your Authentication preference. Before you can select SAML SSO from the options, you will need to Configure SAML.
  5. Click the Configure SAML button at the bottom of the SAML SSO section.
  6. In the Configure SAML SSO modal, select Okta from the Identity Provider (IdP) section.
  7. Enter your IdP Metadata URL in the field provided. This is the URL you generated in the Add the Figma App to your Okta Account section above.
  8. Click Review. You'll be prompted to review and confirm the details are correct. This is the only time you will be able to make changes to your Okta details without having to contact customer support.
  9. Check the box to confirm This information is correct... and click Configure SAML SSO.
  10. You will now see a confirmation of your Okta SAML SSO Configuration in the SAML SSO section.
  11. Click the Copy link next to your Tenant ID. You will need this during the setup process in Okta.

Configure the Okta Application

Once you've received your confirmation and Tenant ID, you can complete the configuration process in Okta.

  1. In Okta, go to the Sign On tab for the Figma app.
  2. Click Edit and scroll down to the Advanced Sign-On Settings section.
  3. Enter your Tenant ID in the corresponding field.
  4. In the Application username format field, select Email from the options.
  5. Click Save to complete the process.

Assign Users to the Application

Now that everything is set up, you can start assigning users to the application. As part of this process, you may be asked to provide additional information about each user.

Head to the Assignments tab (on the far right) to start adding users to the application.

The following basic attributes are supported:

Variable Name | External Name | External Namespace                         | Suggested Mapping
------------- | ------------- | ------------------------------------------ | -----------------
givenName     | givenName     | urn:ietf:params:scim:schemas:core:2.0:User | user.firstName
familyName    | familyName    | urn:ietf:params:scim:schemas:core:2.0:User | user.lastName
displayName   | displayName   | urn:ietf:params:scim:schemas:core:2.0:User | user.displayName
title         | title         | urn:ietf:params:scim:schemas:core:2.0:User | user.title

The SCIM Enterprise User attributes are also supported:

Variable Name      | External Name       | External Namespace                                         | Suggested Mapping
------------------ | ------------------- | ---------------------------------------------------------- | -----------------
employeeNumber     | employeeNumber      | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User | user.employeeNumber
costCenter         | costCenter          | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User | user.costCenter
organization       | organization        | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User | user.organization
division           | division            | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User | user.division
department         | department          | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User | user.department
managerValue       | manager.value       | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User | user.managerId
managerDisplayName | manager.displayName | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User | user.manager

Note: Missing the SCIM Enterprise User attributes? Figma applications added in Okta prior to June 2019 may need to be upgraded. Please contact support@figma.com for assistance.
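As an added example (not Figma's or Okta's code), the script below builds the SCIM 2.0 User resource that the two tables above describe from an Okta profile: the External Names and namespaces are taken from the tables, the profile keys follow the Suggested Mapping column without the "user." prefix, a dotted External Name such as manager.value is expanded into a nested attribute, and the enterprise extension URN is only declared in "schemas" when at least one extension attribute is actually mapped. The sample profile is constructed, and the placement of core attributes at the top level follows the tables as written.

```python
import json

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# (Okta profile field, SCIM External Name, External Namespace), from the tables.
MAPPINGS = [
    ("firstName", "givenName", CORE),
    ("lastName", "familyName", CORE),
    ("displayName", "displayName", CORE),
    ("title", "title", CORE),
    ("employeeNumber", "employeeNumber", ENTERPRISE),
    ("costCenter", "costCenter", ENTERPRISE),
    ("organization", "organization", ENTERPRISE),
    ("division", "division", ENTERPRISE),
    ("department", "department", ENTERPRISE),
    ("managerId", "manager.value", ENTERPRISE),
    ("manager", "manager.displayName", ENTERPRISE),
]

def set_path(obj: dict, dotted: str, value) -> None:
    """Expand a dotted External Name (e.g. manager.value) into nested dicts."""
    parts = dotted.split(".")
    for part in parts[:-1]:
        obj = obj.setdefault(part, {})
    obj[parts[-1]] = value

def to_scim_user(profile: dict) -> dict:
    """Map an Okta profile dict to a SCIM 2.0 User resource.
    Core attributes sit at the top level; extension attributes sit under
    the extension URN, which is declared in 'schemas' only when used."""
    user = {"schemas": [CORE], "userName": profile["email"]}  # username format: Email
    for okta_field, external, namespace in MAPPINGS:
        if okta_field not in profile:
            continue  # unset profile fields are omitted rather than sent as empty strings
        target = user if namespace == CORE else user.setdefault(namespace, {})
        set_path(target, external, profile[okta_field])
    if ENTERPRISE in user:
        user["schemas"].append(ENTERPRISE)
    return user

# Constructed sample profile; not real user data.
SAMPLE_PROFILE = {
    "email": "jdoe@example.com", "firstName": "Jane", "lastName": "Doe",
    "displayName": "Jane Doe", "department": "Design",
    "managerId": "00u1abc", "manager": "Sam Lead",
}

if __name__ == "__main__":
    print(json.dumps(to_scim_user(SAMPLE_PROFILE), indent=2))
```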

Sign In via Figma (SP-initiated SSO)

To start the SAML SSO process from Figma's end, you can head to the following URL: https://www.figma.com/saml/[TenantID]/start

Note: Replace [TenantID] in the URL above with the Tenant ID provided by Figma.

Configure Automatic Provisioning via SCIM (Recommended)

Okta offers JIT (just-in-time) provisioning automatically, which supports creating and updating user accounts. We also recommend that you enable Automatic Provisioning via SCIM.

This allows you to support the following actions:

  1. Create Users - Creating a user in Okta automatically creates a user in Figma who is assigned to your Organization. Any users created via this process will have their Okta email validated automatically.
  2. Update Users - Any changes made to the user in Okta (e.g. updating their name or email address) are applied to the corresponding user account in Figma.
  3. Deactivate Users - If a user is unassigned in Okta, their account in Figma is automatically deactivated.

    Deactivating a user will automatically log out the user and remove them from the organization, including any related files, projects or teams. Any drafts related to that user's account will also be made accessible to the Organization's admin (under the Shared Folders section).

    Tip! If the user would like to use the same email address for a personal account, they will be required to reset their password before they can create a new account with that address. They will no longer have access to any of the Organization's Files, including any Drafts on their company account.

  4. Reactivate Users - When a user is re-assigned in Okta, they are automatically added back to the Organization's account in Figma. They'll be prompted to log back in (using SSO, if required). Any previous file, project, or team roles must be restored manually.

Learn more about SCIM in Okta's What is SCIM article: https://www.okta.com/blog/2017/01/what-is-scim/

1 | Generate an API Token (Figma)

You'll need to generate an API token in Figma; this token authorizes the connection between Okta and Figma.

  1. Open the Admin Console in your Figma Organization.
  2. From the General page, click the Configure Authentication, SAML SSO and SCIM Provisioning link.
  3. On the Authentication and Provisioning modal, find the SCIM Provisioning section.
  4. Next to API Token, click Generate API Token.
  5. Copy the API Token that is generated.

2 | Provisioning with SCIM (Okta)

Once you've got your API Token:

  1. In Okta, go to the Provisioning tab in the Figma app.
  2. Click the Configure API Integration button.
  3. Check the box next to Enable API Integration.
  4. Enter the API Token in the field provided.
  5. Click Test API Credentials to ensure it's set up correctly.
  6. When you see the success message, click Save to apply.
  7. A few more options will now appear under the Provisioning section.
  8. Click on the To App option in the left-hand menu.

    Important: Ensure that the following functions are all enabled:
    1. Create Users.
    2. Update User Attributes.
    3. Deactivate Users.
  9. Click Save to apply.
