Configure and Provision SAML SSO with Okta

Who can use this feature?

๐Ÿ”’ Users on the Figma Organization Plan
๐Ÿ‘ค Only Organization Admins can configure SAML SSO
๐Ÿ‘ค You will need to have an existing Okta account

Learn more about SAML SSO in our Getting Started with SAML SSO article.

Figma supports both Identity Provider and Service Provider initiated SAML. Our integration with Okta supports both Authentication and Provisioning for SAML.

To configure SAML SSO with Okta:

  1. Add Figma to Okta
  2. Configure SAML SSO in Figma
  3. Configure SAML SSO in Okta
  4. Set up Automatic Provisioning via SCIM

Add Figma to Okta

First, you will need to add the Figma Okta app to your Okta account. This will allow you to generate a IdP Metadata URL, which you'll need to connect Okta to Figma.

  1. Log in to your Okta account and head to the Applications page.
  2. Select Add Application from the options.
  3. Search for Figma and click the Add button to add Figma to your account:
  4. Once installed, you can go to the Sign On page.
  5. Right click on the Identity Provider Metadata link and choose Copy link address. The link should look like this: https://example.okta.com/app/abc123/sso/saml/metadata

Configure SAML SSO in Figma

Next you'll need to set up SAML SSO in Figma.

  1. Open the Admin Console:

    Click on the Organizationโ€™s name in the File Browser and go to the Settings tab.

  2. In the General tab, find the Log in and Provisioning section.
  3. Click the Update Log In Settings link.
  4. Click the Configure SAML button at the bottom of the SAML SSO section.
  5. Select Okta from the options.
  6. Enter the IdP Metadata IRL you got from Okta. Click Review.
  7. Check the box to confirm This information is correct... and click Configure SAML SSO.
  8. Click the Copy link next to your Tenant ID. You'll need this to complete the set up process in Okta.

Configure SAML SSO in Okta

Now you have your Tenant ID, you can complete the configuration process in Okta. You can also map User Attributes between applications.

Configure SAML SSO

  1. Open the Figma app in Okta.
  2. Go to Sign On tab and click Edit.
  3. Scroll down to the Advanced Sign-On Settings section.
  4. Enter your Tenant ID in the field provided.
  5. In the Application username format field, select Email from the options.
  6. Click Save to complete the process.

Log in via Figma (SP initiated SSO) To start the SAML SSO process from Figma's end, you can head to the following URL:  https://www.figma.com/saml/[TenantID]/start

Assign Users to the Application

Now that everything is set up, you can start assigning users to the application. As part of this process, you may be asked to provide additional information about each user.

Figma supports some basic attributes, as well as Attributes only available tom SCIM Enterprise users.

Head to the  Assignments tab (on the far right) to start adding users to the application.

Supported Basic Attributes

Variable Name External Name External Namespace Suggested Mapping
givenName givenName urn:ietf:params:scim:schemas:core:2.0:User user.firstName
familyName  familyName urn:ietf:params:scim:schemas:core:2.0:User user.lastName
displayName  displayName urn:ietf:params:scim:schemas:core:2.0:User user.displayName
title  title urn:ietf:params:scim:schemas:core:2.0:User user.title

 Supported SCIM Enterprise User Attributes 

Variable Name External Name External Namespace Suggested Mapping  
employeeNumber employeeNumber urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.employeeNumber
costCenter costCenter urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.costCenter
organization organization urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.organization
division division urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.division
department department urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.department
managerValue manager.value urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.managerId
managerDisplayName manager.displayName urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.manager

Note: Missing the SCIM Enterprise User attributes? Figma applications added in Okta prior to June 2019 may need to be upgraded. Please contact support@figma.com for assistance.

Set up Automatic Provisioning via SCIM

To set up Automatic Provisioning you will need to:

  1. Generate an API Token in Figma
  2. Configure Automatic Provisioning in Okta

We recommend having both of these windows open at the same time, to make that process easier.

Generate an API Token in Figma

  1. In Figma, click on your Organization and go to the Settings tab.
  2. On the General page click the Update Log in Settings link.
  3. In the SAML SSO section, copy the Tenant ID.
  4. In the SCIM Provisioning section, click Generate API Token.
  5. Copy the API Token value.

Configure Automatic Provisioning in Okta

 โœ… You'll need your API Token from Figma

  1. Open the Figma app in Okta.
  2. Go to the Provisioning tab in the Figma app.
  3. Click the Configure API Integration button.
  4. Check the box next to Enable API Integration.
  5. Enter the API Token in the field provided.
  6. Click Test API Credentials to ensure it's set up correctly.
  7. When you see the success message, click Save to apply:
  8. A few more options will now appear under the Provisioning section. Click on the To App option in the left-hand menu.


    IMPORTANT:
    Ensure all the following functions are enabled

      โœ… Create Users
      โœ… Update User Attributes
      โœ… Deactivate Users

  9. Click Save to apply.
Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.