Provision Okta SAML SSO

IMPORTANT You can only use SAML SSO if you are on Figma’s Organizations plan(Currently in Beta). Learn more about Figma's plans here: https://www.figma.com/pricing

You will also need to have configured Figma with Okta SAML SSO, before being able to enable Automatic Provisioning. Check out our Configure Okta SAML SSO article to get started.

Provisioning Features

Okta automatically offers JIT provisioning, which supports the ability to Create and Update user accounts. We also recommend that you enable Automatic Provisioning via SCIM, as well.

This allows you to support the following actions:

  1. Create Users - Creating a user in Okta will automatically create a user in Figma, that is assigned to your Organization. Any users created via this process will have their Okta email validated automatically.
  2. Update Users - This allows any changes made to the user in Okta,(e.g. updating their name or email address) to be applied to the corresponding user account in Figma.
  3. Deactivate Users - If a user is unassigned in Okta, this will automatically deactivate their account in Figma. 

    Deactivating a user will automatically logout the user and remove them from the organisation, including any related files, projects or teams. Any drafts related to that user's account will also be made accessible to the Organization's admin(under the Shared Folders section).

    Tip! If the user would like to use the same email address for a personal account, they will be required to reset their password before they can create a new account with that address. They will no longer have access to any of the Organization's Files, including any Drafts on their company account

  4. Reactivate Users - When a user is re-assigned in Okta, this will automatically add them back to the Organization's account in Figma. They'll be prompted to log back in(using SSO, if required). Any previous file, project, or team roles must be restored manually.

Learn more about What is SCIM on Okta's website: https://www.okta.com/blog/2017/01/what-is-scim/

1 | Request an API Token from Figma

You'll need to reach out to the Figma Support team and let them know you want to set up provisioning with SCIM.

They will provider you with an API Token, which you can then use to set up provisioning in Okta.

2 | Provisioning with SCIM

Once you've received your API Token:

  1. In Okta, go to the Provisioning tab in the Figma app.
  2. Click the Configure API Integration button.
  3. Check the box next to Enable API Integration.
  4. Enter the API Token in the field provided.
  5. Click Test API Credentials to ensure it's set up correctly.
  6. When you see the success message, you can click Save to apply:
  7. A few more options will now appear under the Provisioning section
  8. Click on the To App option in the left-hand menu.

    Important: Ensure that the following functions are all enabled:
    1. Create Users.
    2. Update User Attributes.
    3. Deactivate Users.
  9. Click Save to apply.

Learn more