Manage seats via SCIM using Okta
In this guide, you'll learn how to manage seats in Figma using Okta. To get started, follow the steps below:
- Things to check before you start
- Configure Okta Groups for provisioning
- Disable your Okta provisioning and deprovisioning service
- Add custom attribute mappings for seatType
- Map custom attributes to Okta assignment groups
- Re-enable your Okta provisioning service
- Test user provisioning
- Re-enable your Okta deprovisioning service
Things to check before you start
- Install the Figma Application from the Okta App Catalog. This guide does not cover custom SAML configurations.
- Make sure you are an Okta Administrator who has scopes to Add/Update Groups and Applications as well as create custom attributes.
- Make sure you are an Organization admin in Figma and are on the Enterprise plan.
- Complete the section on 'Setting up automatic provisioning via SCIM' in Okta.
Configure Okta Groups for provisioning
Under Directory > Groups, you will need to create 4 different groups that represent all seat type combinations: Full, Dev, Collab, and View.
Here's what each of these access groups represents:
Okta Group Name | Description | Recommended Titles |
---|---|---|
Figma \| Full Seat | Users inherit access to Figma Design, Dev Mode, Figma Slides, and FigJam | |
Figma \| Dev Seat | Users inherit access to Dev Mode, Figma Slides, and FigJam | |
Figma \| Collab Seat | Users inherit access to Figma Slides and FigJam | |
Figma \| View Seat | Users inherit free, view and comment-only permissions to Figma products | |
Disable your Okta provisioning and deprovisioning service
Under Okta Admin > Applications > Applications > Figma > Provisioning, click Edit. Disable the settings Create User, Update User Attributes, and Deactivate Users, then click Save.
Add custom attribute mappings for seatType
- Navigate to Applications > Figma > Provisioning > Figma Attribute Mappings.
- Click Go To Profile Editor.
- Click Add Attribute.
- You will need to create a single attribute for seatType using the following configuration details.
Display Name | Data Type | Variable Name | External Name | External Namespace |
---|---|---|---|---|
Seat type | string | seatType (Note that Okta will append 'figma.' to the front of the variable name AFTER saving.) | roles.^[type=='seatType'].value | urn:ietf:params:scim:schemas:core:2.0:User |
- Specify the following Enum Values:
Display Name | Value |
---|---|
Full | Full |
Dev | Dev |
Collab | Collab |
View | View |
- Set the Attribute Type to Group. Click Save.
Map custom attributes to Okta assignment groups
- Navigate to the Assignments tab within your Figma Application.
- Under the Groups filter, you will see assignment groups that will assign Figma for SSO (if configured) as well as for SCIM provisioning. Click the Assign drop-down menu and click Assign to Groups.
- Add the 4 groups you created in the Configure Okta Groups for Provisioning step.
- For each of the 4 groups, click the pencil icon and set the custom attribute seatType to the following values:
Group Name | seatType |
---|---|
Figma \| Full Seat | Full |
Figma \| Dev Seat | Dev |
Figma \| Collab Seat | Collab |
Figma \| View Seat | View |
- Click Save for each value.
- Within the Assignments view, set the Priority by dragging and dropping the Okta app assignment groups into the same order as in the table above. This ensures that, in the edge case where a user is assigned to multiple groups, the top-most group assigns the most permissive combination of licenses.
- Note that the assignment group model used in this guide assumes an Okta user will be assigned to a single Okta Group that assigns a single seat value.
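An added example (not part of the original guide, and not Figma's or Okta's code): a pre-flight check, run over an export of Okta group memberships, that reports the seat each user would receive under the priority order above and flags anyone who breaks the single-seat-group assumption. The user addresses, function names and the shape of the `roles` entry (inferred from the External Name `roles.^[type=='seatType'].value`) are assumptions.

```python
# Added example: pre-flight audit of seat-group assignments (constructed data).
# Group names, seat values and priority order are the ones from the tables above.
SEAT_GROUPS_BY_PRIORITY = [
    ("Figma | Full Seat", "Full"),
    ("Figma | Dev Seat", "Dev"),
    ("Figma | Collab Seat", "Collab"),
    ("Figma | View Seat", "View"),
]
SEAT_BY_GROUP = dict(SEAT_GROUPS_BY_PRIORITY)
PRIORITY = {name: rank for rank, (name, _) in enumerate(SEAT_GROUPS_BY_PRIORITY)}


def effective_seat(groups):
    """Return (seatType, seat groups held); seatType is None if unassigned."""
    held = sorted((g for g in groups if g in SEAT_BY_GROUP), key=PRIORITY.get)
    return (SEAT_BY_GROUP[held[0]] if held else None), held


def scim_roles(seat_type):
    """Assumed shape of the entry addressed by roles.^[type=='seatType'].value."""
    return [{"type": "seatType", "value": seat_type}]


def audit(memberships):
    """Map each user to the seat they would get, flagging violations of the
    one-seat-group-per-user assumption so they can be fixed before Force Sync."""
    report = {}
    for user, groups in memberships.items():
        seat, held = effective_seat(groups)
        report[user] = {
            "seatType": seat,
            "roles": scim_roles(seat) if seat else [],
            "multiple_seat_groups": held if len(held) > 1 else [],
        }
    return report


# Constructed sample memberships (hypothetical users, not real export data).
SAMPLE = {
    "ana@example.com": ["Figma | Dev Seat", "Engineering"],
    "bo@example.com": ["Figma | View Seat", "Figma | Full Seat"],
    "cy@example.com": ["Engineering"],
}

if __name__ == "__main__":
    for user, row in audit(SAMPLE).items():
        flag = "  <-- in multiple seat groups" if row["multiple_seat_groups"] else ""
        print(f"{user}: {row['seatType']}{flag}")
```

A user flagged here would receive the seat of the highest-priority group they hold, so a stale membership in a more permissive group silently overrides a lower seat.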
Re-enable your Okta provisioning service
Under Okta Admin > Applications > Applications > Figma > Provisioning, click Edit. Enable the settings Create User, Update User Attributes and click Save.
Note: You will enable Okta Deprovisioning after performing a successful test provision.
Test user provisioning
Before testing your mapping, remember to assign a test user to your groups. We recommend you test provisioning a seat from each group with a single test user.
- Assign a test user to one of your Okta assignment groups.
- Navigate to Applications > Figma > Provisioning.
- Ensure Provisioning to App: Create Users and Update Users are Enabled, at minimum.
- Under Figma Attribute Mappings click Force Sync – this will push any test SCIM users you have assigned to access groups to Figma.
- You can validate a successful SCIM push event under Applications > Figma > View Logs.
- Within Figma’s admin console, navigate to Members. You should see your test user reporting “Pending SCIM” with the appropriate license combination associated with that Okta App Assignment Group.
- You may repeat the above test for the following additional test case:
- Remove that test user from one Okta App Assignment Group and add them to another: this should update the user’s licenses in Figma.
Re-enable your Okta deprovisioning service
Under Okta Admin > Applications > Applications > Figma > Provisioning, click Edit. Enable the setting Deactivate Users and click Save.