Meet FigJam, our new online whiteboard for teams to explore ideas together. Learn more.

···

    Guide to SAML SSO in Figma

    Before you start

    Who can use this feature

    Supported on the Figma Organization plan.

    Only organization admins can configure SAML SSO.

    SAML SSO only applies to members of an organization. Guests can always log in to an organization via Google SSO or using their email and a unique password.

    Organizations that need enhanced security requirements can configure SAML SSO.

    Security Assertion Markup Language (SAML) is a security standard for logging into applications. Single Sign On (SSO) allows users to log into many applications or websites via one set of login details.

    In a SAML SSO set up, the identity provider manages the organization's user accounts and credentials. The service provider is the app or website that provides services to the user or organization. Figma is a service provider in this scenario.

    SAML SSO only applies to members of an organization. Guests can't log in via SAML SSO, but can log in via Google SSO or their email and unique password.

    How SAML SSO works:

    1. Member attempts to log in to Figma via SAML SSO.
    2. Figma sends a SAML request to the identity provider.
    3. The identity provider checks this user's credentials.
    4. The identity provider sends a response to Figma to verify the user's identity.
    5. Figma accepts the response and logs the user into their Figma account.

    Note: Figma uses SAML 2.0 for all SAML SSO configurations. This includes configurations with any of our supported identity providers, as well as any custom configurations.

    Note: Passwords belonging to SSO-managed accounts aren't stored in Figma's infrastructure. 

    Set up SAML SSO

    The process for configuring SAML will depend on your specific identity provider. We've outlined the general process for implementing SAML SSO in your Organization below.

    Confirm your company domain(s)

    Domains are the way we identify entities on the internet. We can view domains in a website's URL www.figma.com or email address support@figma.com.

    Organization Admins will define what domains are associated with their business as part of the set up process. Organizations can have more than one domain, including subdomains. Learn more about domains and domain capture →

    Domains let Figma know who to treat as a member of the Organization, and who to treat as a guest. Only members of the organization can log in using SAML SSO.

    Tip! Guests can login using Google SSO, or their email address and a unique password. Learn how to log in to Figma →

    For example: ACME Corp has three domains registered to their Figma Organization: acme.org, acmecorp.org, and dev.acme.org.

    • Anyone with an acme.org, acmecorp.org, or dev.acme.org email address is a member.
    • Anyone with an email address that doesn't match those domains is a guest and can't log in via SAML. For example: name@gmail.com or name@notyourdomain.com

    Note: If you plan on using SAML SSO, you will need to register each domain you want to use in Figma with your identity provider. Email aliases do not work with SAML SSO.

    Caution: For a member to access their existing files and projects in the Organization, they will need to be using their correct company email to join the Organization. We recommend making sure everyone is using their company email in Figma before you set up SAML SSO.

    Add Figma app to your identity provider

    This usually involves adding an app to your identity provider. Your identity provider will provide you with a Metadata URL during this process.

    This is an XML link that Figma will use to connect your identity provider, and authenticate users when they login.

    Figma supports dedicated integrations with the following identity providers:

    Note: You can also set up a custom SAML configuration with a provider that isn't on this list. This will involve setting up a custom app with your identity provider. Learn more about custom SAML configurations →

    *If you want to use Google SAML SSO and SCIM, you need to set up a custom SAML configuration instead of using the Google SSO option. Learn more about Google SAML SSO →

    Turn on SAML SSO in Figma

    Next, you'll need to set up SAML SSO in Figma. This does the following:

    • Turns on SAML SSO in your Organization
    • Connects your identity provider to your Figma account
    • Lets you decide if how members can login

    Figma will provide you with a Tenant ID as part of this process, which you'll need to complete the configuration process with your provider.

    You also need to decide if logging in via SAML SSO is mandatory, or if users can still login via email address and password. This only applies to members, guests can login via Google SSO or email and unique password.

    If you want to set up Google SSO, all users must login via Google SSO. There is no way to make this optional or enable this for only some users. Learn more about authentication options →

    Set up SAML SSO in your identity provider

    Complete the rest of the set up process with your identity provider. The articles below cover this process in detail.

    For supported providers, you'll only need your Tenant ID. For custom configurations, you'll need both the SP Entity ID and SP ACS URL.

    Set up SCIM provisioning (optional)

    All SAML SSO configurations support "Just In Time" (JIT) or manual provisioning. JIT provisioning allows Figma to create and update users in Figma.

    JIT only applies any changes to a user's profile when they next log into their account, not when the Admin first makes the changes.

    You can choose to enable automatic provisioning via SCIM. SCIM pushes any changes you make to Figma, as soon as they happen.

    SCIM gives you greater control as it allows you to also import and deactivate users.

    • Supported identity providers: you can enable provisioning via SCIM. We include instructions for setting up automatic provisioning via SCIM in each provider's article.
    • Custom SAML configuration: you can set up SCIM with your chosen identity provider.Learn more about setting up a custom SCIM configuration →

    Users can now access Figma using their company email address and password. If they have already been using Figma, they can log in to their account. If they are new to Figma, they can create a new account.

    When you provision a user with your identity provider, Figma will add them to your Organization as a Viewer. This is a provisional Role, which means there are no restrictions around upgrading.

    It's not possible to define a user's permissions via your identity provider. You can only manage a user's permissions in Figma. Learn more about managing members →

    Edit a SAML configuration

    Organization Admins can make changes to the SAML SSO settings at any time. This is perfect when you need to fix errors, update an expired certificate, or switch to another provider.

    You will need to update your Authentication settings to Members may log in with any method, including email and password to edit your configuration. This allows members to log in with email address and password, while you make any changes.

    1. Open Figma in the file browser.
    2. Select Admin Settings in the sidebar.
    3. Select the Settings tab at the top of the screen.
    4. In the Login and provisioning section, click the Authentication setting.
    5. Select Members may log in with any method, including email and password.
    6. Click Done to return to the screen.
    7. Click on the SAML SSO option to adjust your settings.

    Learn more about choosing an authentication method →

    Related Videos