Guide to SAML SSO

Related Videos

• Set login and authentication method

  Before you start

  Who can use this feature

  Supported on the Organization and Enterprise plan

  Only organization admins can adjust the organization's log in and authentication settings.

  Organization admins can choose what method members can use to log in to the organization. These settings will apply to any member that has an email address that matches your organization's domain(s).

  You can update these settings at any time. If you want to make change to your SAML SSO configuration, you will need to temporarily update these settings to allow members to log in via any methods.

  SAML SSO only applies to members of an organization. Guests can always log in to an organization using Google SSO or their email and password.

  Available methods

  The authentication methods you can choose from in an organization are:

  • Members may log in with any method, including email and password (default)
  • Members must log in with a Google account
  • Members must log in with SAML SSO

  Any method

  When authentication is set to "Members may log in with any method (default)", members can log in using any method. This includes Google SSO, SAML SSO, or a company email and unique password.

  To allow members to log in via SAML SSO, you still need to configure SAML SSO for your organization. 

  You can also use this setting to prevent members being locked out during the configuration process. This is handy when you're setting up or updating your SAML SSO settings, or switching to another identity provider. 

  Enforce Google SSO

  If you are using Google Workspaces to manage your company email, you have two approaches available for authentication.

  • Google SSO: Use Google's traditional single sign on (SSO) process. This allows members to log in using their Google managed email address and password.
  • Google SAML SSO: If you use SAML and SCIM with Google Workspace, you can set up a custom SAML SSO configuration with Figma.

  Enforce SAML SSO for members

  Organizations with enhanced security requirements can configure SAML SSO.

  SAML SSO lets you connect your external identity provider—like Okta, Onelogin, or Azure Active Directory— to Figma. Members can then log in and authenticate using a third-party provider.

  This also allows you to pre-provision members to Figma via SCIM. If you're on the Enterprise plan, you can also set member roles via SCIM.

  Once you have configure SAML SSO, you can choose if this is optional or required:

  • Select Members must log in with SAML SSO to make logging in via SAML SSO mandatory for members.
  • Select Members may log in with any method, including email and password to make SAML SSO optional.

  When you make SAML SSO mandatory, Figma will require members to use SAML SSO when they next log in. Guests can still use their company email address and password to access Figma.

  Set authentication method

  Adjust the authentication method in the organization's admin settings.

  1. Open the organization in Figma.
  2. Select Admin settings in the sidebar.
  3. Select the Settings tab at the top of the screen.
  4. In the Login and provisioning section, click the Authentication setting.
  5. Select your desired method and click Done to apply.
• Authenticate with Google (Google SSO)

  Who can use this feature

  Users on the Organization and Enterprise plans

  Only organization admins can configure SSO.

  If you are using Google Workspaces to manage your company email, you have two approaches available for authentication.

  • Google SSO: Use Google's traditional single sign on (SSO) process. This allows members to log in using their Google managed email address and password.
  • Google SAML SSO: If you use SAML and SCIM with Google Workspace, you can set up a custom SAML SSO configuration with Figma.

  Google SSO and SAML SSO only to members of the organization. Guests can log in with their external email address and a password.

  Google SSO

  You can enable Google SSO in your Figma Organization. Members must use the Log in with Google option to log in using their Google-managed company email and password.

  • Select Members must sign in with a Google Account to make Google SSO mandatory.
  • Select Members may log in with any method, including email and password to make Google SSO optional.

  Note: You can disable this requirement at any time, if required. Return to this page and select Members may sign in with any available method, including email and password instead. You will need to update your authentication method to this setting, if you want make changes to your SAML SSO or SCIM settings.

  Google SAML SSO

  Google also supports both SAML SSO and SCIM configurations. If you want to use Google SAML SSO and SCIM with Figma, you will need to:

  1. Set up a custom app for Figma in GSuite (Opens Google Support article)
  2. Decide if you want to make SAML SSO mandatory
  3. Set up a custom SAML configuration in Figma

  Note: We've heard that there can be delays when setting up a custom SAML SSO app with Google. If you see a "Not a SAML app" error, or similar, we recommend trying again in a few hours. Google has some recommendations for common errors:Troubleshoot single sign-on (SSO).

• SAML SSO with Okta

  Before you start

  Who can use this feature

  Supported on the Organization and Enterprise plans

  Only Organization Admins can set up SAML SSO.

  You will need to have an existing Okta account to set up SAML SSO with Okta.

  Organizations that have stricter security requirements can configure SAML SSO. Learn more about SAML SSO in Figma →

  You can use Okta as your identity provider to authenticate and provision users. Figma supports SAML SSO initiated from both Okta (identity provider) and Figma (service provider).

  Add the Figma app to Okta

  To connect Figma and Okta, you will first need to add the Figma app to your Okta account. This will generate a IdP Metadata URL, which you'll need to configure SAML SSO in Figma.

  1. Log in to your Okta account and head to the Applications page.
  2. Select Add Application from the options.
  3. Search for Figma and click the Add button to add Figma to your account.
  4. Once installed, go to the Sign On page.
  5. Right click on the Identity Provider Metadata link and choose Copy link address. The link should look like this: https://example.okta.com/app/abc123/sso/saml/metadata

  Set up SAML SSO in Figma

  Next you'll need to set up SAML SSO in your Organization's Admin Settings.

  1. Open Figma in the file browser.
  2. Click Admin Settings under the Organization name in the sidebar.
  3. Select Settings at the top of the screen.
  4. In the Login and provisioning section, click SAML SSO.
  5. Click Configure SAML and select Okta from the options.
  6. Enter the IdP Metadata IRL from Okta and click Review.
  7. Check the box to confirm This information is correct... and click Configure SAML SSO.
  8. Click the Copy link next to your Tenant ID. You'll need this to complete the set up process in Okta.

  You need to decide if logging in via SAML SSO is mandatory, or if users can still login via email address and password. Learn more about authentication options →

  Set up Figma in Okta

  Now you have your Tenant ID, you can complete the configuration process in Okta. You will need to configure the Figma app and mapping user attributes between applications.

  Configure SAML SSO

  1. Open the Figma app in Okta.
  2. Go to Sign On tab and click Edit.
  3. Scroll down to the Advanced Sign-On Settings section.
  4. Enter your Tenant ID in the field provided.
  5. In the Application username format field, select Email from the options.
  6. Click Save to complete the process.

  Log in via Figma (service provider initiated SSO) To start the SAML SSO process from Figma's end, head to the following URL: https://www.figma.com/saml/[TenantID]/start 

  Make sure to replace [Tenant ID] with your Organization's actual Tenant Id!

  Assign users to the application

  Now you can start assigning users to the application. As part of this process, you may be asked to provide additional information about each user.

  Figma supports some basic attributes, as well as attributes only available to SCIM Enterprise users.

  Start adding users to the application in the Assignments tab on the far right.

  Supported Basic Attributes

  Variable Name	External Name	External Namespace	Suggested Mapping
  givenName	givenName	urn:ietf:params:scim:schemas:core:2.0:User	user.firstName
  familyName	familyName	urn:ietf:params:scim:schemas:core:2.0:User	user.lastName
  displayName	displayName	urn:ietf:params:scim:schemas:core:2.0:User	user.displayName
  title	title	urn:ietf:params:scim:schemas:core:2.0:User	user.title

  Supported SCIM Enterprise User Attributes

  Variable Name	External Name	External Namespace	Suggested Mapping
  employeeNumber	employeeNumber	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.employeeNumber
  costCenter	costCenter	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.costCenter
  organization	organization	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.organization
  division	division	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.division
  department	department	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.department
  managerValue	manager.value	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.managerId
  managerDisplayName	manager.displayName	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.manager

  Note: Missing the SCIM Enterprise user attributes? Figma applications added in Okta prior to June 2019 may need to be upgraded. Please contact support@figma.com for assistance.

  Set up automatic provisioning with SCIM

  Okta also supports automatic provisioning with SCIM. To set up SCIM you will need to generate an API token in Figma then add this to Okta.

  We recommend having both windows open to make copying between the two easier.

  Generate an API token in Figma

  1. Click Admin Settings under the Organization name in the sidebar.
  2. Select Settings at the top of the screen.
  3. In the Login and provisioning section, click SCIM provisioning.
  4. Click Generate API Token in the dialog.
  5. Copy the API token to your clipboard. You'll need this to complete the process in Okta.

  Configure automatic provisioning in Okta

  Important! Make sure the following functions are enabled in Okta:

  • Create Users
  • Update User Attributes
  • Deactivate Users

  1. Open the Figma app in Okta.
  2. Go to the Provisioning tab in the Figma app.
  3. Click the Configure API Integration button.
  4. Check the box next to Enable API Integration.
  5. Enter the API Token in the field provided.
  6. Click Test API Credentials to ensure it's set up correctly.
  7. When you get a success message, click Save to apply.
  8. A few more options will now appear under the Provisioning section. Select To App in the left-hand menu.
  9. Click Save to apply.
• SAML SSO with OneLogin

  Before you start

  Who can use this feature

  Supported on the Organization and Enterprise plans

  Only Organization Admins can set up SAML SSO.

  You will need to have an existing OneLogin account

  Organizations that have stricter security requirements can configure SAML SSO. Learn more about SAML SSO in Figma →

  You can use OneLogin as your identity provider to authenticate and provision users. Figma supports SAML SSO initiated from both OneLogin (identity provider) and Figma (service provider).

  Add Figma to OneLogin

  First, you'll need to add the Figma App to your OneLogin account.

  1. Log in to your OneLogin account and go the Administration section.
  2. Head over to the Apps page and select Add Apps.
  3. Search for Figma in the Find apps field.
  4. On the Info tab, click Save to add the app to your Company Apps.
  5. You will then be able to access the additional configuration settings. Click on the SSO tab:
  6. Copy the contents of the Issuer URL field:

     

  Set up SAML SSO in Figma

  Next you'll need to set up SAML SSO in your Organization's Admin Settings.

  1. Open Figma in the file browser.
  2. Click Admin Settings under the Organization name in the sidebar.
  3. Select Settings at the top of the screen.
  4. In the Login and provisioning section, click SAML SSO.
  5. Click Configure SAML and select OneLogin from the options.
  6. Enter the IdP Metadata IRL from OneLogin and click Review.
  7. Check the box to confirm This information is correct... and click Configure SAML SSO.
  8. Click the Copy link next to your Tenant ID. You'll need this to complete the set up process in Okta.

  You need to decide if logging in via SAML SSO is mandatory, or if users can still login via email address and password. Learn more about authentication options →

  Configure SAML SSO in OneLogin

  Once you've received your confirmation and Tenant ID, you can complete the configuration process in OneLogin.

  1. Go back to the Figma App in OneLogin (Administration > Apps > Figma)
  2. Go to the Configuration Tab for the Figma app:

     

  3. Enter the Tenant ID that you copied from Figma.
  4. Click SAVE to complete the process.

  Set up automatic provisioning via SCIM

  To set up automatic provisioning you will need to:

  1. Generate an API Token in Figma
  2. Configure Automatic Provisioning in OneLogin
  3. Map Custom Attributes

  Tip! We recommend having both of these windows open at the same time, to make that process easier.

  Generate an API token in Figma

  1. Click Admin Settings under the Organization name in the sidebar.
  2. Select Settings at the top of the screen.
  3. In the Login and provisioning section, click SCIM provisioning.
  4. Click Generate API Token in the dialog.
  5. Copy the API token to your clipboard. You'll need this to complete the process in Okta.

  Configure SCIM in OneLogin

  You'll need your API Token from Figma

  1. Open the Figma app in OneLogin.
  2. Go to the Configuration Tab for the Figma app.
  3. Under API connection, enter your API token in the SCIM Bearer Token field.
  4. Click ENABLE.
  5. Go to the Provisioning tab and check the box next to Enable Provisioning.
  6. Select which provisioning actions you want to require administrator approval for. You can choose to enable this for:
     • Create User
     • Delete User
     • Update User
  7. Decide the appropriate action for When user accounts are suspended in OneLogin..

     

  Add custom attributes

  Some Figma attributes are mapped to OneLogin attributes by default:

  • Email
  • First Name
  • Last Name
  • NameID
  • SCIM Username
  • Title
  • Manager
  • Department

  Other SCIM Enterprise User attributes are optional. You will need to add these as custom user fields if you want to include them in your provisioning:

  • employeeNumber
  • costCenter
  • organization
  • division

  To create a custom field in OneLogin:

  1. Login to your OneLogin account.
  2. Go to Users > Custom User Fields in the main menu:
  3. Complete the New User Field inputs.
  4. Click SAVE to apply your changes.
• SAML SSO with Azure Active Directory

  Before you start

  Who can use this feature

  Supported on the Organization and Enterprise plans

  Only Organization Admins can set up SAML SSO.

  You will need to have an existing Microsoft Azure Active Directory account

  Organizations that have stricter security requirements can configure SAML SSO. Learn more about SAML SSO in Figma →

  You can use Okta as your identity provider to authenticate and provision users. Figma supports SAML SSO initiated from both Okta (identity provider) and Figma (service provider).

  Note: Microsoft recommends testing your SAML Configuration in a sandbox environment. You can do this before you configure Automatic Provisioning via SCIM. Find detailed instructions in Microsoft's Azure Active Directory SSO Integration with Figma article.

  Add Figma to Azure AD

  Add Figma to your Azure Portal and enable SAML SSO. This generates an App Federation Metadata URL, which you can then use to connect the two applications.

  1. Log in to your Azure Portal and using the left navigation menu open Azure Active Directory.
  2. Select Enterprise Applications and then All Applications.
  3. Click on the Enterprise Applications setting.
  4. In the Manage section, select All Applications.
  5. Click the + New application button.
  6. Search for Figma in the field provided and click Add to add the application to your portal.
  7. Go to the Single Sign-On configuration page.
  8. Set the Mode as SAML-based Sign-On.
  9. Copy the App Federation Metadata URL.

  Set up SAML SSO in Figma

  Next you'll need to set up SAML SSO in your Organization's Admin Settings.

  1. Open Figma in the file browser.
  2. Click Admin Settings under the Organization name in the sidebar.
  3. Select Settings at the top of the screen.
  4. In the Login and provisioning section, click SAML SSO.
  5. Click Configure SAML and select Microsoft Azure Active Directory.
  6. Enter the App Federation Metadata URL from Azure AD and click Review.
  7. Check the box to confirm This information is correct... and click Configure SAML SSO.
  8. Click the Copy link next to your Tenant ID. You'll need this to complete the set up process in Azure AD.

  You need to decide if logging in via SAML SSO is mandatory, or if users can still login via email address and password. Learn more about authentication options →

  Set up SAML SSO in Azure

  Complete these steps to configure SAML SSO in Azure Active Directory. You can choose to initiate SAML from the Azure Active Directory or Figma.

  Configure SAML SSO

  Remember: Swap the <TENANT ID> placeholder with the Tenant ID generated by Figma.

  1. In your Azure Portal open the Figma app.
  2. In the Manage section, select Single Sign-On
  3. On the Select a single sign-on method page, select SAML.
  4. Click the pen icon next to Basic SAML Configuration
  5. To configure in in IDP initiated mode:
     1. In the Identifier field enter the URL: https://www.figma.com/saml/<TENANT ID>
     2. In the Reply URL field enter the URL: https://www.figma.com/saml/<TENANT ID>/consume
  6. To configure in SP initiated mode:
     1. Click Set additional URLs
     2. In the Sign-on URL field enter the URL: https://www.figma.com/saml/<TENANT ID>/start

  Map user attributes

  Map your user attributes between Figma and Azure Active Directory.

  Required

  There are some required attributes that you will need to keep.

  GivenName	user.givenname
  Surname	user.surname
  Emailaddress	user.mail
  Name	user.userprincipalname
  Unique User Identifier	user.userprincipalname

  Pre-Populated

  Figma will pre-populate some other attributes. You can review and adjust these as required.

  externalId	user.mailnickname
  displayName	user.displayname
  title	user.jobtitle
  emailaddress	user.mail
  familyName	user.surname
  givenName	givenName
  userName	user.userprincipalname

  Test your SAML Configuration

  Microsoft recommends testing your SAML configuration before adding or importing your accounts.

  1. Create a test user in Azure AD.
  2. Assign the test user to Figma in Azure AD.
  3. Figma will create a corresponding test user account in Figma
  4. Test the SSO process with this user.

  Find detailed instructions in Microsoft Azure's Tutorial: Azure Active Directory single sign-on (SSO) integration with Figma.

  Set up automatic provisioning with SCIM

  You'll need an API token from Figma to set up SCIM in Azure AD. We recommend having both Figma and Azure AD open to make copying between them easier.

  Generate an API token in Figma

  1. Click Admin Settings under the Organization name in the sidebar.
  2. Select Settings at the top of the screen.
  3. In the Login and provisioning section, click SCIM provisioning.
  4. Click Generate API Token in the dialog.
  5. Copy the API token to your clipboard. You'll need this to complete the process in Okta.

  Configure SCIM in Azure AD

  Note: You'll need your Tenant ID and API Token from Figma. Remember to swap the <TENANT ID> placeholder in the URL below with the Tenant ID Figma generated.

  1. In your Azure Portal go to Enterprise Applications > All Applications
  2. Select the Figma app.
  3. Go to the Manage section select Provisioning.
  4. Set the Provisioning Mode to Automatic.
  5. Enter the following details in the Admin Credentials section:
     1. Enter the URL in the Tenant URL field: https://www.figma.com/scim/v2/<TenantID>
     2. Enter the API Token in the Secret Token field.
     3. Click Test Connection to make sure that Azure AD can connect to Figma.
  6. Enter the desired email address in the Notification Email field.
  7. Check the box next to Send an email notification when a failure occurs and click Save to apply.
  8. In the Mappings section, select Synchronize Azure Active Directory Users to Figma.
  9. In the Attribute Mappings section, review the Azure Active Directory Attribute and the corresponding Figma Attribute.
  10. Click the Save button to apply any changes.
  11. Under Settings, toggle the Provisioning Status > On.
  12. Define which users and/or groups you would like to provision to Figma. Choose from:
      • Sync all users and groups
      • Sync only assigned users and groups
  13. Click Save to apply your provisioning settings.

  Note: These instructions are modified from Microsoft Azure's Tutorial. Check out Configure Figma for automatic user provisioning for screenshots and detailed explanations.

• Set up SAML SSO for ADFS

  Before you start

  Who can use this feature

  Supported on the Organization and Enterprise plans

  Only Organization Admins can set up SAML SSO.

  Organizations that have stricter security requirements can configure SAML SSO. Learn more about SAML SSO in Figma →

  If you use Microsoft's Active Directory Federated Service (ADFS), you can set up SAML SSO for your Figma Organization.

  To use this integration you will need to:

  • Have an ADFS instance of 3.0 or later
  • Expose the SAML endpoint for ADFS

  You can use Micro as your identity provider to authenticate and provision users. Figma supports SAML SSO initiated from both Microsoft ADFS (identity provider) and Figma (service provider).

  Add Figma to ADFS

  Required information

  There are a few pieces of information that you'll need from Figma during the set up process. We recommend having this open in another tab or window, so you can quickly copy it across.

  1. Open Figma in the file browser.
  2. Click Admin Settings under the Organization name in the sidebar.
  3. Select Settings at the top of the screen.
  4. In the Login and provisioning section, click SAML SSO.
  5. Find the SP Entity ID and the SP ACS URL. You'll need both to set up the connection in ADFS.

  Tip! These URLs will look very similar as they both include your Tenant ID. The only difference is that your SP ACS URL will have /consume added to the end of it.

  You need to decide if logging in via SAML SSO is mandatory, or if users can still login via email address and password. Learn more about authentication options →

  Add Figma to your ADFS instance

  Now you need to add Figma as a "Relying Party Trust" to your ADFS instance.

  1. Open your ADFS instance.
  2. In the Actions column, click Add Relying Party Trust. This will open a wizard that will guide you through the set up process.
  3. On the Welcome screen, click “Start” to start the set up process.
  4. On the Select Data Source step, select Enter data about the relying party manually and click Next.

  5. Add a Display name, like Figma or similar, then click Next to proceed.

  6. On the Configure Certificate step, click the Browse button. Select ADFS profile from the options and click Next.
  7. On the Configure URL step, select Enable support for the SAML 2.0 WebSSO protocol

  8. On the same page, paste the Figma SP ACS URL in the field provided. The link should look something like this: https://www.figma.com/saml/123456789123456789/consume. Click Next to proceed.

  9. On the Configure Identifiers step, paste in your SP Entity ID in the Relying party trust identifier field. The link should look something like this: https://www.figma.com/saml/123456789123456789. Click Next to proceed.
  10. On the Choose Access Control Policy step, choose an access control policy. This determines who can authenticate their Figma account via SSO. Click Next to proceed.
  11. On the Ready to Add Trust step, click the Next button to complete the process.
  12. Click Close to finish the Wizard.

  Add attributes to ADFS

  Next, you need to add a rule to ADFS. This will ensure the integration sends LDAP attributes as claims.

  1. On the Edit Claim Issuance Policy page, click the Add rule button.
  2. Under Claim rule template, select Send LDAP Attributes as Claims. Click Next to proceed.
  3. On the Configure Claim Rule step:
     1. Enter a Claim rule name.
     2. For your Attribute store, select Active Director.
     3. In the LDAP Attribute... column, select E-Mail Address.
     4. In the Outgoing Claim Type... column, select E-Mail Address.
     5. Click Finish to complete the process and return to the Edit Claim Issuance Policy screen.
     
  4. Click Apply to apply the rule and return to the Issue Transform rules page.
  5. Click Add Rule to add a second Transform rule.
  6. Under Claim rule template, select Transform an Incoming Claim. Click Next to proceed.
  7. On the Configure Claim Rule step:
     1. For Claim rule name, enter Transform email address as NameID
     2. In the Incoming claim type, select E-Mail Address.
     3. In the Outgoing Claim Type column, select NameID
     4. In the Outgoing name ID format column, select Email
     5. Toggle Pass through all claim values.
     6. Click OK to complete the process and return to the Edit Claim Issuance Policy screen.
  8. Click Apply to apply the rules to your instance.

  Export signing certificate

  Now you'll need to export your Signing Certificate, usually called the X509 certificate. We use this to verify your Organization via your Identity Provider.

  1. In your ADFS instance, go to Service > Certifications
  2. Click on the certificate under Token-signing and select View Certificate. certificate
  3. Click Copy to File > Ok.
  4. Click Next on Certificate Export Wizard.
  5. Select Base-64 encoded... from the options and click Next.
  6. Name your certificate file figma.cer and click Next.
  7. Click Finish to export the certificate. ADFS will export the certificate to your configured downloads folder.

  Complete the set up process in Figma

  Now that you have everything set up in ADFS, you'll need to add your ADFS details to Figma. Our Set up a custom SAML configuration article takes you through that process.

  You'll need the following information from ADFS:

  • IdP Entity Id: This lets Figma know which Identity Provider you are using.
  • IdP SSO Target URL: Figma will use this link to connect to the Identity Provider when someone from your Organization attempts to login via SAML SSO. For ADFS, it should look something like this: https://sso.yourdomain.tld/adfs/ls/
  • Signing Certificate: This is the certificate that you have just downloaded.
• Set up a custom SAML configuration

  Before you start

  Who can use this feature

  Supported on the Organization and Enterprise plans

  Only Organization Admins can set up SAML SSO.

  You must use SAML 2.0 to set up SAML SSO with Figma.

  Organizations that have stricter security requirements can configure SAML SSO. Learn more about SAML SSO in Figma →

  If you do not use one of our supported identity providers, you can set up a custom SAML configuration. You must use SAML 2.0, Figma doesn't support earlier versions of SAML.

  Note: you will need the following information from your identity provider to set up SAML SSO in Figma:

  • IdP Entity Id: This lets us know which Identity Provider you are using.
  • IdP SSO Target URL: We will use this link to connect to the Identity Provider when someone from your Organization attempts to login via SAML SSO.
  • Signing Certificate: Usually called the X509 certificate. We use this to verify your Organization via your Identity Provider.

  Set up SAML SSO in Figma

  You need to decide if logging in via SAML SSO is mandatory, or if users can still login via email address and password. Learn about authentication options →

  1. Open Figma in the file browser and select Admin settings in the sidebar.
  2. Select Settings at the top of the screen.
  3. In the Log in and provisioning section, click SAML SSO.
  4. Figma will generate the information you need to complete the process with your identity provider. Find this in the Your configuration details are section.
  5. In the Identity provider section, select Other.
  6. Enter the details from your identity provider:
     • IdP Entity ID
     • IdP SSO Target URL
  7. Upload your Signing certificate and click Review.
  8. Check the box to confirm This information is correct... and click Configure SAML SSO.

  Complete the set up with your identity provider

  1. View the details of your SAML SSO configuration in Figma. You'll need these to complete the configuration process with your Identity Provider:
     • The SP Entity ID
     • The SP ACS URL
  2. Make sure to configure the NameId using the following format:  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

  Tip! You can address any typos, or update your SAML SSO configuration at any time. Return to these settings and click the Edit configuration button. Learn more about editing your SAML SSO settings →

• Edit a SAML configuration

  Who can use this feature

  Supported on the Organization and Enterprise plan.

  Only organization admins can configure SAML SSO.

  Organization admins can make changes to the SAML SSO settings at any time. This is perfect when you need to fix errors, update an expired certificate, or switch to another provider.

  You will need to update your Authentication settings to Members may log in with any method, including email and password to edit your configuration. This allows members to log in with email address and password, while you make any changes.

  Once the process is complete, you can enforce log in via SAML SSO for members.

  Update login method

  1. Open the organization in Figma.
  2. Select Admin settings in the sidebar.
  3. Select the Settings tab.
  4. In the Login and provisioning section, click Authentication.
  5. Select Members may log in with any method, including email and password.
  6. Click Done to return to the screen.
  7. Click on the SAML SSO option to adjust your settings.

  Set login or authentication method →

• Set up automatic provisioning via SCIM

  Before you start

  Who can use this feature

  Supported on the Organization and Enterprise plans

  Only Organization Admins can set up SAML SSO.

  All SAML SSO configurations in Figma support Just In Time (JIT) provisioning. This is manual provisioning which only applies any changes when a user next logs into their account, not when the Admin makes the changes. JIT supports creating and updating users in Figma.

  You can choose to enable automatic provisioning with SCIM. SCIM pushes any changes you make to Figma, as soon as they happen. SCIM also support importing and deactivating users.

  To set up automatic provisioning you will need to an API token in Figma and a SCIM URL. This will allow you to configure automatic provisioning in your identity provider.

  Copy your details from Figma

  To make the set up process easier, we recommend having both Figma and your identity provider open at the same time.

  You can generate an API token and find your Tenant ID on the Settings page of your Organization's Admin Settings:

  1. Open Figma and select Admin Settings in the sidebar.
  2. Select the Settings tab.

  Generate an API token

  1. In the Login and provisioning section, click SCIM provisioning.
  2. Click Generate API token.
  3. Copy the API token value.

  Find your Tenant Id

  Your identity provider will need a SCIM base URL to configure SCIM. Your Tenant Id will make up part of this URL.

  1. In the Login and provisioning section, click SAML SSO.
  2. Copy the Tenant ID.
  3. Use the tenant Id to create the SCIM base URL: https://www.figma.com/scim/v2/[tenant]

  Set up SCIM with your identity provider

  The process for setting up provisioning depends on your identity provider.

  Configure SCIM

  If you're using one of our supported identity providers, you can follow our help articles:

  • SAML SSO with Okta
  • SAML SSO with Azure Active Directory
  • SAML SSO with OneLogin

  If you're using an identity provider we haven't listed here, you can still set up SCIM with Figma.

  You'll need to set up SAML SSO configuration with your identity provider, before you can configure SCIM. This may require you to set up a custom application.

  We aren't able to provide documentation for custom configurations. Please reach out to your identity provider for any assistance with a custom configuration.

  IMPORTANT

  As part of the set up process with your identity provider, you'll need to choose which provisioning functions to use. Make sure the following functions are enabled:

  • Create Users
  • Update User Attributes
  • Deactivate Users

  Assign users to the application

  When you set up automatic provisioning, you will be asked to assign users to the application.

  As part of this process, you may be asked to provide additional information about each user. Figma supports the following common basic attributes, as well as some optional extras.

  Basic attributes

  Scroll to view table

  Variable Name	External Name	External Namespace	Suggested Mapping
  givenName	givenName	urn:ietf:params:scim:schemas:core:2.0:User	user.firstName
  familyName	familyName	urn:ietf:params:scim:schemas:core:2.0:User	user.lastName
  displayName	displayName	urn:ietf:params:scim:schemas:core:2.0:User	user.displayName
  title	title	urn:ietf:params:scim:schemas:core:2.0:User	user.title

  Advanced attributes

  Scroll to view table

  Variable Name	External Name	External Namespace	Suggested Mapping
  employeeNumber	employeeNumber	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.employeeNumber
  costCenter	costCenter	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.costCenter
  organization	organization	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.organization
  division	division	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.division
  department	department	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.department
  managerValue	manager.value	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.managerId
  managerDisplayName	manager.displayName	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.manager

  Note: It's not possible to assign permissions in Figma via your identity provider. Figma will add provisioned users to your Organization as viewers.

  This is a provisional role, which means there are no restrictions around upgrading.

  Learn more about members in an Organization →

  Display SCIM member metadata

  When you have SCIM set up, you can choose which of these attributes you want to access in Figma. That attribute will be shown in the Members tab alongside Figma's default data.

  1. Open Admin settings > Settings
  2. In the Other section, click Member metadata.
  3. Choose from Cost center, organization, division, or department.
  4. Figma will show this data in the Members tab. You'll be able to sort your member list based on this column.

  Guide to organization admin →