Getting Started with SAML SSO

     

    Before you start

    Who can use this feature

    Users on the Figma Organization Plan

    Only Organization Admins can configure SAML SSO.

    Organizations that need enhanced security requirements can configure SAML SSO.

    Security Assertion Markup Language (SAML) is a security standard for logging into applications.

    Single Sign On (SSO) allows users to log into many applications or websites via one set of login details.

    SAML SSO

    The Identity Provider (IdP) manages the Organization's user accounts and credentials.

    The Service Provider (SP) is the app or website that provides services to the User or Organization. That's Figma.

    1. The User attempts to log in to Figma via SAML SSO
    2. Figma creates a SAML request and sends this to the IdP
    3. The IdP checks this user's credentials to confirm they are correct
    4. The IdP sends a response to Figma to verify the user's identity
    5. Figma accepts the response and logs the user into their Figma account

    Set up SAML for an Organization

    The process for configuring SAML will depend on your specific Identity Provider. We've outlined the general process for implementing SAML SSO in your Organization below.

    1. Confirm your Company Domain(s)
    2. Add the Figma app to your IdP
    3. Configure SAML SSO in Figma
    4. Add your SAML details to your IdP
    5. Set up SCIM Provisioning
    6. Users Log In to Figma via SAML
    7. Manage Member Permissions in Figma

    Confirm your company domain(s)

    In a Figma Organization, Organization Admins can define any domains associated with the Organization. This allows anyone with a company email address to log in to the Organization e.g. name@figma.com.

    It's possible to define more than one domain for your Organization. For example: figma.com and dev.figma.com. You will need to register every domain with your Identity Provider for this to work with Figma.

    Everyone currently using Figma will need to be using their correct company email to join the Organization. Email aliases do not work with SAML SSO. 

    We recommend ensuring this is in place, before you set up SAML. This ensures current Figma users will be able to access Files and Projects from their existing login.

    Domain Capture controls how Figma treats accounts that match a company's domain(s). This includes adding and removing members, draft ownership, and more.

    Add the Figma app to your Identity Provider

    You will need to add a Figma app to your Identity Provider (IdP). During this process your Identity Provider will provide you with a Metadata URL.

    This is an XML link that we'll use to connect the two applications. We also use this link to authenticate your users when they log in to Figma.

    Figma has dedicated integrations with the following providers:

    Note: You can also set up a custom SAML configuration with a provider that isn't on this list. Learn more in our Set up a Custom SAML Configuration article.

    Enable SAML SSO in Figma

    Next, you'll need to set up SAML SSO in Figma. This does the following:

    • Enables SAML SSO in your Organization
    • Connects your IdP to your Figma account
    • Determines if login via SAML SSO is mandatory

    At this point, you can choose if users may or must log in via SAML. Learn more in our Make login via SAML SSO mandatory article.

    At the end of the configuration process, Figma will provide you with a Tenant ID. You will need this to complete the configuration process with your IdP.

    Note: If you want to set up Google SSO, all users must login via Google SSO. There is no way to make this optional or enable this for only some users.

    Add your SAML details to your IdP

    Complete the rest of the set up process with your IdP.

    • Supported Identity Providers: you'll only need the Tenant ID Figma created.
    • Custom SAML configuration: you'll need both the SP Entity ID and SP ACS URL Figma generated.

    Set up SCIM provisioning

    All SAML configurations support "Just In Time" (JIT) or manual provisioning.

    JIT provisioning allows Figma to create and update users in Figma.  JIT applies any changes to a user's profile when a user next logs in not when an Admin first makes the changes.

    System for Cross-domain Identity Management or SCIM is an automatic provisioning standard. SCIM pushes any changes you make in your identity provider to Figma, as soon as they happen. 

    As well as supporting the ability to create and update users, SCIM also allows you to import and deactivate users.

    If you're using a supported identity provider: you can enable provisioning via SCIM. We include instructions for setting up automatic provisioning via SCIM in each provider's article.

    If you are using a custom SAML configuration: you can set up SCIM with your chosen identity provider. Learn more in our Set up automatic provisioning via SCIM article.

    Manage member permissions in Figma

    It's not possible to define a user's permissions via your Identity Provider. You can only manage a user's permissions in Figma.

    For every user that you provision with your Identity Provider, Figma will add them to your Organization as a Viewer. This is a provisional Role, which means there are no restrictions around upgrading

    To manage user permissions:

    Learn more about Permissions in an Organization.

    SAML SSO setup complete

    Users can now access Figma using their company email address and password.

    Related Videos

    • Privacy and Security in an Organization

      Before you start

      Who can use this feature

      Users on Figma Organization Plan

      Users with Admin access can manage an Organization's settings.

      Figma Organization gives you greater control over what's shared within your business.

      Privacy and Security by Design

      Security is part of everything we do. It’s top of mind in how we work, treat customer data, and develop our product.

      • Figma has completed a SOC 2 Type II audit. SOC 2 is a security compliance standard for software companies in the United States. Its guidelines and policies help businesses, like Figma, protect customer data.
      • Figma is also certified under the EU-US and Swiss-US Privacy Shield Frameworks. Privacy Shield protects the transfer of customer data between the United States and European Union (EU).

      Check out Figma's Privacy and Security policies.

      Intellectual Property

      The Organization has ownership over all the Files created within the Organization. This includes Files within a member's Drafts, or Personal Space.

      When you remove a member, all their Teams, Files and Projects will stay in the Organization.

      Figma will also move Files a deleted member's Drafts to a shared folder in the Organization. Organization Admins can access these Files and delete or redistribute them.

      Link Access Controls

      You can choose which Files you want to share with your Organization. You can control how to share a File is via the File's Link Sharing settings.

      Link Sharing Discovery defines how members of your Organization can find Files.

      • Anyone with the link (including outside the Organization)
      • Anyone at <Organization> with the link
      • Anyone at <Organization> [Default]
      • Only people invited to the File

      Link Sharing Permissions setting determines what permissions they have on those Files.

      • Can View (Viewer) [Default]
      • Can Edit (Editor)

      In an Organization you can also choose to completely disable Link Sharing. This will prevent anyone from outside your Organization from viewing your Files.

      This is different from Link Sharing that is available on each File. To disable Link Sharing in your Organization, contact the Figma Support team.

      Permissions

      In a Team, Permissions determine how members can interact with Files and Projects in the Team.

      In an Organization, every member of an Organization has a Role and an Account Type. This controls what they can access, and how they interact with the Organization.

      • Register official company domains for email addresses
      • Invite members to your Organization as Members or Guests. Guests can only access resources you invite them to.
      • Set and update Permissions at any time. Downgrade members to Viewer [Restricted] to restrict their access.
      • Set different levels of Organization Access for Teams

      Learn more about Roles and Account Types in our Permissions in an Organization article.

      Activity Logs

      Activity Logs provide a record of how users are interacting with Files and resources. This allows you to track what's happening within your Organization:

      • See who is accessing, copying and sharing Files
      • Track changes made to Teams, Projects and File Permissions
      • View Activity for individual members
      • Track changes made by Organization Admins
      • Identify and prevent misuse of Organization Resources

      Learn more about viewing activity logs in an Organization.

      SAML SSO

      Organizations that need enhanced security requirements can configure SAML SSO.

      Security Assertion Markup Language (SAML) is a security standard for logging into applications.

      Single Sign On (SSO) allows users to log into many applications or websites via one set of login details.

      Figma has integrations with the following providers:

      You can also Set up a Custom SAML Configuration with a provider that isn't on this list.

      Learn more about getting started with SAML SSO.

      Two-Factor Authentication

      If you don't have SAML or Google SSO enabled, members of your Organization can add extra security via two-factor authentication (2FA).

      When enabled, members will need to confirm their identity every time they log in to Figma.

      Members will need to set this up individually, in their Account Settings. There isn't a way to enable 2FA or make it mandatory across an entire Organization.

      If you're using SAML SSO, you may be able to enable 2FA with your Identity Provider.

      Learn more about adding two-factor authentication to your account.

    • Domain capture in an Organization

      Before you start

      Who can use this feature

      Users on Figma Organization Plan

      Only Organization Admins can configure domain capture. Contact your Figma Account Manager for more information.

      Domain capture allows you to seamlessly on-board users into your Figma Organization.

      Organization Admins define which company domains are part of their Figma Organization. Domain capture controls how Figma treats accounts that match a company's domain(s).

      If you sign up for a Figma Organization with an Account Executive: domain capture will be on as part of the migration process.

      If you sign up for a Figma Organization in your Figma account: your Organization will not have Domain Capture. You can reach out to the Figma support team to turn this on for your Organization.

      Organizations with domain capture

      When domain capture is on, Figma will add accounts registered under a company email to the Organization. This applies to:

      • Any existing Figma accounts at the time of migration
      • Any new accounts created after the Organization is set up 

      ACME Corp has two domains registered to their Figma Organization: acme.org and dev.acme.org.

      They have already migrated their chosen teams to their Figma Organization account. They want ensure everyone at ACME is a part of the same Figma Organization, so they turn on domain capture.

      Figma will now add anyone with a verified company email to the existing Organization. This includes anyone that:

      • Uses an email address with an acme.org or dev.acme.org domain
      • Already has a Figma account registered under their company email
      • Creates a new Figma account using their company email

      Organizations without domain capture

      When domain capture is off, Figma won't automatically add accounts with company emails to the company's Organization.

      This allows companies to create separate teams or Organizations. Or, choose exactly which members they want to include in the Organization.

      This is particularly handy for:

      • Multi-nationals or decentralized companies that want to create more than one Figma Organization. For example: a separate Figma Organization for each department or location.
      • Companies that want to keep a mix of Professional Teams and Organizations. For example: an Organization for Product, and a Professional team for Brand.

      To add members to an Organization without domain capture:

      • Organization Admins can choose which teams and members to invite at migration
      • Existing members can invite other members to join the Organization 

      FASH Corp is a multi-national with teams in locations all around the world. They want each location to be its own Organization, so they can pay for them separately.

      The New York branch of FASH creates an Organization. They select their North American teams to migrate and register both fash.un and na.fash.un as domains.

      The Tokyo branch of FASH also creates an Organization. They select their APAC teams to migrate register both fash.un and ap.fash.un as domains.

      The Paris branch of FASH also creates an Organization. They select their European teams to migrate register both fash.un and eu.fash.un as domains.

      • Invite anyone with a fash.un email to any FASH Organization. This allows people to be members of all three Organizations.
      • Invite anyone with a na.fash.un email to the New York Organization
      • Invite anyone with a ap.fash.un email to the Tokyo Organization
      • Invite anyone with a eu.fash.un email to the Paris Organization
      • Members can create new accounts that aren't linked to the existing Organizations. This allows them to create a separate Professional team or Organization.

      What to expect

      Domain capture affects a couple of aspects of your Organization. 

      Add Members

      The options for adding members to an Organization are dependent on domain capture.

      Domain capture on

      Figma will add anyone with an account under a company email to the Organization.

      This includes existing Figma accounts. As well as any new accounts that users create after you establish the Organization.

      There are many ways to add members and guests to an Organization via domain capture:

      Domain capture off

      You will need to invite members to your Organization. They will need to use a company email on the same domain.

      You can invite them to a File, Project, Team, or the Organization:

      Note: If a user creates a new account with their company email, Figma won't add them to the existing Organization.

      You can still invite these members to your Organization using any of the methods above. To access the Organization, they can switch between their personal and Organization space. 

      Intellectual property

      Organizations usually have extra requirements or restrictions around privacy and security. One important factor protecting Intellectual Property and defining who owns what content.

      In an Organization, every member will have an Organization space and a Personal space. They can access these spaces from their Figma account.

      • Organization space: the teams, files, and resources that are part of your Organization.
      • Personal space: the teams you are a member of, that aren't part of that Organization. This could be teams that weren't migrated, or external teams you're a member of.

      Everything in the Organization Space is the intellectual property of the Organization.

      Domain capture on

      Figma will migrate any accounts with company emails into the new Figma Organization.

      Figma moves any Files in their Drafts to the Drafts in their Organization space. These will become the property of the Organization.

      Domain capture off

      When you're added to the Organization will determine where Figma moves your drafts.

      • At initial migration: Figma will move your Drafts into the Organization Space. They will then be the property of the Organization. They will remain there if you leave the Organization, or if an Organization Admin removes you.
      • After initial migration: your drafts will stay in your Personal Space. You keep ownership of these files if you leave the Organization. Or an Organization Admin removes you. 

      Remove members

      Everything in the Organization space is the intellectual property of the Organization. When you remove a member from your Organization, Figma will:

      • Immediately remove their access to the Organization Space
      • Prevent the user from accessing teams, files or libraries in the Organization.
      • Transfer ownership of any teams to the member with the highest permissions on that team.
      • Transfer ownership of their files and projects to an existing Editor.
      • Move any Drafts in the Organization Space to the Organization's Shared Projects folder. This will lock the files for other collaborators. Organization Admins will need to move the drafts to a new team or assign a new owner to unlock them.

      Domain capture on

      Users will no longer have access to the Figma account under their company email. This means they will also lose access to:

      • Drafts in their personal space
      • Any teams, files, and projects that were in their personal space

      Domain capture off

      Figma will detach the user's email address from the Organization. This allows them to access everything that was in their personal space.

      • Keep the existing Figma account they registered under their company email
      • Access any teams, files, and projects that were in their personal space
      • Access the Drafts in their personal space

       

    • Make Logging in via Google SSO Mandatory

      If you are using G Suite to manage your company email, then you can enable Google SSO in your Figma Organization.

      This requires members of your Organization to login using their Google managed email address. 

      An Organization Admin can enable this from the Admin Console:

      1.  Open the Admin Console in your Figma Organization:
        a. Click on the Organization’s name in the sidebar to open the Organization Page.
        b. Navigate to the Settings tab.
      1. In the General tab, find the Log in and Provisioning section. Click the Update Log In Settings link:
      2. Click the radio button next to Members must sign in with a Google Account
      3. A window will pop up which requires you to confirm the request. Check the box and click Change Sign In to proceed: 
      4. All members of your Organization will now be required to login using their Google-managed email address.

      Note: You can disable this requirement at any time, if required. To do so, you can return to this page and select the radio box next to Members may sign in with any available method, including email and password

    • Make SAML SSO mandatory in an Organization

      Organizations that need enhanced security requirements can configure SAML SSO.

      Single Sign On (SSO) allows users to log into many applications or websites via one set of login details.

      When you set up SAML SSO for your Organization, you can choose if users must log in via SAML. This requires members of your Organization to login using their company email via SAML SSO.

      When you make SAML SSO mandatory, Figma will require members to use SAML SSO when they next log in.

      Enforce SAML SSO

      An Organization Admin can adjust these settings from the Admin Console:

      1. Click on the Organization’s name in the sidebar to open the Organization Page.
      2. Go to the Settings tab to open the Admin Console.
      3. In the General tab, find the Log in and Provisioning section. Click the Update Log In Settings link.
      4. Click the radio button next to Members must sign in with SAML SSO.
      5. A window will pop up which requires you to confirm the request. Check the box and click Change Sign In to proceed.
      6. Members of your Organization must use SAML SSO when they next log in.

      Note: You can disable this requirement at any time, if required. Return to this page and select the radio box next to Members may sign in with any available method, including email and password.

    • Configure and Provision SAML SSO with Okta

      Before you Start

      Who can use this feature

      Users on the Figma Organization Plan

      Only Organization Admins can configure SAML SSO.

      You will need to have an existing Okta account to configure SAML SSO with Okta.

      Learn more about SAML SSO in our Getting Started with SAML SSO article.

      Figma supports both Identity Provider and Service Provider initiated SAML. Our integration with Okta supports both Authentication and Provisioning for SAML.

      Add Figma to Okta

      First, you will need to add the Figma Okta app to your Okta account. This will allow you to generate a IdP Metadata URL, which you'll need to connect Okta to Figma.

      1. Log in to your Okta account and head to the Applications page.
      2. Select Add Application from the options.
      3. Search for Figma and click the Add button to add Figma to your account:
      4. Once installed, you can go to the Sign On page.
      5. Right click on the Identity Provider Metadata link and choose Copy link address. The link should look like this: https://example.okta.com/app/abc123/sso/saml/metadata

      Configure SAML SSO in Figma

      Next you'll need to set up SAML SSO in Figma. You can do this in the Admin Console.

      1. Click on the Organization’s name in the File Browser and go to the Settings tab.
      2. In the General tab, find the Log in and Provisioning section.
      3. Click the Update Log In Settings link.
      4. Decide if you want to Make login via SAML SSO mandatory.
      5. Click the Configure SAML button at the bottom of the SAML SSO section.
      6. Select Okta from the options.
      7. Enter the IdP Metadata IRL you got from Okta. Click Review.
      8. Check the box to confirm This information is correct... and click Configure SAML SSO.
      9. Click the Copy link next to your Tenant ID. You'll need this to complete the set up process in Okta.

      Configure SAML SSO in Okta

      Now you have your Tenant ID, you can complete the configuration process in Okta. You can also map User Attributes between applications.

      Configure SAML SSO

      1. Open the Figma app in Okta.
      2. Go to Sign On tab and click Edit.
      3. Scroll down to the Advanced Sign-On Settings section.
      4. Enter your Tenant ID in the field provided.
      5. In the Application username format field, select Email from the options.
      6. Click Save to complete the process.

      Log in via Figma (SP initiated SSO) To start the SAML SSO process from Figma's end, you can head to the following URL:  https://www.figma.com/saml/[TenantID]/start

      Assign Users to the Application

      Now that everything is set up, you can start assigning users to the application. As part of this process, you may be asked to provide additional information about each user.

      Figma supports some basic attributes, as well as Attributes only available to SCIM Enterprise users.

      Head to the  Assignments tab (on the far right) to start adding users to the application.

      Supported Basic Attributes

      Variable Name External Name External Namespace Suggested Mapping
      givenName givenName urn:ietf:params:scim:schemas:core:2.0:User user.firstName
      familyName  familyName urn:ietf:params:scim:schemas:core:2.0:User user.lastName
      displayName  displayName urn:ietf:params:scim:schemas:core:2.0:User user.displayName
      title  title urn:ietf:params:scim:schemas:core:2.0:User user.title

       Supported SCIM Enterprise User Attributes 

      Variable Name External Name External Namespace Suggested Mapping  
      employeeNumber employeeNumber urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.employeeNumber
      costCenter costCenter urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.costCenter
      organization organization urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.organization
      division division urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.division
      department department urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.department
      managerValue manager.value urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.managerId
      managerDisplayName manager.displayName urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.manager

       

      Note: Missing the SCIM Enterprise User attributes? Figma applications added in Okta prior to June 2019 may need to be upgraded. Please contact support@figma.com for assistance.

      Set up Automatic Provisioning via SCIM

      To set up Automatic Provisioning you will need to:

      1. Generate an API Token in Figma
      2. Configure Automatic Provisioning in Okta

      We recommend having both of these windows open at the same time, to make that process easier.

      Generate an API Token in Figma

      1. In Figma, click on your Organization and go to the Settings tab.
      2. On the General page click the Update Log in Settings link.
      3. In the SAML SSO section, copy the Tenant ID.
      4. In the SCIM Provisioning section, click Generate API Token.
      5. Copy the API Token value.

      Configure Automatic Provisioning in Okta

      Note: You'll need your API Token from Figma

      1. Open the Figma app in Okta.
      2. Go to the Provisioning tab in the Figma app.
      3. Click the Configure API Integration button.
      4. Check the box next to Enable API Integration.
      5. Enter the API Token in the field provided.
      6. Click Test API Credentials to ensure it's set up correctly.
      7. When you see the success message, click Save to apply:
      8. A few more options will now appear under the Provisioning section. Click on the To App option in the left-hand menu.

        Important! Ensure all the following functions are enabled

        • Create Users
        • Update User Attributes
        • Deactivate Users
      9. Click Save to apply.
    • Configure and Provision SAML SSO with Azure Active Directory

      Before you Start

      Who can use this feature

      Users on the Figma Organization Plan

      Only Organization Admins can configure SAML SSO.

      You will need to have an existing Microsoft Azure Active Directory account

      Learn more about SAML SSO in our Getting Started with SAML SSO article.

      Figma supports both IdP and SP initiated SAML. Our integration with Azure Active Directory supports both Authentication and Provisioning for SAML.

      Note: Microsoft recommends testing your SAML Configuration in a sandbox environment. You can do this before you configure Automatic Provisioning via SCIM. Find detailed instructions in Microsoft's Azure Active Directory SSO Integration with Figma article.

      Add Figma to Azure AD

      You will need to add Figma to your Azure Portal and enable SAML SSO. This will generate an App Federation Metadata URL, which connects the two applications.

      1. Log in to your Azure Portal and using the left navigation menu open Azure Active Directory.
      2. Select Enterprise Applications and then All Applications.
      3. Click on the Enterprise Applications setting.
      4. In the Manage section, select All Applications.
      5. Click the + New application button.
      6. Search for Figma in the field provided and click Add to add the application to your portal.
      7. Go to the Single Sign-On configuration page.
      8. Set the Mode as SAML-based Sign-On.
      9. Copy the App Federation Metadata URL.

      Configure SAML SSO in Figma

      Next you will need to set up the Azure Active Directory integration in Figma.

      1. Click on the Organization’s name in the File Browser and go to the Settings tab.
      2. In the General tab, find the Log in and Provisioning section.
      3. Click the Update Log In Settings link.
      4. Decide if you want to Make login via SAML SSO mandatory.
      5. Click the Configure SAML button at the bottom of the SAML SSO section:
      6. Select Microsoft Azure Active Directory from the options
      7. Enter the IdP Metadata IRL (App Federation Metadata URL) you got from Microsoft Azure. Click Review.
      8. Check the box to confirm This information is correct... and click Configure SAML SSO.
      9. Figma will show your configuration in the SAML SSO section.
      10. Click the Copy link next to your Tenant ID. Your Tenant ID will form the Tenant URL, which you'll need during the set up process in Azure: https://www.figma.com/saml/<<strong>TENANT ID</strong>>

      Configure SAML SSO in Azure

      Complete these steps to configure SAML SSO in Azure Active Directory. You can choose to initiate SAML from the IdP (Azure Active Directory) or SP (Figma).

      Configure SAML SSO

      Remember: Swap the <TENANT ID> placeholder with the Tenant ID generated by Figma.

      1. In your Azure Portal open the Figma app.
      2. In the Manage section, select Single Sign-On
      3. On the Select a single sign-on method page, select SAML.
      4. Click the pen icon next to Basic SAML Configuration
      5. To configure in in IDP initiated mode:
        1. In the Identifier field enter the URL: https://www.figma.com/saml/<TENANT ID>
        2. In the Reply URL field enter the URL: https://www.figma.com/saml/<TENANT ID>/consume 
      6. To configure in SP initiated mode:
        1. Click Set additional URLs
        2. In the Sign-on URL field enter the URL: https://www.figma.com/saml/<TENANT ID>/start

      Map User Attributes

      You can also map your User attributes in Azure Active Directory.

      Required

      There are some Required attributes that you will need to keep.

      GivenName user.givenname
      Surname user.surname
      Emailaddress user.mail
      Name user.userprincipalname
      Unique User Identifier user.userprincipalname
         

      Pre-Populated

      Figma will pre-populate some other attributes. You can review and adjust these as required.

      externalId user.mailnickname
      displayName user.displayname
      title user.jobtitle
      emailaddress user.mail
      familyName user.surname
      givenName givenName
      userName user.userprincipalname

      Test your SAML Configuration

      Microsoft recommends testing your SAML configuration before adding or importing your accounts.

      1. Create a Test User in Azure AD
      2. Assign the Test User to Figma in Azure AD
      3. Figma Creates a Corresponding Test User in Figma
      4. Test the SSO Process

      Find detailed instructions in  Microsoft Azure's Tutorial: Azure Active Directory single sign-on (SSO) integration with Figma.

      Set up Automatic Provisioning via SCIM

      To set up Automatic Provisioning you will need to enter an API token from Figma into Azure AD. We recommend having both of these windows open at the same time, to make that process easier.

      Generate an API Token in Figma

      1. In Figma, click on your Organization and go to the Settings tab.
      2. On the General page click the Update Log in Settings link.
      3. In the SAML SSO section, copy the Tenant ID.
      4. In the SCIM Provisioning section, click Generate API Token.
      5. Copy the API Token value.

      Configure Automatic Provisioning in Azure AD

      Note: You'll need your Tenant ID and API Token from Figma. Remember to swap the <TENANT ID> placeholder with the Tenant ID generated by Figma.

      1. In your Azure Portal go to Enterprise Applications > All Applications
      2. Select the Figma app.
      3. In the Manage section select Provisioning
      4. Set the Provisioning Mode to Automatic
      5. In Admin Credentials section:
        1. Enter the following in the Tenant URL: https://www.figma.com/scim/v2/<TenantID>  
        2. Enter the API Token in the Secret Token field.
        3. Click Test Connection to make sure that Azure AD can connect to Figma.
      6. Next you will need to set up a notification for any failures:
        1. Enter the desired email address in the Notification Email field.
        2. Check the box next to Send an email notification when a failure occurs.
        3. Click Save to apply.
      7. Next you can review your User Attribute Mappings:
      8. In the Mappings section, select Synchronize Azure Active Directory Users to Figma.
      9. In the Attribute Mappings section, review the Azure Active Directory Attribute and the corresponding Figma Attribute.
      10. Click the Save button to apply any changes.
      11. In the Settings section you can:
        1. Toggle the Provisioning Status > On.
        2. Define which users and/or groups you would like to provision to Figma. Choose from:
          • Sync all users and groups
          • Sync only assigned users and groups
      12. Click Save to apply your provisioning settings.

      Note: These instructions are modified from Microsoft Azure's Tutorial. Check out Configure Figma for automatic user provisioning for screenshots and detailed explanations.

    • Configure and Provision SAML SSO with OneLogin

      Before you Start

      Who can use this feature

      Users on the Figma Organization Plan

      Only Organization Admins can configure SAML SSO.

      You will need to have an existing OneLogin account

      Learn more about SAML SSO in our Getting Started with SAML SSO article.

      Figma supports both Identity Provider and Service Provider initiated SAML. Our integration with OneLogin supports both Authentication and Provisioning for SAML.

      Add Figma to OneLogin

      First, you'll need to add the Figma App to your OneLogin account.

      1. Log in to your OneLogin account and go the Administration section.
      2. Head over to the Apps page and select Add Apps.
      3. Search for "Figma" in the Find apps field.
      4. On the Info tab, click Save to add the app to your Company Apps.
      5. You will then be able to access the additional configuration settings. Click on the SSO tab:
      6. Copy the contents of the Issuer URL field:

      Configure SAML SSO in Figma

      Next you'll need to set up SAML SSO in Figma.

      1. Open the Admin Console: Click on the Organization’s name in the File Browser and go to the Settings tab.
      2. In the General tab, find the Log in and Provisioning section.
      3. Click the Update Log In Settings link.
      4. Decide if you want to Make login via SAML SSO mandatory.
      5. Click the Configure SAML button at the bottom of the SAML SSO section.
      6. Select Okta from the options.
      7. Enter the IdP Metadata IRL you got from Okta. Click Review.
      8. Check the box to confirm This information is correct... and click Configure SAML SSO.
      9. Click the Copy link next to your Tenant ID. You'll need this to complete the set up process in Okta.

      Configure SAML SSO in OneLogin

      Once you've received your confirmation and  Tenant ID, you can complete the configuration process in OneLogin.

      1. Go back to the Figma App in OneLogin (Administration > Apps > Figma)
      2. Go to the Configuration Tab for the Figma app:

      3. Enter the Tenant ID that you copied from Figma.
      4. Click SAVE to complete the process.

      Set up Automatic Provisioning via SCIM

      To set up Automatic Provisioning you will need to:

      1. Generate an API Token in Figma
      2. Configure Automatic Provisioning in OneLogin
      3. Map Custom Attributes

      Tip! We recommend having both of these windows open at the same time, to make that process easier.

      Generate an API Token in Figma

      1. In Figma, click on your Organization and go to the Settings tab.
      2. On the General page click the Update Log in Settings link.
      3. In the SCIM Provisioning section, click Generate API Token.
      4. Copy the API Token value.

      Configure Automatic Provisioning in OneLogin

      You'll need your API Token from Figma

      1. Open the Figma app in OneLogin.
      2. Go to the Configuration Tab for the Figma app.
      3. Under API connection, enter your API token in the SCIM Bearer Token field.
      4. Click ENABLE.
      5. Go to the Provisioning tab and check the box next to Enable Provisioning.
      6. Select which provisioning actions you want to require administrator approval for. You can choose to enable this for:
        • Create User
        • Delete User
        • Update User
      7. Decide the appropriate action for When user accounts are suspended in OneLogin..

      Add Custom Attributes

      Some Figma attributes are mapped to OneLogin attributes by default:

      Email First Name Last Name NameID SCIM Username Title Manager Department

      Other SCIM Enterprise User attributes are optional. You will need to add these as custom user fields if you want to include them in your provisioning:

      employeeNumber costCenter organization division

      To create a custom field in OneLogin:

      1. Login to your OneLogin account.
      2. Go to Users > Custom User Fields in the main menu:
      3. Complete the New User Field inputs.
      4. Click SAVE to apply your changes.
    • Set up SAML SSO for ADFS

      If you use Microsoft's Active Directory Federated Service (ADFS), you can set up SAML SSO for your Figma Organization.

      To use this integration you will need to:

      • Have an ADFS instance of 3.0 or later
      • Expose the SAML endpoint for ADFS

      Figma supports both identity provider and service provider initiated SAML. In this article, we'll only cover how to set up SAML initiated by the service provider (ADFS).

      Add Figma to ADFS

      Required information

      There are a few pieces of information that you'll need from Figma during the set up process. We recommend having this open in another tab or window, so you can quickly copy it across.

      1. In the File Browser, click on your Organization and go to the Settings tab.
      2. On the General page, click the Update Log in Settings link.
      3. In the SAML SSO section find the:
        • SP Entity ID
        • SP ACS URL

      Tip! These URLs will look very similar as they both include your Tenant ID. The only difference is that your SP ACS URL will have /consume added to the end of it.

      Add Figma to your instance

      Now you need to add Figma as a "Relying Party Trust" to your ADFS instance.

      1. Open your ADFS instance.
      2. In the Actions column, click Add Relying Party Trust. This will open a wizard that will guide you through the set up process. https://paper-attachments.dropbox.com/s_5A407347E66203089B4D4D0A79E33FE8E66A6080021E945AF8DD08F107AACD3D_1588197332390_Screenshot+2020-04-29+14.45.49.png
      3. On the Welcome screen, click “Start” to start the set up process.
      4. On the Select Data Source step, select Enter data about the relying party manually and click Next.

      5. Add a Display name, like Figma or similar, then click Next to proceed.

      6. On the Configure Certificate step, click the Browse button. Select ADFS profile from the options and click Next.
      7. On the Configure URL step, select Enable support for the SAML 2.0 WebSSO protocol

      8. On the same page, paste the Figma SP ACS URL in the field provided. The link should look something like this: https://figma.com/saml/123456789123456789/consume. Click Next to proceed. https://paper-attachments.dropbox.com/s_5A407347E66203089B4D4D0A79E33FE8E66A6080021E945AF8DD08F107AACD3D_1588209465768_Screenshot+2020-04-29+14.48.40.png

      9. On the Configure Identifiers step, paste in your SP Entity ID in the Relying party trust identifier field. The link should look something like this: https://figma.com/saml/123456789123456789. Click Next to proceed. https://paper-attachments.dropbox.com/s_5A407347E66203089B4D4D0A79E33FE8E66A6080021E945AF8DD08F107AACD3D_1588209490383_Screenshot+2020-04-29+14.49.23.png
      10. On the Choose Access Control Policy step, choose an access control policy. This determines who can authenticate their Figma account via SSO. Click Next to proceed. https://paper-attachments.dropbox.com/s_5A407347E66203089B4D4D0A79E33FE8E66A6080021E945AF8DD08F107AACD3D_1588209510113_Screenshot+2020-04-29+14.49.29.png
      11. On the Ready to Add Trust step, click the Next button to complete the process.
      12. Click Close to finish the Wizard.

      Add attributes to ADFS

      Next, you need to add a rule to ADFS. This will ensure the integration sends LDAP attributes as claims.

      1. On the Edit Claim Issuance Policy page, click the Add rule button. https://paper-attachments.dropbox.com/s_5A407347E66203089B4D4D0A79E33FE8E66A6080021E945AF8DD08F107AACD3D_1588209572512_Screenshot+2020-04-29+14.51.13.png
      2. Under Claim rule template, select Send LDAP Attributes as Claims. Click Next to proceed. https://paper-attachments.dropbox.com/s_5A407347E66203089B4D4D0A79E33FE8E66A6080021E945AF8DD08F107AACD3D_1588209587464_Screenshot+2020-04-29+14.51.24.png
      3. On the Configure Claim Rule step:
        1. Enter a Claim rule name.
        2. For your Attribute store, select Active Director.
        3. In the LDAP Attribute... column, select E-Mail Address.
        4. In the Outgoing Claim Type... column, select E-Mail Address.
        5. Click Finish to complete the process and return to the Edit Claim Issuance Policy screen.
        https://paper-attachments.dropbox.com/s_5A407347E66203089B4D4D0A79E33FE8E66A6080021E945AF8DD08F107AACD3D_1588209621441_Screenshot+2020-04-29+14.52.17.png
      4. Click Apply to apply the rule and return to the Issue Transform rules page.
      5. Click Add Rule to add a second Transform rule.
      6. Under Claim rule template, select Transform an Incoming Claim. Click Next to proceed.
      7. On the Configure Claim Rule step:
        1. For Claim rule name, enter Transform email address as NameID
        2. In the Incoming claim type, select E-Mail Address.
        3. In the Outgoing Claim Type column, select NameID
        4. In the Outgoing name ID format column, select Email
        5. Toggle Pass through all claim values
        6. Click OK to complete the process and return to the Edit Claim Issuance Policy screen.
      8. Click Apply to apply the rules to your instance.

      Export signing certificate

      Now you'll need to export your Signing Certificate, usually called the X509 certificate. We use this to verify your Organization via your Identity Provider.

      1. In your ADFS instance, go to Service > Certifications
      2. Click on the certificate under Token-signing and select View Certificate. certificate https://paper-attachments.dropbox.com/s_5A407347E66203089B4D4D0A79E33FE8E66A6080021E945AF8DD08F107AACD3D_1588209659955_Screenshot+2020-04-29+14.53.27.png
      3. Click Copy to File > Ok.
      4. Click Next on Certificate Export Wizard.
      5. Select Base-64 encoded... from the options and click Next.
      6. Name your certificate file figma.cer and click Next.
      7. Click Finish to export the certificate. ADFS will export the certificate to your configured downloads folder.

      Complete the set up process in Figma

      Now that you have everything set up in ADFS, you'll need to add your ADFS details to Figma. Our Set up a custom SAML configuration article takes you through that process.

      You will need the following information from ADFS.

      • IdP Entity Id: This lets us know which Identity Provider you are using.
      • IdP SSO Target URL: We will use this link to connect to the Identity Provider when someone from your Organization attempts to login via SAML SSO. For ADFS, it should look something like this: https://**sso.yourdomain.tld**/adfs/ls/
      • Signing Certificate: This is the certificate that you have just downloaded.
    • Set up a custom SAML configuration

      You'll also need some additional information from your Identity Provider (idP).

      If you do not use one of our supported Identity Providers, you can set up a custom SAML configuration.

      Note: you will need the following information from your Identity Provider:

      • IdP Entity Id: This lets us know which Identity Provider you are using.
      • IdP SSO Target URL: We will use this link to connect to the Identity Provider when someone from your Organization attempts to login via SAML SSO.
      • Signing Certificate: Usually called the X509 certificate. We use this to verify your Organization via your Identity Provider.
      1. Open the Admin Console in your Figma Organization:
      2. In the General tab, find the Log in and Provisioning section. Click the Update Log In Settings link.
      3. Decide if you want to Make login via SAML SSO mandatory.
      4. At the bottom of the SAML SSO section click Configure SAML
      5. In the Identity Provider section, select Other.
      6. Enter the details from your Identity Provider:
        • IdP Entity ID
        • IdP SSO Target URL
      7. Upload your Signing Certificate.
      8. Click Review. Figma will prompt you to review and confirm the details are correct.
      9. Check the box to confirm This information is correct... and click Configure SAML SSO

        You will be able to address any typos, or update your settings. Return to the Log in and Provisioning page and click the Edit Configuration button.

      10. In the SAML SSO section, you can view the details of your configuration. You'll need these to complete the configuration process with your Identity Provider:
        • The SP Entity ID
        • The SP ACS URL

      Note: To complete the configuration with your Identity Provider, you will need to make sure you have configured the NameId correctly. The format you need to use is: Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

    See more