Guide to SAML SSO
Who can use this feature
Supported on the Organization and Enterprise plan.
Only organization admins can configure SAML SSO.
Security Assertion Markup Language (SAML) is a security standard for logging into applications. Single Sign On (SSO) allows users to log into many applications or websites via one set of login details.
In a SAML SSO set up, the identity provider manages the organization's user accounts and credentials. The service provider (Figma) is the app or website that provides services to the user or organization.
When using SAML SSO, Figma won't store passwords for any accounts managed by Single Sign On. Members log in to the organization and authenticate using the organization's identity provider.
How SAML SSO works:
- Member attempts to log in to Figma via SAML SSO
- Figma sends a SAML request to the identity provider
- The identity provider checks this member's credentials
- The identity provider sends a response to Figma to verify the member's identity
- Figma accepts the response and logs the member into their Figma account
Note: Figma uses SAML 2.0 for all SAML SSO configurations. This includes configurations with supported identity providers and any custom configurations.
Set up SAML SSO
The process for configuring SAML will depend on your specific identity provider. We've outlined the general process for implementing SAML SSO below.
SAML SSO only applies to members of an organization. Guests can log in via Google SSO or their email and unique password, regardless of an organization's SAML SSO settings.
Confirm domains
Domains are the way we identify entities on the internet. They let Figma know who to treat as a member and who to treat as a guest. Domains and domain capture →
Organizations can have more than one domain, including subdomains. Organization admins can request to add or remove domains to their organization at any time.
For example: ACME Corp has three domains registered to their organization: acme.org, acmecorp.org, and dev.acme.org.
Anyone with an acme.org, acmecorp.org, or dev.acme.org email address is a member. Members can log in via SAML SSO.
Anyone with an email address that doesn't match those domains is a guest and can't log in via SAML. For example: name@gmail.com or name@notyourdomain.com.
Note: If you plan on using SAML SSO, you need to register every domain you want to use in Figma with your identity provider. Email aliases do not work with SAML SSO.
Caution: To keep access to existing files and projects, members need to have an account registered to their company email. We recommend ensuring everyone is using the right emails in Figma before you set up SAML SSO.
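The login flow described above and the member-or-guest decision based on registered domains, as an added example that is not Figma's code: a service provider receives the identity provider's SAML response, checks that it answers an outstanding request, was sent to the right ACS URL, was issued by the expected identity provider for this SP, is inside its validity window, and only then reads the asserted email address and classifies it against the organization's domain list. The SP Entity ID, SP ACS URL, IdP Entity ID, domain list and sample response are all constructed for this example; a real SP must also verify the XML signature on the assertion, which is not shown here.

```python
# Added example, not Figma's code: the checks a SAML service provider (SP)
# performs on an IdP response before logging a member in, followed by the
# member-or-guest decision from the organization's registered domains.
# SP_ENTITY_ID, SP_ACS_URL, IDP_ENTITY_ID, the domain list and the sample
# response are all constructed for this example. XML signature verification
# is also required in a real SP and is not shown here.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

SP_ENTITY_ID = "https://sp.example.test/saml/metadata"    # SP Entity ID (constructed)
SP_ACS_URL = "https://sp.example.test/saml/acs"           # SP ACS URL (constructed)
IDP_ENTITY_ID = "https://idp.acme.example/saml/metadata"  # from IdP metadata (constructed)
REGISTERED_DOMAINS = {"acme.org", "acmecorp.org", "dev.acme.org"}
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def is_member(email: str) -> bool:
    """Exact match against the registered list: dev.acme.org is a member
    domain only because it was registered, not because acme.org was."""
    return email.rsplit("@", 1)[-1].lower() in REGISTERED_DOMAINS


def _utc(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def validate_response(xml_text: str, request_id: str, now: datetime) -> str:
    """Return the asserted email, or raise ValueError on the first failed check."""
    root = ET.fromstring(xml_text)
    if root.get("InResponseTo") != request_id:
        raise ValueError("response is not for an outstanding request")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("response addressed to another ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("identity provider did not report success")
    a = root.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("missing assertion or unexpected issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion was issued for a different SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != request_id:
        raise ValueError("subject confirmation does not bind to this request")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)


def decide_login(xml_text: str, request_id: str, now: datetime = SAMPLE_NOW):
    """('member', email) when the member may be logged in via SAML SSO,
    ('guest', email) when the asserted address is outside the registered domains."""
    email = validate_response(xml_text, request_id, now)
    return ("member" if is_member(email) else "guest", email)


def build_sample_response(email, request_id, now=SAMPLE_NOW, audience=SP_ENTITY_ID):
    """Constructed, unsigned response in the shape an IdP returns to the ACS URL."""
    nb = (now - timedelta(minutes=1)).strftime("%Y-%m-%dT%H:%M:%SZ")
    noa = (now + timedelta(minutes=5)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1"
  Version="2.0" IssueInstant="{nb}" Destination="{SP_ACS_URL}" InResponseTo="{request_id}">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{nb}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{email}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" InResponseTo="{request_id}" NotOnOrAfter="{noa}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print(decide_login(build_sample_response("ana@dev.acme.org", "_req1"), "_req1"))
    print(decide_login(build_sample_response("name@gmail.com", "_req1"), "_req1"))
```

The audience and recipient checks are what stop an assertion minted for one service provider from being replayed against another, and the InResponseTo check is what ties the response to a login the SP actually started; the domain check runs last because it only matters once the assertion itself is trustworthy.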
Add Figma to your identity provider
This usually involves adding an app to your identity provider. Your identity provider will provide you with a Metadata URL during this process. This is a link to an XML document that Figma uses to connect to your identity provider and authenticate users when they log in.
Figma supports dedicated integrations with the following identity providers:
- Azure Active Directory (Azure AD)
- Okta
- OneLogin
- Google SSO*
- Active Directory Federation Services (AD FS)
Note: You can also set up a custom SAML configuration with a provider that isn't on this list. This will involve setting up a custom app with your identity provider. Set up a custom SAML configuration →
*If you want to use Google SAML SSO and SCIM, you need to set up a custom SAML configuration instead of using the Google SSO option. Learn more about Google SAML SSO →
Turn on SAML SSO in Figma
Next, you'll need to set up SAML SSO in Figma. This will:
- Turn on SAML SSO for your organization
- Connect your identity provider to your Figma account
- Let you choose what methods members can use to log in
Figma provides you with a Tenant ID, which you'll need to complete the configuration process with your provider.
You'll need to decide if logging in via SAML SSO is mandatory, or if users can still log in via email address and password. We recommend allowing logging in via any method during the setup process.
If you want to set up Google SSO, all users must log in via Google SSO. There is no way to make this optional or enable this for only some users. Set login or authentication method →
Set up SAML SSO in your identity provider
Complete the rest of the setup process with your identity provider. The articles below cover this process in detail.
- SAML SSO with Okta
- SAML SSO with Azure Active Directory
- SAML SSO with OneLogin
- SAML SSO for ADFS
- Set up a custom SAML configuration
For supported providers, you'll only need your Tenant ID. For custom configurations, you need both the SP Entity ID and SP ACS URL.
Set up SCIM provisioning (optional)
All SAML SSO configurations support "Just In Time" (JIT) or manual provisioning. JIT provisioning allows Figma to create and update users in Figma. JIT applies changes to a user's profile when they next log in, not when the admin makes changes.
You can choose to enable automatic provisioning via SCIM. SCIM pushes changes immediately and allows you to import and deactivate users.
- Supported identity providers: you can enable provisioning via SCIM. We include instructions for setting up automatic provisioning via SCIM in each provider's article.
- Custom SAML configuration: you can set up SCIM with your chosen identity provider. Learn more about setting up a custom SCIM configuration →
On the Organization plan, it's not possible to assign a person's role outside of Figma. Figma gives everyone who joins the organization an introductory viewer role. Roles in Figma →
On the Enterprise plan, you can also set member roles via SCIM. This allows you to set a member's Figma design and FigJam roles before they join the organization. If you set a member's role via SCIM, Figma will ignore the organization's default role settings.
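The timing difference between JIT and SCIM provisioning described above, as an added example that is not Figma's code: a constructed in-memory service-provider directory applies SCIM 2.0 create and patch requests (using the core User schema and PatchOp message from RFC 7643 and RFC 7644) the moment the identity provider sends them, while the JIT path can only act on the attributes carried by a member's next SAML login. The attribute names, the `Directory` class and the `timeline` walk-through are assumptions made for this example; Figma's own SCIM attribute set is not modelled.

```python
# Added example, not Figma's code: a constructed in-memory service-provider
# directory that shows how the two provisioning paths in the text differ.
# SCIM 2.0 requests (RFC 7643/7644 schemas) are applied the moment the
# identity provider sends them; Just In Time (JIT) provisioning can only act
# on the attributes carried by the member's next SAML login. Attribute names
# beyond the core SCIM User schema are not modelled.
from dataclasses import dataclass

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ATTRS = {"displayName": "display_name", "active": "active"}  # SCIM name -> field


@dataclass
class User:
    user_name: str
    display_name: str = ""
    active: bool = True


class Directory:
    """The SP's view of accounts, keyed by lower-cased email (constructed)."""

    def __init__(self):
        self.users = {}

    # SCIM path: the IdP pushes each change as soon as an admin makes it.
    def scim_create(self, body: dict) -> User:
        if SCIM_USER not in body.get("schemas", []):
            raise ValueError("body is not a SCIM User resource")
        user = User(body["userName"].lower(), body.get("displayName", ""), body.get("active", True))
        self.users[user.user_name] = user
        return user

    def scim_patch(self, user_name: str, body: dict) -> User:
        if SCIM_PATCH not in body.get("schemas", []):
            raise ValueError("body is not a SCIM PatchOp")
        user = self.users[user_name.lower()]
        for op in body["Operations"]:
            if op["op"].lower() != "replace":
                raise ValueError(f"unsupported op {op['op']!r}")
            # "path" names one attribute; without it, "value" is a dict of attributes
            changes = {op["path"]: op["value"]} if "path" in op else op["value"]
            for name, value in changes.items():
                if name not in ATTRS:
                    raise ValueError(f"unsupported attribute {name!r}")
                setattr(user, ATTRS[name], value)
        return user

    # JIT path: nothing reaches the SP until the member authenticates again.
    def jit_login(self, email: str, attributes: dict) -> User:
        user = self.users.setdefault(email.lower(), User(email.lower()))
        if not user.active:
            raise PermissionError("deactivated account")
        user.display_name = attributes.get("displayName", user.display_name)
        return user

    def can_log_in(self, email: str) -> bool:
        user = self.users.get(email.lower())
        return user is not None and user.active


def timeline() -> dict:
    """Same admin actions on both paths; returns what the SP sees at each step."""
    seen = {}
    jit, scim = Directory(), Directory()
    # Day 0: the member logs in. JIT creates the account now; SCIM created it in advance.
    jit.jit_login("ana@acme.org", {"displayName": "Ana"})
    scim.scim_create({"schemas": [SCIM_USER], "userName": "ana@acme.org", "displayName": "Ana"})
    # Day 1: an admin renames the user in the IdP.
    rename = {"schemas": [SCIM_PATCH],
              "Operations": [{"op": "replace", "path": "displayName", "value": "Ana R."}]}
    scim.scim_patch("ana@acme.org", rename)
    seen["scim_name_before_next_login"] = scim.users["ana@acme.org"].display_name
    seen["jit_name_before_next_login"] = jit.users["ana@acme.org"].display_name
    # JIT only learns the new name from the attributes in the next assertion.
    seen["jit_name_after_next_login"] = jit.jit_login("ana@acme.org", {"displayName": "Ana R."}).display_name
    # Day 2: the admin deactivates the user in the IdP.
    deactivate = {"schemas": [SCIM_PATCH], "Operations": [{"op": "replace", "value": {"active": False}}]}
    scim.scim_patch("ana@acme.org", deactivate)
    seen["scim_active_after_deactivate"] = scim.can_log_in("ana@acme.org")
    # JIT has no deactivate message: the SP account stays active until something else disables it.
    seen["jit_active_after_deactivate"] = jit.can_log_in("ana@acme.org")
    return seen


if __name__ == "__main__":
    for step, value in timeline().items():
        print(f"{step}: {value}")
```

The last two entries are the security-relevant ones: with JIT alone the identity provider can stop issuing new assertions for a leaver, but nothing tells the service provider to deactivate the account, whereas the SCIM patch flips `active` to false the moment the admin acts.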
Need to make changes to your SAML SSO settings? You can edit your settings at any time.