Before you Start
Who can use this feature
Users on the Figma Organization Plan
Only Organization Admins can configure SAML SSO.
Organizations with enhanced security requirements can configure SAML SSO.
Security Assertion Markup Language (SAML) is a security standard for logging into applications.
Single Sign On (SSO) allows users to log into many applications or websites via one set of login details.
The Identity Provider (IdP) manages the Organization's user accounts and credentials.
The Service Provider (SP) is the app or website that provides services to the User or Organization. That's Figma.
- The User attempts to log in to Figma via SAML SSO
- Figma creates a SAML request and sends this to the IdP
- The IdP checks this user's credentials to confirm they are correct
- The IdP sends a response to Figma to verify the user's identity
- Figma accepts the response and logs the user into their Figma account
Set up SAML for an Organization
The process for configuring SAML will depend on your specific Identity Provider. We've outlined the general process for implementing SAML SSO in your Organization below.
- Confirm your Company Domain(s)
- Add the Figma app to your IdP
- Configure SAML SSO in Figma
- Add your SAML details to your IdP
- Set up SCIM Provisioning
- Users Log In to Figma via SAML
- Manage Member Permissions in Figma
Confirm your company domain(s)
In a Figma Organization, Organization Admins can define any domains associated with the Organization. This allows anyone with a company email address, e.g. email@example.com, to log in to the Organization.
It's possible to define more than one domain for your Organization. For example: figma.com and dev.figma.com. You will need to register every domain with your Identity Provider for this to work with Figma.
Everyone currently using Figma will need to be using their correct company email to join the Organization. Email aliases do not work with SAML SSO.
We recommend ensuring this is in place before you set up SAML. This ensures current Figma users will be able to access Files and Projects from their existing login.
Domain Capture controls how Figma treats accounts that match a company's domain(s). This includes adding and removing members, draft ownership, and more.
Add the Figma app to your Identity Provider
You will need to add a Figma app to your Identity Provider (IdP). During this process your Identity Provider will provide you with a Metadata URL.
This is an XML link that we'll use to connect the two applications. We also use this link to authenticate your users when they log in to Figma.
Figma has dedicated integrations with the following providers:
Note: You can also set up a custom SAML configuration with a provider that isn't on this list. Learn more in our Set up a Custom SAML Configuration article.
Enable SAML SSO in Figma
Next, you'll need to set up SAML SSO in Figma. This does the following:
- Enables SAML SSO in your Organization
- Connects your IdP to your Figma account
- Determines if login via SAML SSO is mandatory
At this point, you can choose if users may or must log in via SAML. Learn more in our Make login via SAML SSO mandatory article.
At the end of the configuration process, Figma will provide you with a Tenant ID. You will need this to complete the configuration process with your IdP.
Note: If you want to set up Google SSO, all users must log in via Google SSO. There is no way to make this optional or enable this for only some users.
Add your SAML details to your IdP
Complete the rest of the setup process with your IdP.
- Supported Identity Providers: you'll only need the Tenant ID Figma created.
- Custom SAML configuration: you'll need both the SP Entity ID and SP ACS URL Figma generated.
Set up SCIM provisioning
All SAML configurations support "Just In Time" (JIT) or manual provisioning.
JIT provisioning allows Figma to create and update users in Figma. JIT applies any changes to a user's profile when the user next logs in, not when an Admin first makes the changes.
System for Cross-domain Identity Management (SCIM) is an automatic provisioning standard. SCIM pushes any changes you make in your identity provider to Figma, as soon as they happen.
As well as supporting the ability to create and update users, SCIM also allows you to import and deactivate users.
If you're using a supported identity provider: you can enable provisioning via SCIM. We include instructions for setting up automatic provisioning via SCIM in each provider's article.
If you are using a custom SAML configuration: you can set up SCIM with your chosen identity provider. Learn more in our Set up automatic provisioning via SCIM article.
Manage member permissions in Figma
It's not possible to define a user's permissions via your Identity Provider. You can only manage a user's permissions in Figma.
For every user that you provision with your Identity Provider, Figma will add them to your Organization as a Viewer. This is a provisional Role, which means there are no restrictions around upgrading.
To manage user permissions:
- Add a Member to your Organization
- Downgrade a Member in an Organization
- Upgrade a Member of your Organization
- Remove a Member from your Organization
- Grant a Member Admin Access
Learn more about Permissions in an Organization.
SAML SSO setup complete
Users can now access Figma using their company email address and password.