Guide to SAML SSO – Figma Learn - Help Center

Who can use this feature

Available on the Organization and Enterprise plans

Organization admins only

Single Sign On (SSO) allows users to log into many applications or websites using an identity provider. Security Assertion Markup Language (SAML) is a security standard for managing authentication and access.

In a SAML SSO set up, the identity provider manages the organization's user accounts and credentials. The service provider (Figma) is the app or website that provides services to the user or organization.

When using SAML SSO, members log in to their Figma organization using the organization's identity provider.

How SAML SSO works:

Member attempts to log in to Figma via SAML SSO
Figma sends a SAML request to the identity provider
The identity provider checks this member's credentials
The identity provider sends a response to Figma to verify the member's identity
Figma accepts the response and logs the member into their Figma account

Note: Figma uses SAML 2.0 for all SAML SSO configurations. This includes configurations with supported identity providers and any custom configurations.

Set up SAML SSO

The process for configuring SAML will depend on your specific identity provider. We've outlined the general process for implementing SAML SSO below.

SAML SSO only applies to members of a Figma organization. Guests can log in via Google SSO or their email and unique password, regardless of an organization's SAML SSO settings.

For Figma for Government users: All users using the Figma for Government solution are required to use SAML SSO. Figma marketplace identity provider applications, such as Microsoft or Okta, are not compatible with Figma for Government. Please use the custom app SAML SSO setup flow, as described below, for your identity provider.

1. Confirm domains

Adding and verifying domains via domain capture lets us know who to treat as a member and who to treat as a guest.

For example: ACME Corp has three domains registered to their organization: acme.org, acmecorp.org, and dev.acme.org.

Anyone with an acme.org, acmecorp.org, or dev.acme.org email address is a member. Members can log in via SAML SSO.

Anyone with an email address that doesn't match those domains is a guest and can't log in via SAML. For example: name@gmail.com or name@notyourdomain.com

Note: If you plan on using SAML SSO, you need to register every domain you want to use in Figma with your identity provider. Email aliases do not work with SAML SSO.

Caution: To keep access to existing files and projects, members need to have an account registered to their company email. We recommend ensuring everyone is using the right emails in Figma before you set up SAML SSO.

2. Add Figma to your identity provider

When you add Figma to your identity provider, they will provide you with a Metadata URL. This is an XML link that Figma uses to connect to your identity provider and authenticate users when they login.

Figma supports dedicated integrations with the following identity providers:

Note: You can also set up a custom SAML configuration with a provider that isn't on this list. This will involve setting up a custom app with your identity provider. Set up a custom SAML configuration →

3. Turn on SAML SSO in Figma

Next, you'll need to set up SAML SSO in Figma. This will:

Turn on SAML SSO for your organization
Connect your identity provider to your Figma account
Let you choose what methods members can use to log in

You'll need to decide if logging in via SAML SSO is mandatory, or if users can still login via email address and password. We recommend you allow logging in via any method during the set up process.

If you want to set up Google SSO, all users must login via Google SSO. There is no way to make this optional or enable this for only some users. Set login or authentication method →

4. Set up SAML SSO in your identity provider

Complete the rest of the set up process with your identity provider.

Note: Besides the username or nameid, Figma supports four attributes in a SAML assertion: givenName, familyName, displayName, and title. Figma will ignore any additional attributes.

5. Set up SCIM provisioning (optional)

All SAML SSO configurations support "Just In Time" (JIT) or manual provisioning. JIT provisioning allows Figma to create and update users in Figma.

When creating a user, Figma uses information from the four supported attributes in the SAML response from the identity provider.
When updating a user in the identity provider, changes will apply when the user next logs in.

You can choose to enable automatic provisioning via SCIM. SCIM pushes changes immediately and allows you to import and deactivate users.

Supported identity providers: you can enable provisioning via SCIM. We include instructions for setting up automatic provisioning via SCIM in each provider's article.
Custom SAML configuration: you can set up SCIM with your chosen identity provider. Learn more about setting up a custom SCIM configuration →

On the Organization plan, it's not possible to assign a person's seat type outside of Figma. Figma gives everyone who joins the organization a free View seat. Learn more about free and paid seats in Figma →

On the Enterprise plan, you can set members' seats via SCIM. This allows you to set someone's seat before they join the organization.

Need to make changes to your SAML SSO settings? You can edit your settings at any time.

6. Let your users know about the change

The first time a user logs into Figma using SSO, or after they are provisioned via SCIM, they'll receive a verification email from SendGrid. This email contains a unique 6-digit pin, which they'll use just once as an additional security measure during their initial login.

To make sure users don't mistake the email for spam or a phishing attempt, you may wish to let them know about this extra step in advance.