SAML SSO with Okta
Before you start
Who can use this feature
Available on the Organization and Enterprise plans.
Organization admins only.
You will need to have an existing Okta account to set up SAML SSO with Okta.
Organizations that have stricter security requirements can configure SAML SSO. Learn more about SAML SSO in Figma →
You can use Okta as your identity provider to authenticate and provision users. Figma supports SAML SSO initiated from both Okta (identity provider) and Figma (service provider).
Add the Figma app to Okta
To connect Figma and Okta, you will first need to add the Figma app to your Okta account. This will generate an IdP Metadata URL, which you'll need to configure SAML SSO in Figma.
- Log in to your Okta account and head to the Applications page.
- Select Add Application from the options.
- Search for Figma and click the Add button to add Figma to your account.
- Once installed, go to the Sign On page.
- Right click on the Identity Provider Metadata link and choose Copy link address. The link should look like this:
https://example.okta.com/app/abc123/sso/saml/metadata
Set up SAML SSO in Figma
- From the file browser, click Admin.
- Select Settings at the top of the screen.
- In the Login and provisioning section, click SAML SSO.
- Click Configure SAML and select Okta from the options.
- Enter the IdP Metadata URL from Okta and click Review.
- Check the box to confirm This information is correct... and click Configure SAML SSO.
- Click the Copy link next to your Tenant ID. You'll need this to complete the setup process in Okta.
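Before ticking the confirmation box in the Review step, it helps to see what the IdP metadata actually declares. The following is an added example, not Figma's or Okta's code: it checks the metadata URL against the shape shown above and extracts the entity ID, SSO endpoints and signing-certificate SHA-256 fingerprint from a metadata document. The sample metadata, entity ID and certificate bytes are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample (not real Okta output); the certificate is placeholder bytes.
SAMPLE_CERT = base64.b64encode(b"constructed-placeholder-certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="http://www.okta.com/exkEXAMPLE">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>
        <ds:X509Certificate>{SAMPLE_CERT}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/abc123/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def check_metadata_url(url):
    """Return problems with the metadata URL; an empty list means it passes."""
    parts, problems = urlparse(url), []
    if parts.scheme != "https":
        problems.append("metadata URL is not https")
    if not parts.path.endswith("/sso/saml/metadata"):
        problems.append("path does not match the shape shown on the page")
    return problems

def summarize_idp_metadata(xml_text):
    """Extract the values an admin should review before confirming the setup."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("SAML metadata should not carry DTD or entity declarations")
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {(e.get("Binding") or "").rsplit(":", 1)[-1]: e.get("Location", "")
           for e in idp.findall(f"{{{MD}}}SingleSignOnService")}
    fingerprints = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") in (None, "signing"):  # no "use" covers signing and encryption
            for cert in kd.iter(f"{{{DS}}}X509Certificate"):
                der = base64.b64decode("".join((cert.text or "").split()))
                fingerprints.append(hashlib.sha256(der).hexdigest())
    problems = [f"SSO endpoint is not https: {loc}"
                for loc in sso.values() if not loc.startswith("https://")]
    if not fingerprints:
        problems.append("no signing certificate in metadata")
    return {"entity_id": root.get("entityID"), "sso": sso,
            "signing_sha256": fingerprints, "problems": problems}
```

Run `summarize_idp_metadata` on the XML downloaded from your own metadata URL and compare the result with what your Okta admin console shows for the Figma app.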
You need to decide if logging in via SAML SSO is mandatory, or if users can still log in via email address and password. Learn more about authentication options →
Set up Figma in Okta
Now that you have your Tenant ID, you can complete the configuration process in Okta. You will need to configure the Figma app and map user attributes between applications.
Configure SAML SSO
- Open the Figma app in Okta.
- Go to the Sign On tab and click Edit.
- Scroll down to the Advanced Sign-On Settings section.
- Enter your Tenant ID in the field provided.
- In the Application username format field, select Email from the options.
- Click Save to complete the process.
Log in via Figma (service provider initiated SSO)
To start the SAML SSO process from Figma's end, head to the following URL:
https://www.figma.com/saml/[TenantID]/start
Make sure to replace [TenantID] with your Organization's actual Tenant ID!
Assign users to the application
Now you can start assigning users to the application. As part of this process, you may be asked to provide additional information about each user.
Figma supports some basic attributes, as well as attributes only available to SCIM Enterprise users.
Start adding users to the application in the Assignments tab on the far right.
Supported Basic Attributes
Variable Name | External Name | External Namespace | Suggested Mapping |
givenName | givenName | urn:ietf:params:scim:schemas:core:2.0:User | user.firstName |
familyName | familyName | urn:ietf:params:scim:schemas:core:2.0:User | user.lastName |
displayName | displayName | urn:ietf:params:scim:schemas:core:2.0:User | user.displayName |
title | title | urn:ietf:params:scim:schemas:core:2.0:User | user.title |
Supported SCIM Enterprise User Attributes
Variable Name | External Name | External Namespace | Suggested Mapping |
employeeNumber | employeeNumber | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User | user.employeeNumber |
costCenter | costCenter | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User | user.costCenter |
organization | organization | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User | user.organization |
division | division | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User | user.division |
department | department | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User | user.department |
managerValue | manager.value | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User | user.managerId |
managerDisplayName | manager.displayName | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User | user.manager |
Note: Missing the SCIM Enterprise user attributes? Figma applications added in Okta prior to June 2019 may need to be upgraded. Please submit a request through our contact form for assistance.
- Select Account and file management from the list of issues.
- Select Managing users and teams.
- Under Subject, type in 'SSO / SAML' and provide details of your request in the description box.
Set up automatic provisioning with SCIM
Okta supports automatic provisioning with SCIM. To set up SCIM you will need to generate an API token in Figma then add this to Okta.
Tip: You can also use SCIM in Okta to manage seats for members in your organization and assign billing groups or workspaces.
Generate an API token in Figma
- From the file browser, click Admin.
- Select Settings at the top of the screen.
- In the Login and provisioning section, click SCIM provisioning.
- Click Generate API Token in the dialog.
- Copy the API token to your clipboard. You'll need this to complete the process in Okta.
Configure automatic provisioning in Okta
Make sure the following functions are enabled in Okta:
- Create users
- Update user attributes
- Deactivate users
Warning: If a user is deactivated in Okta, this will remove their Figma account from your organization and they will lose all permissions. If you reactivate the user in Okta and re-add them to your organization, someone will need to manually add them to their previous teams, projects and files.
- Open the Figma app in Okta.
- Go to the Provisioning tab in the Figma app.
- Click the Configure API Integration button.
- Check the box next to Enable API Integration.
- Enter the API Token in the field provided.
- Click Test API Credentials to ensure it's set up correctly.
- When you get a success message, click Save to apply.
- A few more options will now appear under the Provisioning section. Select To App in the left-hand menu.
- Click Save to apply.
Let your users know about the change
The first time a user logs in to Figma using SSO, or after they are provisioned via SCIM, they'll receive a verification email from SendGrid. This email contains a unique 6-digit PIN, which they'll use just once as an additional security measure during their initial login.
To make sure users don't mistake the email for spam or a phishing attempt, you may wish to let them know about this extra step in advance.