SAML SSO with Azure Active Directory
Before you start
- Supported on the Organization and Enterprise plans.
- Only organization admins can set up SAML SSO.
- You need an existing Microsoft Azure Active Directory tenant.
Organizations that manage users with Azure Active Directory can configure SAML SSO in Figma. Figma supports both identity-provider-initiated login (starting from Azure AD) and service-provider-initiated login (starting from Figma).
We recommend having both Figma and Azure AD open in separate tabs. This allows you to switch between them throughout the setup process.
Configure SAML in an active organization
Microsoft recommends testing SAML configurations in a sandbox environment. However, there isn’t a way to create a sandbox or test environment in Figma. We recommend testing the Figma application with a test user, such as yourself, or a small group of users first.
To make sure existing users can still access Figma during the setup process, leave the login and authentication method set to Members may log in with any method, including email and password (default). Members keep their current login while you configure and test SAML, so a misconfiguration cannot lock anyone out.
Once everything is up and running, you can update this setting to Members must log in with SAML SSO. Learn more in Microsoft's tutorial: Azure Active Directory SSO Integration with Figma.
Set up SAML SSO
Open SAML in Figma
Open your organization's SAML SSO settings in Figma. We'll come back to this page to configure SAML SSO in Figma, later on in the process.
- Open the organization in Figma.
- In the sidebar, select Admin settings.
- Select the Settings tab.
- In the Login and provisioning section, click Authentication.
- Make sure authentication is set to Members may log in with any available method... Click Done.
- From the Login and provisioning section, click SAML SSO.
- Figma opens a modal dialog with some key information for the SAML process:
- Tenant ID: 123456789123456789
- SP entity ID: https://www.figma.com/saml/123456789123456789
- SP ACS URL: https://www.figma.com/saml/123456789123456789/consume
- Figma uses your Tenant ID to generate your SP entity ID and SP ACS URL. You’ll need all three values when configuring SAML in Azure AD, and you’ll use the SP entity ID as the base of the Sign on URL for service-provider initiated authentication. These are https URLs; the Identifier and Reply URL you enter in Azure must match them exactly, scheme included.
Add Figma to Azure
Add Figma to your Azure portal.
- Open the Azure portal overview page.
- Select Enterprise applications.
- Open the All applications section.
- Click Add application to browse the Azure AD Gallery.
- Search for Figma and select the correct result.
- Click Create to add the application to Azure AD.
- Azure will show a success message and redirect you to the Figma application overview.
Assign a test user
Assign a test user to Figma in Azure. This allows you to complete the SAML setup process and test the application.
- Select Assign users and groups from the options.
- Click + Add user/group to open the assignments page.
- Under Users and groups, click None selected.
- Search for your test user. We recommend using your own account so that you can test the login at the end of the setup process.
- Click Select to add the user and return to the assignments page.
- Click Assign to return to the application page.
Configure SAML in Azure
Set up SAML in Azure. You’ll need the Tenant ID Figma provides to complete the process.
- Select Single sign-on in the panel.
- Select SAML from the options.
- Under Basic SAML Configuration, click Edit to make changes.
- Switch to the Figma tab in your browser.
- Next to the Tenant ID, click Copy.
- Switch to the Azure tab in your browser.
- Under Identifier (Entity ID), click Add identifier.
- Type https://www.figma.com/saml/ in the field provided, then paste your Tenant ID to complete the URL. This must match the SP entity ID shown in Figma's dialog.
- Copy the entire URL from the field to your clipboard.
- Under Reply URL (Assertion Consumer Service URL), click Add reply URL.
- Paste the entity ID URL in the field, then add /consume to the end of the link. This must match the SP ACS URL shown in Figma's dialog; Azure AD only sends SAML responses to reply URLs registered here, so check for typos and stray trailing slashes.
- In the Sign on URL (Optional) field, paste the entity ID URL again, then add /start to the end of the link. This is the URL used for service-provider initiated login.
- Click Save at the top of the screen.
- Click X in the top-right corner to return to the Figma application page.
Configure SAML in Figma
Now you can configure SAML in Figma. You’ll need the App Federation Metadata URL from Azure AD to complete the process in Figma.
- Open the Figma application in Azure AD and go to its Single sign-on page.
- Scroll down to the SAML Signing Certificate section.
- Next to App Federation Metadata Url, click Copy.
- Switch to the Figma tab in your browser.
- Click Configure SAML in the dialog.
- Select Microsoft Azure Active Directory from the options.
- Paste the link in the IdP metadata URL field.
- Click Review to make sure the details Figma read from the metadata are correct.
- Check the box next to This information is correct.
- Click Configure SAML SSO. Figma will return you to the Settings tab where you’ll see SAML SSO is now enabled.
Map user attributes
Map your user attributes between Figma and Azure Active Directory.
Figma expects certain attributes in the SAML response. Some of these are required attributes and some are pre-populated but optional. You can review and adjust the optional attributes.
- Switch to the Azure AD tab in your browser and make sure you’re on the SAML sign-on page.
- Find the Attributes & Claims section. Click the pencil icon to edit these attributes.
- You can review and adjust any optional attributes. Make sure you don’t remove or adjust any required attributes.
Name | Source attribute | Required
---|---|---
GivenName | user.givenname | Required
Surname | user.surname | Required
Emailaddress | user.mail | Required
Name | user.userprincipalname | Required
Unique User Identifier | user.userprincipalname | Required
displayName | user.displayname | Pre-populated (Optional)
title | user.jobtitle | Pre-populated (Optional)
emailaddress | user.mail | Pre-populated (Optional)
familyName | user.surname | Pre-populated (Optional)
givenName | user.givenname | Pre-populated (Optional)
userName | user.userprincipalname | Pre-populated (Optional)
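When a login fails after the attributes have been edited, the quickest diagnosis is to look at the SAML response Azure AD actually sent and check it against the table above. The script below is an added example, not Figma's or Microsoft's code. It decodes the base64 SAMLResponse form field that the browser POSTs to the SP ACS URL and reports which required attributes are missing or empty, whether a NameID (the Unique User Identifier) is present, and whether the Destination matches your SP ACS URL. The claim names under REQUIRED are the standard Azure AD claim URIs for the four required attributes, and the plain names under OPTIONAL mirror the table; both are assumptions to confirm against your own Attributes & Claims page. SAMPLE_RESPONSE is constructed and unsigned: a real response is signed, and it is Figma, not this script, that verifies the signature.

```python
"""Report which Figma-required attributes a SAML response carries.
Added example, not Figma's or Microsoft's code; does not verify signatures."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Figma label -> attribute Name as Azure AD emits it (assumed; verify in Azure).
REQUIRED = {
    "GivenName": CLAIMS + "givenname",
    "Surname": CLAIMS + "surname",
    "Emailaddress": CLAIMS + "emailaddress",
    "Name": CLAIMS + "name",
}
OPTIONAL = ["displayName", "title", "emailaddress", "familyName", "givenName", "userName"]

# Constructed, unsigned response for exercising the check. Not a real capture.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://www.figma.com/saml/123456789123456789/consume">
  <saml:Assertion>
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="displayName"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="userName"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def decode_saml_response(form_value: str) -> str:
    """The SAMLResponse form field POSTed to the ACS URL is base64-encoded XML."""
    return base64.b64decode(form_value).decode("utf-8")


def audit_claims(xml_text: str, expected_acs_url: str) -> dict:
    """Compare the attributes in a decoded SAML response with what Figma expects."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (encrypted assertions are not handled here)")
    name_id = (assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS) or "").strip()
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        attrs[attr.get("Name")] = values
    # A required attribute that is present but empty counts as missing.
    missing = [label for label, name in REQUIRED.items() if not attrs.get(name)]
    if not name_id:
        missing.append("Unique User Identifier")
    return {
        # Destination must be the SP ACS URL from Figma's dialog, exactly.
        "destination_ok": root.get("Destination") == expected_acs_url,
        "name_id": name_id,
        "missing": missing,
        "optional_present": [n for n in OPTIONAL if attrs.get(n)],
    }


if __name__ == "__main__":
    print(audit_claims(SAMPLE_RESPONSE, "https://www.figma.com/saml/123456789123456789/consume"))
```

Capture the SAMLResponse value from the POST to the /consume URL with your browser's developer tools, pass it through decode_saml_response, then through audit_claims with your SP ACS URL. Any entry in missing points at an attribute that was removed or renamed in Azure's Attributes & Claims editor, or a user whose source attribute (for example user.mail) is empty in Azure AD.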
Test the application
With both Figma and Azure configured, you can test the application. You’ll need to test this process with the user you added earlier.
If you skipped that step, assign a user to Figma first (see Assign a test user above). We recommend adding your own account.
- Switch to the Azure AD tab in your browser and make sure you’re on the SAML sign-on page.
- Select Test this application at the top of the page.
- Click the Test sign in button. Azure AD will open a new tab and log you into Figma using SAML SSO.
Make SAML SSO mandatory
If the test was successful, other members can now log in with their SAML SSO credentials alongside the existing methods. To require SAML SSO for all members, update the organization's authentication settings. Do this only after the test login has worked: once SAML is mandatory, a broken IdP configuration locks members out.
- Open the organization in Figma.
- In the sidebar, select Admin settings and go to the Settings tab.
- In the Login and provisioning section, click Authentication.
- Select Members must log in with SAML SSO. Click Done.
Set up automatic provisioning with SCIM
You'll need an API token from Figma to set up SCIM in Azure AD. We recommend having both Figma and Azure AD open to make it easier to copy between them.
Generate Figma API token
- From the file browser, click Admin settings.
- Select Settings at the top of the screen.
- In the Login and provisioning section, click SCIM provisioning.
- Click Generate API Token in the dialog.
- Copy the API token to your clipboard. You’ll need this to complete the process in Azure. Treat the token as a secret: it lets whoever holds it create and remove users in your organization, so paste it only into Azure's Secret Token field and don’t store it anywhere else.
Configure SCIM in Azure AD
You'll need your Tenant ID and API Token from Figma. Remember to swap the <TenantID> placeholder in the URL below with the Tenant ID Figma generated.
Note: These instructions are modified from Microsoft Azure's Tutorial. Check out Configure Figma for automatic user provisioning for screenshots and detailed explanations.
- In your Azure Portal go to Enterprise Applications > All Applications
- Select the Figma app.
- Go to the Manage section and select Provisioning.
- Set the Provisioning Mode to Automatic.
- Enter the following details in the Admin Credentials section:
- Tenant URL: https://www.figma.com/scim/v2/<TenantID>
- Secret Token: the API token you generated in Figma.
- Click Test Connection to make sure that Azure AD can connect to Figma.
- Enter the desired email address in the Notification Email field.
- Check the box next to Send an email notification when a failure occurs and click Save to apply.
- In the Mappings section, select Synchronize Azure Active Directory Users to Figma.
- In the Attribute Mappings section, review the Azure Active Directory Attribute and the corresponding Figma Attribute.
- Click the Save button to apply any changes.
- Under Settings, toggle Provisioning Status to On.
- Define which users and/or groups you would like to provision to Figma. Choose from:
- Sync all users and groups
- Sync only assigned users and groups
- Click Save to apply your provisioning settings.
Warning: If a user is deactivated in Azure AD, this will remove their Figma account from your organization and they will lose all permissions. If you reactivate the user in Azure AD and re-add them to your organization, someone will need to manually add them to their previous teams, projects and files.
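Azure's Test Connection button tells you only that the Tenant URL and token were accepted. The script below, an added example that is not Figma's or Microsoft's code, does the same kind of authenticated GET against the Tenant URL from the steps above and then pages through /Users so you can see which accounts the endpoint reports as inactive before turning provisioning on. It assumes only what the page states (the Tenant URL form and a bearer API token) plus the RFC 7644 ListResponse shape; SAMPLE_LIST_RESPONSE is constructed, and the network function is not exercised offline.

```python
"""Probe a Figma SCIM tenant URL with the API token and summarise the users it
returns. Added example, not Figma's or Microsoft's code."""
import json
import urllib.request

SCIM_BASE = "https://www.figma.com/scim/v2/"  # Tenant URL prefix from the steps above
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"  # RFC 7644

# Constructed example of one page of /Users; not a real capture.
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": [LIST_RESPONSE],
    "totalResults": 2, "startIndex": 1, "itemsPerPage": 2,
    "Resources": [
        {"id": "u1", "userName": "alice@example.com", "active": True},
        {"id": "u2", "userName": "bob@example.com", "active": False},
    ],
})


def scim_request(tenant_id: str, api_token: str, path: str = "/Users",
                 start_index: int = 1, count: int = 100) -> urllib.request.Request:
    """Build an authenticated GET for one page of a SCIM collection, using the
    same Tenant URL and bearer token Azure AD is configured with."""
    url = f"{SCIM_BASE}{tenant_id}{path}?startIndex={start_index}&count={count}"
    return urllib.request.Request(url, headers={
        "Authorization": f"Bearer {api_token}",
        "Accept": "application/scim+json",
    })


def parse_list_response(text: str) -> dict:
    """Validate that the body is a SCIM ListResponse and return it."""
    page = json.loads(text)
    if LIST_RESPONSE not in page.get("schemas", []):
        raise ValueError("not a SCIM ListResponse: check the Tenant URL and token")
    return page


def fetch_all_users(tenant_id: str, api_token: str,
                    opener=urllib.request.urlopen) -> list:
    """Page through /Users using startIndex/totalResults. Makes network calls."""
    users, start = [], 1
    while True:
        with opener(scim_request(tenant_id, api_token, start_index=start)) as resp:
            page = parse_list_response(resp.read().decode("utf-8"))
        batch = page.get("Resources", [])
        users.extend(batch)
        start += len(batch)
        if not batch or start > int(page.get("totalResults", 0)):
            return users


def summarize_users(resources: list) -> dict:
    """Count users and flag those the endpoint reports as inactive or without a
    userName (the attribute Azure maps from user.userprincipalname)."""
    inactive = [u.get("userName") for u in resources if u.get("active") is False]
    no_username = [u.get("id") for u in resources if not u.get("userName")]
    return {"total": len(resources), "inactive": inactive, "no_username": no_username}


if __name__ == "__main__":
    page = parse_list_response(SAMPLE_LIST_RESPONSE)
    print(summarize_users(page["Resources"]))
```

To use it for real, call fetch_all_users with your Tenant ID and the API token from the previous section and pass the result to summarize_users; a 401 from the first request means the token is wrong or was regenerated in Figma. Because the token is a bearer secret, read it from an environment variable rather than hard-coding it in the script.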