Try FigJam, our new digital whiteboarding product for free! Missed the keynote? Read about it here.

    SAML SSO with Azure Active Directory

    Before you start

    Who can use this feature

    Supported on the Figma Organization plan

    Only Organization Admins can set up SAML SSO.

    You will need to have an existing Microsoft Azure Active Directory account

    Organizations that have stricter security requirements can configure SAML SSO. Learn more about SAML SSO in Figma →

    You can use Okta as your identity provider to authenticate and provision users. Figma supports SAML SSO initiated from both Okta (identity provider) and Figma (service provider).

    Note: Microsoft recommends testing your SAML Configuration in a sandbox environment. You can do this before you configure Automatic Provisioning via SCIM. Find detailed instructions in Microsoft's Azure Active Directory SSO Integration with Figma article.

    Add Figma to Azure AD

    Add Figma to your Azure Portal and enable SAML SSO. This generates an App Federation Metadata URL, which you can then use to connect the two applications.

    1. Log in to your Azure Portal and using the left navigation menu open Azure Active Directory.
    2. Select Enterprise Applications and then All Applications.
    3. Click on the Enterprise Applications setting.
    4. In the Manage section, select All Applications.
    5. Click the + New application button.
    6. Search for Figma in the field provided and click Add to add the application to your portal.
    7. Go to the Single Sign-On configuration page.
    8. Set the Mode as SAML-based Sign-On.
    9. Copy the App Federation Metadata URL.

    Set up SAML SSO in Figma

    Next you'll need to set up SAML SSO in your Organization's Admin Settings.

    1. Open Figma in the file browser.
    2. Click Admin Settings under the Organization name in the sidebar.
    3. Select Settings at the top of the screen.
    4. In the Login and provisioning section, click SAML SSO.
    5. Click Configure SAML and select Microsoft Azure Active Directory.
    6. Enter the App Federation Metadata URL from Azure AD and click Review.
    7. Check the box to confirm This information is correct... and click Configure SAML SSO.
    8. Click the Copy link next to your Tenant ID. You'll need this to complete the set up process in Azure AD.

    You need to decide if logging in via SAML SSO is mandatory, or if users can still login via email address and password. Learn more about authentication options →

    Set up SAML SSO in Azure

    Complete these steps to configure SAML SSO in Azure Active Directory. You can choose to initiate SAML from the Azure Active Directory or Figma.

    Configure SAML SSO

    Remember: Swap the <TENANT ID> placeholder with the Tenant ID generated by Figma.

    1. In your Azure Portal open the Figma app.
    2. In the Manage section, select Single Sign-On
    3. On the Select a single sign-on method page, select SAML.
    4. Click the pen icon next to Basic SAML Configuration
    5. To configure in in IDP initiated mode:
      1. In the Identifier field enter the URL: https://www.figma.com/saml/<TENANT ID>
      2. In the Reply URL field enter the URL: https://www.figma.com/saml/<TENANT ID>/consume
    6. To configure in SP initiated mode:
      1. Click Set additional URLs
      2. In the Sign-on URL field enter the URL: https://www.figma.com/saml/<TENANT ID>/start

    Map user attributes

    Map your user attributes between Figma and Azure Active Directory.

    Required

    There are some required attributes that you will need to keep.

    GivenName user.givenname
    Surname user.surname
    Emailaddress user.mail
    Name user.userprincipalname
    Unique User Identifier user.userprincipalname
       

    Pre-Populated

    Figma will pre-populate some other attributes. You can review and adjust these as required.

    externalId user.mailnickname
    displayName user.displayname
    title user.jobtitle
    emailaddress user.mail
    familyName user.surname
    givenName givenName
    userName user.userprincipalname

    Test your SAML Configuration

    Microsoft recommends testing your SAML configuration before adding or importing your accounts.

    1. Create a test user in Azure AD.
    2. Assign the test user to Figma in Azure AD.
    3. Figma will create a corresponding test user account in Figma
    4. Test the SSO process with this user.

    Find detailed instructions in Microsoft Azure's Tutorial: Azure Active Directory single sign-on (SSO) integration with Figma.

    Set up automatic provisioning with SCIM

    You'll need an API token from Figma to set up SCIM in Azure AD. We recommend having both Figma and Azure AD open to make copying between them easier.

    Generate an API token in Figma

    1. Click Admin Settings under the Organization name in the sidebar.
    2. Select Settings at the top of the screen.
    3. In the Login and provisioning section, click SCIM provisioning.
    4. Click Generate API Token in the dialog.
    5. Copy the API token to your clipboard. You'll need this to complete the process in Okta.

    Configure SCIM in Azure AD

    Note: You'll need your Tenant ID and API Token from Figma. Remember to swap the <TENANT ID> placeholder in the URL below with the Tenant ID Figma generated.

    1. In your Azure Portal go to Enterprise Applications > All Applications
    2. Select the Figma app.
    3. Go to the Manage section select Provisioning.
    4. Set the Provisioning Mode to Automatic.
    5. Enter the following details in the Admin Credentials section:
      1. Enter the URL in the Tenant URL field: https://www.figma.com/scim/v2/<TenantID>
      2. Enter the API Token in the Secret Token field.
      3. Click Test Connection to make sure that Azure AD can connect to Figma.
    6. Enter the desired email address in the Notification Email field.
    7. Check the box next to Send an email notification when a failure occurs and click Save to apply.
    8. In the Mappings section, select Synchronize Azure Active Directory Users to Figma.
    9. In the Attribute Mappings section, review the Azure Active Directory Attribute and the corresponding Figma Attribute.
    10. Click the Save button to apply any changes.
    11. Under Settings, toggle the Provisioning Status > On.
    12. Define which users and/or groups you would like to provision to Figma. Choose from:
      • Sync all users and groups
      • Sync only assigned users and groups
    13. Click Save to apply your provisioning settings.

    Note: These instructions are modified from Microsoft Azure's Tutorial. Check out Configure Figma for automatic user provisioning for screenshots and detailed explanations.

    Related Videos

    • Guide to SAML SSO in Figma

      Before you start

      Who can use this feature

      Supported on theFigma Organization plan.

      Only organization admins can configure SAML SSO.

      SAML SSO only applies to members of an organization. Guests can always log in to an organization via Google SSO or using their email and a unique password.

      Organizations that need enhanced security requirements can configure SAML SSO.

      Security Assertion Markup Language (SAML) is a security standard for logging into applications. Single Sign On (SSO) allows users to log into many applications or websites via one set of login details.

      In a SAML SSO set up, the identity provider manages the organization's user accounts and credentials. The service provider is the app or website that provides services to the user or organization. Figma is a service provider in this scenario.

      SAML SSO only applies to members of an organization. Guests can't log in via SAML SSO, but can log in via Google SSO or their email and unique password.

      How SAML SSO works:

      1. Member attempts to log in to Figma via SAML SSO.
      2. Figma sends a SAML request to the identity provider.
      3. The identity provider checks this user's credentials.
      4. The identity provider sends a response to Figma to verify the user's identity.
      5. Figma accepts the response and logs the user into their Figma account.

      Note: Figma uses SAML 2.0 for all SAML SSO configurations. This includes configurations with any of our supported identity providers, as well as any custom configurations.

      Set up SAML SSO

      The process for configuring SAML will depend on your specific identity provider. We've outlined the general process for implementing SAML SSO in your Organization below.

      Confirm your company domain(s)

      Domains are the way we identify entities on the internet. We can view domains in a website's URL www.figma.com or email address support@figma.com.

      Organization Admins will define what domains are associated with their business as part of the set up process. Organizations can have more than one domain, including subdomains. Learn more about domains and domain capture →

      Domains let Figma know who to treat as a member of the Organization, and who to treat as a guest. Only members of the organization can log in using SAML SSO.

      Tip! Guests can login using Google SSO, or their email address and a unique password. Learn how to log in to Figma →

      For example: ACME Corp has three domains registered to their Figma Organization: acme.org, acmecorp.org, and dev.acme.org.

      • Anyone with an acme.org, acmecorp.org, or dev.acme.org email address is a member.
      • Anyone with an email address that doesn't match those domains is a guest and can't log in via SAML. For example: name@gmail.com or name@notyourdomain.com

      Note: If you plan on using SAML SSO, you will need to register each domain you want to use in Figma with your identity provider. Email aliases do not work with SAML SSO.

      Caution: For a member to access their existing files and projects in the Organization, they will need to be using their correct company email to join the Organization. We recommend making sure everyone is using their company email in Figma before you set up SAML SSO.

      Add Figma app to your identity provider

      This usually involves adding an app to your identity provider. Your identity provider will provide you with a Metadata URL during this process.

      This is an XML link that Figma will use to connect your identity provider, and authenticate users when they login.

      Figma supports dedicated integrations with the following identity providers:

      Note: You can also set up a custom SAML configuration with a provider that isn't on this list. This will involve setting up a custom app with your identity provider. Learn more about custom SAML configurations →

      *If you want to use Google SAML SSO and SCIM, you need to set up a custom SAML configuration instead of using the Google SSO option. Learn more about Google SAML SSO →

      Turn on SAML SSO in Figma

      Next, you'll need to set up SAML SSO in Figma. This does the following:

      • Turns on SAML SSO in your Organization
      • Connects your identity provider to your Figma account
      • Lets you decide if how members can login

      Figma will provide you with a Tenant ID as part of this process, which you'll need to complete the configuration process with your provider.

      You also need to decide if logging in via SAML SSO is mandatory, or if users can still login via email address and password. This only applies to members, guests can login via Google SSO or email and unique password.

      If you want to set up Google SSO, all users must login via Google SSO. There is no way to make this optional or enable this for only some users. Learn more about authentication options →

      Set up SAML SSO in your identity provider

      Complete the rest of the set up process with your identity provider. The articles below cover this process in detail.

      For supported providers, you'll only need your Tenant ID. For custom configurations, you'll need both the SP Entity ID and SP ACS URL.

      Set up SCIM provisioning (optional)

      All SAML SSO configurations support "Just In Time" (JIT) or manual provisioning. JIT provisioning allows Figma to create and update users in Figma.

      JIT only applies any changes to a user's profile when they next log into their account, not when the Admin first makes the changes.

      You can choose to enable automatic provisioning via SCIM. SCIM pushes any changes you make to Figma, as soon as they happen.

      SCIM gives you greater control as it allows you to also import and deactivate users.

      • Supported identity providers: you can enable provisioning via SCIM. We include instructions for setting up automatic provisioning via SCIM in each provider's article.
      • Custom SAML configuration: you can set up SCIM with your chosen identity provider.Learn more about setting up a custom SCIM configuration →

      Users can now access Figma using their company email address and password. If they have already been using Figma, they can log in to their account. If they are new to Figma, they can create a new account.

      When you provision a user with your identity provider, Figma will add them to your Organization as a Viewer. This is a provisional Role, which means there are no restrictions around upgrading.

      It's not possible to define a user's permissions via your identity provider. You can only manage a user's permissions in Figma. Learn more about managing members →

      Edit a SAML configuration

      Organization Admins can make changes to the SAML SSO settings at any time. This is perfect when you need to fix errors, update an expired certificate, or switch to another provider.

      You will need to update your Authentication settings to Members may log in with any method, including email and password to edit your configuration. This allows members to log in with email address and password, while you make any changes.

      1. Open Figma in the file browser.
      2. Select Admin Settings in the sidebar.
      3. Select the Settings tab at the top of the screen.
      4. In the Login and provisioning section, click the Authentication setting.
      5. Select Members may log in with any method, including email and password.
      6. Click Done to return to the screen.
      7. Click on the SAML SSO option to adjust your settings.

      Learn more about choosing an authentication method →

    • Choose organization authentication method

      Before you start

      Who can use this feature

      Supported on the Figma Organization plan

      Only organization admins can adjust the organization's log in and authentication settings.

      SAML SSO only applies to members of an organization. Guests can always log in to an organization via Google SSO or using their email and a unique password.

      Organization admins can choose what method members can use to log in to the organization. These settings will apply to any member that has an email address that matches your organization's domain(s).update the

      You can update these settings at any time. If you want to make change to your SAML SSO configuration, you will need to temporarily update these settings to allow members to log in via any methods.

      Adjust authentication method

      Adjust the authentication method in the organization's Admin settings.

      1. Open Figma in the file browser.
      2. Select Admin Settings in the sidebar.
      3. Select the Settings tab at the top of the screen.
      4. In the Login and provisioning section, click the Authentication setting.

      Authentication option highlighted in the Login and Provisioning section of the Settings page

      The authenticated methods you can choose from in an Organization are:

      • Members may log in with any method, including email and password (default)
      • Members must log in with a Google account
      • Members must log in with SAML SSO

      Authentication modal with the methods available in an Organization

      Note: These settings only apply to members of your organization. Guests can still log in to Figma with an email address and password, even if SAML SSO or Google SSO is mandatory in your organization.

      Make SAML SSO mandatory

      Organizations with enhanced security requirements can configure SAML SSO.

      SAML SSO lets you connect your external identity provider to Figma, like Okta or Azure AD. Members of the organization can then log in to Figma using their company email.

      You can choose whether users must log in via SAML SSO, or if they can login with another authentication method.

      • Select Members must log in with SAML SSO to make logging in via SAML SSO mandatory for members.
      • Select Members may log in with any method, including email and password to make SAML SSO optional.

      When you make SAML SSO mandatory, Figma will require members to use SAML SSO when they next log in. Guests can still use their company email address and password to access Figma.

      Make Google SSO mandatory

      If you are using G Suite to manage your company email, then you have two approaches available for authentication.

      Google SSO

      You can enable Google SSO in your Figma Organization. Members must use the Log in with Google option to log in using their Google-managed company email and password.

      • Select Members must sign in with a Google Account to make Google SSO mandatory.
      • Select Members may log in with any method, including email and password to make Google SSO optional.

      Note: You can disable this requirement at any time, if required. Return to this page and select Members may sign in with any available method, including email and password instead. You will need to update your authentication method to this setting, if you want make changes to your SAML SSO or SCIM settings.

      Google SAML SSO

      Google also supports both SAML SSO and SCIM configurations. If you want to use Google SAML SSO and SCIM with Figma, you will need to:

      1. Set up a custom app for Figma in GSuite (Opens Google Support article)
      2. Decide if you want to make SAML SSO mandatory
      3. Set up a custom SAML configuration in Figma

      Note: We've heard that there can be delays when setting up a custom SAML SSO app with Google. If you see a "Not a SAML app" error, or similar, we recommend trying again in a few hours. Google has some recommendations for common errors: Troubleshoot single sign-on (SSO).

    • SAML SSO with Okta

      Before you start

      Who can use this feature

      Supported on the Figma Organization plan

      Only Organization Admins can set up SAML SSO.

      You will need to have an existing Okta account to set up SAML SSO with Okta.

      Organizations that have stricter security requirements can configure SAML SSO. Learn more about SAML SSO in Figma →

      You can use Okta as your identity provider to authenticate and provision users. Figma supports SAML SSO initiated from both Okta (identity provider) and Figma (service provider).

      Add the Figma app to Okta

      To connect Figma and Okta, you will first need to add the Figma app to your Okta account. This will generate a IdP Metadata URL, which you'll need to configure SAML SSO in Figma.

      1. Log in to your Okta account and head to the Applications page.
      2. Select Add Application from the options.
      3. Search for Figma and click the Add button to add Figma to your account.
      4. Once installed, go to the Sign On page.
      5. Right click on the Identity Provider Metadata link and choose Copy link address. The link should look like this: https://example.okta.com/app/abc123/sso/saml/metadata

      Set up SAML SSO in Figma

      Next you'll need to set up SAML SSO in your Organization's Admin Settings.

      1. Open Figma in the file browser.
      2. Click Admin Settings under the Organization name in the sidebar.
      3. Select Settings at the top of the screen.
      4. In the Login and provisioning section, click SAML SSO.
      5. Click Configure SAML and select Okta from the options.
      6. Enter the IdP Metadata IRL from Okta and click Review.
      7. Check the box to confirm This information is correct... and click Configure SAML SSO.
      8. Click the Copy link next to your Tenant ID. You'll need this to complete the set up process in Okta.

      You need to decide if logging in via SAML SSO is mandatory, or if users can still login via email address and password. Learn more about authentication options →

      Set up Figma in Okta

      Now you have your Tenant ID, you can complete the configuration process in Okta. You will need to configure the Figma app and mapping user attributes between applications.

      Configure SAML SSO

      1. Open the Figma app in Okta.
      2. Go to Sign On tab and click Edit.
      3. Scroll down to the Advanced Sign-On Settings section.
      4. Enter your Tenant ID in the field provided.
      5. In the Application username format field, select Email from the options.
      6. Click Save to complete the process.

      Log in via Figma (service provider initiated SSO) To start the SAML SSO process from Figma's end, head to the following URL: https://www.figma.com/saml/[TenantID]/start 

      Make sure to replace [Tenant ID] with your Organization's actual Tenant Id!

      Assign users to the application

      Now you can start assigning users to the application. As part of this process, you may be asked to provide additional information about each user.

      Figma supports some basic attributes, as well as attributes only available to SCIM Enterprise users.

      Start adding users to the application in the Assignments tab on the far right.

      Supported Basic Attributes

      Variable Name External Name External Namespace Suggested Mapping
      givenName givenName urn:ietf:params:scim:schemas:core:2.0:User user.firstName
      familyName familyName urn:ietf:params:scim:schemas:core:2.0:User user.lastName
      displayName displayName urn:ietf:params:scim:schemas:core:2.0:User user.displayName
      title title urn:ietf:params:scim:schemas:core:2.0:User user.title

      Supported SCIM Enterprise User Attributes

      Variable Name External Name External Namespace Suggested Mapping  
      employeeNumber employeeNumber urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.employeeNumber
      costCenter costCenter urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.costCenter
      organization organization urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.organization
      division division urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.division
      department department urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.department
      managerValue manager.value urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.managerId
      managerDisplayName manager.displayName urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.manager

      Note: Missing the SCIM Enterprise user attributes? Figma applications added in Okta prior to June 2019 may need to be upgraded. Please contact support@figma.com for assistance.

      Set up automatic provisioning with SCIM

      Okta also supports automatic provisioning with SCIM. To set up SCIM you will need to generate an API token in Figma then add this to Okta.

      We recommend having both windows open to make copying between the two easier.

      Generate an API token in Figma

      1. Click Admin Settings under the Organization name in the sidebar.
      2. Select Settings at the top of the screen.
      3. In the Login and provisioning section, click SCIM provisioning.
      4. Click Generate API Token in the dialog.
      5. Copy the API token to your clipboard. You'll need this to complete the process in Okta.

      Configure automatic provisioning in Okta

      Important! Make sure the following functions are enabled in Okta:

      • Create Users
      • Update User Attributes
      • Deactivate Users
      1. Open the Figma app in Okta.
      2. Go to the Provisioning tab in the Figma app.
      3. Click the Configure API Integration button.
      4. Check the box next to Enable API Integration.
      5. Enter the API Token in the field provided.
      6. Click Test API Credentials to ensure it's set up correctly.
      7. When you get a success message, click Save to apply.
      8. A few more options will now appear under the Provisioning section. Select To App in the left-hand menu.
      9. Click Save to apply.
    • SAML SSO with OneLogin

      Before you start

      Who can use this feature

      Supported on the Figma Organization plan

      Only Organization Admins can set up SAML SSO.

      You will need to have an existing OneLogin account

      Organizations that have stricter security requirements can configure SAML SSO. Learn more about SAML SSO in Figma →

      You can use OneLogin as your identity provider to authenticate and provision users. Figma supports SAML SSO initiated from both OneLogin (identity provider) and Figma (service provider).

      Add Figma to OneLogin

      First, you'll need to add the Figma App to your OneLogin account.

      1. Log in to your OneLogin account and go the Administration section.
      2. Head over to the Apps page and select Add Apps.
      3. Search for Figma in the Find apps field.
      4. On the Info tab, click Save to add the app to your Company Apps.
      5. You will then be able to access the additional configuration settings. Click on the SSO tab:
      6. Copy the contents of the Issuer URL field:

        The SSO tab in the Figma app in OneLogin

      Set up SAML SSO in Figma

      Next you'll need to set up SAML SSO in your Organization's Admin Settings.

      1. Open Figma in the file browser.
      2. Click Admin Settings under the Organization name in the sidebar.
      3. Select Settings at the top of the screen.
      4. In the Login and provisioning section, click SAML SSO.
      5. Click Configure SAML and select OneLogin from the options.
      6. Enter the IdP Metadata IRL from OneLogin and click Review.
      7. Check the box to confirm This information is correct... and click Configure SAML SSO.
      8. Click the Copy link next to your Tenant ID. You'll need this to complete the set up process in Okta.

      You need to decide if logging in via SAML SSO is mandatory, or if users can still login via email address and password. Learn more about authentication options →

      Configure SAML SSO in OneLogin

      Once you've received your confirmation and Tenant ID, you can complete the configuration process in OneLogin.

      1. Go back to the Figma App in OneLogin (Administration > Apps > Figma)
      2. Go to the Configuration Tab for the Figma app:

        The Configuration tab in the Figma app in OneLogin

      3. Enter the Tenant ID that you copied from Figma.
      4. Click SAVE to complete the process.

      Set up automatic provisioning via SCIM

      To set up automatic provisioning you will need to:

      1. Generate an API Token in Figma
      2. Configure Automatic Provisioning in OneLogin
      3. Map Custom Attributes

      Tip! We recommend having both of these windows open at the same time, to make that process easier.

      Generate an API token in Figma

      1. Click Admin Settings under the Organization name in the sidebar.
      2. Select Settings at the top of the screen.
      3. In the Login and provisioning section, click SCIM provisioning.
      4. Click Generate API Token in the dialog.
      5. Copy the API token to your clipboard. You'll need this to complete the process in Okta.

      Configure SCIM in OneLogin

      You'll need your API Token from Figma

      1. Open the Figma app in OneLogin.
      2. Go to the Configuration Tab for the Figma app.
      3. Under API connection, enter your API token in the SCIM Bearer Token field.
      4. Click ENABLE.
      5. Go to the Provisioning tab and check the box next to Enable Provisioning.
      6. Select which provisioning actions you want to require administrator approval for. You can choose to enable this for:
        • Create User
        • Delete User
        • Update User
      7. Decide the appropriate action for When user accounts are suspended in OneLogin..

        The provisioning tab in the Figma app with the above settings in place and suspend chosen for the appropriate action

      Add custom attributes

      Some Figma attributes are mapped to OneLogin attributes by default:

      • Email
      • First Name
      • Last Name
      • NameID
      • SCIM Username
      • Title
      • Manager
      • Department

      Other SCIM Enterprise User attributes are optional. You will need to add these as custom user fields if you want to include them in your provisioning:

      • employeeNumber
      • costCenter
      • organization
      • division

      To create a custom field in OneLogin:

      1. Login to your OneLogin account.
      2. Go to Users > Custom User Fields in the main menu:
      3. Complete the New User Field inputs.
      4. Click SAVE to apply your changes.
    • Set up SAML SSO for ADFS

      Organizations that have stricter security requirements can configure SAML SSO. Learn more about SAML SSO in Figma →

      If you use Microsoft's Active Directory Federated Service (ADFS), you can set up SAML SSO for your Figma Organization.

      To use this integration you will need to:

      • Have an ADFS instance of 3.0 or later
      • Expose the SAML endpoint for ADFS

      You can use Micro as your identity provider to authenticate and provision users. Figma supports SAML SSO initiated from both Microsoft ADFS (identity provider) and Figma (service provider).

      Add Figma to ADFS

      Required information

      There are a few pieces of information that you'll need from Figma during the set up process. We recommend having this open in another tab or window, so you can quickly copy it across.

      1. Open Figma in the file browser.
      2. Click Admin Settings under the Organization name in the sidebar.
      3. Select Settings at the top of the screen.
      4. In the Login and provisioning section, click SAML SSO.
      5. Find the SP Entity ID and the SP ACS URL. You'll need both to set up the connection in ADFS.

      Tip! These URLs will look very similar as they both include your Tenant ID. The only difference is that your SP ACS URL will have /consume added to the end of it.

      You need to decide if logging in via SAML SSO is mandatory, or if users can still login via email address and password. Learn more about authentication options →

      Add Figma to your ADFS instance

      Now you need to add Figma as a "Relying Party Trust" to your ADFS instance.

      1. Open your ADFS instance.
      2. In the Actions column, click Add Relying Party Trust. This will open a wizard that will guide you through the set up process. ADFS instance with panels showing an overview of the instanc and a list of actions, including the add relying party trust option
      3. On the Welcome screen, click “Start” to start the set up process.
      4. On the Select Data Source step, select Enter data about the relying party manually and click Next.

      5. Add a Display name, like Figma or similar, then click Next to proceed.

      6. On the Configure Certificate step, click the Browse button. Select ADFS profile from the options and click Next.
      7. On the Configure URL step, select Enable support for the SAML 2.0 WebSSO protocol

      8. On the same page, paste the Figma SP ACS URL in the field provided. The link should look something like this: https://figma.com/saml/123456789123456789/consume. Click Next to proceed. The Configure URL step of the process with the Enable support for the SAML 2.0 option checked and the URL pasted in the field provided

      9. On the Configure Identifiers step, paste in your SP Entity ID in the Relying party trust identifier field. The link should look something like this: https://figma.com/saml/123456789123456789. Click Next to proceed. Configure identifiers page with the SP Entity ID url listed in the Relying party trust identifier section
      10. On the Choose Access Control Policy step, choose an access control policy. This determines who can authenticate their Figma account via SSO. Click Next to proceed. The Choose Access Control Policy with Permit Everyone selected
      11. On the Ready to Add Trust step, click the Next button to complete the process.
      12. Click Close to finish the Wizard.

      Add attributes to ADFS

      Next, you need to add a rule to ADFS. This will ensure the integration sends LDAP attributes as claims.

      1. On the Edit Claim Issuance Policy page, click the Add rule button.
      2. Under Claim rule template, select Send LDAP Attributes as Claims. Click Next to proceed.
      3. On the Configure Claim Rule step:
        1. Enter a Claim rule name.
        2. For your Attribute store, select Active Director.
        3. In the LDAP Attribute... column, select E-Mail Address.
        4. In the Outgoing Claim Type... column, select E-Mail Address.
        5. Click Finish to complete the process and return to the Edit Claim Issuance Policy screen.
      4. Click Apply to apply the rule and return to the Issue Transform rules page.
      5. Click Add Rule to add a second Transform rule.
      6. Under Claim rule template, select Transform an Incoming Claim. Click Next to proceed.
      7. On the Configure Claim Rule step:
        1. For Claim rule name, enter Transform email address as NameID
        2. In the Incoming claim type, select E-Mail Address.
        3. In the Outgoing Claim Type column, select NameID
        4. In the Outgoing name ID format column, select Email
        5. Toggle Pass through all claim values.
        6. Click OK to complete the process and return to the Edit Claim Issuance Policy screen.
      8. Click Apply to apply the rules to your instance.

      Export signing certificate

      Now you'll need to export your Signing Certificate, usually called the X509 certificate. We use this to verify your Organization via your Identity Provider.

      1. In your ADFS instance, go to Service > Certifications
      2. Click on the certificate under Token-signing and select View Certificate. certificate
      3. Click Copy to File > Ok.
      4. Click Next on Certificate Export Wizard.
      5. Select Base-64 encoded... from the options and click Next.
      6. Name your certificate file figma.cer and click Next.
      7. Click Finish to export the certificate. ADFS will export the certificate to your configured downloads folder.

      Complete the set up process in Figma

      Now that you have everything set up in ADFS, you'll need to add your ADFS details to Figma. Our Set up a custom SAML configuration article takes you through that process.

      You'll need the following information from ADFS:

      • IdP Entity Id: This lets Figma know which Identity Provider you are using.
      • IdP SSO Target URL: Figma will use this link to connect to the Identity Provider when someone from your Organization attempts to login via SAML SSO. For ADFS, it should look something like this: https://**sso.yourdomain.tld**/adfs/ls/
      • Signing Certificate: This is the certificate that you have just downloaded.
    • Set up a custom SAML configuration

      Before you start

      Who can use this feature

      Supported on the Figma Organization plan

      Only Organization Admins can set up SAML SSO.

      You must use SAML 2.0 to set up SAML SSO with Figma.

      Organizations that have stricter security requirements can configure SAML SSO. Learn more about SAML SSO in Figma →

      If you do not use one of our supported identity providers, you can set up a custom SAML configuration. You must use SAML 2.0, Figma doesn't support earlier versions of SAML.

      Note: you will need the following information from your identity provider to set up SAML SSO in Figma:

      • IdP Entity Id: This lets us know which Identity Provider you are using.
      • IdP SSO Target URL: We will use this link to connect to the Identity Provider when someone from your Organization attempts to login via SAML SSO.
      • Signing Certificate: Usually called the X509 certificate. We use this to verify your Organization via your Identity Provider.

      Set up SAML SSO in Figma

      You need to decide if logging in via SAML SSO is mandatory, or if users can still login via email address and password. Learn more about authentication options →

      1. Open Figma in the file browser and select Admin Settings in the sidebar.
      2. Select Settings at the top of the screen.
      3. In the Log in and provisioning section, click SAML SSO.
      4. Figma will generate the information you need to complete the process with your identity provider. Find this in the Your configuration details are section.
      5. In the Identity Provider section, select Other.
      6. Enter the details from your identity provider:
        • IdP Entity ID
        • IdP SSO Target URL
      7. Upload your Signing Certificate and click Review.
      8. Check the box to confirm This information is correct... and click Configure SAML SSO.

      Complete the set up with your identity provider

      1. View the details of your SAML SSO configuration in Figma. You'll need these to complete the configuration process with your Identity Provider:
        • The SP Entity ID
        • The SP ACS URL
      2. Make sure to configure the NameId using the following format:  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

      Tip! You can address any typos, or update your SAML SSO configuration at any time. Return to these settings and click the Edit Configuration button. Learn more about editing your SAML SSO settings →

    • Set up automatic provisioning via SCIM

      All SAML SSO configurations in Figma support Just In Time (JIT) provisioning. This is manual provisioning which only applies any changes when a user next logs into their account, not when the Admin makes the changes. JIT supports creating and updating users in Figma.

      You can choose to enable automatic provisioning with SCIM. SCIM pushes any changes you make to Figma, as soon as they happen. SCIM also support importing and deactivating users.

      To set up automatic provisioning you will need to an API token in Figma and a SCIM URL. This will allow you to configure automatic provisioning in your identity provider.

      Copy your details from Figma

      To make the set up process easier, we recommend having both Figma and your identity provider open at the same time.

      You can generate an API token and find your Tenant ID on the Settings page of your Organization's Admin Settings:

      1. Open Figma in the file browser and select Admin Settings in the sidebar.
      2. Select the Settings tab.

      Generate an API token

      1. In the Login and provisioning section, click SCIM Provisioning.
      2. Click Generate API Token.
      3. Copy the API Token value.

      Find your Tenant Id

      Your identity provider will need a SCIM base URL to configure SCIM. Your Tenant Id will make up part of this URL.

      1. In the Login and provisioning section, click SAML SSO.
      2. Copy the Tenant ID.
      3. Use the tenant Id to create the SCIM base URL: https://www.figma.com/scim/v2/[tenant]

      Set up SCIM with your identity provider

      The process for setting up provisioning depends on your identity provider.

      Configure SCIM

      If you're using one of our supported identity providers, you can follow our help articles:

      If you're using an identity provider we haven't listed here, you can still set up SCIM with Figma.

      You'll need to set up SAML SSO configuration with your identity provider, before you can configure SCIM. This may require you to set up a custom application.

      We aren't able to provide documentation for custom configurations. Please reach out to your identity provider for any assistance with a custom configuration.

      IMPORTANT

      As part of the set up process with your identity provider, you'll need to choose which provisioning functions to use. Make sure the following functions are enabled:

      • Create Users
      • Update User Attributes
      • Deactivate Users

      Assign users to the application

      When you set up automatic provisioning, you will be asked to assign users to the application.

      As part of this process, you may be asked to provide additional information about each user. Figma supports the following common basic attributes, as well as some optional extras.

      Basic attributes

      Scroll to view table

      Variable Name

      External Name

      External Namespace

      Suggested Mapping

      givenName

      givenName

      urn:ietf:params:scim:schemas:core:2.0:User

      user.firstName

      familyName

      familyName

      urn:ietf:params:scim:schemas:core:2.0:User

      user.lastName

      displayName

      displayName

      urn:ietf:params:scim:schemas:core:2.0:User

      user.displayName

      title

      title

      urn:ietf:params:scim:schemas:core:2.0:User

      user.title

      Advanced attributes

      Scroll to view table

      Variable Name

      External Name

      External Namespace

      Suggested Mapping

      employeeNumber

      employeeNumber

      urn:ietf:params:scim:schemas:extension:enterprise:2.0:User

      user.employeeNumber

      costCenter

      costCenter

      urn:ietf:params:scim:schemas:extension:enterprise:2.0:User

      user.costCenter

      organization

      organization

      urn:ietf:params:scim:schemas:extension:enterprise:2.0:User

      user.organization

      division

      division

      urn:ietf:params:scim:schemas:extension:enterprise:2.0:User

      user.division

      department

      department

      urn:ietf:params:scim:schemas:extension:enterprise:2.0:User

      user.department

      managerValue

      manager.value

      urn:ietf:params:scim:schemas:extension:enterprise:2.0:User

      user.managerId

      managerDisplayName

      manager.displayName

      urn:ietf:params:scim:schemas:extension:enterprise:2.0:User

      user.manager

      Note: It's not possible to assign permissions in Figma via your identity provider. Figma will add provisioned users to your Organization as Viewers.

      This is a provisional role, which means there are no restrictions around upgrading. Learn more about Members in an Organization.

      Display SCIM member metadata

      When you have SCIM set up, you can choose which of these attributes you want to access in Figma. That attribute will be shown in the Members tab alongside Figma's default data.

      1. Open Admin settings > Settings
      2. In the Other section, click Member metadata.
      3. Choose from Cost center, organization, division, or department.
      4. Figma will show this data in the Members tab. You'll be able to sort your member list based on this column.

      Guide to organization admin →

    Connect, share, and learn from a global community of Figma users

    Join the Support forum