SAML SSO with Azure Active Directory

    Before you start

    Who can use this feature

    Supported on the Figma Organization plan

    Only Organization Admins can set up SAML SSO.

    You will need to have an existing Microsoft Azure Active Directory account

    Organizations that have stricter security requirements can configure SAML SSO. Learn more about SAML SSO in Figma →

    You can use Okta as your identity provider to authenticate and provision users. Figma supports SAML SSO initiated from both Okta (identity provider) and Figma (service provider).

    Note: Microsoft recommends testing your SAML Configuration in a sandbox environment. You can do this before you configure Automatic Provisioning via SCIM. Find detailed instructions in Microsoft's Azure Active Directory SSO Integration with Figma article.

    Add Figma to Azure AD

    Add Figma to your Azure Portal and enable SAML SSO. This generates an App Federation Metadata URL, which you can then use to connect the two applications.

    1. Log in to your Azure Portal and using the left navigation menu open Azure Active Directory.
    2. Select Enterprise Applications and then All Applications.
    3. Click on the Enterprise Applications setting.
    4. In the Manage section, select All Applications.
    5. Click the + New application button.
    6. Search for Figma in the field provided and click Add to add the application to your portal.
    7. Go to the Single Sign-On configuration page.
    8. Set the Mode as SAML-based Sign-On.
    9. Copy the App Federation Metadata URL.

    Set up SAML SSO in Figma

    Next you'll need to set up SAML SSO in your Organization's Admin Settings.

    1. Open Figma in the file browser.
    2. Click Admin Settings under the Organization name in the sidebar.
    3. Select Settings at the top of the screen.
    4. In the Login and provisioning section, click SAML SSO.
    5. Click Configure SAML and select Microsoft Azure Active Directory.
    6. Enter the App Federation Metadata URL from Azure AD and click Review.
    7. Check the box to confirm This information is correct... and click Configure SAML SSO.
    8. Click the Copy link next to your Tenant ID. You'll need this to complete the set up process in Azure AD.

    You need to decide if logging in via SAML SSO is mandatory, or if users can still login via email address and password. Learn more about authentication options →

    Set up SAML SSO in Azure

    Complete these steps to configure SAML SSO in Azure Active Directory. You can choose to initiate SAML from the Azure Active Directory or Figma.

    Configure SAML SSO

    Remember: Swap the <TENANT ID> placeholder with the Tenant ID generated by Figma.

    1. In your Azure Portal open the Figma app.
    2. In the Manage section, select Single Sign-On
    3. On the Select a single sign-on method page, select SAML.
    4. Click the pen icon next to Basic SAML Configuration
    5. To configure in in IDP initiated mode:
      1. In the Identifier field enter the URL: https://www.figma.com/saml/<TENANT ID>
      2. In the Reply URL field enter the URL: https://www.figma.com/saml/<TENANT ID>/consume
    6. To configure in SP initiated mode:
      1. Click Set additional URLs
      2. In the Sign-on URL field enter the URL: https://www.figma.com/saml/<TENANT ID>/start

    Map user attributes

    Map your user attributes between Figma and Azure Active Directory.

    Required

    There are some required attributes that you will need to keep.

    GivenName user.givenname
    Surname user.surname
    Emailaddress user.mail
    Name user.userprincipalname
    Unique User Identifier user.userprincipalname
       

    Pre-Populated

    Figma will pre-populate some other attributes. You can review and adjust these as required.

    externalId user.mailnickname
    displayName user.displayname
    title user.jobtitle
    emailaddress user.mail
    familyName user.surname
    givenName givenName
    userName user.userprincipalname

    Test your SAML Configuration

    Microsoft recommends testing your SAML configuration before adding or importing your accounts.

    1. Create a test user in Azure AD.
    2. Assign the test user to Figma in Azure AD.
    3. Figma will create a corresponding test user account in Figma
    4. Test the SSO process with this user.

    Find detailed instructions in Microsoft Azure's Tutorial: Azure Active Directory single sign-on (SSO) integration with Figma.

    Set up automatic provisioning with SCIM

    You'll need an API token from Figma to set up SCIM in Azure AD. We recommend having both Figma and Azure AD open to make copying between them easier.

    Generate an API token in Figma

    1. Click Admin Settings under the Organization name in the sidebar.
    2. Select Settings at the top of the screen.
    3. In the Login and provisioning section, click SCIM provisioning.
    4. Click Generate API Token in the dialog.
    5. Copy the API token to your clipboard. You'll need this to complete the process in Okta.

    Configure SCIM in Azure AD

    Note: You'll need your Tenant ID and API Token from Figma. Remember to swap the <TENANT ID> placeholder in the URL below with the Tenant ID Figma generated.

    1. In your Azure Portal go to Enterprise Applications > All Applications
    2. Select the Figma app.
    3. Go to the Manage section select Provisioning.
    4. Set the Provisioning Mode to Automatic.
    5. Enter the following details in the Admin Credentials section:
      1. Enter the URL in the Tenant URL field: https://www.figma.com/scim/v2/<TenantID>
      2. Enter the API Token in the Secret Token field.
      3. Click Test Connection to make sure that Azure AD can connect to Figma.
    6. Enter the desired email address in the Notification Email field.
    7. Check the box next to Send an email notification when a failure occurs and click Save to apply.
    8. In the Mappings section, select Synchronize Azure Active Directory Users to Figma.
    9. In the Attribute Mappings section, review the Azure Active Directory Attribute and the corresponding Figma Attribute.
    10. Click the Save button to apply any changes.
    11. Under Settings, toggle the Provisioning Status > On.
    12. Define which users and/or groups you would like to provision to Figma. Choose from:
      • Sync all users and groups
      • Sync only assigned users and groups
    13. Click Save to apply your provisioning settings.

    Note: These instructions are modified from Microsoft Azure's Tutorial. Check out Configure Figma for automatic user provisioning for screenshots and detailed explanations.

    Related Videos

    • Privacy and security in an Organization

      Before you start

      Who can use this feature

      Anyone on the Figma Organization plan

      Anyone with Admin access to the Organization can manage an Organization's settings.

      Figma Organization gives you greater control over what's shared within your business.

      Privacy and security by design

      Security is part of everything we do. It’s top of mind in how we work, treat customer data, and develop our product.

      • Figma has completed a SOC 2 Type II audit. SOC 2 is a security compliance standard for software companies in the United States. Its guidelines and policies help businesses, like Figma, protect customer data.
      • Figma is also certified under the EU-US and Swiss-US Privacy Shield Frameworks. Privacy Shield protects the transfer of customer data between the United States and European Union (EU).

      Learn more about Figma's Privacy and Security policies.

      Intellectual property

      The Organization has ownership over all the Files created within the Organization. This includes Files within a member's Drafts, or Personal Space.

      When you remove a member, all their Teams, Files and Projects will stay in the Organization.

      Figma will also move Files a deleted member's Drafts to a shared folder in the Organization. Organization Admins can access these Files and delete or redistribute them.

      Control link sharing

      There are a few ways members can get access to files in an Organization:

      • A member invites them to the file
      • They are a member of the team or project
      • They open a link to a Figma file (link sharing)

      Use link sharing settings to define who can open the file, and whether they have view or edit access. This includes members of the Organization and guests outside of the Organizatio

      You can update the link sharing settings for each file. The default settings are Anyone at Organization with link and can view.

      Discover files

      Choose how members of your Organization can share and access files via links. Guests of an Organization can only access files and teams to which they have been invited.

      • Choose Anyone with the link to allow people inside and outside the Organization to access the file. This includes both members of the Organization and Guests who have the link.
      • Choose Anyone at Organization with the link: **Organization members will need to have a link to the file to access it. When they open the link, they can view the file.
      • Choose Anyone at Organization to allow anyone in the Organization to access the file. Use this setting for library files you want to share with the whole Organization. Guests of the Organization won't be able to access these files unless you invite them to the file or team.
      • Choose Only people invited to this file if you only want team members or people you explicitly invite to the file to access it.

      Interact with files

      Choose what level of access other members of the Organization have, once they open the file.

      This setting applies to anyone who opens the file, unless they're a member of the team or have an explicit role on the file.

      • Choose can edit to give anyone who opens the file the option to edit.
      • Choose can view to allow people to view the file without being able to make any edits.
      • Choose can view prototypes only to only allow them to access the prototype, and not the designs in the file itself.

      Link sharing settings in the shar modal for a file in an Organization

      It's possible to disable public link sharing in an Organization. This prevents anyone outside the Organization from accessing files via the file link.

      Organization Admins can contact the Figma Support team to turn off this functionality. This will remove the Anyone with the link option from the link sharing options.

      Permissions

      In a Team, Permissions determine how members can interact with Files and Projects in the Team.

      In an Organization, every member of an Organization has a Role and an Account Type. This controls what they can access, and how they interact with the Organization.

      • Register official company domains for email addresses
      • Invite members to your Organization as Members or Guests. Guests can only access resources you invite them to.
      • Set and update Permissions at any time. Downgrade members to Viewer [Restricted] to restrict their access.
      • Set different levels of Organization access levels for Teams

      Learn more about permissions in an Organization →

      Activity logs

      Activity Logs provide a record of how users are interacting with Files and resources. This allows you to track what's happening within your Organization:

      • See who is accessing, copying and sharing Files
      • Track changes made to Teams, Projects and File Permissions
      • View Activity for individual members
      • Track changes made by Organization Admins
      • Identify and prevent misuse of Organization Resources

      Learn more about activity logs →.

      SAML SSO

      Organizations that need enhanced security requirements can configure SAML SSO.

      Security Assertion Markup Language (SAML) is a security standard for logging into applications.

      Single Sign On (SSO) allows users to log into many applications or websites via one set of login details.

      Figma has integrations with the following providers:

      You can also set up a custom SAML configuration with a provider that isn't on this list.

      Learn more about SAML SSO →.

      Two-factor authentication

      If you don't have SAML or Google SSO enabled, members of your Organization can add extra security via two-factor authentication (2FA).

      When enabled, members will need to confirm their identity every time they log in to Figma.

      Members will need to set this up individually, in their Account Settings. There isn't a way to enable 2FA or make it mandatory across an entire Organization.

      If you're using SAML SSO, you may be able to enable 2FA with your Identity Provider.

      Learn more about two-factor authentication →

    • Guide to SAML SSO in Figma

      Organizations that need enhanced security requirements can configure SAML SSO.

      Security Assertion Markup Language (SAML) is a security standard for logging into applications. Single Sign On (SSO) allows users to log into many applications or websites via one set of login details.

      In a SAML SSO set up, the identity provider  manages the Organization's user accounts and credentials. The service provider is the app or website that provides services to the User or Organization. That's Figma.

      How SAML SSO works:

      1. User attempts to log in to Figma via SAML SSO.
      2. Figma creates a SAML request and sends this to the identity provider.
      3. The identity provider checks this user's credentials to confirm they are correct.
      4. The identity provider then sends a response to Figma to verify the user's identity.
      5. Figma accepts the response and logs the user into their Figma account.

      Note: Figma uses SAML 2.0 for all SAML SSO configurations. This includes configurations with any of our supported identity providers, as well as any custom configurations.

      Set up SAML SSO

      The process for configuring SAML will depend on your specific identity provider. We've outlined the general process for implementing SAML SSO in your Organization below.

      Confirm your company domain(s)

      Domains are the way we identify entities on the internet. We can view domains in a website's URL www.figma.com or email address support@figma.com.

      Organization Admins will define what domains are associated with their business as part of the set up process. Organizations can have more than one domain, including subdomains.

      Domains let Figma know who to treat as a member of the Organization, and who to treat as a guest.

      For example: ACME Corp has three domains registered to their Figma Organization: acme.org, acmecorp.org, and dev.acme.org.

      • Anyone with an acme.org, acmecorp.org, or dev.acme.org email address is a member.
      • Anyone with an email address that doesn't match those domains is a guest. For example: name@gmail.com or name@notyourdomain.com

      Learn more about domains and domain capture →

      If you plan on using SAML SSO, you will need to register each domain you want to use in Figma with your identity provider. Email aliases do not work with SAML SSO.

      For a member to access their existing files and projects in the Organization, they will need to be using their correct company email to join the Organization. We recommend making sure everyone is using their company email in Figma before you set up SAML SSO.

      Add Figma app to your identity provider

      This usually involves adding an app to your identity provider. Your identity provider will provide you with a Metadata URL during this process.

      This is an XML link that Figma will use to connect your identity provider, and authenticate users when they login.

      Figma supports dedicated integrations with the following identity providers:

      Note: You can also set up a custom SAML configuration with a provider that isn't on this list. This will involve setting up a custom app with your identity provider. Learn more about custom SAML configurations →

      *If you want to use Google SAML SSO and SCIM, you need to set up a custom SAML configuration instead of using the Google SSO option. Learn more about Google SAML SSO →

      Turn on SAML SSO in Figma

      Next, you'll need to set up SAML SSO in Figma. This does the following:

      • Turns on SAML SSO in your Organization
      • Connects your identity provider to your Figma account
      • Lets you decide if how members can login

      Figma will provide you with a Tenant ID as part of this process, which you'll need to complete the configuration process with your provider.

      You also need to decide if logging in via SAML SSO is mandatory, or if users can still login via email address and password.

      If you want to set up Google SSO, all users must login via Google SSO. There is no way to make this optional or enable this for only some users. Learn more about authentication options →

      Set up SAML SSO in your identity provider

      Complete the rest of the set up process with your identity provider. The articles below cover this process in detail.

      For supported providers, you'll only need your Tenant ID. For custom configurations, you'll need both the SP Entity ID and SP ACS URL.

      Set up SCIM provisioning (optional)

      All SAML SSO configurations support "Just In Time" (JIT) or manual provisioning. JIT provisioning allows Figma to create and update users in Figma.

      JIT only applies any changes to a user's profile when they next log into their account, not when the Admin first makes the changes.

      You can choose to enable automatic provisioning via SCIM. SCIM pushes any changes you make to Figma, as soon as they happen.

      SCIM gives you greater control as it allows you to also import and deactivate users.

      • Supported identity providers: you can enable provisioning via SCIM. We include instructions for setting up automatic provisioning via SCIM in each provider's article.
      • Custom SAML configuration: you can set up SCIM with your chosen identity provider.Learn more about setting up a custom SCIM configuration →

      Users can now access Figma using their company email address and password. If they have already been using Figma, they can log in to their account. If they are new to Figma, they can create a new account.

      When you provision a user with your identity provider, Figma will add them to your Organization as a Viewer. This is a provisional Role, which means there are no restrictions around upgrading.

      It's not possible to define a user's permissions via your identity provider. You can only manage a user's permissions in Figma. Learn more about managing members →

      Edit a SAML configuration

      Organization Admins can make changes to the SAML SSO settings at any time. This is perfect when you need to fix errors, update an expired certificate, or switch to another provider.

      You will need to update your Authentication settings to Members may log in with any method, including email and password to edit your configuration. This allows members to log in with email address and password, while you make any changes.

      1. Open Figma in the file browser.
      2. Select Admin Settings in the sidebar.
      3. Select the Settings tab at the top of the screen.
      4. In the Login and provisioning section, click the Authentication setting.
      5. Select Members may log in with any method, including email and password.
      6. Click Done to return to the screen.
      7. Click on the SAML SSO option to adjust your settings. 

      Learn more about choosing an authentication method →

    • Domains and domain capture in Organizations

      Domains are the way we identify entities on the internet. We can view domains in a website's URL www.figma.com or email address support@figma.com.

      Organization Admins will define what domains are associated with their business as part of the set up process. Organizations can have more than one domain, including subdomains.

      Domains let Figma know who to treat as a member of the Organization, and who to treat as a guest.

      ACME Corp has three domains registered to their Figma Organization: acme.org, acmecorp.org, and dev.acme.org.

      • Anyone with an acme.org, acmecorp.org, or dev.acme.org email address is a member.
      • Anyone with an email address that doesn't match those domains is a guest. For example: name@gmail.com or name@notyourdomain.com

      View or update domains

      Organization Admins let Figma know which domains they have, as part of the upgrade process. You can submit requests to add and remove domains, as needed.

      Organization Admins can view domains in the Organization's Admin Settings:

      1. Open Figma in the file browser.
      2. Click Admin Settings in the sidebar.
      3. Select the Settings tab.
      4. View the current domains in the Domains section.
      5. Click Contact support to request a change to your settings.

      Domain capture

      Domain capture defines how members and guests can join the Organization. It also impacts other aspects of the Organization, including draft ownership.

      How do I tell if domain capture is on? The way you signed up for a Figma Organization will usually determine if domain capture is active:

      • Upgraded via a Figma Account Executive: domain capture is on by default.
      • Upgraded in the Figma product: domain capture is off. Reach out to the Figma support team to turn this on for your Organization.

      Add members

      Domain capture on

      Figma adds all accounts registered under a company email to the Organization. This includes both new and existing Figma accounts.

      There are many ways to add both members and guests to an Organization with domain capture:

      ACME Corp has two domains registered to their Figma Organization: acme.org and dev.acme.org.

      They have already migrated their chosen teams to their Figma Organization account. They want ensure everyone at ACME is a part of the same Figma Organization, so they turn on domain capture.

      Figma will now add anyone with a verified company email to the existing Organization. This includes anyone that:

      • Uses an email address with an acme.org or dev.acme.org domain
      • Already has a Figma account registered under their company email
      • Creates a new Figma account using their company email

      Domain capture off

      When domain capture is off, you can choose exactly who you would to invite to the Organization. This allows companies to:

      • Choose exactly who they want in the Organization
      • Have Professional teams that live outside of the Organization
      • Create more than one Organization

      Anyone with a company domain is a member, and anyone with an external domain is a guest.

      FASH Corp is a multi-national with teams in locations all around the world. They want each location to be its own Organization, so they can pay for them separately.

      The New York branch of FASH creates an Organization. They select their North American teams to migrate and register both fash.un and na.fash.un as domains.

      The Tokyo branch of FASH also creates an Organization. They select their APAC teams to migrate register both fash.un and ap.fash.un as domains.

      The Paris branch of FASH also creates an Organization. They select their European teams to migrate register both fash.un and eu.fash.un as domains.

      • Invite anyone with a fash.un email to any FASH Organization. This allows people to be members of all three Organizations.
      • Invite anyone with a na.fash.un email to the New York Organization
      • Invite anyone with a ap.fash.un email to the Tokyo Organization
      • Invite anyone with a eu.fash.un email to the Paris Organization
      • Members can create new accounts that aren't linked to the existing Organizations. This allows them to create a separate Professional team or Organization.

      Draft ownership

      Organizations usually have extra requirements or restrictions around privacy and security. One important factor protecting intellectual property and defining who owns what content.

      In an Organization, every member will have an Organization space and a Personal space. Everything in the Organization Space is the intellectual property of the Organization.

      • Organization space: teams, files, and resources that are part of the Organization.
      • Personal space: teams that aren't part of that Organization. This could be teams excluded from the upgrade, as well as external teams.

      Domain capture on

      Figma will migrate any accounts with company emails into the new Figma Organization.

      Figma moves any Files in their Drafts to the Drafts in their Organization space. These will become the property of the Organization.

      Domain capture off

      When you're added to the Organization will determine where Figma moves your drafts.

      • At initial migration: Figma will move a members' Drafts into the Organization space, making them the property of the Organization. They will remain there if they leave the Organization, or they are removed.
      • After initial migration: a member's drafts will stay in their Personal space. The Organozation does not have ownership of these files. The member will keep these files if they leave the Organization, or are removed.

      Remove members

      Everything in the Organization space is the intellectual property of the Organization.

      Regardless of the Organization's domain capture settings, Figma will do the following when you remove a member from your Organization:

      • Remove their access to the Organization space
      • Prevent them from accessing teams, files or libraries in the Organization.
      • Transfer ownership of any teams to the member with the highest permissions on that team. If they also own individual files and projects, Figma will transfer ownership to an existing Editor.
      • Move any Drafts from the Organization space to the Organization's Shared Projects.

      Files in the Shared Projects folder are locked for all other collaborators. Organization Admins will need to claim ownership of the project to unlock files and assign a new owner.

      Domain capture on

      Members or guests will no longer have access to the Figma account under their company email. This means they will also lose access to:

      • Drafts in their personal space
      • Any teams, files, and projects that were in their personal space

      Domain capture off

      Figma will detach the user's email address from the Organization. This allows them to access everything that was in their personal space.

      • Keep the existing Figma account they registered under their company email
      • Access any teams, files, and projects that were in their personal space
      • Access the Drafts in their personal space
    • Choose Organization authentication method

      Before you start

      Who can use this feature

      Supported on the Figma Organization plan

      Only Organization Admins can adjust the Organization's log in and authentication settings.

      Organization Admins can choose what method members can use to log in to the Organization. These settings will apply to any member that has an email address that matches your Organization's domain(s).update the

      You can update these settings at any time. If you want to make change to your SAML SSO configuration, you will need to temporarily update these settings to allow members to log in via any methods.

      Adjust authentication method

      Adjust the authentication method in the Organization's Admin Settings.

      1. Open Figma in the file browser.
      2. Select Admin Settings in the sidebar.
      3. Select the Settings tab at the top of the screen.
      4. In the Login and provisioning section, click the Authentication setting.

      Authentication option highlighted in the Login and Provisioning section of the Settings page

      The authenticated methods you can choose from in an Organization are:

      • Members may log in with any method, including email and password (default)
      • Members must log in with a Google account
      • Members must log in with SAML SSO

      Authentication modal with the methods available in an Organization

      Note: These settings only apply to members of your Organization. Guests can still log in to Figma with an email address and password, even if SAML SSO or Google SSO is mandatory in your Organization.

      Make SAML SSO mandatory

      Organizations with enhanced security requirements can configure SAML SSO.

      SAML SSO lets you connect your external identity provider to Figma, like Okta or Azure AD. Members of the Organization can then log in to Figma using their company email.

      You can choose whether users must log in via SAML SSO, or if they can login with another authentication method.

      • Select Members must log in with SAML SSO to make logging in via SAML SSO mandatory for members.
      • Select Members may log in with any method, including email and password to make SAML SSO optional.

      When you make SAML SSO mandatory, Figma will require members to use SAML SSO when they next log in. Guests can still use their company email address and password to access Figma.

      Make Google SSO mandatory

      If you are using G Suite to manage your company email, then you have two approaches available for authentication.

      Google SSO

      You can enable Google SSO in your Figma Organization. Members must use the Log in with Google option to log in using their Google-managed company email and password.

      • Select Members must sign in with a Google Account to make Google SSO mandatory.
      • Select Members may log in with any method, including email and password to make Google SSO optional.

      Note: You can disable this requirement at any time, if required. Return to this page and select Members may sign in with any available method, including email and password instead. You will need to update your authentication method to this setting, if you want make changes to your SAML SSO or SCIM settings.

      Google SAML SSO

      Google also supports both SAML SSO and SCIM configurations. If you want to use Google SAML SSO and SCIM with Figma, you need to:

      1. Set up a custom app for Figma in GSuite
      2. Decide if you want to make SAML SSO mandatory
      3. Set up a custom SAML configuration in Figma
    • SAML SSO with Okta

      Before you start

      Who can use this feature

      Supported on the Figma Organization plan

      Only Organization Admins can set up SAML SSO.

      You will need to have an existing Okta account to set up SAML SSO with Okta.

      Organizations that have stricter security requirements can configure SAML SSO. Learn more about SAML SSO in Figma →

      You can use Okta as your identity provider to authenticate and provision users. Figma supports SAML SSO initiated from both Okta (identity provider) and Figma (service provider).

      Add the Figma app to Okta

      To connect Figma and Okta, you will first need to add the Figma app to your Okta account. This will generate a IdP Metadata URL, which you'll need to configure SAML SSO in Figma.

      1. Log in to your Okta account and head to the Applications page.
      2. Select Add Application from the options.
      3. Search for Figma and click the Add button to add Figma to your account.
      4. Once installed, go to the Sign On page.
      5. Right click on the Identity Provider Metadata link and choose Copy link address. The link should look like this: https://example.okta.com/app/abc123/sso/saml/metadata

      Set up SAML SSO in Figma

      Next you'll need to set up SAML SSO in your Organization's Admin Settings.

      1. Open Figma in the file browser.
      2. Click Admin Settings under the Organization name in the sidebar.
      3. Select Settings at the top of the screen.
      4. In the Login and provisioning section, click SAML SSO.
      5. Click Configure SAML and select Okta from the options.
      6. Enter the IdP Metadata IRL from Okta and click Review.
      7. Check the box to confirm This information is correct... and click Configure SAML SSO.
      8. Click the Copy link next to your Tenant ID. You'll need this to complete the set up process in Okta.

      You need to decide if logging in via SAML SSO is mandatory, or if users can still login via email address and password. Learn more about authentication options →

      Set up Figma in Okta

      Now you have your Tenant ID, you can complete the configuration process in Okta. You will need to configure the Figma app and mapping user attributes between applications.

      Configure SAML SSO

      1. Open the Figma app in Okta.
      2. Go to Sign On tab and click Edit.
      3. Scroll down to the Advanced Sign-On Settings section.
      4. Enter your Tenant ID in the field provided.
      5. In the Application username format field, select Email from the options.
      6. Click Save to complete the process.

      Log in via Figma (service provider initiated SSO) To start the SAML SSO process from Figma's end, head to the following URL: https://www.figma.com/saml/[TenantID]/start 

      Make sure to replace [Tenant ID] with your Organization's actual Tenant Id!

      Assign users to the application

      Now you can start assigning users to the application. As part of this process, you may be asked to provide additional information about each user.

      Figma supports some basic attributes, as well as attributes only available to SCIM Enterprise users.

      Start adding users to the application in the Assignments tab on the far right.

      Supported Basic Attributes

      Variable Name External Name External Namespace Suggested Mapping
      givenName givenName urn:ietf:params:scim:schemas:core:2.0:User user.firstName
      familyName familyName urn:ietf:params:scim:schemas:core:2.0:User user.lastName
      displayName displayName urn:ietf:params:scim:schemas:core:2.0:User user.displayName
      title title urn:ietf:params:scim:schemas:core:2.0:User user.title

      Supported SCIM Enterprise User Attributes

      Variable Name External Name External Namespace Suggested Mapping  
      employeeNumber employeeNumber urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.employeeNumber
      costCenter costCenter urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.costCenter
      organization organization urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.organization
      division division urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.division
      department department urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.department
      managerValue manager.value urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.managerId
      managerDisplayName manager.displayName urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.manager

      Note: Missing the SCIM Enterprise user attributes? Figma applications added in Okta prior to June 2019 may need to be upgraded. Please contact support@figma.com for assistance.

      Set up automatic provisioning with SCIM

      Okta also supports automatic provisioning with SCIM. To set up SCIM you will need to generate an API token in Figma then add this to Okta.

      We recommend having both windows open to make copying between the two easier.

      Generate an API token in Figma

      1. Click Admin Settings under the Organization name in the sidebar.
      2. Select Settings at the top of the screen.
      3. In the Login and provisioning section, click SCIM provisioning.
      4. Click Generate API Token in the dialog.
      5. Copy the API token to your clipboard. You'll need this to complete the process in Okta.

      Configure automatic provisioning in Okta

      Important! Make sure the following functions are enabled in Okta:

      • Create Users
      • Update User Attributes
      • Deactivate Users
      1. Open the Figma app in Okta.
      2. Go to the Provisioning tab in the Figma app.
      3. Click the Configure API Integration button.
      4. Check the box next to Enable API Integration.
      5. Enter the API Token in the field provided.
      6. Click Test API Credentials to ensure it's set up correctly.
      7. When you get a success message, click Save to apply.
      8. A few more options will now appear under the Provisioning section. Select To App in the left-hand menu.
      9. Click Save to apply.
    • SAML SSO with OneLogin

      Before you start

      Who can use this feature

      Supported on the Figma Organization plan

      Only Organization Admins can set up SAML SSO.

      You will need to have an existing OneLogin account

      Organizations that have stricter security requirements can configure SAML SSO. Learn more about SAML SSO in Figma →

      You can use OneLogin as your identity provider to authenticate and provision users. Figma supports SAML SSO initiated from both OneLogin (identity provider) and Figma (service provider).

      Add Figma to OneLogin

      First, you'll need to add the Figma App to your OneLogin account.

      1. Log in to your OneLogin account and go the Administration section.
      2. Head over to the Apps page and select Add Apps.
      3. Search for Figma in the Find apps field.
      4. On the Info tab, click Save to add the app to your Company Apps.
      5. You will then be able to access the additional configuration settings. Click on the SSO tab:
      6. Copy the contents of the Issuer URL field:

        The SSO tab in the Figma app in OneLogin

      Set up SAML SSO in Figma

      Next you'll need to set up SAML SSO in your Organization's Admin Settings.

      1. Open Figma in the file browser.
      2. Click Admin Settings under the Organization name in the sidebar.
      3. Select Settings at the top of the screen.
      4. In the Login and provisioning section, click SAML SSO.
      5. Click Configure SAML and select OneLogin from the options.
      6. Enter the IdP Metadata IRL from OneLogin and click Review.
      7. Check the box to confirm This information is correct... and click Configure SAML SSO.
      8. Click the Copy link next to your Tenant ID. You'll need this to complete the set up process in Okta.

      You need to decide if logging in via SAML SSO is mandatory, or if users can still login via email address and password. Learn more about authentication options →

      Configure SAML SSO in OneLogin

      Once you've received your confirmation and Tenant ID, you can complete the configuration process in OneLogin.

      1. Go back to the Figma App in OneLogin (Administration > Apps > Figma)
      2. Go to the Configuration Tab for the Figma app:

        The Configuration tab in the Figma app in OneLogin

      3. Enter the Tenant ID that you copied from Figma.
      4. Click SAVE to complete the process.

      Set up automatic provisioning via SCIM

      To set up automatic provisioning you will need to:

      1. Generate an API Token in Figma
      2. Configure Automatic Provisioning in OneLogin
      3. Map Custom Attributes

      Tip! We recommend having both of these windows open at the same time, to make that process easier.

      Generate an API token in Figma

      1. Click Admin Settings under the Organization name in the sidebar.
      2. Select Settings at the top of the screen.
      3. In the Login and provisioning section, click SCIM provisioning.
      4. Click Generate API Token in the dialog.
      5. Copy the API token to your clipboard. You'll need this to complete the process in Okta.

      Configure SCIM in OneLogin

      You'll need your API Token from Figma

      1. Open the Figma app in OneLogin.
      2. Go to the Configuration Tab for the Figma app.
      3. Under API connection, enter your API token in the SCIM Bearer Token field.
      4. Click ENABLE.
      5. Go to the Provisioning tab and check the box next to Enable Provisioning.
      6. Select which provisioning actions you want to require administrator approval for. You can choose to enable this for:
        • Create User
        • Delete User
        • Update User
      7. Decide the appropriate action for When user accounts are suspended in OneLogin..

        The provisioning tab in the Figma app with the above settings in place and suspend chosen for the appropriate action

      Add custom attributes

      Some Figma attributes are mapped to OneLogin attributes by default:

      • Email
      • First Name
      • Last Name
      • NameID
      • SCIM Username
      • Title
      • Manager
      • Department

      Other SCIM Enterprise User attributes are optional. You will need to add these as custom user fields if you want to include them in your provisioning:

      • employeeNumber
      • costCenter
      • organization
      • division

      To create a custom field in OneLogin:

      1. Login to your OneLogin account.
      2. Go to Users > Custom User Fields in the main menu:
      3. Complete the New User Field inputs.
      4. Click SAVE to apply your changes.
    • Set up SAML SSO for ADFS

      Organizations that have stricter security requirements can configure SAML SSO. Learn more about SAML SSO in Figma →

      If you use Microsoft's Active Directory Federated Service (ADFS), you can set up SAML SSO for your Figma Organization.

      To use this integration you will need to:

      • Have an ADFS instance of 3.0 or later
      • Expose the SAML endpoint for ADFS

      You can use Micro as your identity provider to authenticate and provision users. Figma supports SAML SSO initiated from both Microsoft ADFS (identity provider) and Figma (service provider).

      Add Figma to ADFS

      Required information

      There are a few pieces of information that you'll need from Figma during the set up process. We recommend having this open in another tab or window, so you can quickly copy it across.

      1. Open Figma in the file browser.
      2. Click Admin Settings under the Organization name in the sidebar.
      3. Select Settings at the top of the screen.
      4. In the Login and provisioning section, click SAML SSO.
      5. Find the SP Entity ID and the SP ACS URL. You'll need both to set up the connection in ADFS.

      Tip! These URLs will look very similar as they both include your Tenant ID. The only difference is that your SP ACS URL will have /consume added to the end of it.

      You need to decide if logging in via SAML SSO is mandatory, or if users can still login via email address and password. Learn more about authentication options →

      Add Figma to your ADFS instance

      Now you need to add Figma as a "Relying Party Trust" to your ADFS instance.

      1. Open your ADFS instance.
      2. In the Actions column, click Add Relying Party Trust. This will open a wizard that will guide you through the set up process. ADFS instance with panels showing an overview of the instanc and a list of actions, including the add relying party trust option
      3. On the Welcome screen, click “Start” to start the set up process.
      4. On the Select Data Source step, select Enter data about the relying party manually and click Next.

      5. Add a Display name, like Figma or similar, then click Next to proceed.

      6. On the Configure Certificate step, click the Browse button. Select ADFS profile from the options and click Next.
      7. On the Configure URL step, select Enable support for the SAML 2.0 WebSSO protocol

      8. On the same page, paste the Figma SP ACS URL in the field provided. The link should look something like this: https://figma.com/saml/123456789123456789/consume. Click Next to proceed. The Configure URL step of the process with the Enable support for the SAML 2.0 option checked and the URL pasted in the field provided

      9. On the Configure Identifiers step, paste in your SP Entity ID in the Relying party trust identifier field. The link should look something like this: https://figma.com/saml/123456789123456789. Click Next to proceed. Configure identifiers page with the SP Entity ID url listed in the Relying party trust identifier section
      10. On the Choose Access Control Policy step, choose an access control policy. This determines who can authenticate their Figma account via SSO. Click Next to proceed. The Choose Access Control Policy with Permit Everyone selected
      11. On the Ready to Add Trust step, click the Next button to complete the process.
      12. Click Close to finish the Wizard.

      Add attributes to ADFS

      Next, you need to add a rule to ADFS. This will ensure the integration sends LDAP attributes as claims.

      1. On the Edit Claim Issuance Policy page, click the Add rule button.
      2. Under Claim rule template, select Send LDAP Attributes as Claims. Click Next to proceed.
      3. On the Configure Claim Rule step:
        1. Enter a Claim rule name.
        2. For your Attribute store, select Active Director.
        3. In the LDAP Attribute... column, select E-Mail Address.
        4. In the Outgoing Claim Type... column, select E-Mail Address.
        5. Click Finish to complete the process and return to the Edit Claim Issuance Policy screen.
      4. Click Apply to apply the rule and return to the Issue Transform rules page.
      5. Click Add Rule to add a second Transform rule.
      6. Under Claim rule template, select Transform an Incoming Claim. Click Next to proceed.
      7. On the Configure Claim Rule step:
        1. For Claim rule name, enter Transform email address as NameID
        2. In the Incoming claim type, select E-Mail Address.
        3. In the Outgoing Claim Type column, select NameID
        4. In the Outgoing name ID format column, select Email
        5. Toggle Pass through all claim values.
        6. Click OK to complete the process and return to the Edit Claim Issuance Policy screen.
      8. Click Apply to apply the rules to your instance.

      Export signing certificate

      Now you'll need to export your Signing Certificate, usually called the X509 certificate. We use this to verify your Organization via your Identity Provider.

      1. In your ADFS instance, go to Service > Certifications
      2. Click on the certificate under Token-signing and select View Certificate. certificate
      3. Click Copy to File > Ok.
      4. Click Next on Certificate Export Wizard.
      5. Select Base-64 encoded... from the options and click Next.
      6. Name your certificate file figma.cer and click Next.
      7. Click Finish to export the certificate. ADFS will export the certificate to your configured downloads folder.

      Complete the set up process in Figma

      Now that you have everything set up in ADFS, you'll need to add your ADFS details to Figma. Our Set up a custom SAML configuration article takes you through that process.

      You'll need the following information from ADFS:

      • IdP Entity Id: This lets Figma know which Identity Provider you are using.
      • IdP SSO Target URL: Figma will use this link to connect to the Identity Provider when someone from your Organization attempts to login via SAML SSO. For ADFS, it should look something like this: https://**sso.yourdomain.tld**/adfs/ls/
      • Signing Certificate: This is the certificate that you have just downloaded.
    • Set up a custom SAML configuration

      Before you start

      Who can use this feature

      Supported on the Figma Organization plan

      Only Organization Admins can set up SAML SSO.

      You must use SAML 2.0 to set up SAML SSO with Figma.

      Organizations that have stricter security requirements can configure SAML SSO. Learn more about SAML SSO in Figma →

      If you do not use one of our supported identity providers, you can set up a custom SAML configuration. You must use SAML 2.0, Figma doesn't support earlier versions of SAML.

      Note: you will need the following information from your identity provider to set up SAML SSO in Figma:

      • IdP Entity Id: This lets us know which Identity Provider you are using.
      • IdP SSO Target URL: We will use this link to connect to the Identity Provider when someone from your Organization attempts to login via SAML SSO.
      • Signing Certificate: Usually called the X509 certificate. We use this to verify your Organization via your Identity Provider.

      Set up SAML SSO in Figma

      You need to decide if logging in via SAML SSO is mandatory, or if users can still login via email address and password. Learn more about authentication options →

      1. Open Figma in the file browser and select Admin Settings in the sidebar.
      2. Select Settings at the top of the screen.
      3. In the Log in and provisioning section, click SAML SSO.
      4. In the Identity Provider section, select Other.
      5. Enter the details from your identity provider:
        • IdP Entity ID
        • IdP SSO Target URL
      6. Upload your Signing Certificate and click Review.
      7. Check the box to confirm This information is correct... and click Configure SAML SSO
      8. Figma will generate the information you need to complete the process with your identity provider.

      Complete the set up with your identity provider

      1. View the details of your SAML SSO configuration in Figma. You'll need these to complete the configuration process with your Identity Provider:
        • The SP Entity ID
        • The SP ACS URL
      2. Make sure to configure the NameId using the following format:  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

      Tip! You can address any typos, or update your SAML SSO configuration at any time. Return to these settings and click the Edit Configuration button. Learn more about editing your SAML SSO settings →

    • Set up automatic provisioning via SCIM

      All SAML SSO configurations in Figma support Just In Time (JIT) provisioning. This is manual provisioning which only applies any changes when a user next logs into their account, not when the Admin makes the changes. JIT supports creating and updating users in Figma.

      You can choose to enable automatic provisioning with SCIM. SCIM pushes any changes you make to Figma, as soon as they happen. SCIM also support importing and deactivating users.

      To set up automatic provisioning you will need to an API token in Figma and a SCIM URL. This will allow you to configure automatic provisioning in your identity provider.

      Copy your details from Figma

      To make the set up process easier, we recommend having both Figma and your identity provider open at the same time.

      You can generate an API token and find your Tenant ID on the Settings page of your Organization's Admin Settings:

      1. Open Figma in the file browser and select Admin Settings in the sidebar.
      2. Select the Settings tab.

      Generate an API token

      1. In the Login and provisioning section, click SCIM Provisioning.
      2. Click Generate API Token.
      3. Copy the API Token value.

      Find your Tenant Id

      Your identity provider will need a SCIM base URL to configure SCIM. Your Tenant Id will make up part of this URL.

      1. In the Login and provisioning section, click SAML SSO.
      2. Copy the Tenant ID.
      3. Use the tenant Id to create the SCIM base URL: https://www.figma.com/scim/v2/[tenant]

      Set up SCIM with your identity provider

      The process for setting up provisioning depends on your identity provider.

      Configure SCIM

      If you're using one of our supported identity providers, you can follow our help articles:

      If you're using an identity provider we haven't listed here, you can still set up SCIM with Figma.

      You'll need to set up SAML SSO configuration with your identity provider, before you can configure SCIM. This may require you to set up a custom application.

      We aren't able to provide documentation for custom configurations. Please reach out to your identity provider for any assistance with a custom configuration.

      IMPORTANT

      As part of the set up process with your identity provider, you'll need to choose which provisioning functions to use. Make sure the following functions are enabled:

      • Create Users
      • Update User Attributes
      • Deactivate Users

      Assign users to the application

      When you set up automatic provisioning, you will be asked to assign users to the application.

      As part of this process, you may be asked to provide additional information about each user. Figma supports the following common basic attributes, as well as some optional extras.

      Basic attributes

      Scroll to view table

      Variable Name External Name External Namespace Suggested Mapping
      givenName givenName urn:ietf:params:scim:schemas:core:2.0:User user.firstName
      familyName familyName urn:ietf:params:scim:schemas:core:2.0:User user.lastName
      displayName displayName urn:ietf:params:scim:schemas:core:2.0:User user.displayName
      title title urn:ietf:params:scim:schemas:core:2.0:User user.title

      Advanced attributes

      Scroll to view table

      Variable Name External Name External Namespace Suggested Mapping  
      employeeNumber employeeNumber urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.employeeNumber
      costCenter costCenter urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.costCenter
      organization organization urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.organization
      division division urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.division
      department department urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.department
      managerValue manager.value urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.managerId
      managerDisplayName manager.displayName urn:ietf:params:scim:schemas:extension:enterprise:2.0:User user.manager

      Note: It's not possible to assign permissions in Figma via your identity provider. Figma will add provisioned users to your Organization as Viewers.

      This is a provisional role, which means there are no restrictions around upgrading. Learn more about Members in an Organization.