Related Videos

• SAML SSO with Okta

  Before you start

  Who can use this feature

  Supported on the Figma Organization plan

  Only Organization Admins can set up SAML SSO.

  You will need to have an existing Okta account to set up SAML SSO with Okta.

  Organizations that have stricter security requirements can configure SAML SSO. Learn more about SAML SSO in Figma →

  You can use Okta as your identity provider to authenticate and provision users. Figma supports SAML SSO initiated from both Okta (identity provider) and Figma (service provider).

  Add the Figma app to Okta

  To connect Figma and Okta, you will first need to add the Figma app to your Okta account. This will generate a IdP Metadata URL, which you'll need to configure SAML SSO in Figma.

  1. Log in to your Okta account and head to the Applications page.
  2. Select Add Application from the options.
  3. Search for Figma and click the Add button to add Figma to your account.
  4. Once installed, go to the Sign On page.
  5. Right click on the Identity Provider Metadata link and choose Copy link address. The link should look like this: https://example.okta.com/app/abc123/sso/saml/metadata

  Set up SAML SSO in Figma

  Next you'll need to set up SAML SSO in your Organization's Admin Settings.

  1. Open Figma in the file browser.
  2. Click Admin Settings under the Organization name in the sidebar.
  3. Select Settings at the top of the screen.
  4. In the Login and provisioning section, click SAML SSO.
  5. Click Configure SAML and select Okta from the options.
  6. Enter the IdP Metadata IRL from Okta and click Review.
  7. Check the box to confirm This information is correct... and click Configure SAML SSO.
  8. Click the Copy link next to your Tenant ID. You'll need this to complete the set up process in Okta.

  You need to decide if logging in via SAML SSO is mandatory, or if users can still login via email address and password. Learn more about authentication options →

  Set up Figma in Okta

  Now you have your Tenant ID, you can complete the configuration process in Okta. You will need to configure the Figma app and mapping user attributes between applications.

  Configure SAML SSO

  1. Open the Figma app in Okta.
  2. Go to Sign On tab and click Edit.
  3. Scroll down to the Advanced Sign-On Settings section.
  4. Enter your Tenant ID in the field provided.
  5. In the Application username format field, select Email from the options.
  6. Click Save to complete the process.

  Log in via Figma (service provider initiated SSO) To start the SAML SSO process from Figma's end, head to the following URL: https://www.figma.com/saml/[TenantID]/start 

  Make sure to replace [Tenant ID] with your Organization's actual Tenant Id!

  Assign users to the application

  Now you can start assigning users to the application. As part of this process, you may be asked to provide additional information about each user.

  Figma supports some basic attributes, as well as attributes only available to SCIM Enterprise users.

  Start adding users to the application in the Assignments tab on the far right.

  Supported Basic Attributes

  Variable Name	External Name	External Namespace	Suggested Mapping
  givenName	givenName	urn:ietf:params:scim:schemas:core:2.0:User	user.firstName
  familyName	familyName	urn:ietf:params:scim:schemas:core:2.0:User	user.lastName
  displayName	displayName	urn:ietf:params:scim:schemas:core:2.0:User	user.displayName
  title	title	urn:ietf:params:scim:schemas:core:2.0:User	user.title

  Supported SCIM Enterprise User Attributes

  Variable Name	External Name	External Namespace	Suggested Mapping
  employeeNumber	employeeNumber	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.employeeNumber
  costCenter	costCenter	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.costCenter
  organization	organization	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.organization
  division	division	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.division
  department	department	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.department
  managerValue	manager.value	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.managerId
  managerDisplayName	manager.displayName	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.manager

  Note: Missing the SCIM Enterprise user attributes? Figma applications added in Okta prior to June 2019 may need to be upgraded. Please contact support@figma.com for assistance.

  Set up automatic provisioning with SCIM

  Okta also supports automatic provisioning with SCIM. To set up SCIM you will need to generate an API token in Figma then add this to Okta.

  We recommend having both windows open to make copying between the two easier.

  Generate an API token in Figma

  1. Click Admin Settings under the Organization name in the sidebar.
  2. Select Settings at the top of the screen.
  3. In the Login and provisioning section, click SCIM provisioning.
  4. Click Generate API Token in the dialog.
  5. Copy the API token to your clipboard. You'll need this to complete the process in Okta.

  Configure automatic provisioning in Okta

  Important! Make sure the following functions are enabled in Okta:

  • Create Users
  • Update User Attributes
  • Deactivate Users

  1. Open the Figma app in Okta.
  2. Go to the Provisioning tab in the Figma app.
  3. Click the Configure API Integration button.
  4. Check the box next to Enable API Integration.
  5. Enter the API Token in the field provided.
  6. Click Test API Credentials to ensure it's set up correctly.
  7. When you get a success message, click Save to apply.
  8. A few more options will now appear under the Provisioning section. Select To App in the left-hand menu.
  9. Click Save to apply.
• SAML SSO with OneLogin

  Before you start

  Who can use this feature

  Supported on the Figma Organization plan

  Only Organization Admins can set up SAML SSO.

  You will need to have an existing OneLogin account

  Organizations that have stricter security requirements can configure SAML SSO. Learn more about SAML SSO in Figma →

  You can use OneLogin as your identity provider to authenticate and provision users. Figma supports SAML SSO initiated from both OneLogin (identity provider) and Figma (service provider).

  Add Figma to OneLogin

  First, you'll need to add the Figma App to your OneLogin account.

  1. Log in to your OneLogin account and go the Administration section.
  2. Head over to the Apps page and select Add Apps.
  3. Search for Figma in the Find apps field.
  4. On the Info tab, click Save to add the app to your Company Apps.
  5. You will then be able to access the additional configuration settings. Click on the SSO tab:
  6. Copy the contents of the Issuer URL field:

     

  Set up SAML SSO in Figma

  Next you'll need to set up SAML SSO in your Organization's Admin Settings.

  1. Open Figma in the file browser.
  2. Click Admin Settings under the Organization name in the sidebar.
  3. Select Settings at the top of the screen.
  4. In the Login and provisioning section, click SAML SSO.
  5. Click Configure SAML and select OneLogin from the options.
  6. Enter the IdP Metadata IRL from OneLogin and click Review.
  7. Check the box to confirm This information is correct... and click Configure SAML SSO.
  8. Click the Copy link next to your Tenant ID. You'll need this to complete the set up process in Okta.

  You need to decide if logging in via SAML SSO is mandatory, or if users can still login via email address and password. Learn more about authentication options →

  Configure SAML SSO in OneLogin

  Once you've received your confirmation and Tenant ID, you can complete the configuration process in OneLogin.

  1. Go back to the Figma App in OneLogin (Administration > Apps > Figma)
  2. Go to the Configuration Tab for the Figma app:

     

  3. Enter the Tenant ID that you copied from Figma.
  4. Click SAVE to complete the process.

  Set up automatic provisioning via SCIM

  To set up automatic provisioning you will need to:

  1. Generate an API Token in Figma
  2. Configure Automatic Provisioning in OneLogin
  3. Map Custom Attributes

  Tip! We recommend having both of these windows open at the same time, to make that process easier.

  Generate an API token in Figma

  1. Click Admin Settings under the Organization name in the sidebar.
  2. Select Settings at the top of the screen.
  3. In the Login and provisioning section, click SCIM provisioning.
  4. Click Generate API Token in the dialog.
  5. Copy the API token to your clipboard. You'll need this to complete the process in Okta.

  Configure SCIM in OneLogin

  You'll need your API Token from Figma

  1. Open the Figma app in OneLogin.
  2. Go to the Configuration Tab for the Figma app.
  3. Under API connection, enter your API token in the SCIM Bearer Token field.
  4. Click ENABLE.
  5. Go to the Provisioning tab and check the box next to Enable Provisioning.
  6. Select which provisioning actions you want to require administrator approval for. You can choose to enable this for:
     • Create User
     • Delete User
     • Update User
  7. Decide the appropriate action for When user accounts are suspended in OneLogin..

     

  Add custom attributes

  Some Figma attributes are mapped to OneLogin attributes by default:

  • Email
  • First Name
  • Last Name
  • NameID
  • SCIM Username
  • Title
  • Manager
  • Department

  Other SCIM Enterprise User attributes are optional. You will need to add these as custom user fields if you want to include them in your provisioning:

  • employeeNumber
  • costCenter
  • organization
  • division

  To create a custom field in OneLogin:

  1. Login to your OneLogin account.
  2. Go to Users > Custom User Fields in the main menu:
  3. Complete the New User Field inputs.
  4. Click SAVE to apply your changes.
• Set up SAML SSO for ADFS

  Before you start

  Who can use this feature

  Supported on the Figma Organization plan

  Only Organization Admins can set up SAML SSO.

  Organizations that have stricter security requirements can configure SAML SSO. Learn more about SAML SSO in Figma →

  If you use Microsoft's Active Directory Federated Service (ADFS), you can set up SAML SSO for your Figma Organization.

  To use this integration you will need to:

  • Have an ADFS instance of 3.0 or later
  • Expose the SAML endpoint for ADFS

  You can use Micro as your identity provider to authenticate and provision users. Figma supports SAML SSO initiated from both Microsoft ADFS (identity provider) and Figma (service provider).

  Add Figma to ADFS

  Required information

  There are a few pieces of information that you'll need from Figma during the set up process. We recommend having this open in another tab or window, so you can quickly copy it across.

  1. Open Figma in the file browser.
  2. Click Admin Settings under the Organization name in the sidebar.
  3. Select Settings at the top of the screen.
  4. In the Login and provisioning section, click SAML SSO.
  5. Find the SP Entity ID and the SP ACS URL. You'll need both to set up the connection in ADFS.

  Tip! These URLs will look very similar as they both include your Tenant ID. The only difference is that your SP ACS URL will have /consume added to the end of it.

  You need to decide if logging in via SAML SSO is mandatory, or if users can still login via email address and password. Learn more about authentication options →

  Add Figma to your ADFS instance

  Now you need to add Figma as a "Relying Party Trust" to your ADFS instance.

  1. Open your ADFS instance.
  2. In the Actions column, click Add Relying Party Trust. This will open a wizard that will guide you through the set up process.
  3. On the Welcome screen, click “Start” to start the set up process.
  4. On the Select Data Source step, select Enter data about the relying party manually and click Next.

  5. Add a Display name, like Figma or similar, then click Next to proceed.

  6. On the Configure Certificate step, click the Browse button. Select ADFS profile from the options and click Next.
  7. On the Configure URL step, select Enable support for the SAML 2.0 WebSSO protocol

  8. On the same page, paste the Figma SP ACS URL in the field provided. The link should look something like this: https://www.figma.com/saml/123456789123456789/consume. Click Next to proceed.

  9. On the Configure Identifiers step, paste in your SP Entity ID in the Relying party trust identifier field. The link should look something like this: https://www.figma.com/saml/123456789123456789. Click Next to proceed.
  10. On the Choose Access Control Policy step, choose an access control policy. This determines who can authenticate their Figma account via SSO. Click Next to proceed.
  11. On the Ready to Add Trust step, click the Next button to complete the process.
  12. Click Close to finish the Wizard.

  Add attributes to ADFS

  Next, you need to add a rule to ADFS. This will ensure the integration sends LDAP attributes as claims.

  1. On the Edit Claim Issuance Policy page, click the Add rule button.
  2. Under Claim rule template, select Send LDAP Attributes as Claims. Click Next to proceed.
  3. On the Configure Claim Rule step:
     1. Enter a Claim rule name.
     2. For your Attribute store, select Active Director.
     3. In the LDAP Attribute... column, select E-Mail Address.
     4. In the Outgoing Claim Type... column, select E-Mail Address.
     5. Click Finish to complete the process and return to the Edit Claim Issuance Policy screen.
     
  4. Click Apply to apply the rule and return to the Issue Transform rules page.
  5. Click Add Rule to add a second Transform rule.
  6. Under Claim rule template, select Transform an Incoming Claim. Click Next to proceed.
  7. On the Configure Claim Rule step:
     1. For Claim rule name, enter Transform email address as NameID
     2. In the Incoming claim type, select E-Mail Address.
     3. In the Outgoing Claim Type column, select NameID
     4. In the Outgoing name ID format column, select Email
     5. Toggle Pass through all claim values.
     6. Click OK to complete the process and return to the Edit Claim Issuance Policy screen.
  8. Click Apply to apply the rules to your instance.

  Export signing certificate

  Now you'll need to export your Signing Certificate, usually called the X509 certificate. We use this to verify your Organization via your Identity Provider.

  1. In your ADFS instance, go to Service > Certifications
  2. Click on the certificate under Token-signing and select View Certificate. certificate
  3. Click Copy to File > Ok.
  4. Click Next on Certificate Export Wizard.
  5. Select Base-64 encoded... from the options and click Next.
  6. Name your certificate file figma.cer and click Next.
  7. Click Finish to export the certificate. ADFS will export the certificate to your configured downloads folder.

  Complete the set up process in Figma

  Now that you have everything set up in ADFS, you'll need to add your ADFS details to Figma. Our Set up a custom SAML configuration article takes you through that process.

  You'll need the following information from ADFS:

  • IdP Entity Id: This lets Figma know which Identity Provider you are using.
  • IdP SSO Target URL: Figma will use this link to connect to the Identity Provider when someone from your Organization attempts to login via SAML SSO. For ADFS, it should look something like this: https://sso.yourdomain.tld/adfs/ls/
  • Signing Certificate: This is the certificate that you have just downloaded.