SAML SSO with Microsoft Entra ID
Before you start
Supported on the Organization and Enterprise plans
Only organization admins can set up SAML SSO.
You need an existing Microsoft Entra ID account
Organizations that manage users with Microsoft Entra ID can configure SAML SSO in Figma. Figma supports both identity (Entra ID) and service (Figma) initiated configurations.
We recommend having both Figma and Entra ID open in separate tabs. This allows you to switch between them throughout the setup process.
Configure SAML in an active organization
Microsoft recommends testing SAML configurations in a sandbox environment. However, there isn’t a way to create a sandbox or test environment in Figma. We recommend testing the Figma application with a test user, such as yourself, or a small group of users first.
To make sure existing users can still access Figma during the set up process, set the login and authentication method to Members may log in with any method, including email and password (default).
Once everything is up and running, you can update this setting to Members must log in with SAML SSO. Learn more in Microsoft's tutorial: Microsoft Entra SSO Integration with Figma.
Set up SAML SSO
Open SAML in Figma
Open your organization's SAML SSO settings in Figma. We'll come back to this page to configure SAML SSO in Figma, later on in the process.
- Open the organization in Figma.
- In the sidebar, select Admin.
- Select the Settings tab.
- In the Login and provisioning section, click Authentication.
- Make sure authentication is set to Members may log in with any available method... Click Done.
- From the Login and provisioning section, click SAML SSO.
- Figma opens a modal dialog with some key information for the SAML process.
-
Tenant ID:
123456789123456789
-
SP entity ID:
https://www.figma.com/saml/123456789123456789
-
SP ACS URL:
https://www.figma.com/saml/123456789123456789/consume
-
Tenant ID:
Figma uses your Tenant ID to generate your SP identity ID and SP ACS URL. You’ll need these when configuring SAML in Entra ID. You’ll use the SP entity ID to create a URL for service-provider initiated authentication.
Add Figma to Entra ID
Add Figma to your Entra ID portal.
- Open Entra ID in the overview page
- Select Enterprise applications
- Land on the All applications section
- Click Add application to browse Entra ID Gallery
- Search for Figma and select the correct result
- Click Create to add the application to Entra ID
- Entra ID will show a success message and redirect you to the Figma application overview:
Assign a test user
Assign a test user to Figma in Entra ID. This allows you to complete the SAML setup process and test the application.
- Select Assign users and groups from the options.
- Click + Add user/group to open the assignments page.
- Click Users and groups, click None selected.
- Search for test user. We recommend using your own account so that you can test the login at the end of the setup process.
- Click to add and return to the assignments page.
- Click Assign button to return to application page.
Configure SAML in Entra ID
Set up SAML in Entra ID. You’ll need the Tenant ID Figma provides to complete the process.
We recommend having both Figma and Entra ID open in separate tabs. This allows you to switch between them throughout the setup process.
- Select Single sign-on in panel
- Select SAML from options
- Under Basic SAML Configuration, click Edit to make changes
- Switch to the Figma tab in your browser.
- Next to the Tenant ID, click Copy
- Switch to the Entra ID tab in your browser.
- Under Identifier (Identity ID), click Add identifier
- Type in
https://www.figma.com/saml/
in the field provided, then paste your Tenant ID to complete the URL. - Copy the entire URL from the field to your clipboard.
- Under Reply URL (ACS link), click Add reply URL.
- Paste the identity URL in the field, then add
/consume
to the end of the link. - In the Sign on URL (Optional) field, paste the identity URL again, then add
/start
to the end of the link. - Click Save at the top of the screen:
- Click X in the top-right corner to return to the Figma application page.
Configure SAML in Figma
Now you can configure SAML in Figma. You’ll need the metadata link from Entra ID to complete the process in Figma.
- Open the Figma application in Entra ID.
- Scroll down to the SAML Signing Certificate section.
- Next to the App Federation Metadata XML, click Copy.
- Switch to the Figma tab in your browser.
- Click Configure SAML in the dialog.
- Select Microsoft Entra ID from the options.
- Paste the link in the IdP metadata URL field.
- Click Review to make sure the details are correct.
- Check the box next to This information is correct.
- Click Configure SAML SSO. Figma will return you to the Settings tab where you’ll see SAML SSO is now enabled:
Map user attributes
Map your user attributes between Figma and Entra ID.
Figma expects certain attributes in the SAML response. Some of these are required attributes and some are pre-populated but optional. You can review and adjust the optional attributes.
- Switch to the Entra ID tab in your browser and make sure you’re on the SAML sign-on page.
- Find the Attributes & Claims section. Click the pencil icon to edit these attributes.
- You can review and adjust any optional attributes. Make sure you don’t remove or adjust any required attributes.
Name |
Source attribute |
Required |
---|---|---|
GivenName |
user.givename |
Required |
Surname |
user.surname |
Required |
Emailaddress |
user.mail |
Required |
Name |
user.userprincipalname |
Required |
Unique User Identifier |
user.userprincipalname |
Required |
displayName |
user.displayname |
Pre-populated (Optional) |
title |
user.jobtitle |
Pre-populated (Optional) |
emailaddress |
user.mail |
Pre-populated (Optional) |
familyName |
user.surname |
Pre-populated (Optional) |
givenName |
givenName |
Pre-populated (Optional) |
userName |
user.userprincipalname |
Pre-populated (Optional) |
Test the application
With both Figma and Entra ID configured you can test the application. You’ll need to test this process with the user you added earlier.
If you skipped this step, you’ll need to assign a user to Figma ↑ first. We recommend adding your own account.
- Switch to the Entra ID tab in your browser and make sure you’re on the SAML sign-on page.
- Select Test this application at the top of the page.
- Click the Test sign in button. Entra ID will open a new tab and log you into Figma using SAML SSO.
Make SAML SSO mandatory
If the test process was successful, you can now allow other members to log in using their SAML SSO credentials. If you want to make log in via SAML mandatory for members, you can update the organization's authentication settings.
- Open the organization in Figma.
- In the sidebar, select Admin and go to the Settings tab.
- In the Login and provisioning section, click Authentication.
- Make sure authentication is set to Members may log in with any available method... Click Done.
Set up automatic provisioning with SCIM
You'll need an API token from Figma to set up SCIM in Entra ID. We recommend having both Figma and Entra ID open to make it easier to copy between them.
Generate Figma API token
- From the file browser, click Admin.
- Select Settings at the top of the screen.
- In the Login and provisioning section, click SCIM provisioning.
- Click Generate API Token in the dialog.
- Copy the API token to your clipboard. You'll need this to complete the process in Entra ID.
Configure SCIM in Entra ID
You'll need your Tenant ID and API Token from Figma. Remember to swap the <TENANT ID>
placeholder in the URL below with the Tenant ID Figma generated.
Note: These instructions are modified from Microsoft's Entra ID Tutorial. Check out Configure Figma for automatic user provisioning for screenshots and detailed explanations.
- In your Entra ID Portal go to Enterprise Applications > All Applications
- Select the Figma app.
- Go to the Manage section and select Provisioning.
- Set the Provisioning Mode to Automatic.
- Enter the following details in the Admin Credentials section:
- Enter the URL in the Tenant URL field:
https://www.figma.com/scim/v2/<TenantID>
- Enter the API Token in the Secret Token field.
- Click Test Connection to make sure that Entra ID can connect to Figma.
- Enter the URL in the Tenant URL field:
- Enter the desired email address in the Notification Email field.
- Check the box next to Send an email notification when a failure occurs and click Save to apply.
- In the Mappings section, select Synchronize Entra ID Users to Figma.
- In the Attribute Mappings section, review the Entra ID Attribute and the corresponding Figma Attribute.
- Click the Save button to apply any changes.
- Under Settings, toggle the Provisioning Status > On.
- Define which users and/or groups you would like to provision to Figma. Choose from:
- Sync all users and groups
- Sync only assigned users and groups
- Click Save to apply your provisioning settings.
Warning: If a user is deactivated in Entra ID, this will remove their Figma account from your organization and they will lose all permissions. If you reactivate the user in Entra ID and re-add them to your organization, someone will need to manually add them to their previous teams, projects and files.
Let your users know about the change
The first time a user logs into Figma using SSO, or after they are provisioned via SCIM, they'll receive a verification email from SendGrid. This email contains a unique 6-digit pin, which they'll use just once as an additional security measure during their initial login.
To make sure users don't mistake the email for spam or a phishing attempt, you may wish to let them know about this extra step in advance.