SAML SSO with OneLogin

Who can use this feature

Available on the Organization and Enterprise plans

Organization admins only

You need to have an existing OneLogin account

Organizations that have stricter security requirements can configure SAML SSO. Learn more about SAML SSO in Figma →

You can use OneLogin as your identity provider to authenticate and provision users. Figma supports SAML SSO initiated from both OneLogin (identity provider) and Figma (service provider).

Add Figma to OneLogin

First, you'll need to add the Figma App to your OneLogin account.

1. Log in to your OneLogin account and go the Administration section.
2. Head over to the Apps page and select Add Apps.
3. Search for Figma in the Find apps field.
4. On the Info tab, click Save to add the app to your Company Apps.
5. You will then be able to access the additional configuration settings. Click on the SSO tab:
6. Copy the contents of the Issuer URL field:

   

Set up SAML SSO in Figma

1. Open Figma in the file browser.
2. Click Admin.
3. Select Settings at the top of the screen.
4. In the Login and provisioning section, click SAML SSO.
5. Click Configure SAML and select OneLogin from the options.
6. Enter the IdP Metadata IRL from OneLogin and click Review.
7. Check the box to confirm This information is correct... and click Configure SAML SSO.
8. Click the Copy link next to your Tenant ID. You'll need this to complete the set up process in OneLogin.

Configure SAML SSO in OneLogin

Once you've received your confirmation and Tenant ID, you can complete the configuration process in OneLogin.

1. Go back to the Figma App in OneLogin (Administration > Apps > Figma)
2. Go to the Configuration Tab for the Figma app:

   

3. Enter the Tenant ID that you copied from Figma.
4. Click SAVE to complete the process.

Set up automatic provisioning via SCIM

To set up automatic provisioning you will need to:

1. Generate an API Token in Figma
2. Configure Automatic Provisioning in OneLogin
3. Map Custom Attributes

Generate an API token in Figma

1. From the file browser, click Admin.
2. Select Settings at the top of the screen.
3. In the Login and provisioning section, click SCIM provisioning.
4. Click Generate API Token in the dialog.
5. Copy the API token to your clipboard. You'll need this to complete the process in OneLogin.

Configure SCIM in OneLogin

You'll need your API Token from Figma

1. Open the Figma app in OneLogin.
2. Go to the Configuration Tab for the Figma app.
3. Under API connection, enter your API token in the SCIM Bearer Token field.
4. Click ENABLE.
5. Go to the Provisioning tab and check the box next to Enable Provisioning.
6. Select which provisioning actions you want to require administrator approval for. You can choose to enable this for:
   • Create User
   • Delete User
   • Update User
7. Decide the appropriate action for When user accounts are suspended in OneLogin..

   

Add custom attributes

Some Figma attributes are mapped to OneLogin attributes by default:

• Email
• First Name
• Last Name
• NameID
• SCIM Username
• Title
• Manager
• Department

Other SCIM Enterprise User attributes are optional. You will need to add these as custom user fields if you want to include them in your provisioning:

• employeeNumber
• costCenter
• organization
• division

To create a custom field in OneLogin:

1. Login to your OneLogin account.
2. Go to Users > Custom User Fields in the main menu:
3. Complete the New User Field inputs.
4. Click SAVE to apply your changes.

Let your users know about the change

The first time a user logs into Figma using SSO, or after they are provisioned via SCIM, they'll receive a verification email from SendGrid. This email contains a unique 6-digit pin, which they'll use just once as an additional security measure during their initial login.

To make sure users don't mistake the email for spam or a phishing attempt, you may wish to let them know about this extra step in advance.