SAML SSO with OneLogin
Who can use this feature
Available on the Organization and Enterprise plans
Organization admins only
You need to have an existing OneLogin account
Organizations that have stricter security requirements can configure SAML SSO. Learn more about SAML SSO in Figma →
You can use OneLogin as your identity provider to authenticate and provision users. Figma supports SAML SSO initiated from both OneLogin (identity provider) and Figma (service provider).
Add Figma to OneLogin
First, you'll need to add the Figma App to your OneLogin account.
- Log in to your OneLogin account and go to the Administration section.
- Head over to the Apps page and select Add Apps.
- Search for Figma in the Find apps field.
- On the Info tab, click Save to add the app to your Company Apps.
- You will then be able to access the additional configuration settings. Click on the SSO tab.
- Copy the contents of the Issuer URL field.
Set up SAML SSO in Figma
- Open Figma in the file browser.
- Click Admin.
- Select Settings at the top of the screen.
- In the Login and provisioning section, click SAML SSO.
- Click Configure SAML and select OneLogin from the options.
- Enter the IdP Metadata URL from OneLogin and click Review.
- Check the box to confirm This information is correct... and click Configure SAML SSO.
- Click the Copy link next to your Tenant ID. You'll need this to complete the setup process in OneLogin.
You need to decide whether logging in via SAML SSO is mandatory, or whether users can still log in with an email address and password. Learn more about authentication options →
Configure SAML SSO in OneLogin
Once you've received your confirmation and Tenant ID, you can complete the configuration process in OneLogin.
- Go back to the Figma App in OneLogin (Administration > Apps > Figma).
- Go to the Configuration tab for the Figma app.
- Enter the Tenant ID that you copied from Figma.
- Click SAVE to complete the process.
Set up automatic provisioning via SCIM
To set up automatic provisioning you will need to generate an API token in Figma and then configure SCIM in OneLogin.
Tip! We recommend having both Figma and OneLogin open in separate windows at the same time, to make the process easier.
Generate an API token in Figma
- From the file browser, click Admin.
- Select Settings at the top of the screen.
- In the Login and provisioning section, click SCIM provisioning.
- Click Generate API Token in the dialog.
- Copy the API token to your clipboard. You'll need this to complete the process in OneLogin.
Configure SCIM in OneLogin
You'll need your API token from Figma.
- Open the Figma app in OneLogin.
- Go to the Configuration tab for the Figma app.
- Under API connection, enter your API token in the SCIM Bearer Token field.
- Click ENABLE.
- Go to the Provisioning tab and check the box next to Enable Provisioning.
- Select which provisioning actions you want to require administrator approval for. You can choose to enable this for:
- Create User
- Delete User
- Update User
- Decide the appropriate action for When user accounts are suspended in OneLogin.
Warning: If a user is deactivated in OneLogin, this will remove their Figma account from your organization and they will lose all permissions. If you reactivate the user in OneLogin and re-add them to your organization, someone will need to manually add them to their previous teams, projects and files.
Add custom attributes
Some Figma attributes are mapped to OneLogin attributes by default:
- Email
- First Name
- Last Name
- NameID
- SCIM Username
- Title
- Manager
- Department
Other SCIM Enterprise User attributes are optional. You will need to add these as custom user fields if you want to include them in your provisioning:
- employeeNumber
- costCenter
- organization
- division
To create a custom field in OneLogin:
- Log in to your OneLogin account.
- Go to Users > Custom User Fields in the main menu.
- Complete the New User Field inputs.
- Click SAVE to apply your changes.
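To make the SCIM side of this concrete, here is an added Python example (not code from Figma or OneLogin) that builds the SCIM 2.0 User body a Create User action carries, using the standard RFC 7643 attribute names for the default-mapped fields and the Enterprise User extension for the optional ones, and the PATCH body that deactivation sends. The sample record is constructed, and it is an assumption that Figma's SCIM endpoint consumes exactly these attributes.

```python
# Added example (not Figma's or OneLogin's code): SCIM 2.0 payloads for the
# provisioning actions described above, using RFC 7643/7644 attribute names.
CORE_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_SCHEMA = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Optional Enterprise User attributes from the page: OneLogin only sends them
# once the admin has created a matching custom user field.
OPTIONAL_ENTERPRISE_ATTRS = ("employeeNumber", "costCenter", "organization", "division")

# Constructed sample record in the shape of the default OneLogin mapping.
SAMPLE_RECORD = {
    "email": "ada@example.com", "first_name": "Ada", "last_name": "Lovelace",
    "scim_username": "ada@example.com", "title": "Engineer", "manager_id": "2819c223",
    "department": "Platform", "employeeNumber": "E-1042", "costCenter": "CC-77",
}

def build_scim_user(record: dict, custom_fields: set) -> dict:
    """Translate a OneLogin-style record into the SCIM User body of a Create User call.
    Optional enterprise attributes are included only when a custom field exists."""
    user = {
        "schemas": [CORE_SCHEMA],
        "userName": record["scim_username"],
        "name": {"givenName": record["first_name"], "familyName": record["last_name"]},
        "emails": [{"value": record["email"], "primary": True}],
        "active": True,
    }
    if record.get("title"):
        user["title"] = record["title"]
    ext = {}  # enterprise extension: manager and department are mapped by default
    if record.get("manager_id"):
        ext["manager"] = {"value": record["manager_id"]}
    if record.get("department"):
        ext["department"] = record["department"]
    for attr in OPTIONAL_ENTERPRISE_ATTRS:
        if record.get(attr) and attr in custom_fields:
            ext[attr] = record[attr]
    if ext:
        user["schemas"].append(ENTERPRISE_SCHEMA)
        user[ENTERPRISE_SCHEMA] = ext
    return user

def dropped_attributes(record: dict, custom_fields: set) -> list:
    """Values in the record that never reach Figma because no custom field was created."""
    return [a for a in OPTIONAL_ENTERPRISE_ATTRS if record.get(a) and a not in custom_fields]

def deactivate_patch() -> dict:
    """PATCH body a SCIM client sends when a user is suspended or deactivated."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
```

Running `dropped_attributes` against a record before enabling provisioning is a quick way to spot enterprise attributes that will silently be left out of Figma.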
Let your users know about the change
The first time a user logs into Figma using SSO, or after they are provisioned via SCIM, they'll receive a verification email from SendGrid. This email contains a unique 6-digit PIN, which they'll use just once as an additional security measure during their initial login.
To make sure users don't mistake the email for spam or a phishing attempt, you may wish to let them know about this extra step in advance.