Set up SAML SSO for ADFS
Before you start
Who can use this feature
Supported on the Organization and Enterprise plans
Only Organization Admins can set up SAML SSO.
Organizations that have stricter security requirements can configure SAML SSO. Learn more about SAML SSO in Figma →
If you use Microsoft's Active Directory Federated Service (ADFS), you can set up SAML SSO for your Figma Organization.
To use this integration you will need to:
- Have an ADFS 3.0 or later instance
- Expose the ADFS SAML endpoint (https://<your ADFS host>/adfs/ls/) so that it is reachable from your users' browsers
You can use Microsoft ADFS as your identity provider to authenticate and provision users. Figma supports SAML SSO initiated from both Microsoft ADFS (identity provider) and Figma (service provider).
Add Figma to ADFS
Required information
There are a few pieces of information that you'll need from Figma during the set up process. We recommend having this open in another tab or window, so you can quickly copy it across.
- Open Figma in the file browser.
- Click Admin.
- Select Settings at the top of the screen.
- In the Login and provisioning section, click SAML SSO.
- Find the SP Entity ID and the SP ACS URL. You'll need both to set up the connection in ADFS.
Tip! These URLs will look very similar, as they both include your Tenant ID. The only difference is that your SP ACS URL has /consume added to the end of it.
You need to decide if logging in via SAML SSO is mandatory, or if users can still login via email address and password. Learn more about authentication options →
Add Figma to your ADFS instance
Now you need to add Figma as a "Relying Party Trust" to your ADFS instance.
- Open your ADFS instance.
- In the Actions column, click Add Relying Party Trust. This will open a wizard that will guide you through the set up process.
- On the Welcome screen, click “Start” to start the set up process.
- On the Select Data Source step, select Enter data about the relying party manually and click Next.
- On the Specify Display Name step, enter a display name, like Figma, then click Next.
- On the Choose Profile step (ADFS 3.0 only), select AD FS profile and click Next.
- On the Configure Certificate step, click Next. This step is for an optional token-encryption certificate; the steps on this page do not use one.
- On the Configure URL step, select Enable support for the SAML 2.0 WebSSO protocol and paste the Figma SP ACS URL in the Relying party SAML 2.0 SSO service URL field. The link should look something like this: https://www.figma.com/saml/123456789123456789/consume. Click Next to proceed.
- On the Configure Identifiers step, paste your SP Entity ID in the Relying party trust identifier field and click Add. The link should look something like this: https://www.figma.com/saml/123456789123456789. Click Next to proceed.
- On the Choose Access Control Policy step (Choose Issuance Authorization Rules in ADFS 3.0), choose an access control policy. This determines who can authenticate to Figma via SSO, so scope it to the users who should have Figma access rather than permitting everyone in the directory. Click Next to proceed.
- On the Ready to Add Trust step, click the Next button to complete the process.
- Click Close to finish the Wizard.
Add attributes to ADFS
Next, you need to add two claim rules to the Figma relying party trust. Figma identifies the user by the email address carried in the SAML NameID, so ADFS needs one rule that reads the user's email address from Active Directory and issues it as a claim, and a second rule that transforms that claim into the NameID.
- On the Edit Claim Issuance Policy page, click the Add rule button. If the page did not open when you closed the wizard, select the Figma trust under Relying Party Trusts and choose Edit Claim Issuance Policy (Edit Claim Rules in ADFS 3.0).
- Under Claim rule template, select Send LDAP Attributes as Claims. Click Next to proceed.
- On the Configure Claim Rule step:
- Enter a Claim rule name.
- For your Attribute store, select Active Directory.
- In the LDAP Attribute column, select E-Mail-Addresses.
- In the Outgoing Claim Type column, select E-Mail Address.
- Click Finish to complete the process and return to the Edit Claim Issuance Policy screen.
- Click Apply to apply the rule and stay on the Issuance Transform Rules tab.
- Click Add Rule to add a second transform rule.
- Under Claim rule template, select Transform an Incoming Claim. Click Next to proceed.
- On the Configure Claim Rule step:
- For Claim rule name, enter Transform email address as NameID.
- For Incoming claim type, select E-Mail Address.
- For Outgoing claim type, select Name ID.
- For Outgoing name ID format, select Email.
- Select Pass through all claim values.
- Click Finish to complete the process and return to the Edit Claim Issuance Policy screen.
- Click Apply to apply the rules to your instance.
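The same result can be produced without the wizard. The PowerShell below is an added example, not Figma's or Microsoft's published script, and covers both the relying party trust and the two claim rules from the sections above. It assumes the AD FS module is available on the federation server, uses the article's placeholder Tenant ID 123456789123456789 (replace it with your own), and names the default ADFS 2016+ access control policy "Permit everyone"; the claim rule language is what the two wizard templates generate.

```powershell
# Added example: register Figma as a relying party trust and attach its claim rules.
# Assumptions: AD FS module present; Tenant ID is the article's placeholder.
Import-Module ADFS

$tenantId   = '123456789123456789'            # placeholder from the article
$spEntityId = "https://www.figma.com/saml/$tenantId"
$spAcsUrl   = "$spEntityId/consume"           # SP ACS URL = SP Entity ID + /consume

# Rule 1 ("Send LDAP Attributes as Claims"): read the AD mail attribute, issue it as E-Mail Address.
# Rule 2 ("Transform an Incoming Claim"): re-issue that claim as the NameID in email format.
$rules = @'
@RuleName = "Send email address as claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "Transform email address as NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Figma's ACS endpoint takes the SAML response by HTTP POST.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $spAcsUrl -Index 0

Add-AdfsRelyingPartyTrust -Name 'Figma' `
    -Identifier $spEntityId `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $rules `
    -AccessControlPolicyName 'Permit everyone' `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
# ADFS 3.0 has no access control policies: drop -AccessControlPolicyName and pass
# -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
# (or a narrower rule) instead.

# Check: the trust must carry exactly the SP Entity ID and /consume ACS URL shown in Figma.
Get-AdfsRelyingPartyTrust -Name 'Figma' |
    Select-Object Name, Identifier,
        @{ n = 'AcsUrl'; e = { $_.SamlEndpoints.Location } },
        SignatureAlgorithm
```

The signature algorithm is set explicitly so the trust never falls back to SHA-1, and "Permit everyone" should be replaced with a policy scoped to the groups that should have Figma access.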
Export signing certificate
Now you'll need to export your token-signing certificate, usually called the X.509 certificate. Figma uses it to verify the signature on the SAML responses your Identity Provider sends, so a response signed with any other key is rejected.
- In your ADFS instance, go to Service > Certificates.
- Click the certificate under Token-signing and select View Certificate.
- On the Details tab, click Copy to File, then OK.
- Click Next on the Certificate Export Wizard.
- Select Base-64 encoded X.509 (.CER) from the options and click Next.
- Name your certificate file figma.cer and click Next.
- Click Finish to export the certificate. ADFS will export the certificate to the folder you chose.
Complete the set up process in Figma
Now that you have everything set up in ADFS, you'll need to add your ADFS details to Figma. Our Set up a custom SAML configuration article takes you through that process.
You'll need the following information from ADFS:
- IdP Entity Id: This lets Figma know which Identity Provider you are using.
- IdP SSO Target URL: Figma will use this link to connect to the Identity Provider when someone from your Organization attempts to log in via SAML SSO. For ADFS, it should look something like this: https://sso.yourdomain.tld/adfs/ls/
- Signing Certificate: This is the certificate that you have just downloaded.
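The three values above can also be collected from the federation server in one go. This is an added example, not Figma's or Microsoft's script: it assumes it runs on the ADFS server with the AD FS module loaded, writes figma.cer to the current directory in the same Base-64 X.509 format the export wizard produces, and reads the federation service identifier and host name from the ADFS properties rather than assuming the https://sso.yourdomain.tld placeholder.

```powershell
# Added example: gather IdP Entity ID, IdP SSO Target URL and the token-signing certificate.
# Assumption: run on the federation server with the AD FS module available.
Import-Module ADFS

$props = Get-AdfsProperties

# IdP Entity ID: the federation service identifier
# (by default http://<hostname>/adfs/services/trust, note the http scheme).
$idpEntityId = $props.Identifier.AbsoluteUri

# IdP SSO Target URL: the passive-requestor endpoint on the federation service host.
$idpSsoTargetUrl = "https://$($props.HostName)/adfs/ls/"

# Signing certificate: the *primary* token-signing certificate. ADFS can hold a second,
# staged certificate ahead of rollover; only the primary one signs responses today.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert    = $signing.Certificate

# Base-64 encoded X.509 (.CER), equivalent to the wizard's "Base-64 encoded" option.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`n" +
       [Convert]::ToBase64String($der, [Base64FormattingOptions]::InsertLineBreaks) +
       "`n-----END CERTIFICATE-----"
Set-Content -Path .\figma.cer -Value $pem -Encoding Ascii

# Summary to paste into Figma, plus the two facts that decide when this will break.
[pscustomobject]@{
    IdpEntityId            = $idpEntityId
    IdpSsoTargetUrl        = $idpSsoTargetUrl
    CertFile               = (Resolve-Path .\figma.cer).Path
    CertThumbprint         = $cert.Thumbprint
    CertNotAfter           = $cert.NotAfter
    AutoCertificateRollover = $props.AutoCertificateRollover
}
```

If AutoCertificateRollover is True, ADFS will at some point generate a new token-signing certificate and promote it to primary. Figma verifies responses against the certificate you uploaded, so once that happens SSO logins fail until the new certificate is exported and uploaded again; track CertNotAfter and the ADFS certificate events so the swap is planned rather than discovered by locked-out users.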
Let your users know about the change
The first time a user logs into Figma using SSO, or after they are provisioned via SCIM, they'll receive a verification email from SendGrid. This email contains a unique 6-digit pin, which they'll use just once as an additional security measure during their initial login.
To make sure users don't mistake the email for spam or a phishing attempt, you may wish to let them know about this extra step in advance.