Related Videos

• Set login and authentication method

  Before you start

  Who can use this feature

  Supported on the Organization and Enterprise plan

  Only organization admins can adjust the organization's log in and authentication settings.

  Organization admins can choose what method members can use to log in to the organization. These settings will apply to any member that has an email address that matches your organization's domain(s).

  You can update these settings at any time. If you want to make change to your SAML SSO configuration, you will need to temporarily update these settings to allow members to log in via any methods.

  SAML SSO only applies to members of an organization. Guests can always log in to an organization using Google SSO or their email and password.

  Available methods

  The authentication methods you can choose from in an organization are:

  • Members may log in with any method, including email and password (default)
  • Members must log in with a Google account
  • Members must log in with SAML SSO

  Any method

  When authentication is set to "Members may log in with any method (default)", members can log in using any method. This includes Google SSO, SAML SSO, or a company email and unique password.

  To allow members to log in via SAML SSO, you still need to configure SAML SSO for your organization. 

  You can also use this setting to prevent members being locked out during the configuration process. This is handy when you're setting up or updating your SAML SSO settings, or switching to another identity provider. 

  Enforce Google SSO

  If you are using Google Workspaces to manage your company email, you have two approaches available for authentication.

  • Google SSO: Use Google's traditional single sign on (SSO) process. This allows members to log in using their Google managed email address and password.
  • Google SAML SSO: If you use SAML and SCIM with Google Workspace, you can set up a custom SAML SSO configuration with Figma.

  Enforce SAML SSO for members

  Organizations with enhanced security requirements can configure SAML SSO.

  SAML SSO lets you connect your external identity provider—like Okta, Onelogin, or Azure Active Directory— to Figma. Members can then log in and authenticate using a third-party provider.

  This also allows you to pre-provision members to Figma via SCIM. If you're on the Enterprise plan, you can also set member roles via SCIM.

  Once you have configure SAML SSO, you can choose if this is optional or required:

  • Select Members must log in with SAML SSO to make logging in via SAML SSO mandatory for members.
  • Select Members may log in with any method, including email and password to make SAML SSO optional.

  When you make SAML SSO mandatory, Figma will require members to use SAML SSO when they next log in. Guests can still use their company email address and password to access Figma.

  Set authentication method

  Adjust the authentication method in the organization's admin settings.

  1. Open the organization in Figma.
  2. Select Admin settings in the sidebar.
  3. Select the Settings tab at the top of the screen.
  4. In the Login and provisioning section, click the Authentication setting.
  5. Select your desired method and click Done to apply.
• Guide to SAML SSO

  Who can use this feature

  Supported on the Organization and Enterprise plan.

  Only organization admins can configure SAML SSO.

  Single Sign On (SSO) allows users to log into many applications or websites using an identity provider. Security Assertion Markup Language (SAML) is a security standard for managing authentication and access. 

  In a SAML SSO set up, the identity provider manages the organization's user accounts and credentials. The service provider (Figma) is the app or website that provides services to the user or organization.

  When using SAML SSO, members log in to their Figma organization using the organization's identity provider.

  How SAML SSO works:

  1. Member attempts to log in to Figma via SAML SSO
  2. Figma sends a SAML request to the identity provider
  3. The identity provider checks this member's credentials
  4. The identity provider sends a response to Figma to verify the member's identity
  5. Figma accepts the response and logs the member into their Figma account

  Note: Figma uses SAML 2.0 for all SAML SSO configurations. This includes configurations with supported identity providers and any custom configurations.

  Set up SAML SSO

  The process for configuring SAML will depend on your specific identity provider. We've outlined the general process for implementing SAML SSO below.

  SAML SSO only applies to members of a Figma organization. Guests can log in via Google SSO or their email and unique password, regardless of an organization's SAML SSO settings.

  Confirm domains

  Domains are the way we identify entities on the internet. They let Figma know who to treat as a member and who to treat as a guest. Domains and domain capture →

  Organizations can have more than one domain, including subdomains. Organization admins can request to add or remove domains to their organization at any time.

  For example: ACME Corp has three domains registered to their organization: acme.org, acmecorp.org, and dev.acme.org.

  Anyone with an acme.org, acmecorp.org, or dev.acme.org email address is a member. Members can log in via SAML SSO.

  Anyone with an email address that doesn't match those domains is a guest and can't log in via SAML. For example: name@gmail.com or name@notyourdomain.com

  Note: If you plan on using SAML SSO, you need to register every domain you want to use in Figma with your identity provider. Email aliases do not work with SAML SSO.

  Caution: To keep access to existing files and projects, members need to have an account registered to their company email. We recommend ensuring everyone is using the right emails in Figma before you set up SAML SSO.

  Add Figma to your identity provider

  When you add Figma to your identity provider, they will provide you with a Metadata URL. This is an XML link that Figma uses to connect to your identity provider and authenticate users when they login.

  Figma supports dedicated integrations with the following identity providers:

  • Azure Active Directory (Azure AD)
  • Okta
  • OneLogin
  • Google SSO*
  • Active Directory Federation Services (ADFS)

  Note: You can also set up a custom SAML configuration with a provider that isn't on this list. This will involve setting up a custom app with your identity provider. Set up a custom SAML configuration →

  *If you want to use Google SAML SSO and SCIM, you need to set up a custom SAML configuration instead of using the Google SSO option. Learn more about Google SAML SSO →

  Turn on SAML SSO in Figma

  Next, you'll need to set up SAML SSO in Figma. This will:

  • Turn on SAML SSO for your organization
  • Connect your identity provider to your Figma account
  • Let you choose what methods members can use to log in

  You'll need to decide if logging in via SAML SSO is mandatory, or if users can still login via email address and password. We recommend you allow logging in via any method during the set up process.

  If you want to set up Google SSO, all users must login via Google SSO. There is no way to make this optional or enable this for only some users. Set login or authentication method →

  Set up SAML SSO in your identity provider

  Complete the rest of the set up process with your identity provider.

  • SAML SSO with Okta
  • SAML SSO with Azure Active Directory
  • SAML SSO with OneLogin
  • SAML SSO for ADFS
  • Set up a custom SAML configuration

  Note: Besides the username or nameid, Figma supports four attributes in a SAML assertion: givenName, familyName, displayName, and title. Figma will ignore any additional attributes.

  Set up SCIM provisioning (optional)

  All SAML SSO configurations support "Just In Time" (JIT) or manual provisioning. JIT provisioning allows Figma to create and update users in Figma.

  • When creating a user, Figma uses information from the four supported attributes in the SAML response from the identity provider.
  • When updating a user in the identity provider, changes will apply when the user next logs in.

  You can choose to enable automatic provisioning via SCIM. SCIM pushes changes immediately and allows you to import and deactivate users.

  • Supported identity providers: you can enable provisioning via SCIM. We include instructions for setting up automatic provisioning via SCIM in each provider's article.
  • Custom SAML configuration: you can set up SCIM with your chosen identity provider. Learn more about setting up a custom SCIM configuration →

  On the Organization plan, it's not possible to assign a person's role outside of Figma. Figma gives everyone who joins the organization an introductory viewer role. Roles in Figma →

  On the Enterprise plan, you can also set member roles via SCIM. This allows you to set a member's Figma design and FigJam roles before they join the organization. If you set a member's role via SCIM, Figma will ignore the organization's default role settings.

  Need to make changes to your SAML SSO settings? You can edit your settings at any time.

• Authenticate with Google (Google SSO)

  Who can use this feature

  Supported on the Organization and Enterprise plans

  Only organization admins can configure SSO.

  If you are using Google Workspaces to manage your company email, you have two approaches available for authentication.

  • Google SSO: Use Google's traditional single sign on (SSO) process. This allows members to log in using their Google managed email address and password.
  • Google SAML SSO: If you use SAML and SCIM with Google Workspace, you can set up a custom SAML SSO configuration with Figma.

  Google SSO and SAML SSO only to members of the organization. Guests can log in with their external email address and a password.

  Google SSO

  You can enable Google SSO in your Figma Organization. Members must use the Log in with Google option to log in using their Google-managed company email and password.

  • Select Members must sign in with a Google Account to make Google SSO mandatory.
  • Select Members may log in with any method, including email and password to make Google SSO optional.

  Note: You can disable this requirement at any time, if required. Return to this page and select Members may sign in with any available method, including email and password instead. You will need to update your authentication method to this setting, if you want make changes to your SAML SSO or SCIM settings.

  Google SAML SSO

  Google also supports both SAML SSO and SCIM configurations. If you want to use Google SAML SSO and SCIM with Figma, you will need to:

  1. Set up a custom app for Figma in GSuite (Google Support article)
  2. Decide if you want to make SAML SSO mandatory
  3. Set up a custom SAML configuration in Figma

  Note: We've heard that there can be delays when setting up a custom SAML SSO app with Google. If you see a "Not a SAML app" error, or similar, we recommend trying again in a few hours. Google has some recommendations for common errors: Troubleshoot single sign-on (SSO).

• SAML SSO with Okta

  Before you start

  Who can use this feature

  Available on the Organization and Enterprise plans.

  Organization admins only.

  You will need to have an existing Okta account to set up SAML SSO with Okta.

  Organizations that have stricter security requirements can configure SAML SSO. Learn more about SAML SSO in Figma →

  You can use Okta as your identity provider to authenticate and provision users. Figma supports SAML SSO initiated from both Okta (identity provider) and Figma (service provider).

  Add the Figma app to Okta

  To connect Figma and Okta, you will first need to add the Figma app to your Okta account. This will generate a IdP Metadata URL, which you'll need to configure SAML SSO in Figma.

  1. Log in to your Okta account and head to the Applications page.
  2. Select Add Application from the options.
  3. Search for Figma and click the Add button to add Figma to your account.
  4. Once installed, go to the Sign On page.
  5. Right click on the Identity Provider Metadata link and choose Copy link address. The link should look like this: https://example.okta.com/app/abc123/sso/saml/metadata

  Set up SAML SSO in Figma

  Next you'll need to set up SAML SSO in your Organization's Admin Settings.

  1. From the file browser, click Admin settings.
  2. Select Settings at the top of the screen.
  3. In the Login and provisioning section, click SAML SSO.
  4. Click Configure SAML and select Okta from the options.
  5. Enter the IdP Metadata IRL from Okta and click Review.
  6. Check the box to confirm This information is correct... and click Configure SAML SSO.
  7. Click the Copy link next to your Tenant ID. You'll need this to complete the set up process in Okta.

  You need to decide if logging in via SAML SSO is mandatory, or if users can still login via email address and password. Learn more about authentication options →

  Set up Figma in Okta

  Now you have your Tenant ID, you can complete the configuration process in Okta. You will need to configure the Figma app and mapping user attributes between applications.

  Configure SAML SSO

  1. Open the Figma app in Okta.
  2. Go to Sign On tab and click Edit.
  3. Scroll down to the Advanced Sign-On Settings section.
  4. Enter your Tenant ID in the field provided.
  5. In the Application username format field, select Email from the options.
  6. Click Save to complete the process.

  Log in via Figma (service provider initiated SSO) To start the SAML SSO process from Figma's end, head to the following URL: https://www.figma.com/saml/[TenantID]/start 

  Make sure to replace [Tenant ID] with your Organization's actual Tenant Id!

  Assign users to the application

  Now you can start assigning users to the application. As part of this process, you may be asked to provide additional information about each user.

  Figma supports some basic attributes, as well as attributes only available to SCIM Enterprise users.

  Start adding users to the application in the Assignments tab on the far right.

  Supported Basic Attributes

  Variable Name	External Name	External Namespace	Suggested Mapping
  givenName	givenName	urn:ietf:params:scim:schemas:core:2.0:User	user.firstName
  familyName	familyName	urn:ietf:params:scim:schemas:core:2.0:User	user.lastName
  displayName	displayName	urn:ietf:params:scim:schemas:core:2.0:User	user.displayName
  title	title	urn:ietf:params:scim:schemas:core:2.0:User	user.title

  Supported SCIM Enterprise User Attributes

  Variable Name	External Name	External Namespace	Suggested Mapping
  employeeNumber	employeeNumber	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.employeeNumber
  costCenter	costCenter	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.costCenter
  organization	organization	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.organization
  division	division	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.division
  department	department	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.department
  managerValue	manager.value	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.managerId
  managerDisplayName	manager.displayName	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.manager

  Note: Missing the SCIM Enterprise user attributes? Figma applications added in Okta prior to June 2019 may need to be upgraded. Please contact support@figma.com for assistance.

  Set up automatic provisioning with SCIM

  Okta also supports automatic provisioning with SCIM. To set up SCIM you will need to generate an API token in Figma then add this to Okta.

  We recommend having both windows open to make copying between the two easier.

  Generate an API token in Figma

  1. From the file browser, click Admin settings .
  2. Select Settings at the top of the screen.
  3. In the Login and provisioning section, click SCIM provisioning.
  4. Click Generate API Token in the dialog.
  5. Copy the API token to your clipboard. You'll need this to complete the process in Okta.

  Configure automatic provisioning in Okta

  Make sure the following functions are enabled in Okta:

  • Create users
  • Update user attributes
  • Deactivate users

  Warning: If a user is deactivated in Okta, this will remove their Figma account from your organization and they will lose all permissions. If you reactivate the user in Okta and re-add them to your organization, someone will need to manually add them to their previous teams, projects and files. 

  1. Open the Figma app in Okta.
  2. Go to the Provisioning tab in the Figma app.
  3. Click the Configure API Integration button.
  4. Check the box next to Enable API Integration.
  5. Enter the API Token in the field provided.
  6. Click Test API Credentials to ensure it's set up correctly.
  7. When you get a success message, click Save to apply.
  8. A few more options will now appear under the Provisioning section. Select To App in the left-hand menu.
  9. Click Save to apply.
• SAML SSO with OneLogin

  Who can use this feature

  Supported on the Organization and Enterprise plans

  Only organization admins can set up SAML SSO.

  You need to have an existing OneLogin account

  Organizations that have stricter security requirements can configure SAML SSO. Learn more about SAML SSO in Figma →

  You can use OneLogin as your identity provider to authenticate and provision users. Figma supports SAML SSO initiated from both OneLogin (identity provider) and Figma (service provider).

  Add Figma to OneLogin

  First, you'll need to add the Figma App to your OneLogin account.

  1. Log in to your OneLogin account and go the Administration section.
  2. Head over to the Apps page and select Add Apps.
  3. Search for Figma in the Find apps field.
  4. On the Info tab, click Save to add the app to your Company Apps.
  5. You will then be able to access the additional configuration settings. Click on the SSO tab:
  6. Copy the contents of the Issuer URL field:

     

  Set up SAML SSO in Figma

  Next you'll need to set up SAML SSO in your Organization's Admin Settings.

  1. Open Figma in the file browser.
  2. Click Admin Settings.
  3. Select Settings at the top of the screen.
  4. In the Login and provisioning section, click SAML SSO.
  5. Click Configure SAML and select OneLogin from the options.
  6. Enter the IdP Metadata IRL from OneLogin and click Review.
  7. Check the box to confirm This information is correct... and click Configure SAML SSO.
  8. Click the Copy link next to your Tenant ID. You'll need this to complete the set up process in OneLogin.

  You need to decide if logging in via SAML SSO is mandatory, or if users can still login via email address and password. Learn more about authentication options →

  Configure SAML SSO in OneLogin

  Once you've received your confirmation and Tenant ID, you can complete the configuration process in OneLogin.

  1. Go back to the Figma App in OneLogin (Administration > Apps > Figma)
  2. Go to the Configuration Tab for the Figma app:

     

  3. Enter the Tenant ID that you copied from Figma.
  4. Click SAVE to complete the process.

  Set up automatic provisioning via SCIM

  To set up automatic provisioning you will need to:

  1. Generate an API Token in Figma
  2. Configure Automatic Provisioning in OneLogin
  3. Map Custom Attributes

  Tip! We recommend having both of these windows open at the same time, to make that process easier.

  Generate an API token in Figma

  1. Click Admin Settings under the Organization name in the sidebar.
  2. Select Settings at the top of the screen.
  3. In the Login and provisioning section, click SCIM provisioning.
  4. Click Generate API Token in the dialog.
  5. Copy the API token to your clipboard. You'll need this to complete the process in OneLogin.

  Configure SCIM in OneLogin

  You'll need your API Token from Figma

  1. Open the Figma app in OneLogin.
  2. Go to the Configuration Tab for the Figma app.
  3. Under API connection, enter your API token in the SCIM Bearer Token field.
  4. Click ENABLE.
  5. Go to the Provisioning tab and check the box next to Enable Provisioning.
  6. Select which provisioning actions you want to require administrator approval for. You can choose to enable this for:
     • Create User
     • Delete User
     • Update User
  7. Decide the appropriate action for When user accounts are suspended in OneLogin..

     

  Warning: If a user is deactivated in OneLogin, this will remove their Figma account from your organization and they will lose all permissions. If you reactivate the user in OneLogin and re-add them to your organization, someone will need to manually add them to their previous teams, projects and files. 

  Add custom attributes

  Some Figma attributes are mapped to OneLogin attributes by default:

  • Email
  • First Name
  • Last Name
  • NameID
  • SCIM Username
  • Title
  • Manager
  • Department

  Other SCIM Enterprise User attributes are optional. You will need to add these as custom user fields if you want to include them in your provisioning:

  • employeeNumber
  • costCenter
  • organization
  • division

  To create a custom field in OneLogin:

  1. Login to your OneLogin account.
  2. Go to Users > Custom User Fields in the main menu:
  3. Complete the New User Field inputs.
  4. Click SAVE to apply your changes.
• SAML SSO with Azure Active Directory

  Before you start

  Supported on the Organization and Enterprise plans

  Only organization admins can set up SAML SSO.

  You need an existing Microsoft Azure Active Directory account

  Organizations that manage users with Azure Active Directory can configure SAML SSO in Figma. Figma supports both identity (Azure AD) and service (Figma) initiated configurations.

  We recommend having both Figma and Azure AD open in separate tabs. This allows you to switch between them throughout the setup process.

  Configure SAML in an active organization

  Microsoft recommends testing SAML configurations in a sandbox environment. However, there isn’t a way to create a sandbox or test environment in Figma. We recommend testing the Figma application with a test user, such as yourself, or a small group of users first.

  To make sure existing users can still access Figma during the set up process, set the login and authentication method to Members may log in with any method, including email and password (default).

  Once everything is up and running, you can update this setting to Members must log in with SAML SSO. Learn more in Microsoft's tutorial: Azure Active Directory SSO Integration with Figma.

  Set up SAML SSO

  Open SAML in Figma

  Open your organization's SAML SSO settings in Figma. We'll come back to this page to configure SAML SSO in Figma, later on in the process.

  1. Open the organization in Figma.
  2. In the sidebar, select Admin settings.
  3. Select the Settings tab.
  4. In the Login and provisioning section, click Authentication.
  5. Make sure authentication is set to Members may log in with any available method... Click Done.
  6. From the Login and provisioning section, click SAML SSO.
  7. Figma opens a modal dialog with some key information for the SAML process.
     • Tenant ID: 123456789123456789
     • SP entity ID: http://www.figma.com/saml/123456789123456789
     • SP ACS URL: http://www.figma.com/saml/123456789123456789/consume

  Figma uses your Tenant ID to generate your SP identity ID and SP ACS URL. You’ll need these when configuring SAML in Azure AD. You’ll use the SP entity ID to create a URL for service-provider initiated authentication.

  Add Figma to Azure

  Add Figma to your Azure portal.

  1. Open Azure in the overview page
  2. Select Enterprise applications
  3. Land on the All applications section
  4. Click Add application to browse Azure AD Gallery
  5. Search for Figma and select the correct result
  6. Click Create to add the application to Azure AD
  7. Azure will show a success message and redirect you to the Figma application overview:

  Assign a test user

  Assign a test user to Figma in Azure. This allows you to complete the SAML setup process and test the application.

  1. Select Assign users and groups from the options.
  2. Click + Add user/group to open the assignments page.
  3. Click Users and groups, click None selected.
  4. Search for test user. We recommend using your own account so that you can test the login at the end of the setup process.
  5. Click to add and return to the assignments page.
  6. Click Assign button to return to application page.

  Configure SAML in Azure

  Set up SAML in Azure. You’ll need the Tenant ID Figma provides to complete the process.

  We recommend having both Figma and Azure AD open in separate tabs. This allows you to switch between them throughout the setup process.

  1. Select Single sign-on in panel
  2. Select SAML from options
  3. Under Basic SAML Configuration, click Edit to make changes
  4. Switch to the Figma tab in your browser.
  5. Next to the Tenant ID, click Copy
  6. Switch to the Azure tab in your browser.
  7. Under Identifier (Identity ID), click Add identifier
  8. Type in https://www.figma.com/saml/ in the field provided, then paste your Tenant ID to complete the URL.
  9. Copy the entire URL from the field to your clipboard.
  10. Under Reply URL (ACS link), click Add reply URL.
  11. Paste the identity URL in the field, then add /consume to the end of the link.
  12. In the Sign on URL (Optional) field, paste the identity URL again, then add /start to the end of the link.
  13. Click Save at the top of the screen:
  14. Click X in the top-right corner to return to the Figma application page.

  Configure SAML in Figma

  Now you can configure SAML in Figma. You’ll need the metadata link from Azure AD to complete the process in Figma.

  1. Open the Figma application in Azure AD.
  2. Scroll down to the SAML Signing Certificate section.
  3. Next to the App Federation Metadata XML, click Copy.
  4. Switch to the Figma tab in your browser.
  5. Click Configure SAML in the dialog.
  6. Select Microsoft Azure Active Directory from the options.
  7. Paste the link in the IdP metadata URL field.
  8. Click Review to make sure the details are correct.
  9. Check the box next to This information is correct.
  10. Click Configure SAML SSO. Figma will return you to the Settings tab where you’ll see SAML SSO is now enabled:

  Map user attributes

  Map your user attributes between Figma and Azure Active Directory.

  Figma expects certain attributes in the SAML response. Some of these are required attributes and some are pre-populated but optional. You can review and adjust the optional attributes.

  1. Switch to the Azure AD tab in your browser and make sure you’re on the SAML sign-on page.
  2. Find the Attributes & Claims section. Click the pencil icon to edit these attributes.
  3. You can review and adjust any optional attributes. Make sure you don’t remove or adjust any required attributes.

  Name	Source attribute	Required
  GivenName	user.givename	Required
  Surname	user.surname	Required
  Emailaddress	user.mail	Required
  Name	user.userprincipalname	Required
  Unique User Identifier	user.userprincipalname	Required
  displayName	user.displayname	Pre-populated (Optional)
  title	user.jobtitle	Pre-populated (Optional)
  emailaddress	user.mail	Pre-populated (Optional)
  familyName	user.surname	Pre-populated (Optional)
  givenName	givenName	Pre-populated (Optional)
  userName	user.userprincipalname	Pre-populated (Optional)

  Test the application

  With both Figma and Azure configured you can test the application. You’ll need to test this process with the user you added earlier.

  If you skipped this step, you’ll need to assign a user to Figma ↑ first. We recommend adding your own account.

  1. Switch to the Azure AD tab in your browser and make sure you’re on the SAML sign-on page.
  2. Select Test this application at the top of the page.
  3. Click the Test sign in button. Azure AD will open a new tab and log you into Figma using SAML SSO.

  Make SAML SSO mandatory

  If the test process was successful, you can now allow other members to log in using their SAML SSO credentials. If you want to make log in via SAML mandatory for members, you can update the organization's authentication settings.

  1. Open the organization in Figma.
  2. In the sidebar, select Admin settings and go to the Settings tab.
  3. In the Login and provisioning section, click Authentication.
  4. Make sure authentication is set to Members may log in with any available method... Click Done.

  Set up automatic provisioning with SCIM

  You'll need an API token from Figma to set up SCIM in Azure AD. We recommend having both Figma and Azure AD open to make it easier to copy between them.

  Generate Figma API token

  1. From the file browser, click Admin settings.
  2. Select Settings at the top of the screen.
  3. In the Login and provisioning section, click SCIM provisioning.
  4. Click Generate API Token in the dialog.
  5. Copy the API token to your clipboard. You'll need this to complete the process in Azure.

  Configure SCIM in Azure AD

  You'll need your Tenant ID and API Token from Figma. Remember to swap the <TENANT ID> placeholder in the URL below with the Tenant ID Figma generated.

  Note: These instructions are modified from Microsoft Azure's Tutorial. Check out Configure Figma for automatic user provisioning for screenshots and detailed explanations.

  1. In your Azure Portal go to Enterprise Applications > All Applications
  2. Select the Figma app.
  3. Go to the Manage section and select Provisioning.
  4. Set the Provisioning Mode to Automatic.
  5. Enter the following details in the Admin Credentials section:
     1. Enter the URL in the Tenant URL field: https://www.figma.com/scim/v2/<TenantID>
     2. Enter the API Token in the Secret Token field.
     3. Click Test Connection to make sure that Azure AD can connect to Figma.
  6. Enter the desired email address in the Notification Email field.
  7. Check the box next to Send an email notification when a failure occurs and click Save to apply.
  8. In the Mappings section, select Synchronize Azure Active Directory Users to Figma.
  9. In the Attribute Mappings section, review the Azure Active Directory Attribute and the corresponding Figma Attribute.
  10. Click the Save button to apply any changes.
  11. Under Settings, toggle the Provisioning Status > On.
  12. Define which users and/or groups you would like to provision to Figma. Choose from:
      • Sync all users and groups
      • Sync only assigned users and groups
  13. Click Save to apply your provisioning settings.

  Warning: If a user is deactivated in Azure AD, this will remove their Figma account from your organization and they will lose all permissions. If you reactivate the user in Azure AD and re-add them to your organization, someone will need to manually add them to their previous teams, projects and files. 

• Set up SAML SSO for ADFS

  Before you start

  Who can use this feature

  Supported on the Organization and Enterprise plans

  Only Organization Admins can set up SAML SSO.

  Organizations that have stricter security requirements can configure SAML SSO. Learn more about SAML SSO in Figma →

  If you use Microsoft's Active Directory Federated Service (ADFS), you can set up SAML SSO for your Figma Organization.

  To use this integration you will need to:

  • Have an ADFS instance of 3.0 or later
  • Expose the SAML endpoint for ADFS

  You can use Micro as your identity provider to authenticate and provision users. Figma supports SAML SSO initiated from both Microsoft ADFS (identity provider) and Figma (service provider).

  Add Figma to ADFS

  Required information

  There are a few pieces of information that you'll need from Figma during the set up process. We recommend having this open in another tab or window, so you can quickly copy it across.

  1. Open Figma in the file browser.
  2. Click Admin Settings.
  3. Select Settings at the top of the screen.
  4. In the Login and provisioning section, click SAML SSO.
  5. Find the SP Entity ID and the SP ACS URL. You'll need both to set up the connection in ADFS.

  Tip! These URLs will look very similar as they both include your Tenant ID. The only difference is that your SP ACS URL will have /consume added to the end of it.

  You need to decide if logging in via SAML SSO is mandatory, or if users can still login via email address and password. Learn more about authentication options →

  Add Figma to your ADFS instance

  Now you need to add Figma as a "Relying Party Trust" to your ADFS instance.

  1. Open your ADFS instance.
  2. In the Actions column, click Add Relying Party Trust. This will open a wizard that will guide you through the set up process.
  3. On the Welcome screen, click “Start” to start the set up process.
  4. On the Select Data Source step, select Enter data about the relying party manually and click Next.

  5. Add a Display name, like Figma or similar, then click Next to proceed.

  6. On the Configure Certificate step, click the Browse button. Select ADFS profile from the options and click Next.
  7. On the Configure URL step, select Enable support for the SAML 2.0 WebSSO protocol

  8. On the same page, paste the Figma SP ACS URL in the field provided. The link should look something like this: https://www.figma.com/saml/123456789123456789/consume. Click Next to proceed.

  9. On the Configure Identifiers step, paste in your SP Entity ID in the Relying party trust identifier field. The link should look something like this: https://www.figma.com/saml/123456789123456789. Click Next to proceed.
  10. On the Choose Access Control Policy step, choose an access control policy. This determines who can authenticate their Figma account via SSO. Click Next to proceed.
  11. On the Ready to Add Trust step, click the Next button to complete the process.
  12. Click Close to finish the Wizard.

  Add attributes to ADFS

  Next, you need to add a rule to ADFS. This will ensure the integration sends LDAP attributes as claims.

  1. On the Edit Claim Issuance Policy page, click the Add rule button.
  2. Under Claim rule template, select Send LDAP Attributes as Claims. Click Next to proceed.
  3. On the Configure Claim Rule step:
     1. Enter a Claim rule name.
     2. For your Attribute store, select Active Director.
     3. In the LDAP Attribute... column, select E-Mail Address.
     4. In the Outgoing Claim Type... column, select E-Mail Address.
     5. Click Finish to complete the process and return to the Edit Claim Issuance Policy screen.
     
  4. Click Apply to apply the rule and return to the Issue Transform rules page.
  5. Click Add Rule to add a second Transform rule.
  6. Under Claim rule template, select Transform an Incoming Claim. Click Next to proceed.
  7. On the Configure Claim Rule step:
     1. For Claim rule name, enter Transform email address as NameID
     2. In the Incoming claim type, select E-Mail Address.
     3. In the Outgoing Claim Type column, select NameID
     4. In the Outgoing name ID format column, select Email
     5. Toggle Pass through all claim values.
     6. Click OK to complete the process and return to the Edit Claim Issuance Policy screen.
  8. Click Apply to apply the rules to your instance.

  Export signing certificate

  Now you'll need to export your Signing Certificate, usually called the X509 certificate. We use this to verify your Organization via your Identity Provider.

  1. In your ADFS instance, go to Service > Certifications
  2. Click on the certificate under Token-signing and select View Certificate. certificate
  3. Click Copy to File > Ok.
  4. Click Next on Certificate Export Wizard.
  5. Select Base-64 encoded... from the options and click Next.
  6. Name your certificate file figma.cer and click Next.
  7. Click Finish to export the certificate. ADFS will export the certificate to your configured downloads folder.

  Complete the set up process in Figma

  Now that you have everything set up in ADFS, you'll need to add your ADFS details to Figma. Our Set up a custom SAML configuration article takes you through that process.

  You'll need the following information from ADFS:

  • IdP Entity Id: This lets Figma know which Identity Provider you are using.
  • IdP SSO Target URL: Figma will use this link to connect to the Identity Provider when someone from your Organization attempts to login via SAML SSO. For ADFS, it should look something like this: https://sso.yourdomain.tld/adfs/ls/
  • Signing Certificate: This is the certificate that you have just downloaded.
• Set up a custom SAML configuration

  Before you start

  Who can use this feature

  Supported on the Organization and Enterprise plans

  Only Organization Admins can set up SAML SSO.

  You must use SAML 2.0 to set up SAML SSO with Figma.

  Organizations that have stricter security requirements can configure SAML SSO. Learn more about SAML SSO in Figma →

  If you do not use one of our supported identity providers, you can set up a custom SAML configuration. You must use SAML 2.0, Figma doesn't support earlier versions of SAML.

  Note: you will need the following information from your identity provider to set up SAML SSO in Figma:

  • IdP Entity Id: This lets us know which Identity Provider you are using.
  • IdP SSO Target URL: We will use this link to connect to the Identity Provider when someone from your Organization attempts to login via SAML SSO.
  • Signing Certificate: Usually called the X509 certificate. We use this to verify your Organization via your Identity Provider.

  Set up SAML SSO in Figma

  You need to decide if logging in via SAML SSO is mandatory, or if users can still login via email address and password. Learn about authentication options →

  1. Open Figma in the file browser and select Admin settings in the sidebar.
  2. Select Settings at the top of the screen.
  3. In the Log in and provisioning section, click SAML SSO.
  4. Figma will generate the information you need to complete the process with your identity provider. Find this in the Your configuration details are section.
  5. In the Identity provider section, select Other.
  6. Enter the details from your identity provider:
     • IdP Entity ID
     • IdP SSO Target URL
  7. Upload your Signing certificate and click Review.
  8. Check the box to confirm This information is correct... and click Configure SAML SSO.

  Complete the set up with your identity provider

  1. View the details of your SAML SSO configuration in Figma. You'll need these to complete the configuration process with your Identity Provider:
     • The SP Entity ID
     • The SP ACS URL
  2. Make sure to configure the NameId using the following format:  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

  Tip! You can address any typos, or update your SAML SSO configuration at any time. Return to these settings and click the Edit configuration button. Learn more about editing your SAML SSO settings →

• Edit a SAML configuration

  Who can use this feature

  Supported on the Organization and Enterprise plan.

  Only organization admins can configure SAML SSO.

  Organization admins can make changes to the SAML SSO settings at any time. This is perfect when you need to fix errors, update an expired certificate, or switch to another provider.

  You will need to update your Authentication settings to Members may log in with any method, including email and password to edit your configuration. This allows members to log in with email address and password, while you make any changes.

  Once the process is complete, you can enforce log in via SAML SSO for members.

  Update login method

  1. Open the organization in Figma.
  2. Select Admin settings in the sidebar.
  3. Select the Settings tab.
  4. In the Login and provisioning section, click Authentication.
  5. Select Members may log in with any method, including email and password.
  6. Click Done to return to the screen.
  7. Click on the SAML SSO option to adjust your settings.

  Set login or authentication method →

• Set up automatic provisioning via SCIM

  Before you start

  Who can use this feature

  Supported on the Organization and Enterprise plans

  Only Organization Admins can set up SAML SSO.

  All SAML SSO configurations in Figma support Just In Time (JIT) provisioning. This is manual provisioning which only applies any changes when a user next logs into their account, not when the Admin makes the changes. JIT supports creating and updating users in Figma.

  You can choose to enable automatic provisioning with SCIM. SCIM pushes any changes you make to Figma, as soon as they happen. SCIM also support importing and deactivating users.

  To set up automatic provisioning you will need to an API token in Figma and a SCIM URL. This will allow you to configure automatic provisioning in your identity provider.

  Copy your details from Figma

  To make the set up process easier, we recommend having both Figma and your identity provider open at the same time.

  You can generate an API token and find your Tenant ID on the Settings page of your Organization's Admin Settings:

  1. Open Figma and select Admin Settings in the sidebar.
  2. Select the Settings tab.

  Generate an API token

  1. In the Login and provisioning section, click SCIM provisioning.
  2. Click Generate API token.
  3. Copy the API token value.

  Find your Tenant Id

  Your identity provider will need a SCIM base URL to configure SCIM. Your Tenant Id will make up part of this URL.

  1. In the Login and provisioning section, click SAML SSO.
  2. Copy the Tenant ID.
  3. Use the tenant Id to create the SCIM base URL: https://www.figma.com/scim/v2/[tenant]

  Set up SCIM with your identity provider

  The process for setting up provisioning depends on your identity provider.

  Configure SCIM

  If you're using one of our supported identity providers, you can follow our help articles:

  • SAML SSO with Okta
  • SAML SSO with Azure Active Directory
  • SAML SSO with OneLogin

  If you're using an identity provider we haven't listed here, you can still set up SCIM with Figma.

  You'll need to set up SAML SSO configuration with your identity provider, before you can configure SCIM. This may require you to set up a custom application.

  We aren't able to provide documentation for custom configurations. Please reach out to your identity provider for any assistance with a custom configuration.

  IMPORTANT

  As part of the set up process with your identity provider, you'll need to choose which provisioning functions to use. Make sure the following functions are enabled:

  • Create Users
  • Update User Attributes
  • Deactivate Users

  Assign users to the application

  When you set up automatic provisioning, you will be asked to assign users to the application.

  As part of this process, you may be asked to provide additional information about each user. Figma supports the following common basic attributes, as well as some optional extras.

  Basic attributes

  Scroll to view table

  Variable Name	External Name	External Namespace	Suggested Mapping
  givenName	givenName	urn:ietf:params:scim:schemas:core:2.0:User	user.firstName
  familyName	familyName	urn:ietf:params:scim:schemas:core:2.0:User	user.lastName
  displayName	displayName	urn:ietf:params:scim:schemas:core:2.0:User	user.displayName
  title	title	urn:ietf:params:scim:schemas:core:2.0:User	user.title

  Advanced attributes

  Scroll to view table

  Variable Name	External Name	External Namespace	Suggested Mapping
  employeeNumber	employeeNumber	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.employeeNumber
  costCenter	costCenter	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.costCenter
  organization	organization	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.organization
  division	division	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.division
  department	department	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.department
  managerValue	manager.value	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.managerId
  managerDisplayName	manager.displayName	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User	user.manager

  Note: It's not possible to assign permissions in Figma via your identity provider. Figma will add provisioned users to your Organization as viewers.

  This is a provisional role, which means there are no restrictions around upgrading.

  Learn more about members in an Organization →

  Display SCIM member metadata

  When you have SCIM set up, you can choose which of these attributes you want to access in Figma. That attribute will be shown in the Members tab alongside Figma's default data.

  1. Open Admin settings > Settings
  2. In the Other section, click Member metadata.
  3. Choose from Cost center, organization, division, or department.
  4. Figma will show this data in the Members tab. You'll be able to sort your member list based on this column.

  Guide to organization admin →