Give your users convenient but secure Single Sign On (SSO) access to Figma using their ºÚÁϺ£½Ç91Èë¿Ú credentials with the SSO integration. Automatically provision, update and deprovision users and groups in Figma from ºÚÁϺ£½Ç91Èë¿Ú using the Identity Management (SCIM) integration. Leverage this integration to allow users to login with with one set of credentials and to centralize user lifecycle, user identity, and group management in ºÚÁϺ£½Ç91Èë¿Ú for Figma. Save time and cost related to user account and password management. Avoid mistakes, as well as potential security risks, related to manually creating users and groups.
Read this article to learn how to setup the Figma integration.
Prerequisites
- A Figma .
- A Figma Organization Admin account.
- Single Sign On integration with Figma must be configured before you can create an Identity Management (SCIM) integration.
- Review Figma’s support article.
Important Considerations
- It is not possible to assign permissions in Figma from ºÚÁϺ£½Ç91Èë¿Ú. Figma will add provisioned users to your Organization as .
- When you have SCIM set up, you can choose which of the advanced attributes you want to access in Figma.
- You need to decide if logging in via SAML SSO is mandatory, or if users can still login via email address and password.Ìý.
- The sync will occur in real-time whenever changes are made to users and/or groups in ºÚÁϺ£½Ç91Èë¿Ú.
- ºÚÁϺ£½Ç91Èë¿Ú cannot take over management of user accounts created directly in Figma There is currently no option for converting these users to ºÚÁϺ£½Ç91Èë¿Ú SCIM managed users. Those accounts will need to continue to be managed manually or delete and recreated using the SCIM integration.
- Groups are supported.
Attribute Considerations
- A default set of attributes are managed for users. See the Attribute Mappings section for more details.
Group Management Considerations
Enabling Group Management
You must select the Enable management of User Groups and Group Membership in this application option to manage groups and group membership in the application from ºÚÁϺ£½Ç91Èë¿Ú.
Group Provisioning and Syncing
- Empty groups are not created
- ºÚÁϺ£½Ç91Èë¿Ú takes over management of existing groups in the application when the user group name in ºÚÁϺ£½Ç91Èë¿Ú matches the name of the group in the application
- All user groups associated with the application in ºÚÁϺ£½Ç91Èë¿Ú are synced. Syncing occurs whenever there is a membership or group change event
- Group renaming is supported
- If a user group is disassociated from the application in ºÚÁϺ£½Ç91Èë¿Ú, syncing immediately stops and the group is left as-is in the application. All members of that user group are deactivated in the application unless they are associated with another active application group that is managed from ºÚÁϺ£½Ç91Èë¿Ú
Group Deletion
- Managed groups deleted in ºÚÁϺ£½Ç91Èë¿Ú are deleted in the application
- All members of the deleted group are deactivated in the application, unless they are associated with another active application group that is managed from ºÚÁϺ£½Ç91Èë¿Ú
Disabling Group Management
- You can disable group and group membership management by unchecking theÌýEnable management of User Groups and Group Membership in this applicationÌý´Ç±è³Ù¾±´Ç²Ô
- The managed groups and group membership are left as-is in the application
- ºÚÁϺ£½Ç91Èë¿Ú stops sending group membership information for the user, but the user’s identity will continue to be managed from ºÚÁϺ£½Ç91Èë¿Ú
Creating a new ºÚÁϺ£½Ç91Èë¿Ú Application Integration
- Log in to the .
- Go toÌýUSER AUTHENTICATIONÌý&²µ³Ù;ÌýSSO Applications.
- Click + Add New Application.
- Type the name of the application in the Search field and select it.
- Click Next.
- In the Display Label, type your name for the application. Optionally, you can enter a Description, adjust the User Portal Image and choose to hide or Show in User Portal.
If this is a Bookmark Application, enter your sign-in URL in the Bookmark URL field.
- Optionally, expand Advanced Settings to specify a value for the SSO IdP URL. If no value is entered, it will default to https://sso.jumpcloud.com/saml2/<applicationname>.
The SSO IdP URL is not editable after the application is created. You will have to delete and recreate the connector if you need to edit this field at a later time.
- Click Save Application.
- If successful, click:
- Configure Application and go to the next section
- Close to configure your new application at a later time
Configuring the SSO integration
To configure ºÚÁϺ£½Ç91Èë¿Ú Part 1
- Create a new application or select it from the Configured Applications list.
- Select the SSO tab.
- In the field terminating the IdP URL, either leave the default value or enter a plaintext string unique to this connector.
- Note the IdP Entity Id and IdP URL values. You will need these values when configuring Figma.
- Select activate then continue.
- Click Download certificate from the slide out notification.
The certificate.pem file will download to your local Downloads folder.
To configure Figma
Read Figma’s article before you start.
- Open Figma and select Admin settings in the sidebar.
- Select Settings at the top of the screen.
- In the Log in and provisioning section, click SAML SSO.
- Figma will generate the information you need to complete the process with your identity provider. Find this in the Your configuration details are section.
- In the Identity provider section, select Other.
- Enter the details from your identity provider:
- IdP Entity ID
- IdP SSO Target URL (IDP URL)
- Upload your Signing certificate and click Review.
- Check the box to confirm This information is correct... and click Configure SAML SSO.
- Note the The SP Entity ID and SP ACS URL values. You will need these values to complete the configuration in ºÚÁϺ£½Ç91Èë¿Ú.
To configure ºÚÁϺ£½Ç91Èë¿Ú Part 2
- Access the .
- Go to USER AUTHENTICATION > SSO Applications.
- Find Figma in the application list on the SSO page and click anywhere in the row to reopen the application configuration panel.
- Select the SSO tab and update the SP Entity ID and ACS URL values with the values you noted in the previous section.
- Click save.
Authorizing User SSO Access
Users are implicitly denied access to applications. After you connect an application to ºÚÁϺ£½Ç91Èë¿Ú, you need to authorize user access to that application. You can authorize user access from the Application Configuration panel or from the Groups Configuration panel.
To authorize user access from the Application Configuration panel
- Log in to the .
- Go to USER AUTHENTICATION > SSO Applications, then select the application to which you want to authorize user access.
- Select the User Groups tab. If you need to create a new group of users, see Get Started: User Groups.
- Select the check box next to the group of users you want to give access.
- Click save.
To learn how to authorize user access from the Groups Configuration panel, see Authorize Users to an SSO Application.
Validating SSO user authentication workflow(s)
IdP-initiated user workflow
- Access the
- Go toÌýApplications and click an application tile to launch it
- ºÚÁϺ£½Ç91Èë¿Ú asserts the user's identity to the SP and is authenticated without the user having to log in to the application
SP-initiated user workflow
- GoÌýto the SP application login - generally, there is either a special link or an adaptive username field that detects the user is authenticated through SSO
This varies by SP.
- Login redirects the user to ºÚÁϺ£½Ç91Èë¿Ú where the user enters their ºÚÁϺ£½Ç91Èë¿Ú credentials
- After the user is logged in successfully, they are redirectedÌýback to the SP and automatically logged in
Configuring the Identity Management Integration
To configure Figma
See Figma’s support article for the most current information.
- Open Figma and select Admin Settings in the sidebar.
- Select the Settings tab.
- In the Login and provisioning section, click SCIM provisioning.
- Click Generate API token.
- Copy the API token value and store it in a secure location. You will need this when configuring ºÚÁϺ£½Ç91Èë¿Ú.
- Your tenant id is needed to create the SCIM base URL. To get your tenant id, do the following:
- In the Login and provisioning section, click SAML SSO.
- Copy the Tenant ID.
- Use the tenant Id to create the SCIM base URL: https://www.figma.com/scim/v2/[tenant]
- You can choose which if any of the advanced attributes display in the Members tab.
- Open Admin settings > Settings
- In the Other section, click Member metadata.
- Choose from Cost center, organization, division, or department.
- Figma will show this data in the Members tab. You'll be able to sort your member list based on this column.
To configure ºÚÁϺ£½Ç91Èë¿Ú
- Create a new application or select it from the Configured Applications list.
- Click the Identity Management tab.
- Click the Enable management of User Groups and Group Membership in this application checkbox if you want to provision, manage, and sync groups in Figma from ºÚÁϺ£½Ç91Èë¿Ú.
- Click Configure.
- You’re presented with two fields:
- *Base URL: Paste the Tenant URL you copied when configuring Figma
- Token Key: Paste the SCIM token you generated when configuring Figma.
- Click Activate.
- You receive a confirmation that the Identity Management integration has been successfully verified.
- You can now connect user groups to the application in ºÚÁϺ£½Ç91Èë¿Ú to provision and manage those users and groups in Figma.
Attribute Mappings
The following table lists attributes that ºÚÁϺ£½Ç91Èë¿Ú sends to the application. See Attribute Considerations for more information regarding attribute mapping considerations.
Learn about ºÚÁϺ£½Ç91Èë¿Ú Properties and how they work with system users in our .
ºÚÁϺ£½Ç91Èë¿Ú Property | ºÚÁϺ£½Ç91Èë¿Ú UI | SCIM v2 Mapping | Figma Attribute |
---|---|---|---|
Company Email | userName | User Name | |
Company Email | emails.work | ||
firstname | First Name | name.givenName | First Name |
lastname | Last Name | name.familyName | Last Name |
displayname | Display Name | displayName | DisplayName |
activated | activated | active:true | Ìý |
suspended | suspended | active:false | Ìý |
jobTitle | Job Title | title | Job Title |
Ìý | Ìý | local = "en-US" | Ìý |
Ìý | User Groups | groups:[obj] | Groups |
employeeidentifier | Employee ID | employeeNumber | Employee Number |
company | Company | organization | Organization |
department | Department | department | Department |
costCenter | Cost Center | costCenter | Cost Center |
id | Ìý | id | externalID |
Group Attributes
ºÚÁϺ£½Ç91Èë¿Ú Property | ºÚÁϺ£½Ç91Èë¿Ú UI Field Name | SCIM v2 Mapping | Application Value |
---|---|---|---|
name | Name | displayName | Name |
Removing the Integration
These are steps for removing the integration in ºÚÁϺ£½Ç91Èë¿Ú. Consult your SP's documentation for any additional steps needed to remove the integration in the SP. Failure to remove the integration successfully for both the SP and ºÚÁϺ£½Ç91Èë¿Ú may result in users losing access to the application.
To deactivate the IdM Integration
- Log in to the .
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application that you’d like to deactivate and click to open its details panel.
- Under the company name and logo on the left hand panel, click the Deactivate IdM connection link.
- Click confirm.
- If successful, you will receive a confirmation message.
To deactivate the SSO Integration or Bookmark
- Log in to the .
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application that you’d like to deactivate and click to open its details panel.
- Select theÌýSSO or BookmarkÌýtab.
- Scroll to the bottom of the configuration.
- Click Deactivate SSO or Deactivate Bookmark.
- Click save.
- If successful, you will receive a confirmation message.
To delete the application
- Log in to the .
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application that you’d like to delete.
- Check the box next to the application to select it.
- Click Delete.
- Enter the number of the applications you are deleting
- Click Delete Application.
- If successful, you will see an application deletion confirmation notification.