SAML SSO Configuration Guide

Leverage SAML SSO on Figures to streamline your login experience

Updated over 2 weeks ago

This guide provides step-by-step instructions for configuring SAML SSO in Figures. It includes details on attribute mapping, automatic user account provisioning, enforcing SSO and domain-specific enforcement to ensure seamless and secure user authentication.

1. Setting Up SAML SSO

Follow the guide matching your SSO provider to set up your Entry Point URL and your Signing Certificate on the platform:

2. Attributes Mapping

Once SSO is set up and you run a first test, you will most likely land on an error page letting you know that we had issues validating your SAML Profile.

ℹ️ Note: The first test login will fail intentionally to capture the provider's response format in order to map its attributes in Figures directly.

To fix this, you need to map the user information from your identity provider (IdP) to Figures' user profiles.

How to map your SAML Attributes

  1. Go to Settings and scroll down to the SAML SSO section

  2. Click on the Attributes Mapping tab

  3. If you have already performed a test of the integration, you can skip to step 4

    1. Perform a test login to capture the provider’s response data by clicking on the blue button "Test integration"

  4. Map each required Figures field to the corresponding provider attribute.

    1. The required fields are:

      1. Email Address

      2. First Name

      3. Last Name

  5. Save your configuration and verify it by performing another test login.

Here is an example mapping:

3. Enforcing SAML SSO for your company

Enforcing SSO improves security by centralizing authentication and reducing the risk of password-related breaches. It also simplifies access management, saving time for both you and your employees.

ℹ️ Note: Users with the permission to manage SAML SSO settings will always be able to log in through other means.

3.1. Single Domain Setup

If your account is configured for a single domain, follow the steps below to enforce SSO:

  1. Go to Settings and scroll down to the SAML SSO section

  2. Click on the Options tab

  3. Check the Enforce SAML SSO authentication box

  4. Save your configuration

  5. SSO is now enforced for your account!

3.2. Multiple Domain Setup

If your account is configured with multiple domains, such as figures.hr and figures.fr, follow the steps below to enforce SSO:

  1. Go to Settings and scroll down to the SAML SSO section

  2. Click on the Options tab

  3. Check the Enforce SAML SSO authentication box

  4. Add all domains requiring SSO authentication

  5. Save your configuration

  6. SSO is now enforced for your account!

4. Automatic User Account Provisioning

Enabling automatic user account provisioning with SSO streamlines onboarding by creating user accounts during their first SSO login. It ensures consistency, reduces admin workload, and eliminates manual account setup errors.

ℹ️ Note: By default, the provisioned account is as restricted as possible. This means the user's role will be set to Employee. If you need a specific role to be automatically set, you can configure your SAML provider to send the user's role along with their profile, and map it to one of Figures' roles (see below).

4.1. Basic Setup

  1. Go to Settings and scroll down to the SAML SSO section

  2. Click on the Automatic User Account Provisioning tab

  3. Check the Enable automatic user provisioning box

  4. Then head to the next section

4.2. User Role Mapping

  1. Navigate to the Automatic User Account Provisioning tab

  2. Click on the green "+ Add user role mapping" button to add a mapping line

    1. You can create as many mappings as required

    2. You can create multiple role mappings for one Figures role

  3. Once done, continue on to the next section

4.3. Mapping Your Attributes

  1. Navigate to the Attributes Mapping tab

  2. Optionally, you can:

    1. Map your employee correlation field to either an employee ID or an email address

    2. Map your provider’s role attribute for increased security

  3. Finally, save the configuration and test it one more time to make sure everything works as expected

Why do we need a correlation field mapping?

To give the user the most appropriate set of permissions, we need to be able to match the incoming SSO request to one of your employees. The correlation field helps us find the corresponding employee when setting up the user account. It can be their professional email address or their employee number.
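To check an IdP response against your planned mapping before saving it, the following added example (not Figures' code) parses a SAML assertion's attributes, verifies that the three required fields resolve, and picks a role with the restrictive Employee default. The attribute names (`mail`, `givenName`, `sn`, `groups`), the `Admin` role name, the mapping dictionaries and the fallback to Employee for unmapped role values are assumptions for illustration; the script inspects attribute content only and does not validate the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: names and values are illustrative only.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>hr-admins</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical mapping mirroring the Attributes Mapping tab: field -> provider attribute.
ATTRIBUTE_MAPPING = {"email": "mail", "first_name": "givenName", "last_name": "sn", "role": "groups"}
REQUIRED = ("email", "first_name", "last_name")
# Several provider values may map to one role; "Admin" is an assumed role name.
ROLE_MAPPING = {"hr-admins": "Admin", "comp-team": "Admin"}
DEFAULT_ROLE = "Employee"  # the guide's default for provisioned accounts

def extract_attributes(xml_text):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return attrs

def build_profile(xml_text, attribute_mapping=ATTRIBUTE_MAPPING, role_mapping=ROLE_MAPPING):
    """Apply the mapping; fail if a required field is unmapped or empty."""
    attrs = extract_attributes(xml_text)
    profile, missing = {}, []
    for field in REQUIRED:
        values = attrs.get(attribute_mapping.get(field), [])
        if values:
            profile[field] = values[0]
        else:
            missing.append(field)
    if missing:
        raise ValueError("unmapped or empty required fields: " + ", ".join(missing))
    # Unknown or absent role values fall back to the least-privileged role (assumption).
    provider_roles = attrs.get(attribute_mapping.get("role"), [])
    mapped = [role_mapping[r] for r in provider_roles if r in role_mapping]
    profile["role"] = mapped[0] if mapped else DEFAULT_ROLE
    return profile
```
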
