figma guide
Designing domain verification and SSO domain management UI in Figma: DNS, claimed domains, and handoff
Design domain verification and SSO domain management UI in Figma with DNS TXT records, claimed domain lists, SSO enforcement, and Dev Mode specs for enterprise identity.
- Published
- Updated
- Jul 12, 2026
- Read time
- 7 min
- Level
- Intermediate
Quick answer
Domain verification proves an organization owns an email domain (e.g. @acme.com) before enabling SSO, SCIM, or domain capture (force SSO for matching emails). Design a claimed domains list with status (pending, verified, failed); a verification wizard with DNS TXT or HTML file instructions and copy buttons; SSO enforcement toggles per domain; and conflict handling when another org already claimed a domain. Unverified domains should block JIT provisioning and seat invites from that domain. Log verify/remove events to audit activity. Start from the Figma guides hub and pair with Dev Mode handoff for DNS record format specs.
Who this is for
- Product designers building enterprise security settings, identity onboarding, and IT admin consoles.
- Design system teams connecting domain verification to SSO setup without duplicating DNS copy blocks.
- Engineers implementing TXT/CNAME checks, domain uniqueness, and login routing by email domain.
Why domain verification exists
| Capability | Requires verified domain? | Risk if skipped |
|---|---|---|
| SSO (SAML/OIDC) | Yes | Wrong org receives logins |
| SCIM provisioning | Yes | Users provisioned to attacker tenant |
| Domain capture | Yes | @acme.com users hijacked to wrong workspace |
| Auto-join by email | Recommended | Strangers join with lookalike domains |
| Branded login | Optional | Cosmetic only |
Verdict: treat verification as a prerequisite gate, not a settings footnote. SSO wizard step 1 should link here when domain is unverified.
Claimed domains list
| Column | Spec | Notes |
|---|---|---|
| Domain | acme.com | No protocol, lowercase |
| Status | Pending / Verified / Failed / Expired | Color + icon |
| Verification method | DNS TXT / HTML / CNAME | Badge |
| SSO enforcement | Off / Optional / Required | Per-domain toggle |
| Verified date | ISO + relative | Re-verify annually? |
| Actions | Verify, Re-check, Remove | Remove needs confirm |
ClaimedDomainsPage
├── Header: Domains + Add domain
├── InfoBanner: "Verify before enabling SSO or SCIM"
├── DomainsTable
│ └── Row: Domain, Status, Enforcement, Verified, Actions
├── PendingVerificationCard (expanded DNS instructions)
└── EmptyState: "Add your company domain to enable SSO"
Failed state must show actionable error: “TXT record not found—expected figma-verify=abc123 at _figma.acme.com.”
Add domain wizard
| Step | UI | Validation |
|---|---|---|
| 1. Enter domain | Text input acme.com | Block wildcards, subdomains as primary in v1 |
| 2. Choose method | DNS TXT (recommended) vs HTML file | Enterprise often DNS-only |
| 3. Instructions | Record host, value, TTL + copy buttons | Monospace values |
| 4. Verify | ”Check DNS” button + spinner | Poll with timeout message |
| 5. Success | Badge + next steps: Enable SSO | Link to SSO setup |
| Conflict | ”Domain claimed by another org” | Support contact CTA |
DNS instruction block (copy-friendly):
┌─────────────────────────────────────────────┐
│ Add this TXT record to your DNS │
│ Host / Name: _figma-verify.acme.com 📋 │
│ Value: figma-site-verification=xyz 📋 │
│ TTL: 300 (or default) │
│ [ Check DNS ] (may take up to 48 hours) │
└─────────────────────────────────────────────┘
Show last checked timestamp and Try again without forcing full wizard restart.
SSO enforcement per domain
After verification, admins choose login policy:
| Policy | Behavior | UI label |
|---|---|---|
| Off | SSO available; password login allowed | ”SSO optional” |
| Optional | SSO button prominent; password fallback | Default for rollout |
| Required | @acme.com must use SSO; block password | ”Enforce SSO” |
DomainPolicyRow
├── Domain: acme.com (verified ✓)
├── EnforcementSelect: Optional | Required
├── WarningModal (if Required): "Password login disabled for 142 users"
└── ExceptionsLink: "Break-glass accounts" (optional enterprise)
Required enforcement should trigger:
- Banner on login page for matching emails
- Block new password signups for that domain
- Email to affected users before enforcement date (scheduled toggle)
Pair with session timeout and connected accounts when disabling password paths.
Domain capture vs invite-only
| Model | What happens on signup | Admin UI |
|---|---|---|
| Invite-only | No auto-join; admin invites each user | Default for security |
| Verified domain auto-join | @acme.com lands in org workspace | Toggle + default role |
| SSO JIT | First SSO login creates user | Tied to SSO + verified domain |
Auto-join toggle (only when domain verified):
☑ Allow users with @acme.com to join this organization
Default role: [ Member ▼ ]
⚠ Requires verified domain and available seats
Link seat limits to org billing—block auto-join at seat cap.
Multiple domains and subdomains
| Scenario | UI treatment |
|---|---|
| Parent + subdomains | acme.com does not auto-verify eu.acme.com unless stated |
| Acquisition | Add second domain; separate verification |
| Primary domain | Star icon; used in branded login URL |
| Deprecated domain | ”Scheduled removal” with grace period |
Document in FAQ: wildcard verification is an enterprise exception—show support CTA, not self-serve.
Remove and re-verify flows
| Action | Confirmation | Side effects |
|---|---|---|
| Remove domain | Type domain name; warn SSO/SCIM impact | Disable enforcement first |
| Re-verify | Same DNS check | Needed if record expired |
| Transfer domain | Support workflow only | Show read-only conflict screen |
Remove blocked when SSO Required is on:
Turn off SSO enforcement before removing acme.com.
[ Go to SSO settings ] [ Cancel ]
Integration with SSO and SCIM
| Downstream feature | Depends on | UI link |
|---|---|---|
| SSO metadata | Verified primary domain | From domain success → Configure SSO |
| SCIM provisioning | Verified domain + SSO | Banner on SCIM wizard step 1 |
| Group mapping | SCIM + custom roles | Domain not re-entered |
| Audit log | All domain events | domain.verified, domain.enforcement_changed |
Keep one source of truth for domain list—SSO setup should not ask for domain again if already verified.
Common mistakes
| Mistake | Why it hurts | Fix |
|---|---|---|
| SSO enabled before verify | Account takeover | Hard gate with checklist |
| No copy buttons on DNS values | IT typos, failed verify | Monospace + one-click copy |
| Vague “verification failed” | Endless support tickets | Expected vs found record |
| Allow duplicate claims | Two orgs fight for @acme.com | Global uniqueness + support |
| Enforce SSO without notice | Lockout on Monday morning | Scheduled enforcement + email |
| Subdomain confusion | mail.acme.com verified, login uses acme.com | Clear host field in instructions |
| Remove domain without cascade | Broken SSO mid-session | Ordered teardown checklist |
| No audit on enforcement change | Compliance gap | Log who toggled Required |
Recommended workflow
- Design claimed domains table with status and enforcement columns.
- Build add-domain wizard with DNS TXT instructions and polling verify.
- Add conflict and failed states with specific DNS errors.
- Wire SSO enforcement toggle with scheduled Required option.
- Connect gates on SSO, SCIM, and auto-join wizards.
- Prototype remove-blocked, enforcement warning, and seat-cap auto-join.
- Hand off record formats, poll intervals, and policy enums in Dev Mode.
FAQ
TXT vs CNAME vs HTML file—which default?
DNS TXT for enterprise IT; HTML file for marketing sites without DNS access. Default the wizard to TXT with “Other methods” collapsed.
How long should DNS polling wait?
Show “up to 48 hours” but poll every 30–60 seconds for 2–3 minutes on “Check DNS” for instant feedback. Then email when background job succeeds.
Can one user belong to two orgs with same domain?
Product policy varies. If allowed, domain verification is per-org; enforcement applies only to users joining that org. Document multi-org in enterprise FAQ.
What about personal Gmail users on a business plan?
Domain rules apply to email domain, not plan tier. @gmail.com users skip domain capture—use invite flow instead.
Branded login URL—separate from verification?
Often yes. acme.app.com/login is branding; verification is security. Link both under Security → Identity but separate pages.
Next steps
- Design SSO and enterprise login UI in Figma — SAML/OIDC after domain verify
- Design SCIM and directory sync UI in Figma — provisioning gated on domain
- Design team member roles and permissions UI in Figma — auto-join default role
- Design login, registration, and password recovery UI in Figma — enforcement on login
- Design audit log and security activity UI in Figma — domain and policy events
§ Keep reading