figma guide

Designing domain verification and SSO domain management UI in Figma: DNS, claimed domains, and handoff

Design domain verification and SSO domain management UI in Figma with DNS TXT records, claimed domain lists, SSO enforcement, and Dev Mode specs for enterprise identity.

Published
Updated
Jul 12, 2026
Read time
7 min
Level
Intermediate

Quick answer

Domain verification proves an organization owns an email domain (e.g. @acme.com) before enabling SSO, SCIM, or domain capture (force SSO for matching emails). Design a claimed domains list with status (pending, verified, failed); a verification wizard with DNS TXT or HTML file instructions and copy buttons; SSO enforcement toggles per domain; and conflict handling when another org already claimed a domain. Unverified domains should block JIT provisioning and seat invites from that domain. Log verify/remove events to audit activity. Start from the Figma guides hub and pair with Dev Mode handoff for DNS record format specs.


Who this is for

  • Product designers building enterprise security settings, identity onboarding, and IT admin consoles.
  • Design system teams connecting domain verification to SSO setup without duplicating DNS copy blocks.
  • Engineers implementing TXT/CNAME checks, domain uniqueness, and login routing by email domain.

Why domain verification exists

CapabilityRequires verified domain?Risk if skipped
SSO (SAML/OIDC)YesWrong org receives logins
SCIM provisioningYesUsers provisioned to attacker tenant
Domain captureYes@acme.com users hijacked to wrong workspace
Auto-join by emailRecommendedStrangers join with lookalike domains
Branded loginOptionalCosmetic only

Verdict: treat verification as a prerequisite gate, not a settings footnote. SSO wizard step 1 should link here when domain is unverified.


Claimed domains list

ColumnSpecNotes
Domainacme.comNo protocol, lowercase
StatusPending / Verified / Failed / ExpiredColor + icon
Verification methodDNS TXT / HTML / CNAMEBadge
SSO enforcementOff / Optional / RequiredPer-domain toggle
Verified dateISO + relativeRe-verify annually?
ActionsVerify, Re-check, RemoveRemove needs confirm
ClaimedDomainsPage
├── Header: Domains + Add domain
├── InfoBanner: "Verify before enabling SSO or SCIM"
├── DomainsTable
│   └── Row: Domain, Status, Enforcement, Verified, Actions
├── PendingVerificationCard (expanded DNS instructions)
└── EmptyState: "Add your company domain to enable SSO"

Failed state must show actionable error: “TXT record not found—expected figma-verify=abc123 at _figma.acme.com.”


Add domain wizard

StepUIValidation
1. Enter domainText input acme.comBlock wildcards, subdomains as primary in v1
2. Choose methodDNS TXT (recommended) vs HTML fileEnterprise often DNS-only
3. InstructionsRecord host, value, TTL + copy buttonsMonospace values
4. Verify”Check DNS” button + spinnerPoll with timeout message
5. SuccessBadge + next steps: Enable SSOLink to SSO setup
Conflict”Domain claimed by another org”Support contact CTA

DNS instruction block (copy-friendly):

┌─────────────────────────────────────────────┐
│  Add this TXT record to your DNS              │
│  Host / Name:  _figma-verify.acme.com  📋    │
│  Value:        figma-site-verification=xyz 📋 │
│  TTL:          300 (or default)               │
│  [ Check DNS ]  (may take up to 48 hours)     │
└─────────────────────────────────────────────┘

Show last checked timestamp and Try again without forcing full wizard restart.


SSO enforcement per domain

After verification, admins choose login policy:

PolicyBehaviorUI label
OffSSO available; password login allowed”SSO optional”
OptionalSSO button prominent; password fallbackDefault for rollout
Required@acme.com must use SSO; block password”Enforce SSO”
DomainPolicyRow
├── Domain: acme.com (verified ✓)
├── EnforcementSelect: Optional | Required
├── WarningModal (if Required): "Password login disabled for 142 users"
└── ExceptionsLink: "Break-glass accounts" (optional enterprise)

Required enforcement should trigger:

  • Banner on login page for matching emails
  • Block new password signups for that domain
  • Email to affected users before enforcement date (scheduled toggle)

Pair with session timeout and connected accounts when disabling password paths.


Domain capture vs invite-only

ModelWhat happens on signupAdmin UI
Invite-onlyNo auto-join; admin invites each userDefault for security
Verified domain auto-join@acme.com lands in org workspaceToggle + default role
SSO JITFirst SSO login creates userTied to SSO + verified domain

Auto-join toggle (only when domain verified):

☑ Allow users with @acme.com to join this organization
  Default role: [ Member ▼ ]
  ⚠ Requires verified domain and available seats

Link seat limits to org billing—block auto-join at seat cap.


Multiple domains and subdomains

ScenarioUI treatment
Parent + subdomainsacme.com does not auto-verify eu.acme.com unless stated
AcquisitionAdd second domain; separate verification
Primary domainStar icon; used in branded login URL
Deprecated domain”Scheduled removal” with grace period

Document in FAQ: wildcard verification is an enterprise exception—show support CTA, not self-serve.


Remove and re-verify flows

ActionConfirmationSide effects
Remove domainType domain name; warn SSO/SCIM impactDisable enforcement first
Re-verifySame DNS checkNeeded if record expired
Transfer domainSupport workflow onlyShow read-only conflict screen

Remove blocked when SSO Required is on:

Turn off SSO enforcement before removing acme.com.
[ Go to SSO settings ]  [ Cancel ]

Integration with SSO and SCIM

Downstream featureDepends onUI link
SSO metadataVerified primary domainFrom domain success → Configure SSO
SCIM provisioningVerified domain + SSOBanner on SCIM wizard step 1
Group mappingSCIM + custom rolesDomain not re-entered
Audit logAll domain eventsdomain.verified, domain.enforcement_changed

Keep one source of truth for domain list—SSO setup should not ask for domain again if already verified.


Common mistakes

MistakeWhy it hurtsFix
SSO enabled before verifyAccount takeoverHard gate with checklist
No copy buttons on DNS valuesIT typos, failed verifyMonospace + one-click copy
Vague “verification failed”Endless support ticketsExpected vs found record
Allow duplicate claimsTwo orgs fight for @acme.comGlobal uniqueness + support
Enforce SSO without noticeLockout on Monday morningScheduled enforcement + email
Subdomain confusionmail.acme.com verified, login uses acme.comClear host field in instructions
Remove domain without cascadeBroken SSO mid-sessionOrdered teardown checklist
No audit on enforcement changeCompliance gapLog who toggled Required

  1. Design claimed domains table with status and enforcement columns.
  2. Build add-domain wizard with DNS TXT instructions and polling verify.
  3. Add conflict and failed states with specific DNS errors.
  4. Wire SSO enforcement toggle with scheduled Required option.
  5. Connect gates on SSO, SCIM, and auto-join wizards.
  6. Prototype remove-blocked, enforcement warning, and seat-cap auto-join.
  7. Hand off record formats, poll intervals, and policy enums in Dev Mode.

FAQ

TXT vs CNAME vs HTML file—which default?

DNS TXT for enterprise IT; HTML file for marketing sites without DNS access. Default the wizard to TXT with “Other methods” collapsed.

How long should DNS polling wait?

Show “up to 48 hours” but poll every 30–60 seconds for 2–3 minutes on “Check DNS” for instant feedback. Then email when background job succeeds.

Can one user belong to two orgs with same domain?

Product policy varies. If allowed, domain verification is per-org; enforcement applies only to users joining that org. Document multi-org in enterprise FAQ.

What about personal Gmail users on a business plan?

Domain rules apply to email domain, not plan tier. @gmail.com users skip domain capture—use invite flow instead.

Branded login URL—separate from verification?

Often yes. acme.app.com/login is branding; verification is security. Link both under Security → Identity but separate pages.


Next steps

Share on X

§ Keep reading

Related guides.