figma guide

Designing SSO and enterprise login UI in Figma: domain discovery, IdP buttons, and admin setup

Design SSO and enterprise login UI in Figma with email domain discovery, SAML/OIDC sign-in, IdP selection, admin setup wizards, and Dev Mode specs for B2B auth flows.

Published
Updated
Jul 07, 2026
Read time
8 min
Level
Beginner

Quick answer

Enterprise SSO login routes users through their company’s identity provider (Okta, Azure AD, Google Workspace) instead of a local password—usually after email domain discovery or a dedicated “Sign in with SSO” path. Design a domain discovery step (“Enter your work email”), an IdP redirect/waiting screen, optional IdP picker when multiple providers exist, and admin setup flows for IT (metadata upload, ACS URL, test connection). Consumer social login belongs on a different path—see connected accounts. Start from the Figma guides hub and pair with login, session timeout, and account dashboard guides.


Who this is for

  • Product designers building B2B SaaS, workforce tools, or enterprise ecommerce portals.
  • Design system teams separating consumer auth from workforce SSO without duplicating every component.
  • Engineers implementing SAML 2.0, OIDC, SCIM provisioning, and domain-verified SSO routing.

Consumer login vs enterprise SSO

SurfaceAudiencePrimary action
Consumer loginIndividual shoppers or free accountsEmail/password + social
Enterprise SSOEmployees on verified domainsRedirect to company IdP
Hybrid productBoth B2C and B2B tenantsSplit entry: “Work email” vs “Personal account”
Just-in-time provisioningFirst SSO login creates userSuccess landing + profile completion
Admin SSO configIT admin in tenant settingsMetadata, certificates, test login

Verdict: add “Sign in with SSO” or “Use your work email” as a secondary path on the main login page—not buried in footer links. Route @company.com emails to SSO automatically when domain is verified.


Enterprise login entry patterns

PatternBest forFlow
Domain discovery firstSingle login page for B2B+B2CEmail field → detect domain → SSO or password
Dedicated SSO pageWorkforce-only products/login/sso with email or domain field
IdP-initiatedUsers start from Okta dashboardLanding page after SAML assertion
Magic subdomaintenant.app.comSkip discovery—tenant known from URL
Home realm discoveryMulti-tenant platformsEmail determines IdP without separate page
EnterpriseLoginEntry
├── Variant: pattern=domainDiscovery | dedicatedSso | subdomain
├── Variant: domainKnown=true | false
└── Layers:
    ├── WorkEmailField
    ├── ContinueButton
    ├── SsoDivider ("or sign in with password")
    ├── ConsumerAuthLink
    └── HelpLink ("SSO not working?")

Domain discovery screen

PartSpecNotes
Headline”Sign in to your organization”
Email fieldWork email; validate domain format
ContinuePrimary CTATriggers domain lookup
Unknown domainError or fallback to password signup”No SSO for this domain”
Unverified domainAdmin must verify firstLink to IT docs
Loading”Redirecting to your identity provider…”Full-page or inline
DomainDiscoveryForm
├── Variant: state=default | loading | error | redirecting
├── Variant: result=ssoRedirect | passwordFallback | inviteRequired
└── Layers:
    ├── Headline
    ├── WorkEmailInput
    ├── InlineError
    ├── ContinueButton
    ├── LoadingSpinner (redirecting)
    └── FallbackLinks

After Continue, never ask for password if SSO is mandatory for that domain—redirect immediately to IdP.


IdP redirect and waiting UI

Users leave your app briefly—set expectations.

ElementSpec
Message”Redirecting to Microsoft to sign you in”
Provider logoOkta, Azure AD, Google Workspace
SpinnerIndeterminate—redirect may take 1–3s
Cancel linkReturn to login
Error returnIdP error query params mapped to friendly copy
MobileSame screen; warn about app-switch to authenticator
IdpRedirectScreen
├── Variant: provider=okta | azure | google | generic
├── Variant: state=redirecting | error
└── Layers:
    ├── ProviderLogo
    ├── RedirectMessage
    ├── ProgressIndicator
    ├── CancelLink
    └── ErrorPanel (conditional)

Document popup vs full redirect—popup needs a “Complete sign-in in the popup window” helper.


Multiple IdP selection

When one domain maps to several providers (rare) or user picks manually:

RowContent
IdP buttonLogo + “Continue with Okta”
Last usedBadge on previously chosen IdP
Admin-configured orderMost common IdP first

Reuse button styling from login social row but label as organization sign-in, not personal Google.


SSO admin setup (IT admin UI)

Design for tenant admins configuring SAML/OIDC—often under Settings → Security → SSO.

StepUI
1. Enable SSOToggle + warning about password disable
2. Provider templateOkta / Azure / Custom SAML / OIDC
3. SP metadataCopy ACS URL, Entity ID, download XML
4. IdP metadataUpload XML or paste SSO URL + certificate
5. Attribute mappingEmail, name, groups fields
6. Test connection”Test SSO login” opens new tab
7. Enforce SSOCheckbox: disable password for domain users
SsoAdminWizard
├── Variant: step=enable | provider | spMetadata | idpMetadata | mapping | test | enforce
├── Variant: protocol=saml | oidc
└── Layers:
    ├── StepIndicator
    ├── InstructionPanel
    ├── CopyField (repeat)
    ├── FileUpload
    ├── TestResultBanner
    └── EnforceSsoToggle

Include rollback copy if test fails—do not lock all users out without break-glass admin login.


Post-login and provisioning states

StateUI
First SSO login (JIT)Welcome + complete profile (name, role)
Missing license”Contact your admin” empty state
Deprovisioned userError on next login—link to support
Session establishedRedirect to app home or returnUrl
SCIM syncedNo UI—note in admin docs

Link to session timeout for workforce idle policies—often stricter than consumer.


Error states (user-facing)

ErrorUser messageAction
SAML signature invalid”Sign-in configuration error”Contact admin (user) / fix cert (admin)
User not in app”Your account doesn’t have access”Request access CTA
SSO required”Use your work email to sign in”Hide password for domain
Clock skewGeneric retry messageSupport article link
IdP downtime”Your sign-in provider is unavailable”Status page + retry

Use inline alerts on login—not raw SAML error codes.


Mobile and WebView considerations

CaseDesign note
Corporate mobile SSOMay open system browser or Microsoft/Okta app
Embedded WebViewOften blocked—warn in IT setup docs
Deep link returnCustom URL scheme for native apps
Biometric after SSOOptional app-level lock—not IdP

Handoff checklist

ItemDev Mode annotation
Domain → tenant lookupAPI before redirect
SAML ACS URLFull URL with https
OIDC redirect URIWhitelist per environment
JIT provisioningCreate user on first assertion
Enforce SSO flagDisables password for domain
Break-glass adminEmergency local login path
Session durationOften synced from IdP
LogoutSP-initiated vs IdP SLO
a11yEmail field labeled “Work email”; errors announced

Clarify SP-initiated vs IdP-initiated flows in presenter notes—different entry components.


Common mistakes

MistakeWhy it hurtsFix
SSO hidden in footerEnterprise buyers bouncePrimary “Work email” path
Password field after SSO domainViolates IT policyAuto-redirect on known domain
Consumer Google labeled “SSO”Wrong expectationsSeparate enterprise IdP buttons
No waiting screen on redirectUsers double-click ContinueLoading state immediately
Admin wizard without test stepProduction outagesMandatory test login
Same session timeout as B2CCompliance gapsShorter idle for workforce
No error for unassigned userOpaque IdP errorsMap to in-app message
Mixing OAuth social with SAMLEngineering confusionSeparate components and routes

  1. Map personas: end user SSO login vs IT admin setup vs consumer login.
  2. Design domain discovery on login or /login/sso.
  3. Add IdP redirect/waiting screen with provider branding.
  4. Design IdP picker if multi-IdP tenants exist.
  5. Build admin wizard with SP metadata copy fields and test banner.
  6. Spec error mapping from SAML/OIDC failures to UI.
  7. Link consumer paths to login and connected accounts for personal identity linking edge cases.
  8. Prototype work email → redirect → success home on desktop and mobile.

FAQ

SAML or OIDC in the UI?

Same user flows—differences live in admin wizard steps (metadata vs client ID/secret). Label protocol in admin UI only.

Show password login for SSO domains?

When enforce SSO is on, hide password. Optional break-glass login is admin-only—not in public Figma consumer frames.

Account linking is a backend policy—design a one-time “Connect your work login” banner in account settings if supported.

Branding on Okta/Azure screens?

IdP controls login branding—you design only redirect/waiting screens and post-login app chrome.

Ecommerce B2B portals need SSO?

Yes for corporate buyers—domain discovery on checkout login reduces duplicate accounts; pair with guest checkout rules.


Next steps

Share on X

§ Keep reading

Related guides.