
Configure Azure AD OIDC SSO

Learn how to set up Azure AD SSO with OpenID Connect (OIDC).

Available on: Enterprise plan

To configure SSO with Azure Active Directory OIDC, you must:

  • Have permission to create an Azure Active Directory Enterprise application.
  • Have admin permissions on your Retool instance. For self-hosted deployments, you must also have the ability to configure environment variables.

1. Create an Azure AD Enterprise application

To create an Azure AD Enterprise application, follow the steps in Azure's documentation.

  1. In the Azure Active Directory portal, add a new Enterprise application.

  2. Retool is not listed in the Azure AD Gallery, so select Create your own application.

  3. Name the application.

  4. Select Register an application to integrate with Azure AD (App you're developing).

  5. Under Supported account types, select Accounts in this organizational directory only (Default Directory Only - Single tenant).

  6. Under Redirect URI, select Web. Enter https://retool.yourcompany.com/oauth2sso/callback under the path, replacing retool.yourcompany.com with your Retool instance domain. This specifies the path where Azure AD redirects users after they complete authentication.

2. Configure secrets

  1. In the settings for the new Retool enterprise application, select the Single sign-on menu. Select the App registrations experience.

  2. Select the Certificates & secrets menu. Add a new client secret and set an expiration period. You must update your Retool deployment when the secret expires, so you should set the maximum allowable period to 24 months.

  3. Save this secret for use in a later step.

3. Configure claims

  1. In the Azure app registration experience, select the Token configuration menu.

  2. Select Add optional claim for the ID token. At a minimum, add the following claims:

  • acct
  • email
  • family_name
  • given_name
  3. When you save the claims, turn on the Microsoft Graph email and profile permissions.

  4. Optionally, specify additional claims to include for the Access token.

4. Configure optional group claims

You can optionally map Azure AD groups to Retool groups to automatically assign users to groups when they authenticate using SSO. This requires adding group claims to the ID token.

  1. In the Azure app registration experience, select the Token configuration menu.

  2. Select Add optional claim for the ID token.

  • In the claim, include the groups you want to map to Retool groups.
  • Include the Group ID for ID, Access, and SAML.

5. Retrieve connection details

  1. In the Azure app registration experience, select the Overview menu and select Endpoints.

  2. Save the following fields:

  • Application (client) ID
  • OAuth 2.0 authorization endpoint (v2)
  • OAuth 2.0 token endpoint (v2)

6. Configure settings in Retool

Configure your Azure AD settings in Retool.

Info

When possible, use the Settings UI to configure SSO for a more streamlined setup. Existing environment variables pre-populate in the Settings UI, which you can override or preserve. Some settings are only available as environment variables.

On Retool Cloud and self-hosted Retool versions 3.16 and later, enter settings on Settings > Single Sign-On (SSO).

Setting                          Example
Client ID                        CLIENT_ID
Client secret                    CLIENT_SECRET
Scopes                           openid profile email offline_access
Auth URL                         https://login.microsoftonline.com/<issuer>/oauth2/v2.0/authorize
Token URL                        https://login.microsoftonline.com/<issuer>/oauth2/v2.0/token
Email key                        idToken.email
User info URL (Fat token URL)    https://yourcompany.idprovider.com/oauth2/v1/userinfo

See thin tokens and fat tokens for more detail on the User Info URL or CUSTOM_OAUTH2_SSO_USERINFO_URL environment variable. Azure AD does not include the groups attribute by default, so this field is required.

Optional settings

To pass the user's first name and last name to Retool, set the following settings.

Setting                          Example
First name key                   idToken.given_name
Last name key                    idToken.family_name

Use caution when syncing groups

Role mapping modifies group memberships on subsequent logins. During initial configuration, test role mapping on a non-admin user, or verify that a separate admin can log in with an alternate authentication method, to avoid losing admin access.

If you configured group claims, construct a role mapping string to map Azure AD group object IDs to Retool group names. Find Azure AD group object IDs in the Azure Groups application.

For example, given an Azure AD group called Retool Editors with an object ID of fd951-f454-4b7a, use the mapping string fd951-f454-4b7a -> editor to assign its members to the Editor group in Retool.

To add role mapping, set the following environment variables in your Retool instance.

Setting                          Example
Roles key                        idToken.groups
Role mapping                     fd951-f454-4b7a -> editor
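As an added illustration (not Retool's own code) of how the dotted keys in the settings tables above and the role mapping string are applied to a decoded ID token: the token payload and group object IDs are constructed for the example, and accepting several comma-separated mapping entries is an assumption, not Retool's documented format.

```python
from typing import Any, Dict, List, Optional

# Constructed ID token payload carrying the optional claims from steps 3 and 4.
# Azure AD emits "groups" as a list of group object IDs (these IDs are made up).
TOKENS: Dict[str, Any] = {
    "idToken": {
        "email": "alice@yourcompany.com",
        "given_name": "Alice",
        "family_name": "Example",
        "groups": ["fd951-f454-4b7a", "00000000-0000-0000-0000-000000000001"],
    },
}

def resolve_key(tokens: Dict[str, Any], key: str) -> Any:
    """Resolve a dotted setting such as 'idToken.email' against the token payloads."""
    node: Any = tokens
    for part in key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None  # claim absent: report it as missing rather than as ""
        node = node[part]
    return node

def user_profile(tokens: Dict[str, Any]) -> Dict[str, Optional[str]]:
    """Apply the Email key, First name key and Last name key settings from the tables."""
    return {
        "email": resolve_key(tokens, "idToken.email"),
        "first_name": resolve_key(tokens, "idToken.given_name"),
        "last_name": resolve_key(tokens, "idToken.family_name"),
    }

def parse_role_mapping(mapping: str) -> Dict[str, str]:
    """Parse 'objectId -> retoolGroup' entries. Splitting several entries on
    commas is an assumption of this example, not Retool's documented format."""
    table: Dict[str, str] = {}
    for entry in mapping.split(","):
        if "->" not in entry:
            continue  # ignore malformed entries instead of guessing
        object_id, group = (s.strip() for s in entry.split("->", 1))
        if object_id and group:
            table[object_id] = group
    return table

def groups_for_user(tokens: Dict[str, Any], roles_key: str, mapping: str) -> Optional[List[str]]:
    """Return the Retool groups a login would receive, or None when the groups
    claim is absent (Azure AD omits it unless step 4 was configured)."""
    ids = resolve_key(tokens, roles_key)
    if not isinstance(ids, list):
        return None  # no claim: leave existing memberships untouched
    table = parse_role_mapping(mapping)
    return sorted({table[g] for g in ids if g in table})  # unmapped IDs grant nothing
```

A `None` result from `groups_for_user` is the case the caution above warns about: with no groups claim in the token there is nothing to sync, so memberships should be left as they are rather than cleared.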

7. Test SSO

  1. Navigate to the /auth/login page for your Retool instance.

  2. Click the Sign in with SSO button.

Retool redirects you to login.microsoft.com, where you are prompted for credentials. After entering credentials for a user assigned to the Retool app in Azure, you are redirected back to Retool and logged into the instance. In the Retool App IDE, confirm that an idToken and accessToken are available as keys on the current_user.metadata object.