Skip to main content

Configure Active Directory Federation Services SAML SSO

Learn how to configure SSO with Active Directory Federation Services SAML.

Available on:Enterprise plan

Use the following guide to integrate Retool with Active Directory Federation Services 3.0.

1. Create a relying party trust

Follow the Relying Party Trust wizard in Active Directory with the following settings.

  1. In Select Data Source, select Enter data about the relying party manually.
  2. In Choose Profile, select AD FS profile.
  3. In Configure Certificate, do not upload a certificate.
  4. In Configure URL, select Enable support for SAML 2.0 WebSSO Protocol. On Retool Cloud, enter https://your-sso-url.retool/api/saml/login. On self-hosted Retool, enter https://your-sso-url.retool/saml/login. Replace your-sso-url with your Retool single-sign on domain. This is often
  5. In Configure Identifiers, add your single-sign on domain without the protocol as a Relying party trust identifier. For example, use instead of
  6. Finish the wizard.

2. Send LDAP attributes as claims

Follow the steps to send LDAP attributes as claims.

  1. On the Choose rule type page, select Send LDAP Attributes as Claims.
  2. On the Configure claim rule page, choose Active Directory as the attribute store. Fill in the following settings.
LDAP AttributeOutgoing Claim Type
Email addressesemail
Email addressesAD FS 1.x Email address
Given NamefirstName
  1. Select Transform an Incoming Claim and select the following settings.
Incoming claim typeAD FS 1.x Email Address
Outgoing claim typeName ID
Outgoing claim ID formatEmail
  1. Select Pass through all claim values and save the settings.

3. Configure Retool with IdP metadata

Export the metadata to an XML file from your IdP. There is usually a button to download this from your IdP dashboard. Additionally, you can often find this by navigating to`

Copy the entire XML file to your clipboard and log in to Retool as an admin user.

  • Self-hosted Retool: Go to Settings > Advanced.
  • Retool Cloud: Go to Settings > Single Sign-On (SSO), select SAML SSO, and paste the XML file contents to the Identity Provider Metadata field.

Configure Retool with IdP metadata