Configure SSO with SAML authentication

Learn how to configure SSO with providers using SAML.

Available on: Enterprise plan

Retool Cloud and Self-hosted Retool deployments support Okta, Microsoft Entra ID, Active Directory Federation Services, and other SAML SSO providers.

If you don't use Okta or Active Directory, use the following steps to configure your SAML identity provider service.

1. Set your Entity ID in Retool

By default, Retool uses the Entity ID

2. Configure your Identity Provider

Refer to your identity provider's documentation to complete its setup. You will likely be asked to supply values for the Sign on URL and Reply URL fields. Use the following pattern, replacing with the Entity ID you supplied in step 1:

  • Sign on URL:
  • Reply URL:

3. Match user attributes and claims

Retool requires exactly the following attributes to be asserted for each user on login:

  • email: The identifier for a user
  • firstName: The user's first name
  • lastName: The user's last name

4. Assign users access to Retool

Use your identity provider to assign users access to log in to Retool.

5. Configure Retool with the Identity Provider Metadata

Export the metadata to an XML file from your identity provider and copy it. There's usually a button to trigger a download from your IdP dashboard. Additionally, you can often find this data by navigating to

You can configure Retool with the IdP metadata in the dashboard for Retool Cloud, or with the SAML_IDP_METADATA environment variable on self-hosted deployments. To use the dashboard, log in to Retool as an admin user.

On Retool Cloud, go to Settings > Single Sign-On (SSO), select SAML SSO, and paste the XML file contents to the Identity Provider Metadata field. On self-hosted deployments, this setting is on Settings > Advanced.

Configuring Identity Provider Metadata in Retool
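
Once the metadata is in place, a test login's SAMLResponse can be checked against the attribute names required in step 3. The following is an added example, not Retool's code: the function names, the near-miss heuristic and the sample response are constructed for illustration, and it assumes an unencrypted assertion delivered over the HTTP-POST binding.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email", "firstName", "lastName")  # attribute names from step 3

# Constructed sample: wrong-case "FirstName" and an empty lastName value.
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion><saml:AttributeStatement>
<saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="lastName"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML).decode()


def asserted_attributes(saml_response_b64: str) -> dict:
    """Decode a base64 SAMLResponse and return {attribute Name: [values]}."""
    xml_bytes = base64.b64decode(saml_response_b64, validate=True)
    # A SAML message never needs a DTD; refuse one before parsing.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DOCTYPE/ENTITY not allowed in a SAML message")
    root = ET.fromstring(xml_bytes)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def check_required(attrs: dict) -> dict:
    """Per required name: 'ok', 'empty', 'missing', or the near-miss name sent."""
    # Heuristic (assumption): compare the last path segment case-insensitively.
    by_lower = {name.rsplit("/", 1)[-1].lower(): name for name in attrs}
    report = {}
    for name in REQUIRED:
        if name in attrs:
            report[name] = "ok" if any(attrs[name]) else "empty"
        elif name.lower() in by_lower:
            report[name] = "near-miss: " + by_lower[name.lower()]
        else:
            report[name] = "missing"
    return report


if __name__ == "__main__":
    for name, status in check_required(asserted_attributes(SAMPLE_B64)).items():
        print(f"{name}: {status}")
```

This is a configuration aid only: it does not verify the response signature, so its output must never be used to make an authentication decision.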