Skip to main content

Configure OneLogin OIDC SSO

Learn how to configure OneLogin SSO on Retool using OpenID Connect (OIDC).

Available on:Enterprise plan

Use this guide to configure OneLogin SSO with OpenID Connect (OIDC) on Retool. Once configured, users can log in to Retool with their OneLogin credentials.


To configure OneLogin SSO, you must:

  • Have permissions to add environment variables to your Retool instance.
  • Have permissions to create an OIDC application in OneLogin.

1. Create an OIDC application in OneLogin

Follow the steps in the OneLogin OpenID Connect Customer Connector guide to create a new OIDC application. Use the following settings.

Configuration page

On the Configuration page, under Redirect URIs, enter https://<your_retool_domain>/oauth2sso/callback.

Parameters page

On the Parameters page, select Configured by admin under Credentials. In this section, you can add custom claims—for example, user_id.

SSO page

On the SSO page, select Web as the Application type. Select POST as the Token endpoint.

Save the Client ID and Client secret to use in Retool.

2. Update Retool settings

Configure SSO settings in Retool.


When possible, use the Settings UI to configure SSO for a more streamlined setup. Existing environment variables pre-populate in the Settings UI, which you can override or preserve. Some settings are only available as environment variables.

On Retool Cloud and self-hosted Retool versions 3.16 and later, enter settings on Settings > Single Sign-On (SSO). Retrieve the values for Client ID and Client secret from the SSO page in OneLogin.

Scopesopenid email profile groups params
Auth URL
Token URL
First name keyidToken.given_name
Last name keyidToken.family_name
Roles keyidToken.groups
Role mappingdevops -> admin, support -> viewer

3. Save configuration

On self-hosted deployments, after you set environment variables, restart your Retool instance to reload the SSO configuration. On Retool Cloud, save your settings.