Configure SSO with SAML authentication
Learn how to configure SSO with providers using SAML.
Retool Cloud and Self-hosted Retool deployments support Okta, Microsoft Entra ID, Active Directory Federation Services, and other SAML SSO providers.
If you don't use Okta or Active Directory, use the following steps to configure your SAML identity provider service.
1. Set your Entity ID in Retool

Retool Cloud: By default, Retool uses the Entity ID https://tryretool.com.

Self-hosted Retool: Add the following environment variable to your docker.env file, replacing retool.yourcompany.com with your domain. Note: adding a new environment variable requires restarting the container for it to take effect.

DOMAINS=retool.yourcompany.com
2. Configure your Identity Provider

Refer to your identity provider's documentation to complete its setup. You will likely be asked to supply values for the Sign on URL and Reply URL fields. Use the following pattern, replacing retool.yourcompany.com with the Entity ID you supplied in step 1:

Retool Cloud:
- Sign on URL: https://retool.yourcompany.com/api/saml/login
- Reply URL: https://retool.yourcompany.com/api/saml/login

Self-hosted Retool:
- Sign on URL: https://retool.yourcompany.com/saml/login
- Reply URL: https://retool.yourcompany.com/saml/login
3. Match user attributes and claims

Retool requires exactly the following attributes to be asserted for each user on login:
- email: The identifier for a user
- firstName: The user's first name
- lastName: The user's last name
4. Assign users access to Retool

Use your identity provider to grant users access to log in to Retool.
5. Configure Retool with the Identity Provider Metadata

Export the metadata to an XML file from your identity provider and copy it. There is usually a button to trigger a download from your IdP dashboard. You can also often find this data by navigating to https://your.identityprovider.com/federationmetadata/2007-06/federationmetadata.xml.
You can configure Retool with the IdP metadata in the dashboard for Retool Cloud, or with the SAML_IDP_METADATA environment variable on self-hosted deployments. To use the dashboard, log in to Retool as an admin user.

On Retool Cloud, go to Settings > Single Sign-On (SSO), select SAML SSO, and paste the XML file contents into the Identity Provider Metadata field. On self-hosted deployments, this setting is on Settings > Advanced.