Configure Okta SAML SSO
Learn how to configure SSO using Okta SAML.
To configure Okta SAML SSO, you must:
- Be in Admin mode in Okta.
- Have group names that match exactly between Okta and SAML.
- Have admin permissions in Retool.
- For organizations on Retool Cloud, have the ability to create a custom SAML application.
Configuration
Self-hosted deployments
- In your Okta admin dashboard, click Add Application.
- Search for Retool and follow the wizard.
- Navigate to the Okta application you created. Click on the Sign On tab, then Actions > View IdP Metadata in the SAML Signing Certificates section.
- Save the page as an XML file. Consult Okta's documentation to confirm how to view the IdP metadata.
- Copy the contents of the XML file and log in to your Retool instance. Go to the Single-Sign On (SSO) > Custom SSO settings, select SAML SSO, and paste the XML file contents into the Identity Provider Metadata field.
- If not set already, assign your app to your user in Okta.
Retool Cloud
- Create a custom SAML application in Okta. Use the following settings.
| Setting | Value |
|---|---|
| Single sign-on URL | <your-org-domain>/api/saml/login |
| Audience URI (SP Entity ID) | your-org-domain-without-https |
| firstName attribute | user.firstName |
| lastName attribute | user.lastName |
| email attribute | user.email |
- In the Feedback tab, check I'm a software vendor. I'd like to integrate my app with Okta.
- In your app's settings, go to the Sign On tab. Under SAML Signing Certificates > SHA-2, click Actions > View IdP metadata.
- Copy the contents of the XML file and log in to Retool. Go to the Single-Sign On (SSO) settings, select SAML SSO, and paste the XML file contents into the Identity Provider Metadata field.
- On the same page, enter firstName and lastName in the Attributes section.
- In your Okta app under Assignments, assign users or groups to your app.