Configure Sign in with Google
Learn how to configure Sign in with Google for SSO on self-hosted deployments.
You can configure SSO using the Sign in with Google following this guide. This guide applies to self-hosted deployments, but Sign in with Google is also available on Retool Cloud, where it does not require additional configuration.
Follow this guide to configure Sign-in with Google. Refer to the Google SSO with OpenID Connect guide to configure Google SSO using OIDC.
1. Configure Google OAuth client
If you are prompted to configure a consent screen, select Internal as the User type.
Click Create Credentials > OAuth client ID to create a Google OAuth client. Use the following settings.
|Setting name||Setting values|
|Application type||Web application|
|Authorized redirect URIs|
2. Update settings in Retool
Click on your new OAuth application in the Credentials tab, and copy the Client ID and Client secret. Save each in your
docker.env file using the
CLIENT_SECRET environment variables.
If you use Kubernetes Secrets, place the base64-encoded version of these strings inside your Kubernetes secrets file instead of in
If you want to restrict sign-in to SSO and remove the option for users to sign in with a username and password, add the
RESTRICTED_DOMAIN environment variable.
RESTRICTED_DOMAIN, do not include the protocol or subdomain where you have Retool deployed. Only use
yourcompany.com, which should match the email address users use to sign in. See the environment variables reference for more details.
3. Restart the Retool instance
Restart your Retool instance to reload the configuration and enable Google SSO. If you use Docker, you can restart the instance with
sudo docker-compose up -d
4. Enable JIT user provisioning
Just-in-Time (JIT) user provisioning enables Retool to provision accounts when your users sign in with Google for the first time. JIT user provisioning is optional, but it is highly recommended so you don't need to manually invite each user to Retool first.
To enable JIT user provisioning, toggle the switch in the Settings > Advanced page in Retool, then set the
DEFAULT_GROUP_FOR_DOMAINS environment variable.
Updated 11 days ago