Single sign-on (SSO)

📘
SAML SSO, OIDC SSO, and group syncing are only available for organizations on the Enterprise plan.

Single sign-on (SSO) is a user authentication tool that enables users to securely access multiple applications and services using one set of credentials. Rather than require users to create additional usernames and passwords for Retool, you can centralize logins to a single identity provider (IdP). SSO is primarily used for authentication, though Retool also supports syncing groups for authorization.

Retool supports SSO using Sign in with Google, SAML, and OpenID Connect (OIDC) providers. You can also map the roles in your IdP to Retool permission groups, or use Retool's SCIM integration to automatically provision users.

Authentication overview

Retool officially supports the following options for single-sign on providers and group syncing, but additional configurations may be possible.

Provider	Supported group sync methods
Sign in with Google	LDAP Google Group sync
Google OIDC	Role mapping
Okta OIDC	Role mapping
OneLogin OIDC	Role mapping
Auth0 OIDC	Role mapping
Azure Active Directory OIDC	Role mapping
Generic OIDC	Role mapping
Okta SAML	SAML group sync, SCIM provisioning
OneLogin SAML	SAML group sync
Azure Active Directory SAML	SAML group sync
Generic SAML	SAML group sync, SCIM provisioning

Sign in with Google

Sign in with Google is a custom SDK on top of Google's Identity Platform. Retool supports Sign in with Google on Retool Cloud and Self-hosted Retool and on all pricing plans. On self-hosted deployments, follow the guide to configure Sign-in with Google.

Group sync

Retool supports mapping LDAP Google Groups to Retool permission groups using Google Secure LDAP service. Users are automatically included in Retool groups when they log in, so you don't need to manually assign individual users to groups in Retool.

SAML

SAML is an XML-based open standard for transferring identity data between an identity provider (IdP) and a service provider (SP). Retool supports SAML SSO with Okta, Azure Active Directory, and other SAML 2.0 identity providers.

Group sync

If you use Okta or Active Directory SSO, you can sync users at the time of login with SAML group syncing, or provision users with SCIM. Both methods allow you to automatically include users in Retool groups when they log in. With SCIM, you don't need to provision individual users in Retool.

OpenID Connect (OIDC)

OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0. Retool supports OIDC SSO using Okta, Auth0, Google, and other generic providers.

Group sync

To sync groups with OIDC, you can use role mapping for your provider, usually by setting CUSTOM_OAUTH2_SSO_JWT_ROLES_KEY and CUSTOM_OAUTH2_SSO_ROLE_MAPPING environment variables. Role mapping allows you to map groups to Retool permission groups, so you don't need to manually assign users to groups in Retool.

You may be able to use SCIM with OIDC with some providers, but it is not officially supported by Retool.