While all cloud accounts support Google SSO by default, on On-Premise deployments you are able to connect Google, Okta, Active Directory, or other SAML SSO providers.

Google

First, create a Google OAuth client: https://developers.google.com/identity/sign-in/web/devconsole-project

Screen Shot 2018-06-08 at 2.28.14 AM.png

Continue through the wizard until you reach the following form, and then fill it as follows:

Screen Shot 2018-06-08 at 2.38.36 AM.png

You will then be presented with a Google Client ID and a Google Client Secret, but these values will not be the one that we care about.

Next, navigate to your Google developer console, and then on the left navbar navigate to credentials. Click on the auto-generated Web client (Auto-created for Google Sign-in)

Screen Shot 2019-04-24 at 9.12.06 PM.png

Then configure the screen to look like below:

Screen Shot 2018-06-08 at 2.40.54 AM.png

Add the Google Client ID and Client Secret that is on this page to your docker.env file like below.

📘
RESTRICTED_DOMAIN
Don't set your RESTRICTED_DOMAIN to retool.yourcompany.com -- just use yourcompany.com!

CLIENT_ID={YOUR_GOOGLE_CLIENT_ID}
CLIENT_SECRET={YOUR_GOOGLE_CLIENT_SECRET}
RESTRICTED_DOMAIN=yourcompany.com

Restart the server, and Google SSO should work.

In Kubernetes, place the base64 encoded version of these strings inside the Kubernetes secrets file instead of the docker.env file.

Okta

Go to "Add Application" in your Okta admin dashboard.
Search for Retool.
Follow the wizard to finish setting up Retool.

Screen Shot 2019-07-26 at 12.09.12 AM.png

Navigate into the Okta application you just created. Click on the Sign On tab, and then on the Identity Provider Metadata link.

Screen Shot 2019-08-28 at 4.02.35 PM.png

Copy the entire XML file onto your clipboard and login to Retool as an administrator. Navigate to Settings -> Advanced and add the copied XML file to the IdP Metadata XML field.

Screen Shot 2019-08-28 at 4.04.42 PM.png

Active Directory Federation Services

Another common Identity Provider is Active Directory Federation Service. Below is a step-by-step guide for integrating Retool with ADFS 3.0

Single sign on URL For Step 7 (Configure URL) you will need your Retool's Single Sign on URL. This will typically be https://retool.yourcompany.com/saml/login
Welcome: Open up the AD FS Manager, and start the Add Relying Party Trust Wizard

Screen Shot 2018-05-13 at 11.15.28 PM.png

Select Data Source: Select "Enter data about the relying party manually"

Screen Shot 2018-05-13 at 11.16.21 PM.png

Specify Display Name: Enter in a description in the next step for Retool in the next screen.

Screen Shot 2018-05-13 at 11.17.33 PM.png

Choose Profile: Choose the AD FS Profile, as Retool supports SAML 2.0

Screen Shot 2018-05-13 at 11.18.31 PM.png

Configure Certificate: Skip the next step (do not provide an optional token encryption certificate)

Screen Shot 2018-05-13 at 11.19.22 PM.png

Configure URL: Choose the "Enable support for SAML 2.0 WebSSO Protocol. For the entry box for "Relying party SAML 2.0 SSO service URL" use the following pattern: https://domain.of.onprem.retool/saml/login You may find this URL in the settings page of Retool where you can export Retool's Service Provider Metadata (see Step 1).

Screen Shot 2018-05-13 at 11.23.02 PM.png

Configure Identifiers: The Relying Party trust identifier should be of the form retool.yourcompany.com

Screen Shot 2018-05-13 at 11.29.31 PM.png

Finish wizard: Continue and press next for all the following steps in the wizard.
Edit Claim Rules We will create two rules in the Issuance Transform Rules section now.
First claim - Select "Send LDAP Attributes as Claims", and use the following screenshot as a guide.

Screen Shot 2018-05-13 at 11.33.07 PM.png

Second claim Select "Transform an Incoming Claim" and use the following screenshot as a guide.

Screen Shot 2018-05-13 at 11.34.49 PM.png

Save all settings.
Configure Retool with the Identity Provider Metadata Export the metadata to an XML file (usually found at - https://your.identityprovider.com/federationmetadata/2007-06/federationmetadata.xml. Then, copy the entire XML file onto your clipboard and login to Retool as an administrator. Navigate to Settings -> Advanced and add the copied XML file to the IdP Metadata XML field.

Other SAML Identity Providers

While ADFS and Okta are both common Identity Provider Services, it is sometimes necessary to integrate Retool with other SAML IDP providers. To do so, please follow the steps below.

Customize your Entity ID. Retool by default uses the EntityID "https://tryretool.com." However, in your organization you may want to customize to a different unique name. To do so, add this line to your docker.env file.

DOMAINS=your.custom.entity.id

Configure service provider information using the documentation for your IDP. As part of this step, you may be asked for the following fields.

Sign on URL: https://retool.yourcompany.com/saml/login
Reply URL: https://retool.yourcompany.com/saml/login

Matching attributes. Retool requires the following information for each user.
- email: This is the identifier for a user
- firstName: The user's first name
- lastName: The user's last name
Assign users so that they are able to login into Retool.

Retool | Documentation

What do you need help with?

SSO: Google and SAML

Google

📘
RESTRICTED_DOMAIN

Okta

Active Directory Federation Services

Other SAML Identity Providers

SSO: Google and SAML

Suggested Edits are limited on API Reference Pages

Google

📘RESTRICTED_DOMAIN

Okta

Active Directory Federation Services

Other SAML Identity Providers

📘
RESTRICTED_DOMAIN