Configure OneLogin OIDC SSO
Learn how to configure OneLogin SSO on Retool using OpenID Connect (OIDC).
SSO with OneLogin OIDC is only available for organizations on the Enterprise plan running self-hosted Retool.
Use this guide to configure OneLogin SSO with OpenID Connect (OIDC) on Retool. Once configured, users can log in to Retool with their OneLogin credentials.
To configure OneLogin SSO, you must:
- Have permissions to add environment variables to your Retool instance.
- Have permissions to create an OIDC application in OneLogin.
1. Create an OIDC application in OneLogin
Follow the steps in the OneLogin OpenID Connect Customer Connector guide to create a new OIDC application. Use the following settings.
On the Configuration page, under Redirect URIs, enter
On the Parameters page, select Configured by admin under Credentials. In this section, you can add custom claims—for example,
On the SSO page, select Web as the Application type. Select POST as the Token endpoint.
Save the Client ID and Client secret to use in Retool.
2. Set environment variables in Retool
In your Retool instance, set the following environment variables. Retrieve the values for CUSTOM_OAUTH2_SSO_CLIENT_SECRET from the SSO page in OneLogin. Replace ONELOGINDOMAIN with your OneLogin domain.
You should also set the BASE_DOMAIN environment variable to ensure links using your domain are correct. Retool's backend tries to guess BASE_DOMAIN if it is not set, but the guess can be incorrect if your website uses a proxy.
3. Restart Retool
After you set your environment variables, restart your Retool instance to reload the SSO configuration.
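A preflight check you can run before the restart, as an added example that is not part of Retool's documentation or tooling. It assumes the variables from step 2 are exported in the shell where it runs; the function name `retool_sso_preflight` and its optional argument (the public origin users open in the browser) are hypothetical.

```shell
#!/bin/sh
# Added example, not Retool's own tooling. Checks the variables from step 2
# in the current environment and returns the number of problems found.
# Assumption: $1 (optional) is the public origin users open in the browser.
retool_sso_preflight() {
    expected_origin="${1:-}"
    problems=0

    # The client secret copied from the OneLogin SSO page must be present.
    # Only variable names are reported, never values.
    if [ -z "${CUSTOM_OAUTH2_SSO_CLIENT_SECRET:-}" ]; then
        echo "CUSTOM_OAUTH2_SSO_CLIENT_SECRET is not set" >&2
        problems=$((problems + 1))
    fi

    # No SSO variable may still carry the literal ONELOGINDOMAIN placeholder.
    leftover=$(env | grep '^CUSTOM_OAUTH2_SSO_' | grep 'ONELOGINDOMAIN' \
        | cut -d= -f1 || true)
    for name in $leftover; do
        echo "$name still contains the ONELOGINDOMAIN placeholder" >&2
        problems=$((problems + 1))
    done

    # BASE_DOMAIN should be set explicitly rather than left to the backend's
    # guess, and should match the public origin when one is supplied.
    if [ -z "${BASE_DOMAIN:-}" ]; then
        echo "BASE_DOMAIN is not set; Retool will guess it" >&2
        problems=$((problems + 1))
    elif [ -n "$expected_origin" ] &&
         [ "${BASE_DOMAIN%/}" != "${expected_origin%/}" ]; then
        echo "BASE_DOMAIN does not match $expected_origin" >&2
        problems=$((problems + 1))
    fi

    return "$problems"
}
```

A return status of 0 means all checks passed; any other status is the number of problems reported on stderr.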