Enable JIT user provisioning for SSO

Learn how to enable JIT user provisioning for SSO.

Available on:Enterprise plan

JIT user provisioning is optional, but recommended. When you enable this setting, Retool provisions user accounts when users sign in over SSO for the first time. This saves time for admins, who then don't need to manually invite users to Retool. The identity provider is still the source of truth and determines which users have access to Retool. Users must also still be granted access in the identity provider before an account is created in Retool.

Cloud-hosted organizations

1. Navigate to your organization's Single Sign On (SSO) settings.
2. Select your configured SSO provider.
3. Toggle Enable JIT user provisioning.

Self-hosted organizations

1. Navigate to Settings > Single Sign-on (SSO).
2. Select your configured SSO provider.
3. Toggle Enable JIT user provisioning.

If you're setting up SSO with Google, you also need to set the DEFAULT_GROUP_FOR_DOMAINS environment variable.