SSO quickstart
Learn about the fundamental concepts of authenticating users in your Retool organization with single sign-on.
This guide serves as an introduction to single sign-on (SSO). It covers many of the concepts and terminology you would come across when configuring and authenticating with SSO. After reading this page, you should have a good understanding of the fundamentals for using SSO to authenticate users.
Introduction
SSO lets users securely access multiple applications and services with one set of credentials. Rather than requiring users to create additional usernames and passwords for Retool, you can centralize logins at a single identity provider (IdP). SSO is primarily used for authentication, though Retool also supports syncing groups from the IdP for authorization.
Requirements
Retool supports OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) identity providers. Organizations can map IdP roles to Retool permission groups using OIDC role mapping or SAML group sync. Retool also supports LDAP Google Group sync when using Sign in with Google.
Setup tutorials are available for the following identity providers.
Provider | Protocol |
---|---|
Active Directory Federation Services (AD FS) | SAML |
Auth0 | OIDC |
Google | OIDC and Sign In with Google |
Microsoft Entra ID | OIDC and SAML |
Okta | OIDC and SAML |
OneLogin | OIDC |
Other IdP providers | OIDC and SAML |
If your organization uses Google Workspace and all users share the same domain, users can log in automatically to the same Retool organization.
SSO authentication flow
The following steps illustrate the authentication flow between the IdP and Retool when a user signs in.
- User navigates to a Retool organization URL.
- Retool redirects the user to the identity provider to sign in.
- The user signs in with their credentials.
- The user confirms with the IdP that they want to sign in to Retool.
- The IdP redirects the user back to Retool with proof of authentication (an authorization code for OIDC, or a signed assertion for SAML).
- Retool verifies that proof with the IdP: for OIDC it exchanges the code for tokens directly with the IdP and validates the ID token; for SAML it checks the assertion's signature against the IdP's certificate.
- The user is signed in and can access Retool.
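The following is an added example, not Retool's code or configuration: a dependency-free simulation of the OIDC authorization-code variant of the steps above, with the IdP and the relying party (the role Retool plays) both implemented in one process and no network involved. Every URL, the client ID, the signing key and the allowed email domain are assumptions chosen for the simulation; an HMAC (HS256) stands in for the IdP's asymmetric signing key so that the block runs offline. The SAML variant differs in transport (a signed XML assertion posted to Retool's ACS URL) but needs the same bindings: the response must be tied to the request Retool started, the proof must be single-use, and the issuer, audience, expiry and signature must all be checked before the user is signed in.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Every value below is an assumption made for this simulation, not Retool configuration.
ISSUER = "https://idp.example.com"                          # assumed IdP issuer
CLIENT_ID = "retool-org-demo"                               # assumed client_id registered at the IdP
REDIRECT_URI = "https://retool.example.com/oauth/callback"  # assumed callback URL
ALLOWED_DOMAINS = {"example.com"}                           # assumed allowed email domains
IDP_KEY = b"demo-hmac-key-not-for-production"              # HS256 stand-in for an RS256 IdP key
ISSUED_CODES = {}    # IdP state: code -> (email, nonce, redirect_uri), one-time use
PENDING_LOGINS = {}  # RP state: state -> nonce; a real RP keeps this in the browser session

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def query(url: str) -> dict:  # query string -> {name: first value}
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def sign_jwt(claims: dict) -> str:  # IdP side: compact JWS (HS256 keeps this dependency-free)
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(IDP_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_id_token(token: str, expected_nonce: str) -> dict:
    """RP side: accept the token only if signature, iss, aud, nonce and exp all check out."""
    header, body, sig = token.split(".")
    expected = hmac.new(IDP_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig), expected):
        raise ValueError("id_token signature invalid")
    claims = json.loads(b64url_decode(body))
    for name, want in {"iss": ISSUER, "aud": CLIENT_ID, "nonce": expected_nonce}.items():
        if claims.get(name) != want:
            raise ValueError(f"id_token {name} mismatch")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("id_token expired")
    return claims

def idp_authorize(params: dict, user_email: str) -> str:
    """Steps 3-5: user signed in and consented; mint a one-time code, redirect back with the RP's state."""
    if params.get("client_id") != CLIENT_ID or params.get("redirect_uri") != REDIRECT_URI:
        raise ValueError("unregistered client or redirect_uri")
    code = secrets.token_urlsafe(24)
    ISSUED_CODES[code] = (user_email, params["nonce"], params["redirect_uri"])
    return REDIRECT_URI + "?" + urlencode({"code": code, "state": params["state"]})

def idp_token(code: str, redirect_uri: str) -> dict:
    """Steps 6-7: back-channel code exchange; pop() makes the code single-use."""
    entry = ISSUED_CODES.pop(code, None)
    if entry is None or entry[2] != redirect_uri:
        raise ValueError("code unknown, already used, or bound to another redirect_uri")
    email, nonce, _ = entry
    now = int(time.time())
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": email, "email": email,
              "nonce": nonce, "iat": now, "exp": now + 300}
    return {"id_token": sign_jwt(claims)}

def rp_start_login() -> str:
    """Step 2: redirect to the IdP with fresh, unguessable state and nonce values."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    PENDING_LOGINS[state] = nonce
    return ISSUER + "/authorize?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid email", "state": state, "nonce": nonce})

def rp_callback(url: str) -> str:
    """Steps 5-8: tie the response to a login we started, exchange the code, validate the ID token, apply the domain allowlist."""
    q = query(url)
    nonce = PENDING_LOGINS.pop(q.get("state", ""), None)
    if nonce is None:
        raise ValueError("unknown state: response is not tied to a login we started")
    claims = verify_id_token(idp_token(q["code"], REDIRECT_URI)["id_token"], nonce)
    email = claims["email"]
    if email.rsplit("@", 1)[-1].lower() not in ALLOWED_DOMAINS:
        raise ValueError(f"{email}: email domain not allowed for this organization")
    return email

def run_login(user_email: str = "alice@example.com") -> str:  # whole flow in-process
    return rp_callback(idp_authorize(query(rp_start_login()), user_email))

def rejected(attempt) -> bool:  # True when the stand-in RP or IdP refuses the attempt
    try:
        attempt()
    except ValueError:
        return True
    return False

def attack_results() -> dict:
    """Constructed misuse cases against the stand-ins; each entry is True when refused."""
    params = query(rp_start_login())
    callback_url = idp_authorize(params, "alice@example.com")
    forged = callback_url.replace(params["state"], "attacker-chosen-state")
    results = {"forged_state": rejected(lambda: rp_callback(forged))}
    rp_callback(callback_url)  # the legitimate exchange consumes the code
    results["replayed_code"] = rejected(lambda: idp_token(query(callback_url)["code"], REDIRECT_URI))
    return results
```

Running `run_login()` returns the signed-in user's email, while `attack_results()` shows the two checks that make the redirect safe: a callback carrying a `state` the relying party never issued is refused before any code is exchanged, and a code that has already been exchanged cannot be exchanged again. A login with an email outside `ALLOWED_DOMAINS` passes every protocol check and is still refused, which is the point of the domain restriction described below: authentication at the IdP succeeding is not the same as being allowed into the organization.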
Enforce and restrict SSO
Retool includes support for enforcing SSO and disabling Retool's built-in authentication method. Organizations can also set session durations, restrict which email address domains are allowed, and trigger SSO automatically.
Each Retool Space can only have a single authentication method, and it's not possible to set the login method to username and password for some users and SSO for others within a single space. Refer to Spaces and SSO for more information.
To offer more than one authentication method, use multiple spaces. For example, create one space that authenticates with SSO and another that authenticates with username and password, then sync both spaces via Source Control so they contain the same apps and resources. Each space requires its own setup of users, permissions, and other settings.