Skip to main content

SSO quickstart

Learn about the fundamental concepts of authenticating users in your Retool organization with single-sign on.

This guide serves as an introduction to single sign-on (SSO). It covers many of the concepts and terminology you would come across when configuring and authenticating with SSO. After reading this page, you should have a good understanding of the fundamentals for using SSO to authenticate users.

Introduction

SSO is a user authentication tool to securely access multiple applications and services using one set of credentials. Rather than require users to create additional usernames and passwords for Retool, you can centralize logins to a single identity provider (IdP). SSO is primarily used for authentication, though Retool also supports syncing groups for authorization.

Requirements

Retool supports OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) identity providers. Organizations can map IdP roles to Retool permission groups using OIDC role mapping or SAML group sync. Retool also supports LDAP Google Group sync when using Sign in with Google.

Setup tutorials are available for the following identity providers.

ProviderProtocol
Active Directory Federation Services (AD FS)SAML
Auth0OIDC
GoogleOIDC and Sign In with Google
Microsoft Entra IDOIDC and SAML
OktaOIDC and SAML
OneLoginOIDC
Other IdP providersOIDC and SAML

If your organization uses Google Workspace and all users share the same domain, users can log in automatically to the same Retool organization.

SSO authentication flow

The following steps illustrate the authentication flow between the IdP and Retool when a user signs in.

  1. User navigates to a Retool organization URL.
  2. Retool redirects the user to the identity provider to sign in.
  3. The user signs in with their credentials.
  4. The user confirms with the IdP that they want to sign in to Retool.
  5. The user is redirected back to Retool.
  6. Retool checks with the IdP to confirm the user is authenticated.
  7. The IdP validates the authentication request.
  8. The user successfully signs in and can access Retool.

Enforce and restrict SSO

Retool includes support for enforcing SSO and disabling Retool's built-in authentication method. Organizations can also set session durations, restrict which email address domains are allowed, and trigger SSO automatically.

Group syncing and user provisioning