Configure Active Directory Federation Services SAML SSO
Learn how to configure SSO with Active Directory Federation Services SAML.
Use the following guide to integrate Retool with Active Directory Federation Services 3.0.
1. Create a relying party trust
Follow the Relying Party Trust wizard in Active Directory with the following settings.
- In Select Data Source, select Enter data about the relying party manually.
- In Choose Profile, select AD FS profile.
- In Configure Certificate, do not upload a certificate.
- In Configure URL, select Enable support for SAML 2.0 WebSSO Protocol. On Retool Cloud, enter
https://your-sso-url.retool/api/saml/login. On self-hosted Retool, enterhttps://your-sso-url.retool/saml/login. Replaceyour-sso-urlwith your Retool single-sign on domain. This is oftenretool.yourcompany.com. - In Configure Identifiers, add your single-sign on domain without the protocol as a Relying party trust identifier. For example, use
retool.yourcompany.cominstead ofhttps://retool.yourcompany.com. - Finish the wizard.
2. Send LDAP attributes as claims
Follow the steps to send LDAP attributes as claims.
- On the Choose rule type page, select Send LDAP Attributes as Claims.
- On the Configure claim rule page, choose Active Directory as the attribute store. Fill in the following settings.
| LDAP Attribute | Outgoing Claim Type |
|---|---|
| Email addresses | email |
| Email addresses | AD FS 1.x Email address |
| Given Name | firstName |
| Surname | lastName |
- Select Transform an Incoming Claim and select the following settings.
| Setting | Value |
|---|---|
| Incoming claim type | AD FS 1.x Email Address |
| Outgoing claim type | Name ID |
| Outgoing claim ID format |
- Select Pass through all claim values and save the settings.
3. Configure Retool with IdP metadata
Export the metadata to an XML file from your IdP. There is usually a button to download this from your IdP dashboard. Additionally, you can often find this by navigating to https://your.identityprovider.com/federationmetadata/2007-06/federationmetadata.xml.`
Copy the entire XML file to your clipboard and log in to Retool as an admin user.
- Self-hosted Retool: Go to Settings > Advanced.
- Retool Cloud: Go to Settings > Single Sign-On (SSO), select SAML SSO, and paste the XML file contents to the Identity Provider Metadata field.
