This guide explains how to configure SSO using Sign in with Google. It applies to Retool Cloud and self-hosted deployments.
To configure Google SSO using OIDC instead, refer to the Google SSO with OpenID Connect guide.
1. Configure Google OAuth client
If you are prompted to configure a consent screen, select Internal as the User type.
Click Create Credentials > OAuth client ID to create a Google OAuth client. Use the following settings if you have a custom domain set on your organization.
|Setting name|Setting values|
|---|---|
|Application type|Web application|
|Authorized redirect URIs| |
If you are using Retool Cloud, you must also set the following authorized redirect URIs to enable Sign-in with Google:
2. Update settings in Retool
Click on your new OAuth application in the Credentials tab, and copy the Client ID and Client secret.
- Retool Cloud
- Self-hosted deployments
Visit Settings > Custom SSO, select Google SSO, and add your Client ID and Client Secret.
In your docker.env file, set your Client ID and Client Secret as the values of the CLIENT_SECRET environment variables. Set the BASE_DOMAIN environment variable as well so Google redirects requests correctly.
If you use Kubernetes Secrets, place the base64-encoded version of these strings inside your Kubernetes secrets file instead of in
To automatically provision users on sign-in, set the DEFAULT_GROUP_FOR_DOMAINS environment variable.
DEFAULT_GROUP_FOR_DOMAINS=example1.org -> admin, example2.com -> viewer
If you want to restrict sign-in to SSO and remove the option for users to sign in with a username and password, add the RESTRICTED_DOMAIN environment variable.
For RESTRICTED_DOMAIN, do not include the protocol or subdomain where you have Retool deployed. Only use yourcompany.com, which should match the email address users use to sign in. See the environment variables reference for more details.
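A pre-restart check for the two variables above, as an added example that is not part of Retool's documentation or code: it parses a docker.env-style file, validates the DEFAULT_GROUP_FOR_DOMAINS mapping syntax shown above, flags domains whose new users land in a privileged group, and flags a RESTRICTED_DOMAIN that is not a bare domain or does not match a sample sign-in email. The function names, the sample_email and privileged parameters, and the sample values are assumptions made for illustration, and the check assumes RESTRICTED_DOMAIN holds a single domain.

```python
import re
# Bare domain such as yourcompany.com: dot-separated labels, no scheme, path or port.
BARE_DOMAIN = re.compile(r"^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def parse_env(text):
    """Parse KEY=VALUE lines of a docker.env-style file, skipping blanks and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip()
    return env

def parse_group_map(value):
    """Split 'example1.org -> admin, example2.com -> viewer' into {domain: group}."""
    mapping = {}
    for entry in filter(None, (e.strip() for e in value.split(","))):
        domain, sep, group = (part.strip() for part in entry.partition("->"))
        if not (sep and domain and group):
            raise ValueError(f"malformed entry {entry!r}")
        mapping[domain.lower()] = group
    return mapping

def lint(env_text, sample_email, privileged=("admin",)):
    """Return findings; sample_email and privileged are illustrative inputs (assumptions)."""
    env, findings = parse_env(env_text), []
    email_domain = sample_email.rsplit("@", 1)[-1].lower()
    restricted = env.get("RESTRICTED_DOMAIN", "").lower()
    if restricted and not BARE_DOMAIN.match(restricted):
        findings.append(f"RESTRICTED_DOMAIN {restricted!r} is not a bare domain such as yourcompany.com")
    elif restricted and restricted != email_domain:
        findings.append(f"RESTRICTED_DOMAIN {restricted!r} does not match sign-in domain {email_domain!r}")
    try:
        groups = parse_group_map(env.get("DEFAULT_GROUP_FOR_DOMAINS", ""))
    except ValueError as exc:
        return findings + [f"DEFAULT_GROUP_FOR_DOMAINS has a {exc}"]
    for domain, group in groups.items():
        if not BARE_DOMAIN.match(domain):
            findings.append(f"DEFAULT_GROUP_FOR_DOMAINS key {domain!r} is not a bare domain")
        if group in privileged:  # least-privilege review item, not a syntax error
            findings.append(f"new users from {domain!r} are auto-provisioned into {group!r}")
    return findings

SAMPLE_ENV = ("RESTRICTED_DOMAIN=https://retool.yourcompany.com\n"  # constructed sample input
              "DEFAULT_GROUP_FOR_DOMAINS=example1.org -> admin, example2.com -> viewer\n")

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_ENV, "alice@yourcompany.com")))
```

Run it against the real docker.env before restarting the instance; an empty result means neither variable tripped a check.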
Restart the Retool instance
Restart your Retool instance to reload the configuration and enable Google SSO. If you use Docker, you can restart the instance with:
sudo docker-compose up -d
See the SSO overview for information on additional options, such as JIT user provisioning.