Configure Okta OIDC SSO
Learn how to set up Okta SSO using OpenID Connect (OIDC).
To configure Okta OIDC SSO, you need:
- An Okta account with permissions to create an OIDC integration.
- The ability to set environment variables on self-hosted Retool instance, or admin permissions for Retool Cloud.
1. Create a new app integration
Follow the steps in Okta to create a new OIDC integration. Use the following settings, replacing YOUR_RETOOL_DOMAIN with your Retool instance.
| Setting | Value |
|---|---|
| Sign-on method | OIDC - OpenID Connect |
| Application type | Web Application |
| Sign-in redirect URIs | https://YOUR_RETOOL_DOMAIN/oauth2sso/callback |
| Sign-out redirect URIs | https://YOUR_RETOOL_DOMAIN/api/logout |
To add a Retool tile in Okta, set the TRIGGER_OAUTH_2_SSO_LOGIN_AUTOMATICALLY environment variable to true or enable Trigger login automatically on Settings > Single Sign-On (SSO). In Okta, use the following settings:
| Setting | Value |
|---|---|
| Initiate login URI | YOUR_RETOOL_DOMAIN |
| Login initiated by | Either Okta or App |
| Login flow | Redirect to app to initiate login (OIDC Compliant) |
2. Configure settings in Retool
Configure your SSO settings in Retool.
When possible, use the Settings UI to configure SSO for a more streamlined setup. Existing environment variables pre-populate in the Settings UI, which you can override or preserve. Some settings are only available as environment variables.
- SSO settings
- Environment variables
On Retool Cloud and self-hosted Retool versions 3.16 and later, enter settings on Settings > Single Sign-On (SSO). Depending on your setup, you might not need to configure all of these values. If you aren't sure where to find token and auth URLs, try using the /.well-known/openid-configuration endpoint.
| Setting | Example |
|---|---|
| Client ID | CLIENT_ID |
| Client secret | CLIENT_SECRET |
| Scopes | openid email offline_access profile |
| Fat token URL | https://yourcompany.okta.com/oauth2/YOUR_AUTH_SERVER_NAME/v1/userinfo |
| Auth URL | https://yourcompany.okta.com/oauth2/YOUR_AUTH_SERVER_NAME/v1/authorize |
| Token URL | https://yourcompany.okta.com/oauth2/YOUR_AUTH_SERVER_NAME/v1/token |
| Email key | idToken.email |
| First name key | idToken.given_name |
| Last name key | idToken.family_name |
After you save your settings, you can log in using Okta SSO. You can test out your configuration by logging in from an incognito window.
On self-hosted Retool versions earlier than 3.16, configure the following environment variables on your Retool instance.
| Environment variable | Example |
|---|---|
CUSTOM_OAUTH2_SSO_CLIENT_ID | CLIENT_ID |
CUSTOM_OAUTH2_SSO_CLIENT_SECRET | CLIENT_SECRET |
CUSTOM_OAUTH2_SSO_SCOPES | openid email offline_access profile |
CUSTOM_OAUTH2_SSO_USERINFO_URL | https://yourcompany.okta.com/oauth2/YOUR_AUTH_SERVER_NAME/v1/userinfo |
CUSTOM_OAUTH2_SSO_AUTH_URL | https://yourcompany.okta.com/oauth2/YOUR_AUTH_SERVER_NAME/v1/authorize |
CUSTOM_OAUTH2_SSO_TOKEN_URL | https://yourcompany.okta.com/oauth2/YOUR_AUTH_SERVER_NAME/v1/token |
CUSTOM_OAUTH2_SSO_JWT_EMAIL_KEY | idToken.email |
CUSTOM_OAUTH2_SSO_JWT_FIRST_NAME_KEY | idToken.given_name |
CUSTOM_OAUTH2_SSO_JWT_LAST_NAME_KEY | idToken.family_name |
You can also configure an access token refresh time using the CUSTOM_OAUTH2_SSO_ACCESS_TOKEN_LIFESPAN_MINUTES environment variable.
You should also set the BASE_DOMAIN environment variable to ensure links using your domain are correct. Retool's backend tries to determine the BASE_DOMAIN if it is not set, but it can be incorrect if your website uses a proxy.
BASE_DOMAIN=https://retool.yourcompany.com
After you restart your Retool instance, you can log in using Okta SSO. You can test out your configuration by logging in from an incognito window.
Role mapping with Okta Group Claims
Role mapping modify group memberships on subsequent logins. During initial configuration, test role mapping on a non-admin user or verify that a separate admin can log in with an alternate authentication method to avoid losing admin access.
Use the following instructions to automatically map your Okta groups with Retool permission groups when a user logs in.
1. Create a new scope
Follow the instructions in Okta to create a new API access scope for your authorization server.
2. Create a new claim
Follow the instructions in Okta to create a new claim and name it groups.
In the Add claim form, select ID Token and Always in the dropdown. In the Value type section, select Groups.
You can add an optional Filter to limit the groups to sync.
In the Scopes section, add in the API access scope you previously created.
Custom claims
To send custom Okta attributes—for example, employee number or department—to Retool, you can configure custom claims in Okta.
- Add attributes to the Retool profile from Profile editor > Add attributes, and from Profile editor > Mappings, map them to the correct fields.
- Add claims to the authorization server. You may want to limit the scope of these claims.
- To confirm your custom attributes were correctly added, you can preview a sample token from Security > API > Default > Preview in Okta.
- When you next log in to Retool using SSO, you can view attributes in
current_user.metadata.userInfoResponse.
3. Add additional settings
When possible, use the Settings UI to configure SSO for a more streamlined setup. Existing environment variables pre-populate in the Settings UI, which you can override or preserve. Some settings are only available as environment variables.
- SSO settings
- Environment variables
On Retool Cloud and self-hosted Retool versions 3.16 and later, enter settings on Settings > Single Sign-on (SSO). Add the groups scope to the Scopes fields.
Specify the roles key—for example, idToken.groups—in the Roles key field.
Specify any additional remapping in the Role mapping field. For example, Retool devops->admin maps members of the "Retool devops" group to Retool admins.
On self-hosted Retool versions earlier than 3.16, use environment variables to configure additional settings.
Add the groups scope to the CUSTOM_OAUTH2_SSO_SCOPES environment variable.
CUSTOM_OAUTH2_SSO_SCOPES=openid email profile offline_access groups
Specify that the groups can be read in the idToken.
CUSTOM_OAUTH2_SSO_JWT_ROLES_KEY=idToken.groups
Specify any additional remapping. The following example maps members of the "Retool devops" group to Retool admins.
CUSTOM_OAUTH2_SSO_ROLE_MAPPING=Retool devops -> admin
Roles set using this environment variable are case sensitive. This means:
- Roles set within your IdP that you pass within the variable need to match exactly. For example, if you have a
Retool Adminrole in your IdP, you need to passRetool Admin. - Roles within Retool are always lowercase. For example, if you have a
Retool Adminrole within your IdP, and you want to map it to Retool'sadminrole, you need to set it usingRetool Admin → admin.
You can also now use USER_OAUTH2_ACCESS_TOKEN and USER_OAUTH2_ID_TOKEN as authentication in resources.
3. Test the connection
Once you've configured your settings, click Save Changes. To test the integration and its settings, click the Test Connection button.
This triggers a simulation of the SSO flow that ensures that the proper groups are mapped, the right user metadata is sent from your identity provider, and the integration works seamlessly. Clicking the Test Connection button does not change the current user's permission groups, and you won't be locked out if SSO is misconfigured.
After Retool tests the connection, a new tab opens and displays the Connection Status, Issues Detected, and Connection Details. If there are any issues, this page displays warnings and recommendations to resolve them. You can see the full response from the SSO provider in the Connection Details section.
Once you are satisfied with your configuration, log out of Retool and log back in using SSO to test the flow yourself.
If you use a self-hosted deployment and updated your environment variables, restart your Retool instance.