What Is JIT Provisioning?
JIT provisioning automatically creates a Retool user account the moment someone signs into your instance through SSO for the first time. Instead of manually inviting users in Retool, you let your IdP manage who’s allowed to connect.
This means you can:
- Skip sending user invites to Retool. This is a great option if you don’t want to use the default Retool-branded invite emails or go through the process of customizing your own invites.
- Rely solely on your IdP for user management from start to finish.
JIT user provisioning is optional but recommended, and is available on the Enterprise plan.
How It Works
When JIT provisioning is enabled:
- Only users assigned to your IdP’s application can log in or create an account.
- Once a user authenticates, Retool automatically provisions their account and applies any mapped roles or group memberships.
- Users not assigned to the Retool app in your IdP cannot create an account, even if they have the login URL. (Video 1)
- Once users are granted access in your IdP, they can create an account. (Video 2)
To enable this setting, navigate to Settings → Single Sign-On (SSO) and toggle on the Enable JIT user provisioning switch.