SAML groups are not being synced to roles

We are running Retool version 3.4.2 using the Docker image on-premise. I am trying to set up SAML group sync (Sync SAML group memberships | Retool Docs) with environment variables. I have set the following environment variables and restarted the service:

export SAML_SYNC_GROUP_CLAIMS=true
export SAML_GROUPS_ATTRIBUTE=groups
export LDAP_ROLE_MAPPING="retool-dev_admins -> admin, retool-dev_editors -> editor, retool-dev_viewers -> viewer"  # quoted so the shell does not parse "->" as a redirection

In the container logs I can see that I am able to log in with SSO and that it does see the groups in the SAML assertion:

[SAML] - Received SAML Login Response, parsing...
{"level":"info","message":"[getOrgFromHost] check for on prem org","timestamp":"2024-06-11T19:13:29.620Z"}
[SAML] - Validating response...
[SAML] - Validated response, and received the following attributes {  
  firstName: '...',  
  lastName: '...',  
  email: '...',  
  groups: [ 'retool-dev_admins', 'retool-dev_viewers' ]
}

However, I don't have the admin role when I sign in with SSO, and I don't see anything else in the logs like:

[LDAP] - Translating LDAP groups to Retool group names

Is there maybe an environment variable I'm missing or misconfigured?

Thanks
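
The mapping string above uses the `idp-group -> role, idp-group -> role` form. Because `->` is shell syntax when it is unquoted (`-` becomes an argument and `> admin,` a redirection), an unquoted `export` leaves the variable holding only the first token. The following is an added example, not Retool's code and not the poster's: it checks that the value a container actually received still contains the arrow separator, and resolves roles from a list of assertion groups using that documented format. The mapping and group names are constructed to mirror the post; how Retool itself parses the string is not shown here.

```shell
#!/bin/sh
# Added illustration of the "group -> role, group -> role" mapping format.
# This is NOT Retool's implementation; it only mirrors the documented shape.

# Constructed sample data (mirrors the post; not taken from any real deployment).
SAMPLE_MAPPING='retool-dev_admins -> admin, retool-dev_editors -> editor, retool-dev_viewers -> viewer'
SAMPLE_GROUPS='retool-dev_admins retool-dev_viewers'

# mapping_is_intact MAPPING
# Returns 0 if the value still contains the "->" separator. An unquoted
#   export LDAP_ROLE_MAPPING=retool-dev_admins -> admin, ...
# is parsed by the shell as a redirection, so the variable ends up holding
# just "retool-dev_admins"; this check catches that truncation.
mapping_is_intact() {
  case "$1" in
    *'->'*) return 0 ;;
    *)      return 1 ;;
  esac
}

# role_for_group MAPPING GROUP
# Prints the role mapped to GROUP, or nothing if GROUP is not in the mapping.
role_for_group() {
  mapping=$1
  group=$2
  printf '%s\n' "$mapping" | tr ',' '\n' | while IFS= read -r entry; do
    lhs=${entry%%->*}
    rhs=${entry#*->}
    # Trim surrounding whitespace around both sides of the arrow.
    lhs=$(printf '%s' "$lhs" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    rhs=$(printf '%s' "$rhs" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    if [ "$lhs" = "$group" ]; then
      printf '%s\n' "$rhs"
      break
    fi
  done
}

# roles_for_groups MAPPING "group1 group2 ..."
# Prints the resolved roles, space-separated, in the order the groups appear.
# Groups with no mapping entry are skipped.
roles_for_groups() {
  mapping=$1
  out=
  for g in $2; do
    r=$(role_for_group "$mapping" "$g")
    if [ -n "$r" ]; then
      out="$out${out:+ }$r"
    fi
  done
  printf '%s\n' "$out"
}

# Stand-alone run: check the constructed mapping and resolve the sample groups.
if mapping_is_intact "$SAMPLE_MAPPING"; then
  echo "mapping intact"
else
  echo "mapping truncated (missing quotes?)"
fi
roles_for_groups "$SAMPLE_MAPPING" "$SAMPLE_GROUPS"
```

To apply the check to a running deployment, read the value the process actually sees with `docker exec <container> printenv LDAP_ROLE_MAPPING` and pass it to `mapping_is_intact`; if the arrow is missing, the variable was truncated before it reached Retool.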

Hi eyclear, welcome to the forum!

Do the group names in your SAML assertion and Retool match? If your permission group names vary between Retool and your IdP, you can use role mapping to adjust them accordingly.
For more on this, refer to the following guides:
