SSO failing with Azure Entra

Does my on-prem Retool need to be exposed to the web for Azure/Entra SSO to work correctly?

By exposed, I mean accessible with a login from anywhere.

Bumping this post. I'm getting the below error when trying to sign in with SSO. My Retool is open to see port 443, but you can't hit a login screen for my Retool from the web; it's internal, on-prem only. Does it need to be exposed for SSO with Azure/Entra to work? I'm not pointing Retool out to a public IP.

Below is my Azure/Entra setup, and I have the XML pasted into my Retool.

Hi Ross, generally it is required that Retool be exposed to the web, as the SSO redirect happens over the web.

It's possible that Azure specifically has internal workarounds for this if you have an on-prem Azure deployment that you are also using for hosting Retool? Although you'd probably need to contact Azure's support in this case.

One thing to note: allowing access to Retool through a public IP does not mean you need to make your apps publicly available, and you can still set up VPN and/or firewall rules for Retool access.

I have an AD Connect running on one of my on-prem VMs. I don't run any cloud or hybrid VMs; my Retool is completely on-prem on VMware. So do you mean expose it out but only allow, for example, Azure domains and IPs to see it and access it, to allow for SSO?

I'm also having a problem with workflows connecting, and I'm starting to wonder if it's a similar issue? See post here: Help getting workflows running - #3 by rcanpolat

Retool can egress through 443 and 7233, although if it is related I don't think I can get a solid list of DNS names and/or IP addresses of Retool's own AWS Temporal cloud machines, so I would have to expose it out completely to the web or go on-prem Temporal?

I think that should be a valid option. But yes, in this case you'll definitely need to allow some sort of public internet access for SSO to work, as Azure will need to send the ID information to Retool in the redirect, which by definition is going to need to come through the network.

As far as the Workflows question goes, Joe will be a bigger help there than I will be. But I will say that "Retool-managed Temporal" does mean a cloud-hosted Temporal deploy, which will once again require public internet access. If you want this to be fully on-prem with no public IP at all, then you'll want to also deploy your own Temporal cluster. That's not something I personally have experience with so can't really help much, but hopefully that's clarifying.
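To make concrete what "Azure will need to send the ID information to Retool in the redirect" means on the wire, here is an added toy model of the SAML 2.0 HTTP-POST binding between an IdP (Azure Entra) and a self-hosted SP (Retool). It is example code written for this page, not code from the thread, from Retool or from Microsoft; every URL, entity ID and the tenant value are constructed placeholders. It shows that the user's browser, not the IdP server, carries the SAMLResponse to the SP's Assertion Consumer Service (ACS) URL, so that hostname has to resolve and be reachable from wherever the browser is, and that the SP then checks Destination, Recipient and Audience against its own configured values, which is why a Reply URL in Entra that does not match the ACS URL Retool expects fails even when the network path is open. XML signature verification is deliberately left out of the toy; a real SP must verify the response signature against the certificate in the IdP metadata XML.

```python
"""Toy model of a SAML 2.0 HTTP-POST binding exchange (added example).

All URLs, entity IDs and the tenant value below are constructed placeholders.
The XML signature that a real SP must verify is omitted to keep the model small.
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SP (Retool-side) configuration: what the SP expects to see.
SP_ENTITY_ID = "https://retool.internal.example/saml/metadata"
SP_ACS_URL = "https://retool.internal.example/saml/acs"


def idp_build_response(reply_url, audience, name_id):
    """IdP side: build an (unsigned, toy) SAMLResponse for the configured
    Reply URL and audience, base64-encoded as it travels in the POST form."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" Destination="{reply_url}">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID>{name_id}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{reply_url}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def browser_post(acs_url, saml_response_b64):
    """Browser side: the user agent, not the IdP, delivers the response.
    Returns the HTTP request the SP's ACS endpoint receives."""
    return {"url": acs_url, "form": {"SAMLResponse": saml_response_b64}}


def sp_consume(request, sp_acs_url, sp_entity_id):
    """SP side: decode the response and check that it was meant for this ACS
    URL (Destination and Recipient) and this SP (Audience).
    Signature verification is intentionally absent in this toy model."""
    if request["url"] != sp_acs_url:
        return {"ok": False, "reason": "request did not arrive at the ACS URL"}
    root = ET.fromstring(base64.b64decode(request["form"]["SAMLResponse"]))
    if root.get("Destination") != sp_acs_url:
        return {"ok": False, "reason": "Destination mismatch"}
    conf = root.find(".//saml:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != sp_acs_url:
        return {"ok": False, "reason": "Recipient mismatch"}
    if root.findtext(".//saml:Audience", namespaces=NS) != sp_entity_id:
        return {"ok": False, "reason": "Audience mismatch"}
    return {"ok": True, "name_id": root.findtext(".//saml:NameID", namespaces=NS)}


def acs_host(sp_acs_url):
    """The hostname the user's browser must resolve and reach for the
    exchange to complete; the IdP itself never connects to it."""
    return urlparse(sp_acs_url).hostname


if __name__ == "__main__":
    good = idp_build_response(SP_ACS_URL, SP_ENTITY_ID, "user@example.com")
    print(sp_consume(browser_post(SP_ACS_URL, good), SP_ACS_URL, SP_ENTITY_ID))
    # Entra Reply URL configured for a different hostname than the SP's ACS URL.
    bad = idp_build_response("https://retool.example.com/saml/acs", SP_ENTITY_ID, "user@example.com")
    print(sp_consume(browser_post(SP_ACS_URL, bad), SP_ACS_URL, SP_ENTITY_ID))
    print("browser must reach:", acs_host(SP_ACS_URL))
```

The second call in the `__main__` block models the common misconfiguration behind an "SSO failing" symptom: the Reply URL registered in the IdP and the ACS URL the SP is configured with disagree, so the SP rejects the response at the Destination check before any network question arises.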

Excellent, you have been most helpful.

Glad to be of help!