SSO Role Mapping

Looking at the documentation here: Configure SSO with OIDC authentication | Retool Docs

I've configured this environment variable:
"CUSTOM_OAUTH2_SSO_ROLE_MAPPING" : "retool viewers -> viewer, retool editors -> editor, retool admins -> admin"

However, I'm not seeing these groups mapped. Instead they're being created as is.

Are the mappings case-sensitive (the documentation suggests not)? Do they need to be quoted (since they contain spaces)? Or am I missing something else?

Thanks,
Elliott

Hey Elliott!

Hmm, great question. Could you try changing it to something like this?

CUSTOM_OAUTH2_SSO_ROLE_MAPPING="retool viewers -> viewer", "retool editors -> editor", "retool admins -> admin"

If your roles didn't have spaces in the names, no quotations at all should work:

CUSTOM_OAUTH2_SSO_ROLE_MAPPING=retool_viewers -> viewer, retool_editors -> editor, retool_admins -> admin

Hi Victoria,

Thanks for reminding me to follow up here. I emailed with one of your support staff and solved this.

For anyone who happens upon this, the root issue is that the role names are case sensitive. This was confusing because the docs listed the Retool groups as lower case, while you'll see them as "start case" in the Retool UI.

The documentation has now been updated and specifies both that the roles are case sensitive and that the internal roles are lower case.

Thanks again,
Elliott

Amazing! Very glad to hear you were able to get this resolved and thank you for sharing the solution here 🙂
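
A check for the case-sensitivity problem resolved in this thread, as an added example that is not from the original posts or from Retool. The parsing rules (comma-separated "group -> role" pairs), the function names, and the sample IdP group names are assumptions made for illustration.

```python
# Added example, not Retool's code. Assumed format: comma-separated
# "IdP group -> Retool role" pairs, compared case-sensitively.
BUILTIN_ROLES = {"admin", "editor", "viewer"}  # lower-case names used in this thread


def parse_mapping(value):
    """Split 'a -> x, b -> y' into [(idp_group, retool_role), ...]."""
    pairs = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        group, arrow, role = entry.partition("->")
        if not arrow or not group.strip() or not role.strip():
            raise ValueError(f"malformed entry: {entry!r}")
        pairs.append((group.strip(), role.strip()))
    return pairs


def lint_mapping(value, idp_groups):
    """Return warnings for names that miss an exact, case-sensitive match."""
    warnings = []
    by_fold = {g.casefold(): g for g in idp_groups}
    for group, role in parse_mapping(value):
        if group not in idp_groups:
            near = by_fold.get(group.casefold())
            if near is not None:
                warnings.append(f"group {group!r} differs only in case from {near!r}")
            else:
                warnings.append(f"group {group!r} is not sent by the IdP")
        # A role that is not built in may be a custom group, so only flag
        # case variants of the built-in names.
        if role not in BUILTIN_ROLES and role.casefold() in BUILTIN_ROLES:
            warnings.append(f"role {role!r} should be {role.casefold()!r}")
    return warnings


if __name__ == "__main__":
    # Constructed sample: group names as a hypothetical IdP sends them.
    idp_groups = ["Retool Viewers", "Retool Editors", "Retool Admins"]
    thread_value = ("retool viewers -> viewer, retool editors -> editor, "
                    "retool admins -> admin")
    for line in lint_mapping(thread_value, idp_groups):
        print(line)
```

Running a check like this against the group names your IdP actually sends in its claims catches a mapping that would otherwise be silently ignored, leaving users without the intended role.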