Use JumpCloud as your organization's SSO and enable single sign-on in Torq for your workspace.
Important!
Before getting started, make sure you understand how to prevent user lockouts by reviewing this KB article.
Create an SSO Configuration in JumpCloud
Navigate to JumpCloud: Go to Settings > SSO.
Configure the SSO:
For the IdP Entity ID, enter
JumpCloud.For ACS URLs, enter the login redirect URL applicable to your regional deployment. Use
https://app.torq.io/__/auth/handlerfor the U.S. andhttps://app.eu.torq.io/__/auth/handlerfor the EU.For the signature algorithm, enter
RSA-SHA256.For the default RelayState, enter the login redirect URL applicable to your regional deployment. Use
https://app.torq.io/__/auth/handlerfor the U.S. andhttps://app.eu.torq.io/__/auth/handlerfor the EU.Enter the login URL applicable to your regional deployment. Use
https://app.torq.io/auth/SSOSignInfor the U.S. andhttps://app.eu.torq.io/auth/SSOSignInfor the EU.Select Declare Redirect Endpoint.
Enter
https://sso.jumpcloud.com/saml2/<NAME OF YOUR APP>as the IdP URL.Define the following three user attributes:
Enter
emailfor both the service provider and JumpCloud attribute names.Enter
first_namefor the service provider andfirstnamefor JumpCloud.Enter
last_namefor the service provider andlastnamefor JumpCloud.
Select include group attribute and enter
groups.
Finalize: Click Save and copy the public certificate to save it for later.
Set up SSO in Torq
Sign in to Torq as an Owner to perform the following steps.
Access SSO Settings: Go to Settings > Security > Configure SSO.
Select Protocol and Identity Provider: In the IdP Selection section, choose SAML 2.0 as the protocol and select JumpCloud as your Identity Provider.
Click Next to continue.
Enter IdP Setup Details: In the IdP Setup section, fill in the following fields with the values obtained from JunpCloud, then click Next.
Field | Value |
Audience Restriction |
|
Login Redirect URL | US: |
Sign-On URL |
|
Issuer URL |
|
Public Certificate | Copied from JumpCloud |
When using Safari v16.1 or newer, the Login Redirect URL must be:
https://app.torq.io/__/auth/handler
If this value differs, contact Torq Support to update the URL for your workspace before continuing.
Define SSO Claims Mapping
The Claims Mapping determines which Torq role is assigned to each user based on identity provider attributes.
Add Claim Mapping Rules: In the Claims Mapping section, click Add Claim to create a new rule.
The wizard automatically offers the first mapping,
email, marked as recommended.This field is auto-filled with the email address of the current user (the Owner performing the setup).
You can optionally edit this initial mapping before saving.
After editing, click Add to move the mapping into the saved section.
Provide Mapping Details: For each rule, define the following:
Claim Name: The field from your IdP (for example,
emailorgroups).Claim Value: The expected value of the claim (case-sensitive).
Assigned Role: The Torq role to assign (for example, Admin, Editor, Viewer).
Organize Claim Priority:
Mappings are evaluated top-down.
Place the claim with the highest privilege role at the top.
Lower-privilege mappings should follow in descending order.
A user’s role is determined by the first matching claim.
Save Configuration: After defining all required mappings, click Save to complete the setup.
Important!
The first email claim mapping is essential to prevent account lockouts in Torq. Do not delete it until SSO has been tested and verified with other users, as any misconfiguration in Torq or your IdP could result in loss of access.
