You can configure SSO with Okta as the IdP and SAML 2.0 as the authentication and authorization protocol by using the Torq application from the Okta app catalog.

This guide includes several configurations that have to be made to the Torq catalog app. For the EU region, you must create an Okta SAML app.

If you encounter a problem following this guide, you can follow these instructions to configure SSO with Okta and SAML 2.0 by creating a new application in Okta.

Important!
Before getting started, make sure you understand how to prevent user lockouts by reviewing this KB article.

Prerequisites

To set up SSO with Okta, you need the following permissions:

Torq: Workspace owner
Okta: Administrator

Create the Torq App in Okta

Log in to Okta: Go to your Okta admin portal and navigate to Applications > Browse App Catalog.
Find Torq: Search for Torq in the catalog and select it.
Add the Integration: On the Torq app page, click Add Integration.
Adjust Visibility (Optional): Select the Do not display application icon to users checkbox, then click Done.
Edit Sign-On Settings: Open the Sign On tab and click Edit.
Configure Group Filter: From the Groups drop-down menu, choose a filter and provide a value:
Recommended: Matches regex with the value .* to pass all user group values.
Alternative: Starts with with the value Torq to include only groups starting with Torq.
Save Your Changes: Click Save to apply the configuration.
Retrieve SAML Setup Information: Click View SAML setup instructions and copy the following fields (you’ll need them when configuring SSO in Torq):

Sign-On URL
Issuer URL
Public Certificate

Screenshot of viewing the SAML setup instructions in Okta for Torq app.

Screenshot of the SSO fields required for setting up SSO in Torq.

9. Assign Users and Groups: Assign the Torq application to the relevant users and groups in Okta.

Screenshot of assigning Okta groups to Torq app.

Set up SSO in Torq

Access SSO Settings: Go to Settings > Security > Configure SSO.
Select Protocol and Identity Provider: In the IdP Selection section, choose SAML 2.0 as the protocol and select Okta as your Identity Provider.
Click Next to continue.
Enter IdP Setup Details: In the IdP Setup section, fill in the following fields with the values obtained from Okta, then click Next.

Field	Value
Audience Restriction	`torq.io`
Login Redirect URL	US: `https://app.torq.io/__/auth/handler` EU: `https://eu.app.torq.io/__/auth/handler`
Sign-On URL	Copied from Okta
Issuer URL	Copied from Okta
Public Certificate	Copied from Okta

When using Safari v16.1 or newer, the Login Redirect URL must be:
https://app.torq.io/__/auth/handler
If this value differs, contact Torq Support to update the URL for your workspace before continuing.

Define SSO Claims Mapping

The Claims Mapping determines which Torq role is assigned to each user based on identity provider attributes.

Add Claim Mapping Rules: In the Claims Mapping section, click Add Claim to create a new rule.
- The wizard automatically offers the first mapping, email, marked as recommended.
- This field is auto-filled with the email address of the current user (the Owner performing the setup).
- You can optionally edit this initial mapping before saving.
- After editing, click Add to move the mapping into the saved section.
Provide Mapping Details: For each rule, define the following:
- Claim Name: The field from your IdP (for example, email or groups).
- Claim Value: The expected value of the claim (case-sensitive).
- Assigned Role: The Torq role to assign (for example, Admin, Editor, Viewer).
Organize Claim Priority:
- Mappings are evaluated top-down.
- Place the claim with the highest privilege role at the top.
- Lower-privilege mappings should follow in descending order.
- A user’s role is determined by the first matching claim.
Save Configuration: After defining all required mappings, click Save to complete the setup.

Important!
The first email claim mapping is essential to prevent account lockouts in Torq. Do not delete it until SSO has been tested and verified with other users, as any misconfiguration in Torq or your IdP could result in loss of access.

Sign In to Torq Using SSO

You can sign in to Torq in two ways:

From the Torq login page (SP-initiated): Go to app.torq.io, click Use Single Sign-On, and enter your email address.

From the Okta Apps Portal (simulated IdP-initiated): Use a Bookmark App integration in Okta to display the Torq application to users.

IdP-initiated SSO isn’t supported for SAML 2.0, but can be simulated with the Okta Bookmark App.

Sign In to Torq from Okta

Follow these steps to configure the Okta Bookmark App and enable one-click Torq access for Okta users.

Open Applications in Okta: In your Okta portal, go to Applications > Browse App Catalog.
Search for and Select the Bookmark App: Type Bookmark App in the search bar and select it from the results.
Add Integration: Click Add Integration.

Configure the App: Provide the following values:

Application label: Torq

URL:

https://app.torq.io/auth/SSOSignIn?domain=mycompany.com

Example:

https://app.torq.io/auth/SSOSignIn?domain=torq.io

Assign to Users: Go to the Assignments tab and assign the Bookmark App to the relevant users or groups.
Customize the App Icon:
- Download the Torq logo attached to this article.
- Click the edit icon on the logo tile.
- Browse for the new logo file and select Update Logo.

Once configured, Okta users will see a Torq app icon on their Okta dashboard.
Clicking the icon signs them in to Torq via SSO, simulating an IdP-initiated flow.

Set Up Torq SSO: Okta OpenID Connect

Set Up Torq SSO: OneLogin SAML 2.0

Set Up Torq SSO: Okta SAML 2.0

Configure SSO for Torq: Boost Security and Efficiency

Set Up Torq SSO: JumpCloud SAML 2.0