You can configure SSO with Okta as the IdP and SAML 2.0 as the authentication and authorization protocol by using the Torq application from the Okta app catalog.
This guide includes several configurations that have to be made to the Torq catalog app.
If you encounter a problem following this guide, you can follow these instructions to configure SSO with Okta and SAML 2.0 by creating a new application in Okta.
Required permissions
To set up SSO with Okta, you need the following permissions:
Torq: Workspace owner
Okta: Administrator
1. Create the Torq App in Okta
1. Log in to your Okta portal and go to Applications > Browse App Catalog.
2. Search for and select Torq.
3. On the Torq page click the Add Integration button.
4. Select the Do not display application icon to users check box and click Done.
5. Go to the Sign On tab and click Edit.
6. Select a filter from the groups drop-down menu and provide a value:
We recommend you use the Matches regex filter with the .* value to pass on any user group value.
Another option is to use the Starts with filter with the value Torq to pass on only user group values that start with Torq.
7. Click Save.
8. Click View SAML setup instructions.
9. Copy and save the values for the following fields. You'll need them when configuring SSO in Torq.
Sign-On URL
Issuer URL
Public Certificate
10. Assign the Torq application to the relevant users and groups in Okta.
2. Set up SSO in Torq
Sign in to Torq as an Owner to perform the following steps.
1. Go to Settings > SSO Login.
2. In the IdP Connection section click Add.
3. Select the SAML 2.0 protocol.
When using a Safari browser v16.1 or newer, the Login redirect URL must be US: https://app.torq.io/__/auth/handler or EU: https://http://app.eu.torq.io/_/auth/handler. If this isn’t the case, you should contact Torq support and ask them to update this URL for your workspace before you continue.
Contact Torq support if you need to change the Login redirect URL.
4. Enter the values for the following fields that you copied and saved from Okta.
Sign-On URL
Issuer URL
Public Certificate
5. Click Save.
3. Define SSO Claims Mapping
The claims mapping defines the role that logged-in enterprise users are assigned in the Torq workspace.
The mappings are interpreted in an ordered, top-down manner. The mapping assigning the highest privilege should be listed first and the other mappings should be listed in descending privilege order. A user is assigned a role according to the first match, disregarding any following assignments.
1. Click Add to create a new claim mapping rule.
2. Provide the following elements for each claim mapping rule:
Name: The claim (field) provided by the Identity Provider. Specific frequently used claims include email for a particular user or groups.
Value: The expected value for the claim to assign a specific role to the user. Claim values are case-sensitive.
Role: The Torq role to assign.
3. Create as many claim mapping rules as you need.
4. Sign in to Torq Using SSO
There are 2 ways to sign in to Torq:
Go to app.torq.io (or app.eu.torq.io if you're in the EU), select Use Single Sign-On, and enter your email (SP-initiated flow).
From the Okta Apps portal, by using the Bookmark app after you follow the instructions below (IdP-initiated SSO isn't supported with SAML 2.0 but you can simulate it with the Okta Bookmark app).
Sign in to Torq from Okta
Add an Okta Bookmark App integration to display the Torq application to Okta users. You can customize the Bookmark App integration to display the Torq logo.
1. In the Okta portal go to Applications > Browse App Catalog.
2. Search for and select the BookMark App.
3. Click Add Integration.
4. Provide the following configuration values:
Application label: Torq
URL: https://app.torq.io/auth/SSOSignIn?domain=mycompany.com For example: https://app.torq.io/auth/SSOSignIn?domain=torq.io, or for users in the EU https://app.eu.torq.io/auth/SSOSignIn?domain=torq.io
5. Go to Assignments to assign the Bookmark app integration to the relevant users.
6. Download the Torq logo attached to this article.
7. Click the edit icon on the logo tile, browse for the new logo file, and then select Update Logo.
Okta users now have an application icon on their desktop that simulates the Okta IdP-initiated flow to sign in to Torq.