To configure SSO using Okta as the IdP and OpenID Connect (OIDC) as the authentication protocol, you need to perform several steps in Torq and several in Okta.
Important!
Before getting started, make sure you understand how to prevent user lockouts by reviewing this KB article.
Supported Features
IdP-initiated SSO
Import users
Import groups
Create a New SSO Provider in Torq
Sign in to Torq as an Owner to perform the following steps.
Access SSO Settings: Go to Settings > Security > Configure SSO.
Select Protocol and Identity Provider: In the IdP Selection section, choose OpenID Connect as the protocol and select Okta as your Identity Provider.
Click Next to continue.
Enter IdP Setup Details: In the IdP Setup section, fill in the following fields with the values obtained from Okta, then click Next to define claims mappings (see below).
Field | Value |
Login Redirect URL | US: |
Client ID | Copied from Okta |
Client Secret | Copied from Okta |
Issuer URL | Copied from Okta |
Requested Scopes | Permissions your application requests from the identity provider |
Code flow | A secure, two-step process where an authorization code is exchanged for tokens on the server side |
Implicit flow | Tokens are returned directly in the browser |
Send login hint to SSO provider | Optionally sends the user’s email or username as a login hint to the SSO provider |
When using Safari v16.1 or newer, the Login Redirect URL must be:
https://app.torq.io/__/auth/handler
If this value differs, contact Torq Support to update the URL for your workspace before continuing.
Create a New OpenID Application in Okta
Perform the following steps in Okta to configure an OIDC-based connection for Torq.
1. Log in to Okta as an Administrator: Sign in to your Okta admin portal using an account with permissions to create new app integrations.
2. Create a New App Integration: Navigate to the Applications section and click Create App Integration.
3. Select Integration Type: In the Create a new app integration dialog:
Choose OIDC – OpenID Connect as the sign-in method.
Under Application type, select Web application, then click Next.
4. Confirm Platform and Sign-On Method:
Platform: Web
Sign-on method: OpenID Connect
5. Configure Application Settings: On the New Web App Integration page, enter the following details, then click Save:
App integration name: Torq
Logo (optional): If your organization uses the Okta Applications launcher, you can upload the Torq logo for easier recognition.
Grant type: Select Implicit (hybrid).
Sign-in redirect URIs: Paste the Login Redirect URL copied from the SSO Configuration form in Torq.
6. Set Access Control: In the Assignments section, define which users or groups have access to the Torq app.
Configure the Okta Application Settings
Perform these steps in Okta.
In the General tab:
Client Credentials:
Copy the Client ID.
Client Secret: Generate a new client secret or copy an existing one.
General Settings > LOGIN section:
Login initiated by: Select Either Okta or App.
Application visibility: Check the Display application icon to users box.
Initiate login URI: Enter one of the following URLs, replacing yourDomain.xyz with your actual domain.
In the Sign On tab:
Go to the OpenID Connect ID Token section and click Edit.
Next to the Issuer field, expand the drop-down menu and select Okta URL.
For the Groups claim filter, specify groups, select Matches regex from the dropdown, and provide .* as the regex value to match any group.
Click Save.
Assign the Application to Relevant Users/Groups
Perform this step in Okta.
In the Assignments section, select the users and/or groups to whom to assign the application.
Define SSO Claims Mapping
The Claims Mapping determines which Torq role is assigned to each user based on identity provider attributes.
Add Claim Mapping Rules: In the Claims Mapping section, click Add Claim to create a new rule.
The wizard automatically offers the first mapping, email, marked as recommended.
This field is auto-filled with the email address of the current user (the Owner performing the setup).
You can optionally edit this initial mapping before saving.
After editing, click Add to move the mapping into the saved section.
Provide Mapping Details: For each rule, define the following:
Claim Name: The field from your IdP (for example, email or groups).
Claim Value: The expected value of the claim (case-sensitive).
Assigned Role: The Torq role to assign (for example, Admin, Editor, Viewer).
Organize Claim Priority:
Mappings are evaluated top-down.
Place the claim with the highest privilege role at the top.
Lower-privilege mappings should follow in descending order.
A user’s role is determined by the first matching claim.
Save Configuration: After defining all required mappings, click Save to complete the setup.
Important!
The first email claim mapping is essential to prevent account lockouts in Torq. Do not delete it until SSO has been tested and verified with other users, as any misconfiguration in Torq or your IdP could result in loss of access.
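The top-down, first-match evaluation described above, modeled as an added example (not Torq's code) so a rule order can be checked against sample users before saving. The role ranking, the membership match for the list-valued groups claim, and all rule values and user claims are assumptions constructed for illustration.

```python
# Added illustration; not Torq code. Rules are (claim name, claim value, role).
# Assumption: privilege ranking of the roles the page names as examples.
ROLE_RANK = {"Admin": 3, "Editor": 2, "Viewer": 1}

def claim_matches(claims, name, value):
    """Case-sensitive comparison, as the page states for Claim Value."""
    actual = claims.get(name)
    # Assumption: a list-valued claim such as groups matches on membership.
    if isinstance(actual, (list, tuple)):
        return value in actual
    return actual == value

def resolve_role(mappings, claims):
    """Walk the rules top-down; the first matching rule decides the role."""
    for name, value, role in mappings:
        if claim_matches(claims, name, value):
            return role
    return None  # no rule matched

def misordered_rules(mappings):
    """Index pairs (upper, lower) where a lower-privilege rule sits above a
    higher-privilege one, so a user matching both gets the lower role."""
    return [
        (i, j)
        for i in range(len(mappings))
        for j in range(i + 1, len(mappings))
        if ROLE_RANK[mappings[j][2]] > ROLE_RANK[mappings[i][2]]
    ]

# Constructed sample rules and ID-token claims.
ORDERED = [
    ("email", "owner@example.com", "Admin"),
    ("groups", "torq-admins", "Admin"),
    ("groups", "torq-editors", "Editor"),
    ("groups", "Everyone", "Viewer"),
]
SHADOWED = [ORDERED[3]] + ORDERED[:3]  # catch-all Viewer rule moved to the top
ALICE = {"email": "alice@example.com", "groups": ["Everyone", "torq-admins"]}
BOB = {"email": "bob@example.com", "groups": ["Torq-Admins"]}  # wrong case

if __name__ == "__main__":
    print(resolve_role(ORDERED, ALICE))   # Admin
    print(resolve_role(SHADOWED, ALICE))  # Viewer
    print(resolve_role(ORDERED, BOB))     # None
    print(misordered_rules(SHADOWED))
```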









