To configure SSO using Okta as the IdP and OpenID Connect (OIDC) as the authentication protocol, you need to perform several steps in Torq and several in Okta.
Supported Features
IdP-initiated SSO
Import users
Import groups
1. Create a New SSO Provider in Torq
Perform these steps in Torq.
Go to Settings > SSO Login.
In the IdP Connection section, click the Add button.
Copy the Login redirect URL. You will need this when creating a new OpenID Connect application in Okta.
When using version 16.1 or newer of the Safari browser, make sure the Login redirect URL is US: https://app.torq.io/__/auth/handler or EU: https://app.eu.torq.io/_/auth/handler. If it isn’t, contact your support representative and ask them to update this URL for your workspace before you continue. If you have already set up SSO for your workspace, you must also update the Login redirect URL you provided to your IdP after the support representative updates the URL for your workspace.
Contact Torq support if you need to change the Login redirect URL.
2. Create a New OpenID Application in Okta
Perform these steps in Okta.
Log in to Okta as an administrator.
Go to the Applications section and click Create App Integration.
In the Create a new app integration dialog, select OIDC - OpenID Connect.
After the dialog expands, in the Application type section, select Web application and click Next.
Configure the settings for the New Web App Integration page and click Save.
App integration name: Should be set to Torq.
Logo: (Optional) If organizational users use the Okta Applications "launcher", we recommend downloading the Torq logo.
Grant type: Select Implicit (hybrid).
Sign-in redirect URIs: Add the Login redirect URL copied in a previous step.
In the Assignments section, select the level of access control.
3. Configure the Okta Application Settings
Perform these steps in Okta.
In the General tab:
Get the Issuer URL.
4. Assign the Application to Relevant Users/Groups
Perform this step in Okta.
In the Assignments section, select the users and/or groups to whom to assign the application.
5. Complete the SSO Setup in Torq
For this step, you'll need to enter some information from Okta (General Settings and Client Credentials sections) in the corresponding SSO fields in Torq.
Go to Settings > SSO Login.
In the OpenID Connect section, click Edit settings and enter the values you saved from Okta to the corresponding fields.
Client ID
Client Secret
Issuer URL
Advanced (expand this section and make sure groups is in the Requested scopes field).
Click Save.
6. Define SSO Claims Mapping for Okta
The claims mapping defines logged-in enterprise users' roles in the Torq workspace.
The mappings are interpreted in an ordered, top-down manner. The mapping assigning the highest privilege should be listed first, and the other mappings should be listed in descending privilege order. A user is assigned a role according to the first match, disregarding any following assignments.
Each claim mapping rule consists of the following elements:
Claim Name: The claim (field), as provided by the Identity Provider. Frequently used claims include email, to match a particular user, and groups, as defined earlier.
Claim Value: The expected value for the claim to assign a certain role to the user. Claim values are case-sensitive.
Role: The expected Torq role to assign.
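The first-match behavior described above can be modeled in a few lines. The following is an added example, not Torq code: it shows how rule order and case-sensitive values decide the assigned role, and flags rule lists that are not in descending privilege order. The role names, their ranking, the group names, and the "no match returns None" behavior are assumptions made for illustration.

```python
# Added illustration: models the ordered, first-match, case-sensitive rule
# evaluation described above. Role names and ranking are constructed placeholders.
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    claim_name: str   # e.g. "groups" or "email"
    claim_value: str  # compared exactly (case-sensitive)
    role: str

# Assumed privilege ranking (higher number = more privilege); not Torq's role list.
PRIVILEGE = {"admin": 3, "editor": 2, "viewer": 1}

def resolve_role(rules, claims) -> Optional[str]:
    """Return the role of the first matching rule, or None if nothing matches."""
    for rule in rules:
        actual = claims.get(rule.claim_name)
        if actual is None:
            continue
        # A claim such as groups carries a list; email carries a single string.
        values = actual if isinstance(actual, (list, tuple)) else [actual]
        if rule.claim_value in values:
            return rule.role  # later rules are never consulted
    return None

def misordered_rules(rules):
    """Return (earlier, later) pairs where a later rule grants more privilege."""
    findings = []
    for i, earlier in enumerate(rules):
        for later in rules[i + 1:]:
            if PRIVILEGE[later.role] > PRIVILEGE[earlier.role]:
                findings.append((earlier, later))
    return findings

# Constructed sample data.
GOOD = [
    Rule("groups", "SecOps-Admins", "admin"),
    Rule("groups", "SecOps", "editor"),
    Rule("groups", "Everyone", "viewer"),
]
BAD = [GOOD[2], GOOD[1], GOOD[0]]  # lowest privilege listed first
ALICE = {"email": "alice@example.com", "groups": ["Everyone", "SecOps-Admins"]}

if __name__ == "__main__":
    print(resolve_role(GOOD, ALICE))  # highest-privilege rule matches first
    print(resolve_role(BAD, ALICE))   # broad low-privilege rule shadows the rest
    print(resolve_role(GOOD, {"groups": ["secops-admins"]}))  # case mismatch
    print(len(misordered_rules(BAD)))
```

With the rules in ascending order, the broad Everyone rule matches first and the administrator is silently assigned the lowest role; a claim value that differs only in case matches nothing.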