Skip to main content
All CollectionsSet Up TorqSet Up Single Sign-On (SSO)
Set Up Torq SSO: Okta OpenID Connect
Set Up Torq SSO: Okta OpenID Connect

Follow this guide to set up Single Sign-On (SSO) with Okta using the OpenID Connect protocol.

Updated over 4 months ago

To configure SSO using Okta as the IdP and OpenID Connect (OIDC) as the authentication protocol, you need to perform several steps in Torq and several in Okta.

Supported Features

  • IdP-initiated SSO

  • Import users

  • Import groups

1. Create a New SSO Provider in Torq

Perform these steps in Torq.

  1. Go to Settings > SSO Login.

  2. In the IdP Connection section, click the Add button.

  3. Copy the Login redirect URL. You will need this when creating a new OpenID connection application in Okta.

  • When using version 16.1 or newer of the Safari browser, you have to make sure the Login redirect URL is US: https://app.torq.io/__/auth/handler or EU: https://app.eu.torq.io/_/auth/handler. If this isn’t the case, you should contact your support representative and ask them to update this URL for your workspace before you continue. If you already set up SSO for your workspace, you have to update the Login redirect URL you provided to your IdP after the support representative updates the URL for your workspace.

  • Contact Torq support if you need to change the Login redirect URL.

Screenshot of configuring an OpenID Connect provider.

2. Create a New OpenID Application in Okta

Perform these steps in Okta.

  1. Log in to Okta as an administrator.

  2. Go to the Applications section and click Create App Integration.

    Screenshot of creating an app integration in Okta
  3. In the Create a new app integration dialog, select OIDC - Open ID Connect.

  4. After the dialogue expands, in the Application type section, select Web application and click Next.

    1. Platform: Web

    2. Sign-on method: OpenID Connect

      Screenshot of configuring a new app integration in Okta.
  5. Configure the settings for the New Web App Integration page and click Save.

    1. App integration name: Should be set to Torq.

    2. Logo: (Optional) If organizational users use the Okta Applications "launcher", we recommend downloading the Torq logo.

    3. Grant type: Select Implicit (hybrid).

    4. Sign-in redirect URIs: Add the Login redirect URL copied in a previous step.

    5. In the Assignments section, select the level of access control.

Screenshot of configuring a new web app integration in Okta.

3. Configure the Okta Application Settings

Perform these steps in Okta.

  1. In the General tab:

    1. Client Credentials: Copy the Client ID.

    2. Client Secret: Generate a new client secret or copy an existing one.

      Screenshot of generating credentials and secret for the Torq app in Okta.
  2. Get the Issuer URL.

    1. Under the Sign On tab, go to the OpenID Connect ID Token section and click Edit.

    2. Next to the Issuer field, expand the drop-down menu and select Okta URL.

    3. Click Save.

      Screenshot of getting the issuer ID for the app in Okta.

4. Assign the Application to Relevant Users/Groups

Perform this step in Okta.

  1. In the Assignments section, select the users and/or groups to whom to assign the application.

Screenshot of group assignment for the app in Okta.

5. Complete the SSO Set Up in Torq

For this step, you'll need to enter some information from Okta (General Settings and Client Credentials sections) in the corresponding SSO fields in Torq.

  1. Go to Settings > SSO Login.

  2. In the OpenID Connect section, click Edit settings and enter the values you saved from Okta to the corresponding fields.

    1. Client ID

    2. Client Secret

    3. Issuer URL

    4. Advanced (expand this section and make sure groups is in the Requested scopes field).

  3. Click Save.

Screenshot of configuring an IdP connection in Torq.

6. Define SSO Claims Mapping for Okta

The claims mapping defines logged-in enterprise users' roles in the Torq workspace.

The mappings are interpreted in an ordered, top-down manner. The mapping assigning the highest privilege should be listed first, and the other mappings should be listed in descending privilege order. A user is assigned a role according to the first match, disregarding any following assignments.

Each claim mapping rule consists of the following elements:

  • Claim Name: The claim (field), as provided by the Identity Provider. Specific frequently used claims could include email for a particular user or groups, as defined earlier.

  • Claim Value: The expected value for the claim to assign a certain role to the user. Claim values are case-sensitive.

  • Role: The expected Torq role to assign.

Screenshot of setting up claims mapping for SSO.
Did this answer your question?