Set Up Torq SSO: Microsoft Entra ID

Follow this guide to set up Single Sign-On (SSO) with Entra ID (formerly Azure AD).

Updated over a month ago

Leveraging Entra ID to authenticate users and map Azure roles to Torq roles enhances security and streamlines user management, all without the need for Auth0. This guide provides a step-by-step approach to setting up SSO with Entra ID, ensuring a secure and efficient login process for Torq users.

Setting Up App Registration in Entra

To begin, register a new app in your Azure portal to connect your Torq workspace with Entra ID:

  1. Access Azure Portal: Log into your Azure portal and navigate to App Registrations, selecting New Registration to initiate a new app setup.

  2. Configure App Details: Fill in the application registration form with the necessary details.

    1. Name: Torq.io

    2. Supported account types: Accounts in this organizational directory only.

    3. Redirect URL (optional):

  3. Register and Note IDs: After clicking Register, note the Application (client) ID and Directory (tenant) ID for later use in Torq.

  4. Adjust Authentication Settings: In the Authentication section, enable ID tokens by selecting them under the Implicit grant and hybrid flows.

  5. Create Client Secret: Under Certificates & secrets, generate a new client secret, and click Add.

    1. Name: torq

    2. Description: A brief description of the secret.

    3. Expires: 24 months, or a custom date that is more than 24 months away. After the secret expires, you won't be able to log in to Torq using it, so track the expiry date and rotate the secret before then.

    4. Secret value: Copy the secret value and save it in a secure location. You'll need this later to finish creating the integration in Torq.

The Redirect URI above is the Login redirect URL provided by Torq. See section 2.

If your users run Safari 16.1 or newer, make sure the Login redirect URL in Torq is https://app.torq.io/__/auth/handler (or, for EU workspaces, https://app.eu.torq.io/__/auth/handler). If it isn't, contact your support representative and ask them to update this URL for your Torq workspace before you continue. If you already set up SSO for your Torq workspace, update the Login redirect URL you provided to your IdP after the support representative updates the URL for your workspace.

Contact Torq support if you need to change the Login redirect URL.

Defining App Roles and Permissions

  1. Create App Roles: Navigate to App roles and click Create app role. Add a new role for each Torq role you wish to mirror, ensuring you create mappings for roles like TorqViewer, TorqOperator, TorqContributor, and TorqOwner.

    1. The name you enter in the Value field will be the value for the Claim Value field in Torq when you set up role mapping.

  2. Assign Permissions: Ensure the User.Read permission is listed under API permissions and grant admin consent to finalize the setup.

  3. Read more about privileged roles in Entra ID here.

To allow your Entra integration to reset users' passwords, assign the User.ReadWrite.All application permission and at least a User Administrator Microsoft Entra role.

Recommended claims to add are first_name (source attribute: User.GivenName) and last_name (source attribute: User.Surname), so that user names are sent to Torq.

Configuring SSO in Torq

Now, go to the Torq application to configure Single Sign-On with Entra ID (Azure AD):

  1. Navigate to SSO Settings: Go to Settings > SSO Login in Torq.

  2. Add IdP Connection: Click Add in the IdP Connection section, choose the Open ID Connect protocol, and fill in the details using the IDs and secret you noted earlier.

  3. Scopes: Click Advanced and remove groups from the scope list.

  4. Configure Claims Mapping: In the Claims mapping section, map each Azure role to the corresponding Torq role, ensuring mappings are ordered by privilege level. A user is assigned a role according to the first match, disregarding any following assignments.

    1. Claim Name: roles

    2. Claim Value: TorqOwner

    3. Assign Role: Owner

Use these values when filling in the IdP Connection details:

Field         | Value
Client ID     | The application ID you copied earlier in Azure.
Client secret | The secret value you copied earlier in Azure.
Issuer URL    | https://login.microsoftonline.com/tenant-id/v2.0, where tenant-id is the tenant ID you copied earlier in Azure.

Screenshot of setting up an IdP connection in Torq.
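The ordering rule in the Claims mapping step (first match wins, so list mappings from most to least privileged) and the Issuer URL format from the table above are easy to get wrong and hard to see in the portal. The following added example, which is not Torq's or Microsoft's code, models that logic so you can reason about it: it builds a constructed, unsigned demo ID token, reads its payload, checks the iss claim against the issuer URL for a placeholder tenant ID, and resolves a Torq role with the same first-match rule the page describes. The role values and the roles claim name are taken from the page; the tenant ID, client ID and token payload are placeholders constructed for the demo, and signature verification is deliberately left to the OIDC library that actually handles the login.

```python
"""First-match role mapping and issuer check for an Entra ID OIDC ID token.

Added example (not Torq's or Microsoft's code). Token, tenant ID and
client ID below are constructed placeholders.
"""
import base64
import json
from typing import Optional

# Placeholder identifiers (constructed, not real values).
DEMO_TENANT_ID = "00000000-0000-0000-0000-000000000000"
DEMO_CLIENT_ID = "11111111-1111-1111-1111-111111111111"

# Ordered claims mapping, most privileged first, as the page recommends.
# Each entry: (claim name, claim value, Torq role). Claim name and values
# mirror the page's App roles / Claims mapping steps.
CLAIMS_MAPPING = [
    ("roles", "TorqOwner", "Owner"),
    ("roles", "TorqContributor", "Contributor"),
    ("roles", "TorqOperator", "Operator"),
    ("roles", "TorqViewer", "Viewer"),
]

# Constructed payload: a user who has been assigned two app roles in Entra.
DEMO_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{DEMO_TENANT_ID}/v2.0",
    "aud": DEMO_CLIENT_ID,
    "sub": "demo-user",
    "roles": ["TorqViewer", "TorqOwner"],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT segments strip.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_demo_id_token(claims: dict) -> str:
    """Assemble a JWT-shaped demo token; the signature segment is a placeholder."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(claims).encode()),
        "signature-placeholder",
    ])


def payload_claims(id_token: str) -> dict:
    """Extract the payload for inspection only. This does NOT verify the
    signature; trust claims only after the OIDC library has verified the
    token against the issuer's signing keys."""
    return json.loads(_b64url_decode(id_token.split(".")[1]))


def expected_issuer(tenant_id: str) -> str:
    """Issuer URL in the format the page gives for the IdP connection."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


def issuer_matches(claims: dict, tenant_id: str) -> bool:
    return claims.get("iss") == expected_issuer(tenant_id)


def audience_matches(claims: dict, client_id: str) -> bool:
    aud = claims.get("aud")
    return client_id in aud if isinstance(aud, list) else aud == client_id


def resolve_role(claims: dict, mapping) -> Optional[str]:
    """Return the Torq role of the FIRST mapping entry the token satisfies.
    Later entries are ignored even if they also match, which is why the
    mapping must be ordered by privilege. Entra sends app roles as a list,
    but a scalar claim value is handled too."""
    for claim_name, claim_value, torq_role in mapping:
        value = claims.get(claim_name)
        values = value if isinstance(value, list) else [value]
        if claim_value in values:
            return torq_role
    return None  # no mapping matched: the user gets no Torq role


if __name__ == "__main__":
    token = build_demo_id_token(DEMO_CLAIMS)
    claims = payload_claims(token)
    print("issuer ok:", issuer_matches(claims, DEMO_TENANT_ID))
    print("audience ok:", audience_matches(claims, DEMO_CLIENT_ID))
    print("role, privilege-ordered mapping:", resolve_role(claims, CLAIMS_MAPPING))
    print("role, viewer-first mapping:", resolve_role(claims, list(reversed(CLAIMS_MAPPING))))
```

Running it shows the practical consequence of the ordering rule: the same user who holds both TorqViewer and TorqOwner resolves to Owner with the privilege-ordered mapping, but to Viewer if the Viewer entry is listed first, because the first match is taken and the rest are disregarded.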

Assigning App Roles to Users in Azure

Finally, assign the configured Azure roles to your users:

  1. Locate Your App: Within Azure, search for Enterprise applications and select your Torq app.

  2. Add Users to Roles: Click Users and groups > Add user/group, select the users to assign to each Torq role, and confirm the assignments.

    1. Under Users, click None Selected.

    2. Search for and select each user to add to the role, click Select, and then click Assign.
