Leveraging Entra ID to authenticate users and map Azure roles to Torq roles enhances security and streamlines user management, all without the need for Auth0. This guide provides a step-by-step approach to setting up SSO with Entra ID, ensuring a secure and efficient login process for Torq users.
Setting Up App Registration in Entra
To begin, register a new app in your Azure portal to connect your Torq workspace with Entra ID:
Access Azure Portal: Log into your Azure portal and navigate to App Registrations, selecting New Registration to initiate a new app setup.
Configure App Details: Fill in the application registration form with the necessary details.
Name: Torq.io
Supported account types: Accounts in this organizational directory only.
Redirect URL (optional):
Platform: Web
Register and Note IDs: After clicking Register, note the Application (client) ID and Directory (tenant) ID for later use in Torq.
Adjust Authentication Settings: In the Authentication section, enable ID tokens by selecting them under the Implicit grant and hybrid flows.
Create Client Secret: Under Certificates & secrets, generate a new client secret, and click Add.
Name: torq
Description: A brief description of the secret.
Expires: 24 months or a custom date that is more than 24 months. After the secret expires, you won't be able to log in to Torq using the secret.
Secret value: Copy the secret value and save it in a secure location. You'll need this later to finish creating the integration in Torq.
The Redirect URI above is the Login redirect URL provided by Torq. See section 2.
When using version 16.1 or newer of the Safari browser, you have to make sure the Login redirect URL in Torq is https://app.torq.io/__/auth/handler or EU: https://app.eu.torq.io/__/auth/handler. If this isn’t the case, you should contact your support representative and ask them to update this URL for your Torq workspace before you continue. If you already set up SSO for your Torq workspace, you have to update the Login redirect URL you provided to your IdP after the support representative updates the URL for your Torq workspace.
Contact Torq support if you need to change the Login redirect URL.
Defining App Roles and Permissions
Create App Roles: Navigate to App roles and click Create app role. Add a new role for each Torq role you wish to mirror, ensuring you create mappings for roles like TorqViewer, TorqOperator, TorqContributor, and TorqOwner.
The name you enter in the Value field will be the value for the Claim Value field in Torq when you set up role mapping.
Assign Permissions: Ensure the User.Read permission is listed under API permissions and grant admin consent to finalize the setup.
Read more about privileged roles in Entra ID here.
To allow your Entra integration to reset users' passwords, assign the User.ReadWrite.All application permission and at least a User Administrator Microsoft Entra role.
Recommended claims to add are last_name (source attribute: User.Surname) and first_name (source attribute: User.GivenName), so that user names are sent to Torq.
Configuring SSO in Torq
Now, go to the Torq application to configure Single Sign-On with Azure AD:
Navigate to SSO Settings: Go to Settings > SSO Login in Torq.
Add IdP Connection: Click Add in the IdP Connection section, choose the Open ID Connect protocol, and fill in the details using the IDs and secret you noted earlier.
Scopes: Click Advanced and remove groups from the scope list.
Configure Claims Mapping: In the Claims mapping section, map each Azure role to the corresponding Torq role, ordering the mappings by privilege level: a user is assigned the role of the first mapping that matches, and any later matching rows are ignored.
Claim Name: roles
Claim Value: TorqOwner
Assign Role: Owner
Field | Value
Client ID | The application ID you copied earlier in Azure.
Client secret | The secret value you copied earlier in Azure.
Issuer URL | https://login.microsoftonline.com/tenant-id/v2.0, where tenant-id is the tenant ID you copied earlier in Azure.
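The two settings in this section that are easiest to get subtly wrong are the order of the claims-mapping rows and the issuer URL. The following Python is an added example, not Torq's or Microsoft's code, that models the first-match rule described above and the tenant-specific issuer from the table. It assumes the ID token has already been signature-verified by the OIDC client, that Entra emits the app roles in a roles claim (as in the Claim Name example above), and that the Torq roles Owner, Contributor, Operator and Viewer correspond to the TorqOwner, TorqContributor, TorqOperator and TorqViewer app roles; the function names and the mapping rows are constructed for illustration.

```python
"""Added example: first-match role mapping and issuer check for an Entra ID OIDC login.

Not Torq's or Microsoft's code. Assumes the ID token's signature was already
verified by the OIDC client, so only its claims are handled here. Role names
other than Owner/TorqOwner are assumed, not taken from the guide.
"""
from typing import Any, List, Mapping, Optional, Tuple

# One row per Torq claims-mapping entry: (claim name, claim value, Torq role).
# Constructed to follow the guide's advice: ordered by privilege, highest first.
ORDERED_MAPPING: List[Tuple[str, str, str]] = [
    ("roles", "TorqOwner", "Owner"),
    ("roles", "TorqContributor", "Contributor"),
    ("roles", "TorqOperator", "Operator"),
    ("roles", "TorqViewer", "Viewer"),
]


def expected_issuer(tenant_id: str) -> str:
    """Issuer URL the guide's table prescribes for a given Directory (tenant) ID."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


def check_issuer(claims: Mapping[str, Any], tenant_id: str) -> bool:
    """True only if the token's iss claim is exactly this tenant's v2.0 issuer.

    A token issued by another tenant (or the common endpoint) is rejected.
    """
    return claims.get("iss") == expected_issuer(tenant_id)


def select_torq_role(
    claims: Mapping[str, Any], mapping: List[Tuple[str, str, str]]
) -> Optional[str]:
    """Return the Torq role of the first mapping row whose claim matches.

    Mirrors the rule in the guide: the first match wins and later rows are
    ignored, so a user holding several app roles gets the role listed first.
    Returns None when no row matches (no Torq role would be granted).
    """
    for claim_name, claim_value, torq_role in mapping:
        present = claims.get(claim_name)
        if present is None:
            continue
        # Entra emits `roles` as a list; tolerate a single string as well.
        values = present if isinstance(present, list) else [present]
        if claim_value in values:
            return torq_role
    return None


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Show why row order matters for a user assigned two app roles.

    Returns (role with recommended ordering, role with reversed ordering).
    """
    # Constructed claims for a user who holds both TorqViewer and TorqOwner.
    claims = {
        "iss": expected_issuer("00000000-0000-0000-0000-000000000000"),  # placeholder tenant
        "roles": ["TorqViewer", "TorqOwner"],
    }
    correct = select_torq_role(claims, ORDERED_MAPPING)
    misordered = select_torq_role(claims, list(reversed(ORDERED_MAPPING)))
    return correct, misordered


if __name__ == "__main__":
    print(demo())  # ('Owner', 'Viewer')
```

With the rows ordered highest privilege first, the dual-role user lands on Owner; with the order reversed, the same token yields Viewer, which is the mismatch the ordering advice prevents. The issuer check is the counterpart of the table's Issuer URL row: only tokens whose iss names your own tenant's v2.0 endpoint should be accepted.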
Assigning App Roles to Users in Azure
Finally, assign the configured Azure roles to your users:
Locate Your App: Within Azure, search for Enterprise applications and select your Torq app.
Add Users to Roles: Click Users and groups > Add user/group, select the users to assign to each Torq role, and confirm the assignments.