To configure SSO using OneLogin as the IdP and SAML 2.0 as the authentication and authorization protocol, you need to perform several steps in Torq and several in OneLogin.
1. Create a new SSO provider in Torq
Perform these steps in Torq.
Go to Settings > SSO Login.
In the IdP Connection section, click the Add button.
Select the SAML 2.0 protocol.
Copy the Login Redirect URL. You will need this when creating a new application in OneLogin.
When using version 16.1 or newer of the Safari browser, make sure the Login Redirect URL in Torq is https://app.torq.io/__/auth/handler (or, for EU workspaces, https://app.eu.torq.io/__/auth/handler). If it isn't, contact your support representative and ask them to update this URL for your Torq workspace before you continue. If you have already set up SSO for your Torq workspace, you must also update the Login Redirect URL you provided to your IdP after the support representative updates the URL for your workspace.
Contact Torq support if you need to change the Login Redirect URL.
2. Create a new SAML 2.0 application
Perform these steps in OneLogin.
Go to Applications and click Add App.
In the list of applications search for SAML Custom and select the SAML Custom Connector (Advanced) application.
Enter a name for the application. We recommend naming the application Torq.
Set the application to not be Visible in portal, because IdP-initiated flows with SAML 2.0 aren't currently supported; users must start the login from Torq.
3. Configure the OneLogin application settings
Perform these steps in OneLogin.
1. In the Configuration tab, apply the following SAML 2.0 protocol settings.
Field | Value |
--- | --- |
Audience | torq.io |
Recipient | Login Redirect URL copied from the IdP Connection form in Torq in a previous step. |
ACS (Consumer) URL Validator | Login Redirect URL used above. |
ACS (Consumer) URL | Login Redirect URL used above. |
Login URL | |
SAML initiator | Service Provider. |
SAML NameID format | Email. |
SAML issuer type | Specific. |
SAML signature element | Assertion. |
Send NameID Format in SLO Request | Select this option. |
2. In the Parameters tab, add the required attribute mappings. For every parameter, select the Include in SAML assertion option.
User roles are mapped from groups, so for the groups parameter also select the Multi-value parameter option.
4. Complete SSO setup in Torq
Perform these steps in Torq. You'll need to enter some information from OneLogin in the corresponding SSO fields in Torq.
The information is available in the SSO tab of the new app.
In Torq: Go to Settings > SSO Login.
In the IdP Connection section, click Edit Settings and enter the values from OneLogin in the corresponding Torq fields.
OneLogin field | Torq field |
--- | --- |
SAML 2.0 Endpoint (HTTP) | Sign-On URL |
Issuer URL | Issuer URL |
Certificate content | Public Certificate |
5. Assign the application to users and groups
In the Users tab, define which organizational users and groups should have access to Torq.
6. Define SSO claims mapping
The claims mapping defines the role that logged-in enterprise users are assigned in the Torq workspace.
The mappings are evaluated in order, top-down. List the mapping that assigns the highest privilege first, followed by the other mappings in descending order of privilege. A user is assigned the role of the first matching rule; any later rules are ignored.
Each claim mapping rule consists of the following elements:
Field | Value |
--- | --- |
Claim Name | The claim (field) as provided by the Identity Provider. Commonly used claims are email (to match a particular user) or groups (as defined in the Parameters tab earlier). |
Claim Value | The value the claim must carry for the role to be assigned. Claim values are case-sensitive. |
Role | The Torq role to assign when the rule matches. |
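The following Python is an added example, not Torq's or OneLogin's code, showing why rule order and case matter: it pulls the email and multi-valued groups claims out of a constructed SAML assertion and applies an ordered, first-match, case-sensitive claims mapping. The role names Admin, Operator and Viewer and the group names are assumptions for illustration; signature validation of the assertion is out of scope here.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion with an email attribute and a multi-value
# "groups" attribute, as the Parameters tab above produces. The Signature
# element is omitted; this example only covers claim extraction and mapping.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Torq-Users</saml:AttributeValue>
      <saml:AttributeValue>Torq-Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claims(assertion_xml):
    """Return {claim_name: [values]} from the AttributeStatement; NameID is exposed as 'nameid'."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        claims[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    if nameid is not None:
        claims["nameid"] = [nameid.text or ""]
    return claims


def assign_role(rules, claims, default=None):
    """rules: ordered list of (claim_name, claim_value, role), most privileged first.
    The first rule whose value appears (case-sensitively) among the claim's values wins."""
    for claim_name, claim_value, role in rules:
        if claim_value in claims.get(claim_name, []):
            return role
    return default


# Assumed role and group names, highest privilege listed first.
RULES = [
    ("groups", "Torq-Admins", "Admin"),
    ("groups", "Torq-Users", "Operator"),
    ("email", "viewer@example.com", "Viewer"),
]

if __name__ == "__main__":
    claims = extract_claims(SAMPLE_ASSERTION)
    print(assign_role(RULES, claims))                 # Admin
    print(assign_role(list(reversed(RULES)), claims))  # Operator: the broader rule matched first
```

Reversing the rule list silently demotes a member of both groups to Operator, and a rule written as `torq-admins` never matches the `Torq-Admins` value the IdP sends.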