To configure SSO using OneLogin as the IdP and SAML 2.0 as the authentication and authorization protocol, you need to perform several steps in Torq and several in OneLogin.
Important!
Before getting started, make sure you understand how to prevent user lockouts by reviewing this KB article.
Set up SSO in Torq
Sign in to Torq as an Owner to perform the following steps.
Access SSO Settings: Go to Settings > Security > Configure SSO.
Select Protocol and Identity Provider: In the IdP Selection section, choose SAML 2.0 as the protocol and select OneLogin as your Identity Provider.
Click Next to continue.
Enter IdP Setup Details: In the IdP Setup section, fill in the following fields with the values obtained from OneLogin, then click Next.
Field | Value |
Audience Restriction | |
Login Redirect URL | US: |
Sign-On URL | Copied from OneLogin |
Issuer URL | Copied from OneLogin |
Public Certificate | Copied from OneLogin |
When using Safari v16.1 or newer, the Login Redirect URL must be:
https://app.torq.io/__/auth/handler
If this value differs, contact Torq Support to update the URL for your workspace before continuing.
Create New SAML 2.0 Application in OneLogin
Perform the following steps in OneLogin to create a new SAML 2.0 application for Torq.
Access Applications: In your OneLogin admin portal, go to Applications from the top navigation menu.
Add a New Application: Click Add App to create a new application.
Search for the Connector: In the search bar, type SAML Custom.
Select the Connector: From the list of results, select SAML Custom Connector (Advanced) to begin configuring your SAML 2.0 application.
Enter a Name for the Application: Provide a name for your new application.
Use Torq as the application name for consistency and easy identification.
Adjust Application Visibility: Set the application to not be visible in the user portal.
Note: IdP-initiated SAML 2.0 flows are not currently supported in Torq, so users should not launch the application directly from the OneLogin portal.
Save Your Settings: Click Save to apply your configuration and continue to the SSO setup.
Configure the OneLogin Application Settings
Open the Configuration Tab: In your OneLogin application, go to the Configuration tab.
Apply SAML 2.0 Settings: Enter the following values:
Field | Value |
Audience | |
Recipient | Login Redirect URL copied from the IdP Connection form in Torq. |
ACS (Consumer) URL Validator | Login Redirect URL used above. |
ACS (Consumer) URL | Login Redirect URL used above. |
Login URL | |
SAML Initiator | |
SAML NameID Format | |
SAML Issuer Type | |
SAML Signature Element | |
Send NameID Format in SLO Request | ✅ Select this option |
Add Attribute Mappings in OneLogin
Open the Parameters Tab: In your OneLogin application, go to the Parameters tab.
Add Attribute Mappings: For each parameter, click Add parameter and configure it as shown below.
Be sure to select Include in SAML assertion for all parameters.
Parameter Name | Mapped To | Include in SAML Assertion | Additional Settings |
First Name | | ✅ | — |
Last Name | | ✅ | — |
User Roles | | ✅ | Select Multi-value parameter option |
Complete SSO Setup in Torq
Perform these steps in Torq. You'll need to enter some information from OneLogin in the corresponding SSO fields in Torq.
The information is available in the SSO tab of the new app.
Assign the Application to Users and Groups
In the Users tab, define which organizational users and groups should have access to Torq.
Define SSO Claims Mapping
The Claims Mapping determines which Torq role is assigned to each user based on identity provider attributes.
Add Claim Mapping Rules: In the Claims Mapping section, click Add Claim to create a new rule.
The wizard automatically offers the first mapping, email, marked as recommended.
This field is auto-filled with the email address of the current user (the Owner performing the setup).
You can optionally edit this initial mapping before saving.
After editing, click Add to move the mapping into the saved section.
Provide Mapping Details: For each rule, define the following:
Claim Name: The field from your IdP (for example, email or groups).
Claim Value: The expected value of the claim (case-sensitive).
Assigned Role: The Torq role to assign (for example, Admin, Editor, Viewer).
Organize Claim Priority:
Mappings are evaluated top-down.
Place the claim with the highest privilege role at the top.
Lower-privilege mappings should follow in descending order.
A user’s role is determined by the first matching claim.
Save Configuration: After defining all required mappings, click Save to complete the setup.
Important!
The first email claim mapping is essential to prevent account lockouts in Torq. Do not delete it until SSO has been tested and verified with other users, as any misconfiguration in Torq or your IdP could result in loss of access.
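A planned rule set can be checked offline against the top-down, first-match, case-sensitive evaluation described above. The Python sketch below is an added example, not Torq code: the Admin > Editor > Viewer ranking, the group names and the email addresses are constructed assumptions.

```python
# Added illustration, not Torq code. Role ranking and all sample values are assumed.
ROLE_RANK = {"Admin": 3, "Editor": 2, "Viewer": 1}

def claim_values(claims, name):
    """Return a claim as a list; multi-value claims (e.g. roles) already are lists."""
    value = claims.get(name, [])
    return value if isinstance(value, list) else [value]

def resolve_role(mappings, claims):
    """Evaluate rules top-down; the first case-sensitive match decides the role."""
    for name, expected, role in mappings:
        if expected in claim_values(claims, name):
            return role
    return None  # no rule matched

def lint_order(mappings):
    """Return indexes of rules placed below a lower-privilege rule."""
    shadowed, lowest = [], None
    for index, (_, _, role) in enumerate(mappings):
        rank = ROLE_RANK[role]
        if lowest is not None and rank > lowest:
            shadowed.append(index)
        lowest = rank if lowest is None else min(lowest, rank)
    return shadowed

def has_email_fallback(mappings, owner_email):
    """True if the initial email rule for the setup Owner is still present."""
    return any(n == "email" and v == owner_email for n, v, _ in mappings)

# Constructed rule sets: (claim name, claim value, assigned role)
BAD = [("groups", "torq-viewers", "Viewer"),
       ("groups", "torq-admins", "Admin")]
GOOD = [("email", "owner@example.com", "Admin"),
        ("groups", "torq-admins", "Admin"),
        ("groups", "torq-viewers", "Viewer")]

# Constructed assertion attributes for a user who is in both groups
USER = {"email": "alice@example.com", "groups": ["torq-viewers", "torq-admins"]}

if __name__ == "__main__":
    print("bad order  ->", resolve_role(BAD, USER), "shadowed:", lint_order(BAD))
    print("good order ->", resolve_role(GOOD, USER), "shadowed:", lint_order(GOOD))
    print("wrong case ->", resolve_role(GOOD, {"groups": ["Torq-Admins"]}))
    print("fallback kept:", has_email_fallback(GOOD, "owner@example.com"))
```

With the Viewer rule on top, a user who belongs to both groups resolves to Viewer; a group value that differs only in letter case matches no rule at all.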













