Skip to main content
Set Up Torq SSO: OneLogin SAML 2.0

Follow this guide to set up Single Sign-On (SSO) with OneLogin using the SAML 2.0 protocol.

Updated over 7 months ago

To configure SSO using OneLogin as the IdP and SAML 2.0 as the authentication and authorization protocol, you need to perform several steps in Torq and several in OneLogin.

1. Create a new SSO provider in Torq

Perform these steps in Torq.

  1. Go to Settings > SSO Login.

  2. In the IdP Connection section, click the Add button.

  3. Select the SAML 2.0 protocol.

  4. Copy the Login Redirect URL. You will need this when creating a new application in OneLogin.

  • When using version 16.1 or newer of the Safari browser you have to make sure the Login redirect URL in Torq is https://app.torq.io/__/auth/handler or EU: https://app.eu.torq.io/__/auth/handler. If this isn’t the case, you should contact your support representative and ask them to update this URL for your Torq workspace before you continue. If you already set up SSO for your Torq workspace, you have to update the Login redirect URL you provided to your IdP after the support representative updates the URL for your Torq workspace.

  • Contact Torq support if you need to change the Login redirect URL.

Screenshot of adding an IdP connection with SAML protocol in Torq.

2. Create a new SAML 2.0 application

Perform these steps in OneLogin.

  1. Go to Applications and click Add App.

  2. In the list of applications search for SAML Custom and select the SAML Custom Connector (Advanced) application.

    onelogin-saml-app
  3. Enter a name for the application. We recommend naming the application Torq.

  4. Set the application to not be Visible in portal. IdP-initiated flows with SAML 2.0 aren't currently supported.

    Screenshot of setting the application to not be visible in the portal.

3. Configure the OneLogin application settings

Perform these steps in OneLogin.

1. In the Configuration tab, apply the following SAML 2.0 protocol settings.

Field

Value

Audience

torq.io

Recipient

Login Redirect URL copied from the IdP Connection form in Torq in a previous step.

ACS (Consumer) URL Validator

Login Redirect URL used above.

ACS (Consumer) URL

Login Redirect URL used above.

Login URL

SAML initiator

Service Provider.

SAML NameID format

Email.

SAML issuer type

Specific.

SAML signature element

Assertion.

Send NameID Format in SLO Request

Select this option.

Screenshot of configuring settings for the application in OneLogin.

2. In the Parameters tab, add the required attribute mapping. For all parameters, select the option to Include in SAML assertion.

  • First Name is mapped to first_name and Last Name is mapped to last_name.

    Screenshot showing how to do name mapping for the app.
  • User Roles are mapped to groups. Select the Multi-value parameter option.

Screenshot of creating the groups field for the app.
Screenshot of selecting the user roles to add to the group.
Summary of the attribute mapping

4. Complete SSO setup in Torq

Perform these steps in Torq. You'll need to enter some information from OneLogin in the corresponding SSO fields in Torq.

The information is available in the SSO tab of the new app.

OneLogin app SSO information
onelogin-saml-certificate
  1. In Torq: Go to Settings > SSO Login.

  2. In the IdP Connection section, click Edit Settings and enter the values from OneLogin to the corresponding fields.

    1. SAML 2.0 Endpoint (HTTP) to Sign-On URL

    2. Issuer URL in OneLogin to Issuer URL in Torq

    3. Certificate content to Public Certificate

5. Assign the application to users and groups

In the Users tab, define which organizational users and groups should have access to Torq.

Screenshot of adding users to groups in OneLogin.

6. Define SSO claims mapping

The claims mapping defines the role that logged-in enterprise users are assigned in the Torq workspace.

The mappings are interpreted in an ordered, top-down manner. The mapping assigning the highest privilege should be listed first, and the other mappings should be listed in descending privilege order. A user is assigned a role according to the first match, disregarding any following assignments.

Each claim mapping rule consists of the following elements:

Field

Value

Claim Name

The claim (field), as provided by the Identity Provider. Specific frequently used claims could include email for a particular user or groups, as defined earlier.

Claim Value

The expected value for the claim in order to assign a specific role to the user. Claim values are case-sensitive.

Role

The expected Torq role to assign.

Add claims mapping in Torq
Did this answer your question?