To configure SSO using Okta as the IdP and SAML 2.0 as the authentication and authorization protocol, you need to perform several steps in Torq and several in Okta.
Before you continue, note that the recommended way to set up Okta SSO is the Torq application in the Okta app catalog; try that first, and use the manual SAML 2.0 procedure below only if you need it.
1. Create a new SSO provider in Torq
Perform these steps in Torq.
1. Go to Settings > SSO Login.
2. In the IdP Connection section, click the Add button.
3. Select the SAML 2.0 protocol.
4. Copy the Login Redirect URL. You will need this when creating a new application in Okta.
If your users run Safari 16.1 or newer, make sure the Login Redirect URL shown for your workspace is one of the following:
https://app.torq.io/__/auth/handler
EU workspaces: https://app.eu.torq.io/__/auth/handler
If your workspace shows a different URL, contact your support representative and ask them to update it before you continue. If SSO is already set up for your workspace, you must also update the Login redirect URL configured at your IdP (the Single sign-on URL in the Okta application) after support updates the URL for your workspace.
Contact Torq support if you need to change the Login redirect URL.
2. Create a new SAML 2.0 application in Okta
1. Log in to Okta as an administrator.
2. Go to the Applications section and click Create App Integration.
3. Select the Sign-in method to be SAML 2.0.
4. The app name should be set to Torq.
5. Select the Do not display application icon to users option. Torq doesn't currently support IdP-initiated SAML 2.0 flows, so a Torq tile in the Okta dashboard wouldn't sign users in.
3. Configure the new application settings
Configure the SAML 2.0 protocol settings.
1. Single sign-on URL: Login Redirect URL copied from the IdP Connection form in Torq in a previous step.
2. Audience URI: torq.io (same value as the Audience Restriction field in the IdP Connection form in Torq).
3. Name ID format: EmailAddress.
4. Application username: Email.
5. Update application username on: Create and update.
6. Add the required attribute mapping:
user.firstName is mapped to first_name.
user.lastName is mapped to last_name.
7. In the Group Attribute Statements section, add a statement with the name groups and the filter Matches regex .* so that the user's groups are included in the assertion. Matching is case-sensitive, so the attribute name must be exactly groups in lowercase. The .* filter sends every Okta group the user belongs to; if you want the assertion to disclose less, use a narrower filter (for example Starts with a prefix shared by your Torq groups), as long as every group you reference in the claims mapping still matches.
4. Complete the SSO setup in Torq
For this step, you'll need to enter some information from Okta in the corresponding SSO fields in Torq.
1. Once the new app is created in Okta, go to the Sign On tab and click View Setup Instructions.
2. In Torq, go to Settings > SSO Login.
3. In the IdP Connection section, click Add and enter the values from Okta in the corresponding fields:
Identity Provider Single Sign-On URL goes in Sign-On URL.
Identity Provider Issuer goes in Issuer URL.
Certificate goes in Public Certificate. Torq uses this certificate to verify the signature on the SAML assertions Okta sends, so paste it exactly as shown, including the BEGIN CERTIFICATE and END CERTIFICATE lines, and update it here whenever the Okta signing certificate is rotated.
5. Assign the application to relevant users/groups
In the Assignments section, select the users and groups to assign the application.
6. Define SSO claims mapping
The claims mapping determines which Torq role a logged-in enterprise user receives in the workspace.
Rules are evaluated top-down, and the first rule that matches decides the role; any later rules are ignored for that user. List the rule that grants the highest privilege first and the remaining rules in descending order of privilege. Otherwise a user who matches both a low-privilege rule and a later high-privilege rule (for example, someone in both an operator group and an admin group) is assigned the lower role.
Each claim mapping rule consists of the following elements:
Name: The claim (attribute) sent by the Identity Provider, for example email (to match a particular user) or groups (as defined in the Group Attribute Statement above).
Value: The expected value for the claim to assign a specific role to the user. Claim values are case-sensitive.
Role: The Torq role to assign.
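The following is an added example, not Torq's implementation or any code from the original page. It shows how the attribute statement configured in Okta (first_name, last_name, groups) arrives in a SAML assertion, and how an ordered, first-match claims mapping of the kind described above is evaluated against it: the correct descending-privilege order, the misordered variant that silently downgrades an admin, and a case-mismatched value that matches nothing. The XML is constructed sample data, the email attribute is included purely for illustration, and the role labels admin, operator and viewer are placeholders rather than Torq's actual role names.

```python
"""Added example: first-match evaluation of an SSO claims mapping against
the attributes carried in a SAML AttributeStatement. Illustrative code,
not Torq's implementation. Role names are assumed placeholders."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of what Okta emits for the attribute statements
# configured above, with a "groups" statement filtered by Matches regex .*
# (so every group the user belongs to appears). The email attribute is
# included as an assumption for illustration only.
SAMPLE_ATTRIBUTE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="first_name">
    <saml:AttributeValue>Ada</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="last_name">
    <saml:AttributeValue>Lovelace</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="email">
    <saml:AttributeValue>ada@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="groups">
    <saml:AttributeValue>Everyone</saml:AttributeValue>
    <saml:AttributeValue>torq-admins</saml:AttributeValue>
    <saml:AttributeValue>torq-operators</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
""".strip()

# Placeholder roles, highest privilege first (assumed, not Torq's names).
ROLE_RANK = {"admin": 3, "operator": 2, "viewer": 1}

# Each rule is (claim name, expected value, role). Correct order: the
# rule granting the most privilege is listed first.
RULES_DESCENDING = [
    ("groups", "torq-admins", "admin"),
    ("groups", "torq-operators", "operator"),
    ("email", "contractor@example.com", "viewer"),
]

# Same rules, but the operator rule comes first: an admin who is also an
# operator is downgraded, because the first match wins.
RULES_MISORDERED = [
    ("groups", "torq-operators", "operator"),
    ("groups", "torq-admins", "admin"),
]


def parse_claims(xml_text):
    """Return {claim_name: [values...]} from a SAML AttributeStatement."""
    root = ET.fromstring(xml_text)
    claims = {}
    for attr in root.findall("saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        claims[attr.get("Name")] = values
    return claims


def resolve_role(claims, rules, default=None):
    """Evaluate rules top-down; the first exact, case-sensitive match decides."""
    for name, value, role in rules:
        if value in claims.get(name, []):
            return role
    return default


def misordered_rules(rules, rank=ROLE_RANK):
    """Indexes of rules whose role outranks an earlier rule's role. Such a
    rule can never win for a user who also matches the earlier one."""
    bad, highest = [], None
    for i, (_, _, role) in enumerate(rules):
        r = rank[role]
        if highest is not None and r > highest:
            bad.append(i)
        highest = r if highest is None else max(highest, r)
    return bad


if __name__ == "__main__":
    claims = parse_claims(SAMPLE_ATTRIBUTE_STATEMENT)
    print("claims:", claims)
    print("descending order ->", resolve_role(claims, RULES_DESCENDING))
    print("misordered       ->", resolve_role(claims, RULES_MISORDERED),
          "(misordered rule indexes:", misordered_rules(RULES_MISORDERED), ")")
    # Values are case-sensitive: "Torq-Admins" does not match "torq-admins".
    print("case mismatch    ->", resolve_role(claims, [("groups", "Torq-Admins", "admin")]))
```

Running the script shows the admin user receiving admin with the rules in descending order, operator with the misordered rules, and no role at all when the group value differs only in case. The misordered_rules check is the kind of lint worth running over a mapping before saving it: any index it returns is a rule that a higher-privilege user can never reach.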