This guide walks you through configuring an Azure integration with Auth0, setting up an application within Auth0 for Torq, and completing the SSO setup in Torq. Additionally, it covers creating a custom rule in Auth0 to enrich ID tokens with group claims from Entra ID, which is crucial for role-based access control within Torq.
Important!
Before getting started, make sure you understand how to prevent user lockouts by reviewing this KB article.
Prerequisites
Ensure you have an Azure Connection configured in Auth0. If not, first set up an Azure integration with Auth0. After configuring, activate Extended Attributes under General settings, particularly the Get user groups option, to fetch group memberships from Entra ID.
Create a New Application in Auth0
In Auth0, navigate to Applications and Create Application.
Name it (e.g. Auth0 Torq), select Regular Web Applications, and Create.
Under Connections, choose the Azure connection (e.g. LeonidAzure).
In Settings, specify the Allowed Callback URLs as provided by Torq, such as https://app.torq.io/__/auth/handler or its EU equivalent: https://app.eu.torq.io/__/auth/handler.
Note the Domain, Client ID, and Client Secret from the Basic Information section for later use.
Create a Rule for Entra ID Group Claims
To ensure Torq receives Entra ID group memberships as part of the authentication process:
Navigate to Auth Pipeline > Rules in Auth0.
Create > Empty Rule and name it (e.g., Torq Token Group Enrichment).
Replace <ApplicationClientID> in the script with your application's Client ID to conditionally apply this rule:
function enrichTorqToken(user, context, callback) {
  // Skip other applications, but still invoke the callback so their logins are not left hanging.
  if (context.clientID !== '<ApplicationClientID>') return callback(null, user, context);
  // Namespaced custom claim that carries the user's Entra ID groups in the ID token.
  const namespace = "https://torq.io/";
  context.idToken[namespace + 'groups'] = user.groups;
  return callback(null, user, context);
}
This script adds the user's groups to the ID token, facilitating role-based access control in Torq based on Entra ID group memberships.
Set Up SSO in Torq
Configure SSO in Torq
Sign in to Torq as an Owner to perform the following steps.
Access SSO Settings: Go to Settings > Security > Configure SSO.
Select Protocol and Identity Provider: In the IdP Selection section, choose OpenID Connect as the protocol and select Auth0 as your Identity Provider.
Click Next to continue.
Enter IdP Setup Details: In the IdP Setup section, fill in the following fields with the values obtained from Auth0, then click Next to define claims mappings (see below).
Field | Value |
Login Redirect URL | US: |
Client ID | Copied from Auth0 |
Client Secret | Copied from Auth0 |
Issuer URL | Copied from Auth0 |
Requested Scopes | Permissions your application requests from the identity provider |
Code flow | A secure, two-step process where an authorization code is exchanged for tokens on the server side |
Implicit flow | Tokens are returned directly in the browser |
Send login hint to SSO provider | Optionally sends the user’s email or username as a login hint to the SSO provider |
When using Safari v16.1 or newer, the Login Redirect URL must be:
https://app.torq.io/__/auth/handler
If this value differs, contact Torq Support to update the URL for your workspace before continuing.
Define SSO Claims Mapping
The Claims Mapping determines which Torq role is assigned to each user based on identity provider attributes.
Add Claim Mapping Rules: In the Claims Mapping section, click Add Claim to create a new rule.
The wizard automatically offers the first mapping, email, marked as recommended.
This field is auto-filled with the email address of the current user (the Owner performing the setup).
You can optionally edit this initial mapping before saving.
After editing, click Add to move the mapping into the saved section.
Provide Mapping Details: For each rule, define the following:
Claim Name: The field from your IdP (for example, email or groups).
Claim Value: The expected value of the claim (case-sensitive).
Assigned Role: The Torq role to assign (for example, Admin, Editor, Viewer).
Organize Claim Priority:
Mappings are evaluated top-down.
Place the claim with the highest privilege role at the top.
Lower-privilege mappings should follow in descending order.
A user’s role is determined by the first matching claim.
Save Configuration: After defining all required mappings, click Save to complete the setup.
Important!
The first email claim mapping is essential to prevent account lockouts in Torq. Do not delete it until SSO has been tested and verified with other users, as any misconfiguration in Torq or your IdP could result in loss of access.
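The top-down, first-match evaluation described above can be dry-run against a planned mapping list before it is saved. The following is an added example, not Torq's or Auth0's code: the mapping object shape, the role ranking, the group names and email addresses, and the rule that a multi-valued groups claim matches when any element equals the Claim Value are all assumptions.

```javascript
// Added example: dry-run a planned Torq claims mapping list before saving it.
// Assumptions (not from Torq): mapping object shape, role ranking, and that a
// multi-valued claim such as groups matches when any element equals the value.
const ROLE_RANK = { Admin: 3, Editor: 2, Viewer: 1 }; // example roles from the guide

// Return the role of the first mapping (top-down) whose claim matches, or null.
function resolveRole(mappings, claims) {
  for (const m of mappings) {
    const actual = claims[m.claim];
    const values = Array.isArray(actual) ? actual : [actual];
    if (values.some((v) => v === m.value)) return m.role; // strict, case-sensitive
  }
  return null; // no mapping matched: no role is assigned
}

// Report a missing email safety mapping for the Owner doing the setup, and
// mappings placed above a same-claim mapping that grants a higher role.
function lintMappings(mappings, ownerEmail) {
  const findings = [];
  if (!mappings.some((m) => m.claim === 'email' && m.value === ownerEmail)) {
    findings.push('no email mapping for the Owner: lockout risk');
  }
  mappings.forEach((m, i) => {
    const higherBelow = mappings.slice(i + 1).find(
      (n) => n.claim === m.claim && ROLE_RANK[n.role] > ROLE_RANK[m.role]);
    if (higherBelow) {
      findings.push(`"${m.value}" (${m.role}) shadows "${higherBelow.value}" (${higherBelow.role})`);
    }
  });
  return findings;
}

// Constructed sample data: group names, emails, and roles are placeholders.
const misordered = [
  { claim: 'email', value: 'owner@example.com', role: 'Admin' },
  { claim: 'groups', value: 'torq-viewers', role: 'Viewer' },
  { claim: 'groups', value: 'torq-admins', role: 'Admin' },
];
const ordered = [misordered[0], misordered[2], misordered[1]];
// A user who is a member of both groups.
const alice = { email: 'alice@example.com', groups: ['torq-viewers', 'torq-admins'] };

console.log('misordered list ->', resolveRole(misordered, alice));
console.log('ordered list    ->', resolveRole(ordered, alice));
console.log('lint findings   ->', lintMappings(misordered, 'owner@example.com'));
```

With the misordered list, a user who belongs to both groups resolves to the lower role because the Viewer mapping matches first; moving the Admin mapping above it resolves the same user to Admin.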





