
Set Up Torq SSO: Auth0 with Entra ID

Follow this guide to set up SSO with Auth0, using Entra ID for secure and streamlined access control.

Updated this week

This guide walks you through configuring an Azure integration with Auth0, setting up an application within Auth0 for Torq, and completing the SSO setup in Torq. Additionally, it covers creating a custom rule in Auth0 to enrich ID tokens with group claims from Entra ID, which is crucial for role-based access control within Torq.

Important!
Before getting started, make sure you understand how to prevent user lockouts by reviewing this KB article.

Prerequisites

Ensure you have an Azure Connection configured in Auth0. If not, first set up an Azure integration with Auth0. After configuring, activate Extended Attributes under General settings, particularly the Get user groups option, to fetch group memberships from Entra ID.

Create a New Application in Auth0

  1. In Auth0, navigate to Applications and Create Application.

  2. Name it (e.g. Auth0 Torq), select Regular Web Applications, and Create.

    Screenshot of creating an Azure app.
  3. Under Connections, choose the Azure connection (e.g. LeonidAzure).

    Screenshot of configuring connection in the Azure app.
  4. In Settings, specify the Allowed Callback URLs as provided by Torq, such as https://app.torq.io/__/auth/handler or its EU equivalent: https://app.eu.torq.io/__/auth/handler.

  5. Note the Domain, Client ID, and Client Secret from the Basic Information section for later use.

Create a Rule for Entra ID Group Claims

To ensure Torq receives Entra ID group memberships as part of the authentication process:

  1. Navigate to Auth Pipeline > Rules in Auth0.

  2. Create > Empty Rule and name it (e.g., Torq Token Group Enrichment).

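  3. Paste the following script, replacing <ApplicationClientID> with your application's Client ID so that the rule applies only to that application:

    function enrichTorqToken(user, context, callback) {
      // Leave tokens for other applications untouched, but still invoke the
      // callback so their logins continue through the rule pipeline.
      if (context.clientID !== '<ApplicationClientID>') {
        return callback(null, user, context);
      }
      // Namespaced custom claim that carries the Entra ID group memberships.
      const namespace = "https://torq.io/";
      context.idToken[namespace + 'groups'] = user.groups;
      callback(null, user, context);
    }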

    This script adds the user's groups to the ID token, facilitating role-based access control in Torq based on Entra ID group memberships.

Set Up SSO in Torq

  1. Go to Settings > SSO Login in Torq.

  2. Click Add in the IdP Connection section and select Open ID Connect.

  3. Fill in the Client ID, Client Secret, and Issuer URL with the information noted earlier from Auth0.

    Screenshot of setting up an IdP connection in Torq.
  4. To configure claim mappings for role assignment based on Entra ID groups, add new mappings in the Claims Mapping section. Prioritize mappings to assign the highest privileges first, as Torq assigns roles based on the first matching rule.

  • For users on Safari 16.1 or newer, verify the login redirect URL matches Torq's specifications. Contact Torq support if updates or changes are needed.

  • The mappings are interpreted in an ordered, top-down manner. The mapping assigning the highest privilege should be listed first and the other mappings should be listed in descending privilege order. A user is assigned a role according to the first match, disregarding any following assignments.
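
The first-match behaviour described above can be checked offline before rolling out a mapping list. The following is an added example, not Torq's or Auth0's code: it reads the `https://torq.io/groups` claim from a constructed, unsigned ID token, applies ordered mappings with first-match semantics, and flags mappings that sit below a lower-privilege one. The group names, role names, privilege ranking and helper names are assumptions made for the illustration.

```javascript
// Added illustration, not Torq's implementation. Group names, role names and
// the privilege ranking below are constructed for this example.
const GROUPS_CLAIM = "https://torq.io/groups"; // namespace + 'groups' from the rule

// Decode a JWT payload for inspection only (no signature verification).
function decodePayload(jwt) {
  return JSON.parse(Buffer.from(jwt.split(".")[1], "base64url").toString("utf8"));
}

// First-match evaluation: the first mapping whose group is in the claim wins.
function resolveRole(payload, mappings) {
  const groups = Array.isArray(payload[GROUPS_CLAIM]) ? payload[GROUPS_CLAIM] : [];
  const hit = mappings.find((m) => groups.includes(m.group));
  return hit ? hit.role : null; // null: no mapping matched (or claim missing)
}

// Lint: list roles whose mapping is preceded by a lower-privilege mapping,
// i.e. entries that break the "highest privilege first" ordering.
function misordered(mappings, rank) {
  return mappings
    .filter((m, i) => mappings.slice(0, i).some((p) => rank[p.role] < rank[m.role]))
    .map((m) => m.role);
}

// Build a constructed, unsigned token so the example runs offline.
function fakeToken(claims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "none" })}.${b64(claims)}.`;
}

const RANK = { Viewer: 1, Operator: 2, Owner: 3 };
const good = [
  { group: "torq-owners", role: "Owner" },
  { group: "torq-operators", role: "Operator" },
  { group: "all-staff", role: "Viewer" },
];
const bad = [good[2], good[0], good[1]]; // broad low-privilege group listed first
const token = fakeToken({ sub: "constructed-user", [GROUPS_CLAIM]: ["all-staff", "torq-owners"] });

console.log(resolveRole(decodePayload(token), good));
console.log(resolveRole(decodePayload(token), bad));
console.log(misordered(bad, RANK));
```

With the mis-ordered list, a member of both groups resolves to the lower role because the broad group matches first; a token that lacks the groups claim matches nothing, which usually means the rule or the Get user groups option is not taking effect.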
