Set Up Torq SSO: Use Auth0 with Torq for Azure AD-Based Single Sign-On

Follow this guide to set up Single Sign-On (SSO) with Auth0, using Azure AD for secure and streamlined access control.


Creating a seamless and secure Single Sign-On (SSO) experience between Auth0 and Torq, especially for users authenticated via Azure Active Directory, enhances security and user experience. This guide walks you through configuring Azure AD integration with Auth0, setting up an application within Auth0 for Torq, and completing the SSO setup in Torq. Additionally, it covers creating a custom rule in Auth0 to enrich ID tokens with group claims from Azure AD, which is crucial for role-based access control within Torq.

Prerequisites

Ensure you have an Azure AD connection configured in Auth0. If not, first set up the Azure AD integration with Auth0. After configuring it, enable Extended Attributes under the connection's General settings, in particular the Get user groups option, so that Auth0 fetches group memberships from Azure AD; without it, the group claim added by the rule below will be empty.

Create a New Application in Auth0

  1. In Auth0, navigate to Applications and click Create Application.

  2. Name it (e.g., Auth0 Torq), select Regular Web Applications, and click Create.

    Screenshot of creating an Azure app.
  3. Under Connections, choose the Azure AD connection (e.g., LeonidAzure).

    Screenshot of configuring connection in the Azure app.
  4. In Settings, specify the Allowed Callback URLs as provided by Torq, such as https://app.torq.io/__/auth/handler or its EU equivalent: https://app.eu.torq.io/__/auth/handler.

  5. Note the Domain, Client ID, and Client Secret from the Basic Information section for later use.

Create a Rule for AD Group Claims

To ensure Torq receives Azure AD group memberships as part of the authentication process:

  1. Navigate to Auth Pipeline > Rules in Auth0.

  2. Create > Empty Rule and name it (e.g., Torq Token Group Enrichment).

  3. Paste the following script, replacing <ApplicationClientID> with your application's Client ID so that the rule runs only for the Torq application:

    function enrichTorqToken(user, context, callback) {
      // Only enrich tokens issued to the Torq application; every other
      // application passes through unchanged. The callback must still be
      // invoked here, otherwise the Auth0 rules pipeline never completes.
      if (context.clientID !== '<ApplicationClientID>') {
        return callback(null, user, context);
      }
      // user.groups is populated by the Azure AD connection's Get user groups option.
      const namespace = "https://torq.io/";
      context.idToken[namespace + 'groups'] = user.groups;
      callback(null, user, context);
    }

    This script adds the user's Azure AD groups to the ID token as the https://torq.io/groups claim, which Torq then uses for role-based access control based on Azure AD group memberships.

Set Up SSO in Torq

  1. Go to Settings > SSO Login in Torq.

  2. Click Add in the IdP Connection section and select Open ID Connect.

  3. Fill in the Client ID, Client Secret, and Issuer URL with the Client ID, Client Secret, and Domain noted earlier from Auth0.

    Screenshot of setting up an IdP connection in Torq.
  4. To configure claim mappings for role assignment based on Azure AD groups, add new mappings in the Claims Mapping section. Prioritize mappings to assign the highest privileges first, as Torq assigns roles based on the first matching rule.

    Screenshot of the Claims Mapping section in Torq.
  • For users on Safari 16.1 or newer, verify the login redirect URL matches Torq's specifications. Contact Torq support if updates or changes are needed.

  • The mappings are interpreted in an ordered, top-down manner. The mapping assigning the highest privilege should be listed first and the other mappings should be listed in descending privilege order. A user is assigned a role according to the first match, disregarding any following assignments.
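The following added example (not Torq's or Auth0's code) simulates the rule's client gate from the previous section and the ordered, first-match claims mapping described above, so you can see why a misordered mapping silently demotes an administrator. The client ID, group names and role names are constructed; the claim name https://torq.io/groups comes from the rule.

```javascript
// Added example (not Torq's or Auth0's code): simulates the rule's client
// gate and Torq's ordered, first-match claims mapping. All IDs, group names
// and role names below are constructed for illustration.
const NAMESPACE = 'https://torq.io/';
const TORQ_CLIENT_ID = 'constructed-torq-client-id'; // stands in for <ApplicationClientID>

// Same logic as the rule in the guide, run synchronously so a harness can
// inspect what was handed to callback(). Returns { err, user, context }.
function runRule(user, context) {
  const out = {};
  const callback = (err, u, c) => { out.err = err; out.user = u; out.context = c; };
  if (context.clientID !== TORQ_CLIENT_ID) {
    // Other applications pass through unchanged; callback must still be called.
    callback(null, user, context);
    return out;
  }
  context.idToken[NAMESPACE + 'groups'] = user.groups;
  callback(null, user, context);
  return out;
}

// Ordered mappings: { claim, equals, role }. Evaluated top-down; the first
// mapping whose claim contains `equals` decides the role, so the most
// privileged mapping must be listed first.
function resolveRole(idToken, mappings) {
  for (const m of mappings) {
    const value = idToken[m.claim];
    const values = Array.isArray(value) ? value : [value];
    if (values.includes(m.equals)) return m.role;
  }
  return null; // nothing matched: no Torq role assigned
}

// Constructed user who is a member of both an admin and a viewer group.
function demo(clientID, mappings) {
  const user = { email: 'alice@example.com', groups: ['torq-admins', 'torq-viewers'] };
  const context = { clientID, idToken: {} };
  const { context: enriched } = runRule(user, context);
  return resolveRole(enriched.idToken, mappings);
}
const CORRECT_ORDER = [
  { claim: NAMESPACE + 'groups', equals: 'torq-admins', role: 'admin' },
  { claim: NAMESPACE + 'groups', equals: 'torq-viewers', role: 'viewer' },
];
const WRONG_ORDER = [...CORRECT_ORDER].reverse();

console.log(demo(TORQ_CLIENT_ID, CORRECT_ORDER));   // admin
console.log(demo(TORQ_CLIENT_ID, WRONG_ORDER));     // viewer: admin silently demoted
console.log(demo('some-other-app', CORRECT_ORDER)); // null: no groups claim was added
```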
