Creating a seamless and secure Single Sign-On (SSO) experience between Auth0 and Torq, especially for users authenticated via Azure Active Directory, enhances security and user experience. This guide walks you through configuring Azure AD integration with Auth0, setting up an application within Auth0 for Torq, and completing the SSO setup in Torq. Additionally, it covers creating a custom rule in Auth0 to enrich ID tokens with group claims from Azure AD, which is crucial for role-based access control within Torq.
Prerequisites
Ensure you have an Azure Connection configured in Auth0. If not, first set up an Azure integration with Auth0. After configuring, activate Extended Attributes under General settings, particularly the Get user groups option, to fetch group memberships from Azure AD.
Create a New Application in Auth0
In Auth0, navigate to Applications and Create Application.
Name it (e.g., Auth0 Torq), select Regular Web Applications, and Create.
Under Connections, choose the Azure AD connection (e.g., LeonidAzure).
In Settings, specify the Allowed Callback URLs as provided by Torq, such as https://app.torq.io/__/auth/handler or its EU equivalent: https://app.eu.torq.io/__/auth/handler
Note the Domain, Client ID, and Client Secret from the Basic Information section for later use.
Create a Rule for AD Group Claims
To ensure Torq receives Azure AD group memberships as part of the authentication process:
Navigate to Auth Pipeline > Rules in Auth0.
Create > Empty Rule and name it (e.g., Torq Token Group Enrichment).
Replace <ApplicationClientID> in the script with your application's Client ID so the rule only applies to the Torq application:

function enrichTorqToken(user, context, callback) {
  // Only enrich tokens issued to the Torq application. An Auth0 rule must always
  // hand off via callback; returning without it stalls the login for other apps.
  if (context.clientID !== '<ApplicationClientID>') {
    return callback(null, user, context);
  }
  // Custom claims must be namespaced. user.groups is populated by the Azure AD
  // connection when the "Get user groups" extended attribute is enabled.
  const namespace = 'https://torq.io/';
  context.idToken[namespace + 'groups'] = user.groups || [];
  callback(null, user, context);
}

This script adds the user's Azure AD groups to the ID token under the https://torq.io/groups claim, which Torq can then map to roles for role-based access control.
Set Up SSO in Torq
Go to Settings > SSO Login in Torq.
Click Add in the IdP Connection section and select Open ID Connect.
Fill in the Client ID, Client Secret, and Issuer URL with the information noted earlier from Auth0.
To configure claim mappings for role assignment based on Azure AD groups, add new mappings in the Claims Mapping section. Prioritize mappings to assign the highest privileges first, as Torq assigns roles based on the first matching rule.
For users on Safari 16.1 or newer, verify the login redirect URL matches Torq's specifications. Contact Torq support if updates or changes are needed.
The mappings are interpreted in an ordered, top-down manner. The mapping assigning the highest privilege should be listed first and the other mappings should be listed in descending privilege order. A user is assigned a role according to the first match, disregarding any following assignments.
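The rule and the first-match mapping order described above, as an added, runnable JavaScript example (not Auth0's or Torq's own code): it wraps the rule logic in a testable function, models the top-down claim evaluation the text describes, and adds a check that flags mappings listed out of privilege order. The role names, group names, client ID and mapping structure are constructed assumptions.

```javascript
// Added example (not Auth0's or Torq's code): the guide's rule in a testable
// form plus a model of Torq's top-down, first-match claim mapping.
// Role names, group names and the client ID are constructed placeholders.
const NAMESPACE = 'https://torq.io/';
const GROUPS_CLAIM = NAMESPACE + 'groups';
const TORQ_CLIENT_ID = 'constructed-client-id'; // replace with the real Client ID

// Auth0 rule logic: add Azure AD groups to the ID token for the Torq client only.
// A rule must always finish through callback; a bare return stalls the login.
function enrichTorqToken(user, context, callback) {
  if (context.clientID !== TORQ_CLIENT_ID) return callback(null, user, context);
  context.idToken[GROUPS_CLAIM] = Array.isArray(user.groups) ? user.groups : [];
  return callback(null, user, context);
}

// Mapping model: the first mapping whose claim contains the expected value
// decides the role; every later mapping is ignored.
function resolveRole(idToken, mappings) {
  for (const m of mappings) {
    const values = [].concat(idToken[m.claim] || []); // string or array claim
    if (values.includes(m.value)) return m.role;
  }
  return null; // no mapping matched
}

// Check that mappings are in descending privilege order; a weaker mapping
// listed first silently down-ranks users who belong to several groups.
function findOrderingProblems(mappings, rank) {
  const problems = [];
  for (let i = 1; i < mappings.length; i++) {
    if (rank[mappings[i].role] > rank[mappings[i - 1].role]) {
      problems.push(`${mappings[i].role} is listed after weaker ${mappings[i - 1].role}`);
    }
  }
  return problems;
}

// Constructed sample: a user who is in both an admin and a read-only group.
const RANK = { Admin: 2, Viewer: 1 };
const goodOrder = [
  { claim: GROUPS_CLAIM, value: 'torq-admins', role: 'Admin' },
  { claim: GROUPS_CLAIM, value: 'torq-viewers', role: 'Viewer' },
];
const badOrder = [goodOrder[1], goodOrder[0]];
function demo() {
  const user = { email: 'alice@example.com', groups: ['torq-admins', 'torq-viewers'] };
  const ctx = { clientID: TORQ_CLIENT_ID, idToken: {} };
  enrichTorqToken(user, ctx, () => {});
  return {
    role: resolveRole(ctx.idToken, goodOrder), // 'Admin'
    misordered: resolveRole(ctx.idToken, badOrder), // 'Viewer'
    problems: findOrderingProblems(badOrder, RANK), // one warning
  };
}
```

Running demo() shows the same user receiving Admin with the correct order and Viewer with the mappings swapped, which is the failure mode the ordering check is meant to catch before it reaches production.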