Ensure seamless and secure access to Torq by configuring Single Sign-On (SSO) using OneLogin as your Identity Provider (IdP) and OpenID Connect (OIDC) as the authentication protocol. This guide walks you through the necessary steps in both Torq and OneLogin to set up SSO, enhancing your platform's security and user experience.
1. Creating a New SSO Provider in Torq
First, establish the foundation for SSO in Torq by adding a new SSO provider:
Navigate to Settings > SSO Login in Torq.
Click the Add button in the IdP Connection section.
Carefully copy the Login Redirect URL; it's needed when setting up the OIDC application in OneLogin.
For Safari users (version 16.1+), ensure the Login Redirect URL matches the specified format for Torq or Torq EU. If discrepancies arise, please contact Torq support for URL updates in your workspace before proceeding.
2. Creating a New OpenID Connect Application in OneLogin
Transition to OneLogin to configure the OIDC application:
Under Applications, opt to Add App.
Search for "openid connect" and select the designated OIDC application.
Name the application (e.g., Torq) for easy identification.
Enhance the application's appearance with the Torq logo for users utilizing the OneLogin Applications launcher.
3. Configuring Your OneLogin Application
Proper configuration within OneLogin ensures smooth integration:
In the Configuration tab, apply these settings:
Login URL:
https://app.torq.io/auth/SSOSignIn?domain=<yourcompanydomain>.com
Redirect URIs: Include the standard and EU-specific URIs for Torq, ensuring comprehensive coverage.
Field | Value |
Redirect URIs (in this order) |
Adjust settings in the Parameters tab to forward user roles effectively, especially if managing roles within OneLogin.
The Rules tab allows you to add a rule for sending group mappings, aligning with your organizational structure.
In the SSO tab, note down the Client ID, Client Secret, and Issuer URL for later use in Torq. Set the Application Type to Web and the Token Endpoint authentication method to Basic.
4. Assigning the Application to Users and Groups
Define which organizational users and groups should access Torq via the Users tab in OneLogin, ensuring only authorized individuals can utilize the SSO functionality.
5. Finalizing SSO Setup in Torq
Return to Torq to complete the setup by entering the previously noted Client ID, Client Secret, and Issuer URL in the IdP Connection section under Settings > SSO Login.
6. Defining SSO Claims Mapping in OneLogin
Lastly, configure the claims mapping in OneLogin to dictate the roles assigned to users within the Torq workspace, based on their claims. This ensures appropriate access levels and functionalities are granted to each user.
The mappings are interpreted in an ordered, top-down manner. The mapping assigning the highest privilege should be listed first, and the other mappings should be listed in descending privilege order. A user is assigned a role according to the first match, disregarding any following assignments.
Field | Value |
Claim Name | The claim (field), as provided by the Identity Provider. As defined earlier, frequently used claims could include email for a particular user or group. |
Claim Value | The expected value for the claim to assign a specific role to the user. Claim values are case-sensitive. |
Role | The expected Torq role to assign. |
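The first-match, case-sensitive evaluation described above can be checked offline before a mapping list is saved. The following is an added example, not Torq or OneLogin code: it resolves a role from an ordered mapping list and flags entries that sit below a lower-privilege mapping. The role names, their privilege ranks, the sample claims, and the rule that a list-valued claim matches when any element equals the expected value are all assumptions made for illustration.

```python
# Added illustration; not Torq's or OneLogin's code.
# Role names and privilege ranks are hypothetical placeholders.
RANK = {"Owner": 3, "Contributor": 2, "Viewer": 1}

def claim_matches(claims, name, value):
    """Exact, case-sensitive comparison. Assumption: a list-valued claim
    (e.g. groups) matches when any element equals the expected value."""
    actual = claims.get(name)
    if isinstance(actual, (list, tuple)):
        return value in actual
    return actual == value

def resolve_role(mappings, claims):
    """Return the role of the first mapping that matches, or None."""
    for name, value, role in mappings:
        if claim_matches(claims, name, value):
            return role
    return None

def misordered(mappings):
    """Indexes of mappings listed below a lower-privilege mapping.
    A user matching both entries would receive the lower role."""
    bad, lowest = [], None
    for i, (_, _, role) in enumerate(mappings):
        if lowest is not None and RANK[role] > lowest:
            bad.append(i)
        lowest = RANK[role] if lowest is None else min(lowest, RANK[role])
    return bad

# Constructed sample data: (claim name, claim value, role).
GOOD = [
    ("groups", "secops-admins", "Owner"),
    ("groups", "secops", "Contributor"),
    ("email", "auditor@example.com", "Viewer"),
]
BAD = [GOOD[1], GOOD[0], GOOD[2]]  # Contributor listed above Owner
ADMIN = {"email": "alice@example.com", "groups": ["secops", "secops-admins"]}
WRONG_CASE = {"email": "bob@example.com", "groups": ["SecOps"]}

if __name__ == "__main__":
    print(resolve_role(GOOD, ADMIN))       # highest-privilege mapping first
    print(resolve_role(BAD, ADMIN))        # shadowed by the earlier mapping
    print(resolve_role(GOOD, WRONG_CASE))  # case mismatch, no mapping applies
    print(misordered(BAD))                 # position of the shadowed entry
```

With the misordered list, a user who belongs to both groups is resolved to the lower role, and a claim value that differs only in case matches nothing.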