
Set Up Torq SSO: OneLogin OpenID Connect

Follow this guide to set up Single Sign-On (SSO) with OneLogin using the OpenID Connect protocol.

Updated over 2 months ago

Ensure seamless and secure access to Torq by configuring Single Sign-On (SSO) using OneLogin as your Identity Provider (IdP) and OpenID Connect (OIDC) as the authentication protocol. This guide walks you through the necessary steps in both Torq and OneLogin to set up SSO, enhancing your platform's security and user experience.

Important!
Before getting started, make sure you understand how to prevent user lockouts by reviewing this KB article.

Create a New SSO Provider in Torq

Sign in to Torq as an Owner to perform the following steps.

  1. Access SSO Settings: Go to Settings > Security > Configure SSO.

  2. Select Protocol and Identity Provider: In the IdP Selection section, choose OpenID Connect as the protocol and select OneLogin as your Identity Provider.

  3. Click Next to continue.

  4. Enter IdP Setup Details: In the IdP Setup section, fill in the following fields with the values obtained from OneLogin, then click Next to define claims mappings (see below).

| Field | Value |
| --- | --- |
| Login Redirect URL | US: https://app.torq.io/__/auth/handler; EU: https://eu.app.torq.io/__/auth/handler |
| Client ID | Copied from OneLogin |
| Client Secret | Copied from OneLogin |
| Issuer URL | Copied from OneLogin |
| Requested Scopes | Permissions your application requests from the identity provider |
| Code flow | A secure, two-step process where an authorization code is exchanged for tokens on the server side |
| Implicit flow | Tokens are returned directly in the browser |
| Send login hint to SSO provider | Optionally sends the user’s email or username as a login hint to the SSO provider |

When using Safari v16.1 or newer, the Login Redirect URL must be:
https://app.torq.io/__/auth/handler
If this value differs, contact Torq Support to update the URL for your workspace before continuing.

Create a New OpenID Connect Application in OneLogin

Perform the following steps in OneLogin to configure an OIDC application for Torq.

  1. Add a New Application: In your OneLogin admin portal, go to Applications and click Add App.

  2. Search for the Connector: In the search bar, type OpenID Connect.

  3. Select the OIDC Connector: From the results list, choose the OpenID Connect (OIDC) application.

  4. Name the Application: Enter a recognizable name such as Torq to make it easy to identify in your OneLogin environment.

  5. Click Save: After naming the app, click Save to proceed to the configuration settings.

Add the Torq logo to the application so that users can easily recognize it in the OneLogin Applications launcher.

Configure Your OneLogin Application

Proper configuration within OneLogin ensures smooth integration:

  1. Open the Configuration Tab: After saving the new application, go to the Configuration tab to define the OIDC settings.

  2. Enter the Application Details: Fill in the following fields with the corresponding values from Torq’s IdP Connection form:

    • Login URL: https://app.torq.io/auth/SSOSignIn?domain=<yourcompanydomain>.com

    • Redirect URIs: Include the standard and EU-specific URIs for Torq, ensuring comprehensive coverage.

| Field | Value |
| --- | --- |
| Redirect URIs (in this order) | https://app.torq.io/auth/SSOSignIn (EU: https://app.eu.torq.io/auth/SSOSignIn) and https://app.torq.io/__/auth/handler (EU: https://app.eu.torq.io/__/auth/handler) |

  3. Add Role Mapping: Adjust settings in the Parameters tab to forward user roles effectively, especially if managing roles within OneLogin.

  4. Define Rule Conditions:

    • Set conditions that match your organization’s structure — for example, specific roles, departments, or security groups.

    • Assign the appropriate group value to be included in the ID token sent to Torq.

  5. Collect Required Credentials: Note down the following values (you’ll need them when configuring SSO in Torq):

    • Client ID

    • Client Secret

    • Issuer URL

  6. Verify Application Type and Token Endpoint Settings:

    • Application Type: Set to Web.

    • Token Endpoint Authentication Method: Select Basic.
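
The Issuer URL, Code flow and Basic settings above can be checked against the IdP's published OIDC discovery metadata before they are saved in Torq. The following is an added example, not Torq or OneLogin code; the tenant name `example`, the endpoint URLs and the helper names are assumptions, and the metadata is a constructed sample using standard OIDC Discovery field names.

```python
import base64
from urllib.parse import quote_plus, urlsplit

# Constructed discovery document; tenant "example" and all URLs are placeholders.
SAMPLE_METADATA = {
    "issuer": "https://example.onelogin.com/oidc/2",
    "token_endpoint": "https://example.onelogin.com/oidc/2/token",
    "response_types_supported": ["code", "id_token", "id_token token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "scopes_supported": ["openid", "profile", "email", "groups"],
}

def discovery_url(issuer):
    """Where an OIDC provider publishes its metadata for a given Issuer URL."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def basic_auth_header(client_id, client_secret):
    """client_secret_basic: form-encode each part, then Base64 'id:secret' (RFC 6749, 2.3.1)."""
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode()).decode()

def preflight(issuer, metadata, scopes, flow="code"):
    """Return a list of problems found in the values about to be entered."""
    findings = []
    if urlsplit(issuer).scheme != "https":
        findings.append("issuer URL must use https")
    if metadata.get("issuer") != issuer:
        findings.append("issuer in metadata does not exactly match the configured Issuer URL")
    if "openid" not in scopes:
        findings.append("'openid' scope missing, so the request is not an OIDC request")
    for scope in scopes:
        if scope not in metadata.get("scopes_supported", []):
            findings.append(f"scope '{scope}' not advertised by the IdP")
    if flow == "code":
        if "code" not in metadata.get("response_types_supported", []):
            findings.append("IdP does not advertise response_type 'code'")
        if "client_secret_basic" not in metadata.get("token_endpoint_auth_methods_supported", []):
            findings.append("IdP does not advertise client_secret_basic (the 'Basic' method)")
    else:
        findings.append("implicit flow returns tokens in the browser; code flow keeps them server-side")
    return findings

if __name__ == "__main__":
    issuer = "https://example.onelogin.com/oidc/2"
    print(discovery_url(issuer))
    print(preflight(issuer, SAMPLE_METADATA, ["openid", "email", "groups"]))
    print(preflight(issuer + "/", SAMPLE_METADATA, ["openid", "email"]))
```

An Issuer URL pasted with a trailing slash, or with a different path than the one the IdP publishes, is a common cause of failed sign-ins, which is why the comparison is exact.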

Assigning the Application to Users and Groups

  1. Open the Users Tab: In your OneLogin OIDC application, go to the Users tab.

  2. Assign Users and Groups: Define which organizational users or groups should have access to Torq.

    • Assign only authorized individuals who need to sign in through SSO.

    • You can select individual users or entire groups to streamline access management.

  3. Save and Confirm Assignments: Click Save (or Update, depending on your OneLogin version) to apply the changes.
    Confirm that all assigned users now appear under the Users or Groups section.

Define SSO Claims Mapping

The Claims Mapping determines which Torq role is assigned to each user based on identity provider attributes.

  1. Add Claim Mapping Rules: In the Claims Mapping section, click Add Claim to create a new rule.

    • The wizard automatically offers the first mapping, email, marked as recommended.

    • This field is auto-filled with the email address of the current user (the Owner performing the setup).

    • You can optionally edit this initial mapping before saving.

    • After editing, click Add to move the mapping into the saved section.

  2. Provide Mapping Details: For each rule, define the following:

    • Claim Name: The field from your IdP (for example, email or groups).

    • Claim Value: The expected value of the claim (case-sensitive).

    • Assigned Role: The Torq role to assign (for example, Admin, Editor, Viewer).

  3. Organize Claim Priority:

    • Mappings are evaluated top-down.

    • Place the claim with the highest privilege role at the top.

    • Lower-privilege mappings should follow in descending order.

    • A user’s role is determined by the first matching claim.

  4. Save Configuration: After defining all required mappings, click Save to complete the setup.

Important!
The first email claim mapping is essential to prevent account lockouts in Torq. Do not delete it until SSO has been tested and verified with other users, as any misconfiguration in Torq or your IdP could result in loss of access.
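
The top-down, first-match and case-sensitive behavior described above can be modeled to review a mapping order before saving it. This is an added example, not Torq code; the privilege ranking in `RANK`, the group names, the e-mail addresses, the use of an Owner role for the email mapping, and the membership matching for list-valued claims are all assumptions.

```python
# Added illustration: models the first-match evaluation described above.
# RANK, the group names and the e-mail addresses are assumptions, not Torq values.
RANK = {"Owner": 3, "Admin": 2, "Editor": 1, "Viewer": 0}

def claim_matches(claims, name, value):
    """Case-sensitive comparison; a list-valued claim matches on membership."""
    actual = claims.get(name)
    if isinstance(actual, (list, tuple)):
        return value in actual
    return actual == value

def resolve_role(mappings, claims):
    """Walk the mappings top-down and return the first matching role, else None."""
    for name, value, role in mappings:
        if claim_matches(claims, name, value):
            return role
    return None

def lint(mappings, owner_email):
    """Report orderings that break the 'highest privilege first' guidance."""
    findings = []
    for i in range(1, len(mappings)):
        above, here = mappings[i - 1][2], mappings[i][2]
        if RANK[here] > RANK[above]:
            findings.append(f"rule {i + 1} ({here}) sits below lower-privilege rule {i} ({above})")
    if not any(n == "email" and v == owner_email for n, v, _ in mappings):
        findings.append("no email mapping for the Owner running setup (lockout risk)")
    return findings

# Constructed sample data.
GOOD = [
    ("email", "owner@example.com", "Owner"),
    ("groups", "torq-admins", "Admin"),
    ("groups", "torq-editors", "Editor"),
    ("groups", "torq-users", "Viewer"),
]
MISORDERED = [GOOD[0], GOOD[3], GOOD[1], GOOD[2]]
ALICE = {"email": "alice@example.com", "groups": ["torq-users", "torq-admins"]}
BOB = {"email": "bob@example.com", "groups": ["Torq-Admins"]}  # wrong case

if __name__ == "__main__":
    print(resolve_role(GOOD, ALICE), resolve_role(MISORDERED, ALICE), resolve_role(GOOD, BOB))
    print(lint(MISORDERED, "owner@example.com"))
```

With the misordered list, a user who belongs to both groups resolves to Viewer instead of Admin, and a group value that differs only in case matches no rule at all.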
