Single Sign-On (SSO) allows you to connect Torq to your company's Identity Provider (IdP) and assign Torq roles to users and groups based on your IdP settings.
After connecting Torq to the IdP, users authenticated through the IdP and belonging to specified groups can sign in to Torq.
Prerequisites
To manage SSO for a Torq workspace, the required scope is user.write. Learn more about Torq roles and scopes.
Supported protocols and Identity Providers (IdPs)
Torq’s SSO configuration supports:
OpenID Connect (OIDC): A modern, lightweight protocol for cloud-native and API-driven applications.
SAML 2.0: An enterprise-standard protocol widely used in traditional corporate environments.
Torq supports both protocols, with authorization code flow and implicit grant type, across a wide range of enterprise identity providers, including:
Microsoft Entra ID
Okta
OneLogin
JumpCloud
Custom Provider (any IdP supporting OpenID Connect or SAML 2.0)
A complete list of supported SSO guides is available here. You can configure SSO using the following account types:
Google account
Local user/password account
Avoid potential lockouts
If a user tries to sign in via SSO for the first time and the claim mappings received from the IdP don't match those set in Torq, the user is locked out of the platform until the claim mappings are fixed. No new SSO account is created, and any existing local account is gracefully removed. The user will only be able to access Torq Interact forms with access granted to Organization SSO. To prevent this:
Test SSO using a user email address other than the one used to set up SSO.
Or, if that's not possible, create a temporary claim mapping for the email address of the user who configured SSO and assign them the Owner role.
Important to know
Once SSO is configured and working, users from the configured SSO domains can access your Torq workspace without an invitation. To sign in, they go to https://app.torq.io (US) or https://app.eu.torq.io (EU), select Use Single Sign-On, and authenticate with the corporate SSO. If the returned attributes match your workspace's configured claim mappings, the user is granted access, assigned a role, and provisioned automatically if needed.
To ensure uninterrupted access, follow the best practices outlined below:
SSO domain: Torq assumes that the SSO domain (an organization's identifier) is identical to the email domain of the workspace owner configuring SSO. For example, the administrator identified by admin@mycompany.com can configure SSO for the domain mycompany.com. If you want to configure SSO for a different domain, contact Torq Support.
Local users invited by email before SSO setup can still sign in without SSO. To enforce SSO-only access, remove these local accounts and retain only the SSO configuration. If a user with a local account later signs in via SSO, their account is automatically converted to an SSO-managed account.
Workspaces access: A user has access to all workspaces they belong to, regardless of how they log in. If a user has SSO access to some workspaces and local (non-SSO) access to others, they can still access all of them using either login method.
Torq Interactions access: All members of the Torq groups within your SSO platform will have access to Torq Interactions set to SSO access, with no claims mapping or role required.
Claim mappings updates: If you need to update any claims, add the new ones to Torq before removing the old ones from your SSO provider. This prevents any access issues.
SSO configuration updates: If you are changing SSO providers or migrating IdPs, contact Torq Support before going through with the migration within your Torq workspaces and organization. Any updates to the IdP configuration, aside from claims mappings, require the editor to have appropriate privileges in all workspaces where the IdP is configured.
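The mismatch described under "Avoid potential lockouts" and the ordering advice under "Claim mappings updates" can both be checked offline before a change goes live. The following is an added example, not Torq code: it decodes ID-token claims for inspection and lists users that the old mappings match but the new ones do not. The mapping structure, group names, and exact, case-sensitive comparison are assumptions, not Torq's implementation.

```python
import base64
import json

def decode_claims(id_token: str) -> dict:
    """Decode the payload of an OIDC ID token for inspection only.
    The signature is NOT verified here; never use this for authentication."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def matched_roles(claims: dict, mappings: list) -> list:
    """Roles whose mapping matches; an empty list means no mapping matches."""
    roles = []
    for m in mappings:
        raw = claims.get(m["claim"])
        values = raw if isinstance(raw, list) else [raw]  # string or list claim
        if m["value"] in values and m["role"] not in roles:
            roles.append(m["role"])
    return roles

def would_lose_access(users: dict, old: list, new: list) -> list:
    """Users matched by the old mappings but by none of the new ones."""
    return sorted(u for u, c in users.items()
                  if matched_roles(c, old) and not matched_roles(c, new))

def _constructed_token(claims: dict) -> str:
    """Build a sample token with a dummy signature (constructed data)."""
    enc = lambda d: base64.urlsafe_b64encode(
        json.dumps(d).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "RS256", "typ": "JWT"})}.{enc(claims)}.constructed'

# Hypothetical mapping model: claim name, expected value, resulting role.
OLD = [{"claim": "groups", "value": "torq-owners", "role": "Owner"}]
NEW = [{"claim": "groups", "value": "sec-torq-owners", "role": "Owner"}]

SAMPLE_USERS = {  # constructed claims, as an IdP might return them
    "admin@mycompany.com": decode_claims(_constructed_token(
        {"email": "admin@mycompany.com", "groups": ["torq-owners"]})),
    "analyst@mycompany.com": decode_claims(_constructed_token(
        {"email": "analyst@mycompany.com",
         "groups": ["torq-owners", "sec-torq-owners"]})),
}

if __name__ == "__main__":
    for user, claims in SAMPLE_USERS.items():
        print(user, "old:", matched_roles(claims, OLD),
              "new:", matched_roles(claims, NEW))
    print("would lose access:", would_lose_access(SAMPLE_USERS, OLD, NEW))
```

Running the same report against `OLD + NEW` models the recommended order, where the new mappings are added before the old ones are removed.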
SSO configuration wizard
The SSO Configuration Wizard makes setting up SSO in Torq easier and more reliable. It streamlines the process and minimizes common pitfalls such as account lockouts, incomplete claims mapping, and limited visibility into authentication errors.
Prevents Account Lockouts: Guided setup and validation steps ensure proper claims mapping and fallback options before activation.
Simplifies Onboarding: Step-by-step configuration makes it easier for both new and existing customers to enable SSO securely.
Increases Reliability and Transparency: Built-in visibility into authentication attempts helps quickly identify and resolve setup issues.
Enhances Security and Usability: Enforces best practices that align with Torq’s security standards while providing a user-friendly configuration experience.
How to use
Start the SSO setup by navigating to Settings > Security > SSO.
SSO-only mode
Enable SSO-only login and restrict new local user invitations to ensure security and regulatory compliance.
Once enabled, only users authenticated through the configured SSO can be invited to the workspace and permitted to log in. Inviting new local users via Settings > Users will be disabled.
If an Owner wants to prevent existing local users from accessing the workspace, all local user accounts must either be removed or transitioned to SSO authentication.
Manage SSO-only mode by going to Settings > Security > SSO and toggling the SSO-only mode.

