Torq

Enterprise Single Sign-On (SSO) lets you connect Torq with your company's Identity Provider (IdP). This way, you can set Torq roles for users and groups based on your IdP settings.

After connecting Torq to the enterprise IdP, all IdP-authenticated users of specific groups can sign in to Torq.

Torq supports SAML 2.0 and OpenID Connect with code flow and implicit grant type. It's compatible with many enterprise IdPs, including:

You can configure SSO using the following account types:

- Google account
- Local user/password account

If you are changing SSOs or migrating IDPs, contact Torq Support before going through with the migration within your Torq workspaces and organization.

To ensure uninterrupted access to the platform and prevent potential lockouts during SSO configuration, please adhere to the following best practices:

- After configuring SSO, promptly test the login process using a secondary account within the same SSO domain. This real-time validation ensures that the IdP claims are correctly mapped, preventing access issues.
- You can also set up a temporary claims mapping based on email addresses.

Torq assumes that the SSO domain (an organization's identifier) is identical to the email domain of the workspace owner configuring SSO. For example, the administrator identified by <a href="mailto:admin@mycompany.com" rel="nofollow noopener noreferrer" target="_blank">admin@mycompany.com</a> can configure SSO for the domain mycompany.com. ​If you want to configure SSO for a different domain, contact Torq Support.

If users were invited by email before setting up SSO, they could still log in without it. To avoid this, remove these users and keep only the SSO setup. 

We recommend that you have 1 or 2 backup accounts not tied to SSO, just in case your SSO provider has issues.

If you need to update any claims, add the new ones to Torq first before removing the old ones from your SSO provider. This prevents any access issues.

Users authorized for specific workspaces via SSO cannot access (from an SSO login) the workspaces that they are authorized for via email login. However, email login allows users to view and access all relevant workspaces, including SSO-verified and email-only verified ones.  

- To ensure uninterrupted access to the platform and prevent potential lockouts during SSO configuration, please adhere to the following best practices:
 - After configuring SSO, promptly test the login process using a secondary account within the same SSO domain. This real-time validation ensures that the IdP claims are correctly mapped, preventing access issues.
 - You can also set up a temporary claims mapping based on email addresses.
- Torq assumes that the SSO domain (an organization's identifier) is identical to the email domain of the workspace owner configuring SSO. For example, the administrator identified by <a href="mailto:admin@mycompany.com" rel="nofollow noopener noreferrer" target="_blank">admin@mycompany.com</a> can configure SSO for the domain mycompany.com. ​If you want to configure SSO for a different domain, contact Torq Support.
- If users were invited by email before setting up SSO, they could still log in without it. To avoid this, remove these users and keep only the SSO setup. 
- We recommend that you have 1 or 2 backup accounts not tied to SSO, just in case your SSO provider has issues.
- If you need to update any claims, add the new ones to Torq first before removing the old ones from your SSO provider. This prevents any access issues.
- Users authorized for specific workspaces via SSO cannot access (from an SSO login) the workspaces that they are authorized for via email login. However, email login allows users to view and access all relevant workspaces, including SSO-verified and email-only verified ones.

Supported SSO Methods and Protocols

Important to Know