Single Sign-On (SSO) allows you to connect Torq to your company's Identity Provider (IdP) and assign Torq roles to users and groups based on your IdP settings.
After connecting Torq to the IdP, users authenticated through the IdP and belonging to specified groups can sign in to Torq.
To manage SSO for a Torq workspace, the required scope is user.write. Learn more about Torq roles and scopes.
Torq SSO Support Overview
Torq supports SAML 2.0 and OpenID Connect (OIDC) with both code flow and implicit grant type. It is compatible with a wide range of enterprise identity providers, including:
Microsoft Entra ID
Okta
OneLogin
JumpCloud
A complete list of supported SSO guides is available here.
You can configure SSO using the following account types:
Google account
Local user/password account
Important to Know
Once SSO is configured and working, users from the configured SSO domains can access your Torq workspace without an invitation. To sign in, they go to https://app.torq.io (US) or https://app.eu.torq.io (EU), select Use Single Sign-On, and authenticate with the corporate SSO. If the returned attributes match your workspace's configured claim mappings, the user is granted access, assigned a role, and provisioned automatically if needed.
To ensure uninterrupted access and avoid potential lockouts during setup, follow the best practices outlined below:
Prevent user lockouts: If a user tries to sign in via SSO for the first time and the claim mappings received from the IdP don't match those set in Torq, the user is locked out of the platform until the claim mappings are fixed. No new SSO account is created, and any existing local account is gracefully removed. The user will only be able to access Torq Interact forms with access granted to Organization SSO. To prevent this:
Test SSO using a user email address other than the one used to set up SSO.
Or, if that's not possible, create a temporary claim mapping for the email address of the user who configured SSO and assign them the Owner role.
SSO domain: Torq assumes that the SSO domain (an organization's identifier) is identical to the email domain of the workspace owner configuring SSO. For example, the administrator identified by admin@mycompany.com can configure SSO for the domain mycompany.com. If you want to configure SSO for a different domain, contact Torq Support.
Local users: If users were invited by email before SSO was set up, they can still log in without it. To avoid this, remove these users and keep only the SSO setup.
Workspaces access: Users authorized for specific workspaces via SSO cannot access (from an SSO login) the workspaces that they are authorized for via email login. However, email login allows users to view and access all relevant workspaces, including SSO-verified and email-only verified ones.
Torq Interactions access: All members of the Torq groups within your SSO platform will have access to Torq Interactions set to SSO access - no claims mapping or role required.
Claim mappings updates: If you need to update any claims, add the new ones to Torq first before removing the old ones from your SSO provider. This prevents any access issues.
SSO configuration updates: If you are changing SSOs or migrating IdPs, contact Torq Support before going through with the migration within your Torq workspaces and organization.
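The lockout, SSO domain, and claim mappings practices above can be rehearsed offline before SSO is enabled. The Python below is an added example, not Torq code or a Torq API: the mapping layout, the exact-match and first-match semantics, the sample users and groups, and the Viewer role name are all assumptions made for illustration.

```python
# Added example, not Torq code: offline pre-flight check of claim-mapping coverage.
# Assumptions: a mapping is (claim name, expected value, role), values match
# exactly, and the first matching mapping wins. Torq's real format may differ.
from dataclasses import dataclass

@dataclass(frozen=True)
class Mapping:
    claim: str  # attribute name returned by the IdP, e.g. "groups"
    value: str  # value that must appear in that attribute
    role: str   # role granted on a match ("Viewer" below is a placeholder name)

def resolve_role(claims, mappings):
    """Return the role of the first matching mapping, or None (lockout case)."""
    for m in mappings:
        got = claims.get(m.claim, [])
        values = [got] if isinstance(got, str) else list(got)
        if m.value in values:
            return m.role
    return None

def preflight(users, mappings, sso_domain, configurer):
    """Report which users get a role, match nothing, or sit outside the SSO domain."""
    report = {"roles": {}, "locked_out": [], "wrong_domain": [],
              "configurer_covered": False}
    for user in users:
        email = user["email"].lower()
        if email.rsplit("@", 1)[-1] != sso_domain.lower():
            report["wrong_domain"].append(email)
            continue
        role = resolve_role(user["claims"], mappings)
        if role is None:
            report["locked_out"].append(email)
        else:
            report["roles"][email] = role
            if email == configurer.lower():
                report["configurer_covered"] = True
    return report

# Constructed sample data: claims as an IdP might return them for test users.
USERS = [
    {"email": "admin@mycompany.com", "claims": {"groups": ["torq-owners"]}},
    {"email": "analyst@mycompany.com", "claims": {"groups": ["soc-tier1"]}},
    {"email": "intern@mycompany.com", "claims": {"groups": ["all-staff"]}},
    {"email": "vendor@partner.example", "claims": {"groups": ["soc-tier1"]}},
]
MAPPINGS = [Mapping("groups", "torq-owners", "Owner"),
            Mapping("groups", "soc-tier1", "Viewer")]
```

Calling preflight(USERS, MAPPINGS, "mycompany.com", "admin@mycompany.com") lists intern@mycompany.com under locked_out. Running it again with the claims as they will look after an IdP change shows whether the new values were added to the mappings before the old ones are removed.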
SSO-only Mode
Enable SSO-only login and restrict new local user invitations to ensure security and regulatory compliance.
Once enabled, only users authenticated through the configured SSO can be invited to the workspace and permitted to log in. Inviting new local users via Settings > Users will be disabled.
If an Owner wants to prevent existing local users from accessing the workspace, all local user accounts must either be removed or transitioned to SSO authentication.
To enable SSO-only mode, contact Torq Support.