Single sign-on (SSO)

Enterprise Single Sign-On (SSO) enables you to integrate with your enterprise Identity Provider (IdP) to Torq and apply Torq roles to your users and groups as defined in the IdP.

After connecting Torq to the enterprise IdP, all IdP-authenticated users, belonging to specific groups, will be able to sign in to Torq.

Torq supports OpenID Connect with both code flow and implicit grant type for performing single sign-on with enterprise IdPs including but not limited to:

• Microsoft Azure Active Directory
• Okta
• OneLogin

Supported SSO methods and protocols

Torq supports the following SSO protocols.

• Open ID connect
• SAML 2.0

You can configure SSO using the following account types.

• Google account
• Local user/password account

Important to know

• Torq assumes that the SSO domain (identifier of an organization) is identical to the email domain of the workspace owner that's configuring SSO. For example, the administrator identified by admin@mycompany.com can configure SSO for the domain mycompany.com. If you want to configure single sign-on for a different domain, please open a ticket for Torq Support.
• Users that receive an email invite before SSO is implemented will still be able to log in without SSO. To prevent this, go to the invited users list and remove/delete the users, just leaving the SSO settings. 
• It is recommended that you maintain 1-2 non-SSO accounts in case your SSO provider is unavailable.
• If you want to change any claims, first add the new claims to Torq before removing them from your SSO provider to avoid losing access.