Single Sign-On (SSO) allows your users to log into Torch using your organization’s Identity Provider (IdP) instead of their email and password. Torch supports Security Assertion Markup Language (SAML) 2.0 for a Service Provider (SP) initiated SSO login flow.
SAML SSO is an additional service that’s enabled for your organization through your Torch Representative. They will connect you to our Solutions Engineering team to complete the configuration process. Share these instructions with the technical point of contact from your organization who will be working with them to complete the setup.
Configure SAML SSO

Ensure you have SSO access enabled for your Torch account. Contact your Torch Representative or submit a support request if you need to add SSO, and we’ll make sure to connect you and your technical point of contact with a Torch Solutions Engineer to get started.

Log in to your IdP and set up a new SAML application. Reference our SAML configuration specifications, including the required entity ID, SAML bindings (location), and requested attributes.

Once you’ve added the authorized application to your system, download the Metadata XML file or copy the Metadata URL (preferred).

Send the Metadata XML file or Metadata URL to your Torch Solutions Engineer, along with a list of all email domains allowed to access Torch.
Note
All Torch participants must be assigned to your SAML application before they can log in to Torch. We do not support just-in-time provisioning.

After your Torch Solutions Engineer receives the metadata, they’ll complete the SSO configuration. You’ll get a heads up from Torch once this is done.

Your Torch Solutions Engineer will test the integration end-to-end with you, either asynchronously or via a scheduled video call.
To help ensure everything is set up correctly, add a test participant to your SAML application. Torch will then send a platform invitation to the participant.
Direct the participant to access your organization’s Torch-provided subdomain, then click the “Log in using [Your Organization] SSO” button and complete the login process. If the test is successful, your Torch Solutions Engineer will confirm all attributes are populating as expected.
Sign In with SSO
Torch uses a unique URL to configure SAML SSO for your organization. It will include the base domain torch.io and your assigned subdomain in the following format: http://yourorganizationname.torch.io. This will be the URL used in your IdP configuration.
Once participants are assigned to your SAML application and have been invited to a Torch coaching program, they can log in from:
- The “Log in using [Your Organization] SSO” button at your assigned subdomain
- A Torch access link on your IdP dashboard (for example, Okta)
Note
All Torch participants must be provisioned access in your SAML application, otherwise they will receive an error message and be unable to log in.
SAML Configuration Specifications
Torch supports SSO with SAML 2.0 integrations.
Integration URLs
| Setting | Value |
|---|---|
| Single Sign-On URL | https://auth.prod.torch.io/saml2/idpresponse |
| Recipient URL | https://auth.prod.torch.io/saml2/idpresponse |
| Destination URL | https://auth.prod.torch.io/saml2/idpresponse |
| Audience Restriction/Entity ID | urn:amazon:cognito:sp:us-west-2_9VnxCpQZq |
Default Relay States
| Setting | Value |
|---|---|
| Name ID Format | Unspecified |
| Response | Signed |
| Assertion Signature | Signed |
| Signature Algorithm | RSA_SHA256 |
| Digest Algorithm | SHA256 |
| Assertion Encryption | Unencrypted |
| SAML Single Logout | Disabled |
| authnContextClassRef | PasswordProtectedTransport |
| Honor Force Authentication | Yes |
| SAML Issuer ID | http://www.okta.com/${org.externalKey} |
Attribute Statements
| Name | Name Format | Value |
|---|---|---|
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Unspecified | user.email |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Unspecified | user.firstName |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/familyname | Unspecified | user.lastName |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/picture | Unspecified | user.picture |
Torch Tip
In Okta, the picture attribute is not included by default. You can add it to your Okta app in the Profile Editor. The value for this attribute is editable within the Okta app for each user and must be an image URL.
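As an added example (not Torch's or Okta's code), this Python lint compares a decoded SAML Response from the test login against the values in the SAML Configuration Specifications above. It assumes the picture attribute is optional, uses a constructed sample message built by the hypothetical `sample` helper, and checks structure only; it does not verify signatures cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ACS = "https://auth.prod.torch.io/saml2/idpresponse"    # SSO, Recipient and Destination URL
AUDIENCE = "urn:amazon:cognito:sp:us-west-2_9VnxCpQZq"  # Audience Restriction/Entity ID
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED = {CLAIMS + n for n in ("emailaddress", "name", "familyname")}  # assumption: picture optional
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"  # RSA_SHA256
DIGEST_ALG = "http://www.w3.org/2001/04/xmlenc#sha256"         # SHA256
SIG, CONF = "ds:Signature/ds:SignedInfo/", "a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData"

def attr(node, path, name):
    found = node.find(path, NS)
    return None if found is None else found.get(name)

def lint_response(xml_text):
    """Structural lint of a decoded SAML Response; no cryptographic signature verification."""
    root = ET.fromstring(xml_text)  # run on your own captures only, not untrusted XML
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion (spec: Unencrypted)"]
    urls = {"Destination": root.get("Destination"), "Recipient": attr(assertion, CONF, "Recipient")}
    problems = [field for field, value in urls.items() if value != ACS]
    audiences = assertion.findall("a:Conditions/a:AudienceRestriction/a:Audience", NS)
    if AUDIENCE not in [a.text for a in audiences]:
        problems.append("Audience")
    for label, node in (("Response", root), ("Assertion", assertion)):
        if node.find("ds:Signature", NS) is None:  # direct child only, so each is checked separately
            problems.append(label + " unsigned")
        elif (attr(node, SIG + "ds:SignatureMethod", "Algorithm") != SIG_ALG
              or attr(node, SIG + "ds:Reference/ds:DigestMethod", "Algorithm") != DIGEST_ALG):
            problems.append(label + " signature/digest algorithm")
    names = {a.get("Name") for a in assertion.findall("a:AttributeStatement/a:Attribute", NS)}
    return problems + sorted("missing attribute " + n for n in REQUIRED - names)

def sample(sig_alg=SIG_ALG, sign_assertion=True, attrs=("emailaddress", "name", "familyname")):
    """Constructed message with empty placeholder signatures; not a real Torch or Okta response."""
    sig = ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:SignatureMethod Algorithm="%s"/>'
           '<ds:Reference><ds:DigestMethod Algorithm="%s"/></ds:Reference></ds:SignedInfo>'
           '</ds:Signature>' % (NS["ds"], sig_alg, DIGEST_ALG))
    stmt = "".join('<a:Attribute Name="%s%s"/>' % (CLAIMS, n) for n in attrs)
    return ('<p:Response xmlns:p="%s" xmlns:a="%s" Destination="%s">%s<a:Assertion>%s'
            '<a:Subject><a:SubjectConfirmation><a:SubjectConfirmationData Recipient="%s"/>'
            '</a:SubjectConfirmation></a:Subject><a:Conditions><a:AudienceRestriction>'
            '<a:Audience>%s</a:Audience></a:AudienceRestriction></a:Conditions>'
            '<a:AttributeStatement>%s</a:AttributeStatement></a:Assertion></p:Response>'
            % (NS["p"], NS["a"], ACS, sig, sig if sign_assertion else "", ACS, AUDIENCE, stmt))
```

`lint_response(sample(sign_assertion=False))` returns `['Assertion unsigned']`. To check a real capture, pass it the base64-decoded `SAMLResponse` form field from your own test login.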