
Generic SAML

If your SSO provider is not explicitly listed as a supported provider in Glean, you can still configure SSO for Glean by using the SAML parameters outlined in this guide.

Single Sign-On (SSO) is a user authentication service that permits a user to use one set of login credentials to access multiple applications.


Prerequisites

Before you begin the setup process, ensure you have the following:

  • An active administrator account in your SSO provider.
  • Access to your Glean admin account with Admin or Setup Admin roles to configure SSO settings.
  • Basic understanding of SAML 2.0 and SSO concepts.

Error Prevention

Glean limits SSO authentication to pre-approved domains. Ensure that you have notified Glean of all domains that will be used for user authentication or else SSO will fail.

For example: company.com, company.co.jp, subsidiary.co, etc.


SSO Provider Configuration

1 - Create a new SAML App

Create a new SAML application within your SSO provider's management console.

Below are the configuration fields you will need. Depending on your SSO provider, you may not require all of the information listed.

Tip

You will need your tenant ID and/or tenant backend domain for this step. This will take the form of: tenant_name-be.glean.com

You can find your tenant ID by following the instructions here. If you are still unsure, contact your Glean engineer or Glean support.

| Field | Value |
| --- | --- |
| Single Sign-On (SSO) URL | https://tenant_name-be.glean.com/authorization-code/callback |
| Recipient / Destination URL | https://tenant_name-be.glean.com/authorization-code/callback |
| ACS (Consumer) URL | https://tenant_name-be.glean.com/authorization-code/callback |
| Audience URI (SP Entity ID) | https://tenant_name-be.glean.com |
| Default RelayState | N/A - Leave blank |
| Login URL | https://tenant_name-be.glean.com/login |
| Logout URL | https://tenant_name-be.glean.com/logout |
| SAML initiator | Service Provider (Glean) |
| SAML signature element | Assertion |
| Name ID format | emailAddress |
| Sign requests? | True |
| X.509 signature | Standard Strength Certificate (2048-bit) |
| X.509 signature algorithm | SHA-512 |

2 - Copy the IdP Metadata XML URL

Glean requires the IdP Metadata XML URL to configure SSO.

Direct XML file uploads to Glean are not supported; only metadata hosted at a publicly accessible URL can be utilized.

This approach ensures that any changes to your SAML settings are automatically recognized, preventing user downtime or the need for manual reconfiguration on Glean's end.

What if my SSO provider does not provide an accessible metadata URL?

If your SSO provider does not offer a publicly accessible URL for the IdP Metadata, you should host the file at a location within your organization that Glean can access.

Should this not be feasible, please reach out to your designated Glean engineer or contact Glean support for assistance.

What if my SSO provider does not provide a metadata XML file or URL at all?

In the event that your SSO provider does not supply an IdP Metadata file or URL, you will need to create one manually.

Below is a sample IdP metadata file from a functioning configuration for your reference. If you choose to use this sample, ensure that you replace the entityID, X509Certificate, and both Location fields with the appropriate details from your SAML IdP. The remaining fields should be left as they are.

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.your-sso-provider.com/exkn1czW8bjf9XXYb5dl">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>
                        MIIDqDCCApCgAwIBAgIGAY2L4lsNMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU MBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGRldi0zOTU1NjQ4NzEcMBoGCSqGSIb3DQEJ ARYNaW5mb0Bva3RhLmNvbTAeFw0yNDAyMDkwMzIwMjNaFw0zNDAyMDkwMzIxMjNaMIGUMQswCQYD VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsG A1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGRldi0zOTU1NjQ4NzEc MBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC ggEBAK2SaHfockiiZnrXNvVd4LU1navrbY03jeq3z8hdacZaIweFJKKkK/pPAtjcpj7O6L6W47Ef CxiYxiiozz+WwHFAoWWzJgbXDmhu0y3ZJYB/EKckQG1Yko6PXrX0SJjz8pYwF5n/1B4SiaP3YuDT ZHrYHzOx8b3EhdrYL/DtLREntyu+RW2zFRoHGOLfNOlk/B5tdGIhux8O23PcXYQsh6Gb0xkuo2At V28VOu38iSZAAGXbXx5YXDP4M01Ft00JCdpT9d92rnJn8CKq90saKEmhKkNuXcrkkwV+2OxS9ZT9 tpSbiw46Zum8LqWXEzK9VDn0jto3QZRUmnbIWZtqd+kCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA Rj6oPJOQMF5LBUWaj+EQVXJexp4QPsG6j7CZr0a5Umw18wbvJ0lf+dIC+OO74A9gl943TninWw2i sWY7UEVOmY+dYvgNJWPxNgSKIemkB8xJO/xIMxTosjl3fACMQNACcbXAw9w5vN8ncV2HHKj/Vy2a zsdys4S7gkwKDhUmfCIyREuZCO5t4X+e8tp3D9P3Ply6Phlw6Apom2qpuedvyDA3T8Z0lBHZy+L0 aRjjqpRk59/AWtvbKh0Qp4CvXL/Kd2xi+Lthx7C7h6uDbsIF2gYO9ozM/BsaCJXfvXGOY0FjcV6M j9xSK/+8FzPKfzeAhfY7ROz0P3B/3/47giWPfw==
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:NameIDFormat>
            urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
        </md:NameIDFormat>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.your-sso-provider.com/app/gleansearchsaml_1/exkn1czW8bjf9XXYb5dl/sso/saml"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://www.your-sso-provider.com/app/gleansearchsaml_1/exkn1czW8bjf9XXYb5dl/sso/saml"/>
    </md:IDPSSODescriptor>
</md:EntityDescriptor>
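Because the metadata file above is the one artifact that Glean consumes unattended from a URL you host, it is worth checking it before publishing. The script below is an added example, not Glean's code or part of this guide: it parses a hand-written IdP metadata document with the Python standard library and reports the fields the guide says must be replaced (entityID, X509Certificate, both Location values) and the ones it says to leave alone (NameIDFormat, the two bindings). The expected values are assumptions taken from the configuration table and the sample file; the sample metadata, its hostname idp.example.test and its two-byte placeholder "certificate" are constructed for the example. The fetch_metadata helper covers the hosted-URL step (section 2): it retrieves the file the same unauthenticated way a relying party would.

```python
"""Sanity-check a hand-written SAML IdP metadata file before hosting it.

Added example, not Glean's code. Expected values (emailAddress NameID format,
HTTP-POST and HTTP-Redirect SSO bindings, https Locations, a signing
certificate) are assumptions based on the guide's table and sample file.
"""
import base64
import urllib.request
import xml.etree.ElementTree as ET  # for metadata you did not author, prefer defusedxml

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EXPECTED_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
}
PLACEHOLDER_HOST = "your-sso-provider"  # left over from the sample file in the guide


def check_idp_metadata(xml_text: str) -> list[str]:
    """Return the problems found; an empty list means the file looks usable."""
    problems: list[str] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]

    entity_id = root.get("entityID", "")
    if not entity_id or PLACEHOLDER_HOST in entity_id:
        problems.append("entityID is missing or still the sample placeholder")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no md:IDPSSODescriptor element"]

    # Signing certificate: must be present, be valid base64 and decode to DER
    # (a DER certificate starts with a SEQUENCE tag, byte 0x30).
    cert = idp.find(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS
    )
    if cert is None or not (cert.text or "").strip():
        problems.append('no signing certificate (md:KeyDescriptor use="signing")')
    else:
        try:
            der = base64.b64decode("".join(cert.text.split()), validate=True)
            if not der or der[0] != 0x30:
                problems.append("X509Certificate does not decode to a DER certificate")
        except ValueError:
            problems.append("X509Certificate is not valid base64")

    fmt = idp.find("md:NameIDFormat", NS)
    if fmt is None or (fmt.text or "").strip() != EMAIL_FORMAT:
        problems.append(f"NameIDFormat must be {EMAIL_FORMAT}")

    seen = set()
    for sso in idp.findall("md:SingleSignOnService", NS):
        binding, location = sso.get("Binding", ""), sso.get("Location", "")
        seen.add(binding)
        if not location.startswith("https://") or PLACEHOLDER_HOST in location:
            problems.append(f"Location for {binding} is not an https URL of your IdP")
    for missing in EXPECTED_BINDINGS - seen:
        problems.append(f"no SingleSignOnService with Binding {missing}")
    return problems


def fetch_metadata(url: str, timeout: float = 10.0) -> str:
    """Retrieve hosted metadata as a relying party would: an unauthenticated GET over https."""
    if not url.startswith("https://"):
        raise ValueError("metadata URL must use https")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample (hypothetical IdP); the "certificate" is a two-byte DER
# SEQUENCE so that the base64/DER check passes. Never ship this as real metadata.
PLACEHOLDER_CERT = base64.b64encode(b"\x30\x00").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_FORMAT}</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for problem in check_idp_metadata(SAMPLE_METADATA) or ["metadata looks usable"]:
        print(problem)
```

Run it against the file you intend to host (for example `check_idp_metadata(fetch_metadata("https://.../idp-metadata.xml"))` once it is published) and fix every reported line before pasting the URL into Glean; a placeholder entityID or an http Location is a configuration error that surfaces only as a failed login later.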

Glean Configuration

1 - Configure SAML

  1. In the Glean UI, navigate to Workspace Settings > Setup > Authentication.
  2. Select Okta SAML from the list of SSO Providers.

    Info

    Even if you're not utilizing Okta, you can input any SAML metadata URL in this section to configure SAML SSO.

  3. Paste the SAML Metadata URL into the Okta metadata URL field.

    Error Prevention

    The SAML Metadata URL must be publicly accessible. If your organization lacks a suitable hosting location, please reach out to your Glean engineer or Glean support for assistance.

  4. Click Save to complete the configuration.

2 - Activate SSO

You must activate SSO in Workspace Settings before your users can sign in to Glean using SSO.

  1. Return to the Workspace Settings > Setup > Authentication screen.
  2. Under the Switch to logging into Glean via SSO section, click the button Switch to Okta SAML SSO.

  3. You will be prompted to confirm the switch.

  4. After SSO has been activated, you will see Okta SAML present in the list of Authentication apps with a Status of Connected.

Heads up!

If you don't see the Switch to Okta SAML SSO button, it means that your Glean tenant is still provisioning and you will not be able to make the switch just yet.

You can skip ahead to the Connect Datasources section of the Getting Started guide and return to this point later.

Success

You have successfully configured SSO for Glean using your SAML IdP.


Testing the Configuration

There are two key phases of SSO to test: the Glean to SSO provider redirect, and the SSO provider back to Glean redirect.

To test your SSO configuration, open a new Incognito or Private Browsing window and navigate to https://app.glean.com. Enter your work email and click Log In.

You should be redirected to your SSO platform successfully.

Tip

It is important to test using a Private Window to ensure that existing browser cache, storage, sessions, and cookies do not affect the result.
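The first phase (the redirect to your SSO platform) is visible in the browser; the second (the IdP's POST back to Glean) is harder to diagnose when it fails. The script below is an added diagnostic, not Glean's code or part of this guide: given the base64 SAMLResponse value captured from the browser's developer tools during the test login, it checks the fields that must agree with the configuration table (Destination and Recipient against the ACS URL, Audience against the SP Entity ID, the emailAddress NameID format, and a signature on the Assertion). It does not verify the signature itself, so it is a troubleshooting aid, not a validator. The tenant name acme, the IdP hostname idp.example.test and the sample response are constructed for the example; the expected URL patterns are assumptions taken from the table.

```python
"""Check a captured SAMLResponse against the values from the configuration table.

Added example, not Glean's code. Does NOT verify the XML signature; it only
reports which table values the response disagrees with.
"""
import base64
import xml.etree.ElementTree as ET  # for responses from untrusted parties, prefer defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def expected_values(tenant: str) -> dict:
    """SP-side values from the guide's table for a given tenant name (assumed pattern)."""
    base = f"https://{tenant}-be.glean.com"
    return {"acs": f"{base}/authorization-code/callback", "audience": base}


def check_saml_response(b64_response: str, tenant: str) -> list[str]:
    """Return the mismatches between the response and the table; empty means consistent."""
    want = expected_values(tenant)
    problems: list[str] = []
    try:
        root = ET.fromstring(base64.b64decode(b64_response))
    except (ValueError, ET.ParseError) as exc:
        return [f"cannot decode SAMLResponse: {exc}"]
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]

    # Destination must be the ACS URL the IdP was configured with.
    if root.get("Destination") != want["acs"]:
        problems.append(f"Destination is {root.get('Destination')!r}, expected {want['acs']!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext saml:Assertion (encrypted assertions are not handled here)"]

    # Table: "SAML signature element = Assertion", so the assertion itself must carry ds:Signature.
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed (table requires the Assertion to be signed)")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress")

    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS
    )
    if scd is None or scd.get("Recipient") != want["acs"]:
        problems.append("SubjectConfirmationData Recipient does not match the ACS URL")

    audiences = [
        a.text.strip()
        for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
        if a.text
    ]
    if want["audience"] not in audiences:
        problems.append(f"Audience {audiences} does not include {want['audience']!r}")
    return problems


def encode_saml_response(xml_text: str) -> str:
    """Base64-encode a response the way it appears in the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


# Constructed sample response for the hypothetical tenant "acme"; the signature
# element is a placeholder so that the structural check passes.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://acme-be.glean.com/authorization-code/callback">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">user@company.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://acme-be.glean.com/authorization-code/callback"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>https://acme-be.glean.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = encode_saml_response(SAMPLE_RESPONSE_XML)

if __name__ == "__main__":
    for problem in check_saml_response(SAMPLE_RESPONSE_B64, "acme") or ["response matches the table"]:
        print(problem)
```

Use it on a response captured from the Private Window test only; a mismatch in Destination or Recipient usually means the ACS URL in the IdP app was typed with the wrong tenant name, and a missing ds:Signature under the Assertion means the IdP is signing the Response instead of the Assertion.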