Okta (SAML)

This guide provides step-by-step instructions on how to configure Okta as the SSO provider for Glean using SAML.
Single Sign-On (SSO) is a user authentication service that permits a user to use one set of login credentials to access multiple applications. Glean supports SSO through OIDC (preferred) or SAML 2.0, both of which enhance security while simplifying the login process.
Info
Customized instructions for your tenant are available in the Glean UI.
Prerequisites
Before you begin the setup process, ensure you have the following:
- An active Okta administrator account.
- Access to your Glean admin account with Admin or Setup Admin roles to configure SSO settings.
- Basic understanding of SAML 2.0, SCIM 2.0, and SSO concepts.
Error Prevention
Glean limits SSO authentication to pre-approved domains. Ensure that you have notified Glean of all domains that will be used for user authentication or else SSO will fail.
For example: company.com, company.co.jp, subsidiary.co, etc.
Okta SAML Configuration
1 - Application Setup
Create a new Application in the Okta Admin Dashboard to complete the SAML integration with Glean.
- Navigate to Applications > Applications from your Okta admin dashboard.
- Click the Create App Integration button, then select SAML 2.0 and click Next.


2 - Configure General Settings
Set the following values under the General Settings section:
| Field | Value |
|---|---|
| App name | Glean Search |
| App logo | Download this Glean icon to set as the app logo. |
| App visibility | Check Do not display application icon to users. |

Info
Glean does not support IdP initiated SSO. To include a Glean tile in the Okta App Library for your users, you can create a Bookmark App and link it to https://app.glean.com
More information: Create a Bookmark App
3 - Configure SAML Settings
Tip
You will need your tenant ID and/or tenant backend domain for this step. This will be of the form: tenant_name-be.glean.com
If you are unsure of this, contact your Glean engineer or Glean support.
Set the following values under the Configure SAML section:
| Field | Value |
|---|---|
| Single sign-on URL | https://tenant_name-be.glean.com/authorization-code/callback |
| Use this for Recipient URL and Destination URL | Check |
| Audience URI (SP Entity ID) | https://tenant_name-be.glean.com |
| Default RelayState | Leave this empty. |
| Name ID format | EmailAddress |
| Application username | Email |
| Update application username on | Create and update |
Replace tenant_name with your actual tenant ID.
Next, under Attribute Statements (optional), add the following:
| Name | Name format | Value |
|---|---|---|
| Name | Unspecified | String.join(" ", user.firstName, user.lastName) |
Ensure your configuration is similar to that of the image below. When you have finished, scroll to the bottom and click Next.

4 - Okta Feedback
In the next section, under Are you a customer or partner? select I'm an Okta customer adding an internal app.

You can skip all other sections. Scroll to the bottom and select Finish.
5 - Copy the Metadata URL
On the next screen, under the Sign On tab, copy the Metadata URL. You will need to paste this into the Glean portal later.

6 - Assign Users & Groups
You must assign users and/or groups to the Glean Search app. Any user not assigned will not be able to SSO in to the Glean app.
- Select the Assignments tab and click the Assign button.
- To assign individual users, select Assign to People. To assign groups of users, select Assign to Groups.
Tip
You should place all users of Glean into a dedicated group, e.g. Glean Users

Glean SAML Configuration
1 - Configure Okta SAML
- In the Glean UI, navigate to Workspace Settings > Setup > Authentication
- Select Okta SAML from the list of SSO Providers.
- Paste the Okta Metadata URL into the Okta metadata URL field.
- Click Save to complete the configuration.


2 - Activate SSO
You must activate SSO in Workspace Settings before your users can sign in to Glean using SSO.
- Return to the Workspace Settings > Setup > Authentication screen.
- Under the Switch to logging into Glean via SSO section, click the button Switch to Okta SAML SSO.
- You will be prompted to confirm the switch.
- After SSO has been activated, you will see Okta SAML present in the list of Authentication apps with a Status of Connected.
Heads up!
If you don't see the Switch to Okta SAML SSO button, it means that your Glean tenant is still provisioning and you will not be able to make the switch just yet.
You can skip ahead to the Connect Datasources section of the Getting Started guide and return to this point later.


Success
You have successfully configured SSO for Glean with Okta using SAML.
(Optional) SCIM Provisioning
For Okta, Glean supports the deprovisioning of user accounts via SCIM 2.0. If you configure SCIM alongside SAML for Okta, when a user is removed from the Glean Search Okta app (or by extension from your directory), Okta pushes this information to Glean which results in the user being immediately logged out (rather than waiting for expiration of the session).
Configuring SCIM is optional but highly recommended.
1 - Configure Glean
- In the Glean UI, navigate to Workspace Settings > Setup > Apps.
- Select Add app followed by Okta SCIM. You can also click the shortcut link below.
Workspace Settings > Apps > Okta SCIM
- Copy the bearer token presented on-screen. You will need to paste this into Okta.
- In the instructions that open on the right in the sidebar, also note down the SCIM connector base URL, which has been customized specifically for your tenant.
  - E.g. https://tenant_id-be.glean.com/instance/api/scim/v2
- Check the Enable SCIM-based user deprovisioning option.
- Do not click Save yet, as you still need to configure the Okta side.

2 - Configure Okta
Enable SCIM Provisioning
- Navigate to Applications > Applications from your Okta admin dashboard, and select the Glean Search app you created earlier.
- Under the General tab, click Edit next to App Settings.
- Check Enable SCIM provisioning and click Save. The Provisioning tab will now be visible.

Set the URL and Token
- Click the Provisioning tab and click Edit next to SCIM connection.
- Fill in the fields as per the table below:
| Field | Value |
|---|---|
| SCIM connector base URL | Copy from the Glean UI, e.g. https://tenant_id-be.glean.com/instance/api/scim/v2 |
| Unique identifier field for users | email |
| Supported provisioning actions | Push New Users, Push Profile Updates, Push Groups |
| Authentication Mode | HTTP Header |
| Authorization | Copy the Bearer Token from the Glean UI. |
- Click Test Connector Configuration. If the test fails, double check that your SCIM connector base URL and Bearer Token are correct.
- Click Save to finish the SCIM configuration. The page will refresh as Okta processes the initial SCIM configuration.

Specify the data to be provisioned
- Return to the Provisioning tab, and click Edit next to Provisioning to App.
- Enable the following options and click Save:
  - Create Users
  - Update User Attributes
  - Deactivate Users
- Scroll down to the Glean Search Attribute Mappings section.
- Remove all attributes one-by-one, EXCEPT for the following:
  - Username
  - Given name
  - Family name

Push Users & Groups
- In the Glean Search Okta app, click the Assignments tab.
- You should have already assigned users and/or groups here as part of the SAML configuration above. If not, assign them now.
- Any users or groups already assigned will need to have the initial push via SCIM completed manually. Click the Provision User button to complete the initial push for these users and/or groups.

Verify the SCIM Push
- Navigate to Reports > System Log in your Okta admin dashboard.
- Check the event history to verify that SCIM user provisioning is succeeding.
- If you don't see any user sync events, check that:
  - You have enabled the Create Users, Update User Attributes, and Deactivate Users options under the Provisioning tab for the Glean Search Okta app.
  - The test of the SCIM configuration entered under the Integration section of the Provisioning tab passed. If not, check the URL and Bearer Token entered.

3 - Complete the Glean Configuration
Return to the Okta SCIM settings in the Glean UI and click Save.
Glean will perform a check to see if at least one user has been provisioned successfully. If not, you will receive an error.
Success
You have successfully configured SCIM provisioning for Glean using Okta.
Testing the Configuration
There are two key phases of SSO to test: The Glean to Okta redirect, and the Okta back to Glean redirect.
Glean to Okta
To test your SSO configuration, open a new Incognito or Private Browsing window and navigate to https://app.glean.com. Enter your work email and click Log In.
You should be redirected to your SSO platform successfully.
Tip
It is important to test using a Private Window to ensure that existing browser cache, storage, sessions, and cookies do not affect the result.
Issue: The redirect to Okta fails
If the redirection to Okta fails, this indicates that the metadata provided to Glean is incorrect. Create a new Okta application and re-follow the steps above without changing any settings not mentioned.
If the issue persists, contact Glean support.
Okta to Glean
When you have been redirected to Okta, attempt to sign in. You should be redirected back to Glean and successfully signed in.
Okta Error: User not assigned
This error indicates that the user who is attempting to sign in to Glean has not been assigned to the Glean Search application in Okta.
To resolve: Follow the steps here to assign the user to the Glean app. Alternatively, check whether the user has been correctly assigned as a member of one of the groups assigned to the Glean Search app in Okta.
Issue: The redirect back to Glean fails
If you can sign in, but redirection back to Glean fails, check whether both the Single Sign-On URL and Audience URI (SP Entity ID) specified in Okta for the Glean Search app are correct. These should be similar to the below:
- Single Sign-On URL: https://tenant_name-be.glean.com/authorization-code/callback, where tenant_name is your tenant ID.
- Audience URI (SP Entity ID): https://tenant_name-be.glean.com, where tenant_name is your tenant ID.
If you are unsure of your tenant ID, please contact your Glean engineer or Glean support.
Issue: The redirect back to Glean succeeds but login fails
If you are successfully redirected back to https://app.glean.com/login but are blocked from proceeding, it is likely that either:
- You have not specified the correct Name ID format, Application username, or Attribute Statements in the Okta configuration for the Glean Search SAML app. Return to the configuration and ensure that these values are set correctly.
- The email address of the user that is in the SAML assertion token does not match any of the domains that Glean has been pre-configured with for your company. Contact your Glean engineer or Glean support to provide them with a list of all authentication and email domains in use.
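To narrow down which of the redirect and login causes above applies, you can compare a decoded SAML assertion from a test sign-in against the values in this guide. The script below is an added example, not Glean or Okta code: the function name `check_assertion`, the tenant `acme` and the sample assertion are constructed, and it assumes the sign-in email is carried in the NameID. It is a configuration check only and does not validate the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample assertion (tenant "acme" is a placeholder, signature omitted).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@subsidiary.co</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData Recipient="https://acme-be.glean.com/authorization-code/callback"/>
  </saml:SubjectConfirmation>
 </saml:Subject>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>https://acme-be.glean.com</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="Name"><saml:AttributeValue>J Doe</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, tenant_name, approved_domains):
    """List mismatches between a decoded assertion and this guide's settings."""
    base = f"https://{tenant_name}-be.glean.com"
    acs = base + "/authorization-code/callback"
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        return ["no NameID in assertion"]
    if name_id.get("Format") != EMAIL_FORMAT:
        problems.append("Name ID format is not EmailAddress")
    # Assumption: the sign-in email is the NameID (Application username = Email).
    email = (name_id.text or "").strip().lower()
    domain = email.rpartition("@")[2]
    if "@" not in email or domain not in {d.lower() for d in approved_domains}:
        problems.append(f"email domain {domain!r} is not pre-approved")
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if base not in audiences:
        problems.append(f"Audience URI is not {base}")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs:
        problems.append(f"Recipient is not {acs}")
    if "Name" not in {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}:
        problems.append("Name attribute statement is missing")
    return problems

if __name__ == "__main__":
    for p in check_assertion(SAMPLE, "acme", ["company.com", "company.co.jp"]):
        print("MISMATCH:", p)
```

An empty result means the assertion matches the Okta settings in this guide; the list of approved domains is whatever you have notified Glean of.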
SCIM Provisioning
Tests for SCIM provisioning occur during configuration; however, most issues are due to one of the following:
- An incorrectly copied Bearer Token or SCIM URL from the Glean UI into Okta.
- Failure to enable the Create Users, Update User Attributes, and Deactivate Users options under the Provisioning tab for the Glean Search Okta app.
  - These options tell Okta what should be pushed to Glean. Not enabling them means that Okta will not push anything.
- Failure to assign users or groups to the Glean Search Okta app (and initiate a manual push if required).
Glean Error: Found empty SCIM users!
This error message occurs when you attempt to save the Okta SCIM configuration in the Glean UI before configuring Okta, or before a list of your users has successfully propagated to Glean.
Ensure the Okta configuration is correct and that your users are synchronizing to Glean correctly, then attempt to save the Glean configuration again.