
OIDC & SAML in Glean

Single Sign-On (SSO) is a fundamental feature for enhancing enterprise security and user experience, enabling employees to access multiple applications with a single set of credentials. This streamlines the login process and enhances security: there are fewer credentials to be phished, reused or left behind when someone leaves, and credential policy and revocation are managed in one place. The primary protocols for SSO integration are Security Assertion Markup Language (SAML) and OpenID Connect (OIDC).

For enterprises integrating their systems with Glean, choosing the most effective SSO configuration is crucial. Although Glean supports both SAML and OIDC, it recommends OIDC for its modern architecture, fine-grained control over permissions, and efficient synchronization of directory information, on which Glean's functionality depends. Most SSO and Identity Providers (IdPs), including Microsoft Entra ID, Okta, and Google Workspace, support both protocols.


Understanding SAML

SAML is an XML-based standard for securely exchanging authentication and authorization data between IdPs and service providers. It is particularly suited for enterprise environments due to its robustness and comprehensive control over authentication and authorization processes.

Key features:

  • Compatibility: SAML's long-standing presence means it is often the default or only supported protocol for older systems and applications.
  • Established Trust Frameworks: SAML is prevalent in sectors with existing federations or trust frameworks, making it a straightforward choice for entities needing to participate in these ecosystems.

Understanding OIDC

OIDC is an identity layer built on the OAuth 2.0 framework: it adds authentication to OAuth's authorization flows and conveys the verified user's identity to the application as a signed JSON Web Token (JWT), the ID token, which carries the user's claims securely.

Key features:

  • Modern and Lightweight: OIDC uses JSON and RESTful APIs, making it a streamlined and modern solution suited for new web-based applications.
  • Fine-Grained Access Control: OIDC allows for nuanced control over permissions and data shared with the SaaS application.
  • Interoperability: OIDC's simplicity promotes easier integration with a broad array of applications and services.

Differences Between SAML and OIDC

Protocol and Data Format

  • SAML: Uses XML; assertions are digitally signed (and can be encrypted) and the format is extensible, but it is verbose, leading to larger payloads.
  • OIDC: Employs JSON, providing a compact and web-friendly format, conducive to faster processing and improved performance.

Integration and Flexibility

  • SAML: Widely supported by legacy and enterprise-specific applications due to its established presence.
  • OIDC: Offers more straightforward and flexible integration options, particularly for modern web-based applications, thanks to RESTful APIs.

Ability to Fetch and Synchronize Information

  • SAML: Updates information from the attributes carried in the SAML assertion, which is only issued when the user logs in or re-authenticates, so changes in the directory can take time to be reflected.
  • OIDC: Allows asynchronous data synchronization under the permissions granted to the application, so updates continue without the user re-authenticating and the data stays current and accurate.

Glean's Preference for OIDC

Given the importance of accurate and up-to-date people data for Glean's operations, the choice of SSO integration method is crucial. While both SAML and OIDC are valuable in the enterprise SSO landscape, OIDC's detailed permission controls make it Glean's preferred option for organizations to integrate with the platform.