Configure Single Sign-On (SSO)

In this section, you will learn how to configure Single Sign-On (SSO) to provide seamless and secure employee access to Glean.
By integrating your directory service with Glean, user information will be automatically synchronized, ensuring that your organization's document access controls are accurately reflected in search results within Glean.
Understanding Glean SSO
Glean leverages OpenID Connect (OIDC) for implementing SSO and synchronizing directory information. OIDC is a robust protocol that provides detailed control over user permissions. It is widely supported by leading Identity Providers (IdPs) such as Okta, Microsoft Entra ID (Azure AD), and Google, ensuring compatibility and ease of integration with your existing identity management infrastructure.
Select your Identity Provider (IdP)
On the next screen (under Setup > Authentication), select your IdP from the list.

Glean also supports the use of SAML in cases where your SSO provider or company Standard Operating Procedure does not support using OIDC. To configure SAML, choose Okta SAML from the SSO provider list, and paste a link to your IdP metadata XML file when prompted.
OIDC vs SAML
Glean strongly recommends the use of OIDC over SAML for integrating SSO. It is crucial that your employee directory is asynchronously reflected within Glean to ensure that search functions correctly. SAML tokens do not provide the comprehensive identity data required for Glean's operation and, in addition, can only be updated upon employee re-authentication.
Should you choose to implement SAML, you will be responsible for maintaining your directory information. This can be done by manually uploading the data to Glean in CSV format or by utilizing Glean's Indexing API to push employee information.
Configure SSO
Detailed instructions for configuring SSO with each IdP are linked below:
Enable SSO
Once you have configured SSO, you will need to tell Glean to switch from using Magic Links to SSO for user and administrator sign-in.
Under the section Switch to logging into Glean with SSO, click the Switch to ... button.

Your page will refresh, and you will see your IdP listed as Connected and Active.

Heads up!
If you don't see the Switch to ... button, it means that your Glean tenant is still provisioning and you will not be able to make the switch just yet.
You can skip ahead to the Connect Datasources step and return to this point later.
Test SSO
There are two key phases of SSO to test: the redirect from Glean (the service provider, SP) to the IdP, and the redirect from the IdP back to Glean.
Glean to IdP
To test your SSO configuration, open a new Incognito or Private Browsing window and navigate to https://app.glean.com. Enter your work email and click Log In.
You should be redirected to your SSO platform successfully.
Having issues?
If redirection to your SSO platform fails, and you are using OIDC, please contact Glean support.
If you are using SAML, this indicates that the metadata provided to Glean (such as the Login URL) is incorrect. Please check your metadata and if the issue persists, contact Glean support.
IdP to Glean
When you have been redirected to your SSO platform, attempt to sign in. You should be redirected back to Glean and successfully signed in.
Having issues?
If you can sign in, but redirection back to Glean fails, check whether BOTH of the Authentication URLs provided by Glean for you to enter into your IdP have been set correctly.
For OIDC these are:
https://[tenant_name]-be.glean.com/authorization-code/callback?isExtension=1
https://[tenant_name]-be.glean.com/authorization-code/callback
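
One way to check that both OIDC callback URLs above are registered exactly, shown as an added example (not Glean's own tooling). It assumes the IdP matches redirect URIs by exact string comparison; the tenant name "acme", the function names, and the sample list are constructed for illustration.

```python
from urllib.parse import urlsplit

def expected_redirect_uris(tenant_name):
    # Both callback URLs are the ones listed above; tenant_name fills [tenant_name].
    base = f"https://{tenant_name}-be.glean.com/authorization-code/callback"
    return [base + "?isExtension=1", base]

def diagnose(expected, configured):
    """Describe the closest registered URI that fails to match `expected`."""
    want = urlsplit(expected)
    for uri in configured:
        got = urlsplit(uri.strip())
        same_endpoint = (got.hostname == want.hostname
                         and got.path.rstrip("/") == want.path
                         and got.query == want.query)
        if not same_endpoint:
            continue
        if uri != uri.strip():
            return f"surrounding whitespace: {uri!r}"
        if got.scheme != want.scheme:
            return f"wrong scheme: {uri!r}"
        if got.path != want.path:
            return f"trailing slash: {uri!r}"
        return f"near match (check case and port): {uri!r}"
    return "missing"

def check_redirect_uris(tenant_name, configured):
    """Map each expected callback URL to 'ok' or a mismatch description."""
    report = {}
    for expected in expected_redirect_uris(tenant_name):
        # Assumed exact-string matching at the IdP, so test equality first.
        report[expected] = "ok" if expected in configured else diagnose(expected, configured)
    return report

if __name__ == "__main__":
    # Constructed sample: redirect URIs as copied out of an IdP app configuration.
    sample = [
        "https://acme-be.glean.com/authorization-code/callback/",
        "https://acme-be.glean.com/authorization-code/callback?isExtension=1",
    ]
    for uri, status in check_redirect_uris("acme", sample).items():
        print(f"{status:<50} {uri}")
```

Any status other than "ok" points at the entry to correct in the IdP application settings before retrying the sign-in test.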