Generic SAML

If your SSO provider isn’t explicitly listed as supported in Glean, you can still configure SSO using the SAML parameters outlined in this guide. Single Sign-On (SSO) enables users to access multiple applications with one set of login credentials.

Prerequisites

Before beginning the setup process, ensure you have:

An active administrator account in your SSO provider
Access to your Glean admin account with Admin or Setup Admin roles
Basic understanding of SAML 2.0 and SSO concepts

Glean limits SSO authentication to pre-approved domains. Ensure that you have notified Glean of all domains that will be used for user authentication (e.g., company.com, company.co.jp, subsidiary.co) or SSO will fail.

SSO Provider Configuration

If your workspace is still in the central setup phase and has not yet been initialized, configuration URLs associated with your tenant ID will not exist. In this case, you must direct your SSO configuration to Glean’s central URL in order to complete verification and enable SSO-based login.

Follow the appropriate instructions below based on your setup stage.

Before workspace initialization:

Create a new SAML App

Create a new SAML application in your SSO provider’s management console.

Configure the following fields (some may not be required by your provider):

Field	Value
Single Sign-On (SSO) URL	`https://apps-be.glean.com/central_sso/authorization-code/callback`
Recipient / Destination URL	`https://apps-be.glean.com/central_sso/authorization-code/callback`
ACS (Consumer) URL	`https://apps-be.glean.com/central_sso/authorization-code/callback`
Audience URI (SP Entity ID)	`https://apps-be.glean.com`
Default RelayState	Leave blank
Login URL	`https://apps-be.glean.com/login`
Logout URL	`https://apps-be.glean.com/logout`
SAML initiator	Service Provider (Glean)
SAML signature element	Assertion
Name ID format	emailAddress
Sign requests?	True
X.509 signature	Standard Strength Certificate (2048-bit)
X.509 signature algorithm	SHA-512

Copy the IdP Metadata XML URL

Glean requires a publicly accessible IdP Metadata XML URL to configure SSO. Direct XML file uploads are not supported.

What if my SSO provider doesn't provide an accessible metadata URL?

What if my SSO provider doesn't provide a metadata XML file or URL?

If your provider doesn’t supply an IdP Metadata file or URL, you’ll need to create one manually. Here’s a sample template:

<md:EntityDescriptor entityID="http://www.your-sso-provider.com/exkn1czW8bjf9XXYb5dl">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>
                        MIIDqDCCApCgAwIBAgIGAY2L4lsNMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYDVQQGEwJVUzETMBEG
                        <!-- Replace with your certificate -->
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:NameIDFormat>
            urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
        </md:NameIDFormat>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
            Location="https://www.your-sso-provider.com/app/gleansearchsaml_1/exkn1czW8bjf9XXYb5dl/sso/saml"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
            Location="https://www.your-sso-provider.com/app/gleansearchsaml_1/exkn1czW8bjf9XXYb5dl/sso/saml"/>
    </md:IDPSSODescriptor>
</md:EntityDescriptor>

Replace the entityID, X509Certificate, and Location fields with your SAML IdP details.

After workspace initialization:

Create a new SAML App

Create a new SAML application in your SSO provider’s management console.

You’ll need your tenant ID and/or tenant backend domain (format: tenant_name-be.glean.com). You can find your tenant ID by following the instructions here. Contact Glean support if unsure.

Configure the following fields (some may not be required by your provider):

Field	Value
Single Sign-On (SSO) URL	`https://tenant_name-be.glean.com/authorization-code/callback`
Recipient / Destination URL	`https://tenant_name-be.glean.com/authorization-code/callback`
ACS (Consumer) URL	`https://tenant_name-be.glean.com/authorization-code/callback`
Audience URI (SP Entity ID)	`https://tenant_name-be.glean.com`
Default RelayState	Leave blank
Login URL	`https://tenant_name-be.glean.com/login`
Logout URL	`https://tenant_name-be.glean.com/logout`
SAML initiator	Service Provider (Glean)
SAML signature element	Assertion
Name ID format	emailAddress
Sign requests?	True
X.509 signature	Standard Strength Certificate (2048-bit)
X.509 signature algorithm	SHA-512

Copy the IdP Metadata XML URL

Glean requires a publicly accessible IdP Metadata XML URL to configure SSO. Direct XML file uploads are not supported.

What if my SSO provider doesn't provide an accessible metadata URL?

What if my SSO provider doesn't provide a metadata XML file or URL?

If your provider doesn’t supply an IdP Metadata file or URL, you’ll need to create one manually. Here’s a sample template:

<md:EntityDescriptor entityID="http://www.your-sso-provider.com/exkn1czW8bjf9XXYb5dl">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>
                        MIIDqDCCApCgAwIBAgIGAY2L4lsNMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYDVQQGEwJVUzETMBEG
                        <!-- Replace with your certificate -->
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:NameIDFormat>
            urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
        </md:NameIDFormat>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
            Location="https://www.your-sso-provider.com/app/gleansearchsaml_1/exkn1czW8bjf9XXYb5dl/sso/saml"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
            Location="https://www.your-sso-provider.com/app/gleansearchsaml_1/exkn1czW8bjf9XXYb5dl/sso/saml"/>
    </md:IDPSSODescriptor>
</md:EntityDescriptor>

Replace the entityID, X509Certificate, and Location fields with your SAML IdP details.

Glean Configuration

Configure SAML

Navigate to Workspace Settings > Setup > Authentication
Select Okta SAML from the SSO Providers list

You can use this option for any SAML provider - not just Okta.

Paste your SAML Metadata URL into the Okta metadata URL field

The SAML Metadata URL must be publicly accessible. Contact Glean support if you need assistance with hosting.

Click Save

Activate SSO

Return to Authentication Settings
Click Switch to Okta SAML SSO

Confirm the switch
Verify the status shows as Connected

If you completed SSO setup prior to workspace initialization, you can now safely replace the central Glean URLs in your SSO provider with the tenant URLs listed in the instructions above under Step 1.

If you don’t see the switch button, your Glean tenant may still be provisioning. You can proceed with connecting datasources and return later.

Testing the Configuration

To verify your SSO setup:

Open a new Incognito or Private Browsing window
Navigate to https://app.glean.com
Enter your work email and click Log In
Verify successful redirection to your SSO provider

Always test using a Private Window to ensure browser cache and existing sessions don’t affect the results.

Test both SSO phases

Two key phases need testing:

Glean to SSO provider redirect
SSO provider back to Glean redirect

If either phase fails, verify your configuration settings and ensure all domains are approved by Glean.

General

Identity

Search

Assistant

Embedded Integrations

Knowledge

Management

Insights

Glean Customer Event Logs

Developer

Managing Agents

Prerequisites

SSO Provider Configuration

Before workspace initialization:

After workspace initialization:

Glean Configuration

Testing the Configuration

Test both SSO phases

General

Identity

Search

Assistant

Embedded Integrations

Knowledge

Management

Insights

Glean Customer Event Logs

Developer

Managing Agents

​Prerequisites

​SSO Provider Configuration

​Before workspace initialization:

​After workspace initialization:

​Glean Configuration

​Testing the Configuration

Test both SSO phases

Prerequisites

SSO Provider Configuration

Before workspace initialization:

After workspace initialization:

Glean Configuration

Testing the Configuration