Google (OIDC)
Step-by-step guide for configuring Google Workspace as the SSO provider for Glean using OIDC authentication.
This guide provides step-by-step instructions on how to configure Google Workspace as the SSO provider for Glean using the OpenID Connect (OIDC) protocol.
Single Sign-On (SSO) is a user authentication service that permits a user to use one set of login credentials to access multiple applications.
Customized instructions for your Glean environment are available in the Glean UI.
Prerequisites
Before you begin the setup process, ensure you have the following:
- An active Google Workspace administrator account.
- Access to your Glean admin account with Admin or Setup Admin roles to configure SSO settings.
- Basic understanding of SSO concepts.
Glean restricts SSO authentication to domains that have been pre-approved. Ensure that you have notified Glean of all domains that will be used for user authentication or else SSO will fail.
For example: company.com, company.co.jp, subsidiary.co, etc.
Google Configuration
1 - Set OAuth Consent
You must create an OAuth consent screen for Glean before proceeding.
To configure the OAuth consent screen for Glean:
- In the Google Cloud Console, navigate to APIs and Services > OAuth consent screen.
- Select Internal as the user type, then click Create.
- Fill in the fields as per the table below, then click Save and Continue:
Field | Value |
---|---|
App name | Glean |
User support email | Email alias for your IT helpdesk, e.g. helpdesk@company.com |
App logo | Download this Glean icon to set as the app logo. |
App home page | https://app.glean.com |
App privacy policy link | https://www.glean.com/privacy-policy |
App Terms of Service link | https://www.glean.com/terms |
Authorized domain | glean.com |
Developer Contact Email | Email alias for your IT team, e.g. it@company.com |
- On the next page, scroll to the bottom and select Save and Continue. No scopes are required to be added.
- On the summary page, proceed to the dashboard. Your OAuth screen for Glean should now be configured.
2 - Create an OAuth Client
You will need your tenant ID and/or tenant backend domain for this step. This will take the form of: tenant_name-be.glean.com
You can find your tenant ID by following the instructions here. If you are still unsure, contact your Glean engineer or Glean support.
- In the Google Cloud Console, navigate to APIs and Services > Credentials, and select Create Credentials > OAuth Client ID.
- Fill in the fields as per the table below, and then click Create.
Field | Value |
---|---|
Application type | Web application |
Name | Glean SSO |
Authorized Javascript origins | https://app.glean.com |
Authorized redirect URIs | Add both of the following URIs: https://tenant_name-be.glean.com/authorization-code/callback?isExtension=1 and https://tenant_name-be.glean.com/authorization-code/callback |
Replace tenant_name with your actual tenant ID.
- On the next screen, you will be shown a success modal that contains your Client ID and Client Secret. Copy these, as you will need them in the next section.
- If you accidentally close the modal, you can open it again by clicking the download icon next to the Glean SSO OAuth client.
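As an added example (not part of Glean's or Google's documentation), this Python check compares the OAuth client JSON obtained from the download icon with the values in the table above, flagging missing entries and any extra redirect URIs or origins. The `web`, `redirect_uris` and `javascript_origins` keys are the assumed layout of that download; `check_oauth_client`, the tenant `acme` and the sample values are hypothetical.

```python
import json

GLEAN_ORIGIN = "https://app.glean.com"  # "Authorized Javascript origins" value from the table

def expected_redirect_uris(tenant_name):
    """Both redirect URIs the guide asks for, built from the tenant ID."""
    base = f"https://{tenant_name}-be.glean.com/authorization-code/callback"
    return {base, base + "?isExtension=1"}

def check_oauth_client(client_json, tenant_name):
    """Return a list of findings; an empty list means the client matches the guide."""
    data = json.loads(client_json)
    if "web" not in data:
        # Assumption: credentials are nested under the application type.
        return [f"application type is {sorted(data)} and not 'web'"]
    web = data["web"]
    findings = []
    registered = set(web.get("redirect_uris", []))
    expected = expected_redirect_uris(tenant_name)
    # Exact string comparison: a trailing slash or wrong case counts as a mismatch.
    for uri in sorted(expected - registered):
        findings.append(f"missing redirect URI: {uri}")
    for uri in sorted(registered - expected):
        # Every extra entry is another place authorization codes can be sent.
        note = "" if uri.startswith("https://") else " (not https)"
        findings.append(f"unexpected redirect URI{note}: {uri}")
    origins = set(web.get("javascript_origins", []))
    if GLEAN_ORIGIN not in origins:
        findings.append(f"missing JavaScript origin: {GLEAN_ORIGIN}")
    for origin in sorted(origins - {GLEAN_ORIGIN}):
        findings.append(f"unexpected JavaScript origin: {origin}")
    for key in ("client_id", "client_secret"):
        value = web.get(key, "")
        if not value or value != value.strip():
            findings.append(f"{key} is empty or has surrounding whitespace")
    return findings

# Constructed sample: tenant "acme", the extension callback missing and a
# leftover localhost redirect; all values are placeholders.
SAMPLE = json.dumps({"web": {
    "client_id": "0000000000-example.apps.googleusercontent.com",
    "client_secret": "EXAMPLE-SECRET-PLACEHOLDER",
    "redirect_uris": [
        "https://acme-be.glean.com/authorization-code/callback",
        "http://localhost:8080/callback"],
    "javascript_origins": ["https://app.glean.com"]}})

if __name__ == "__main__":
    for finding in check_oauth_client(SAMPLE, "acme"):
        print(finding)
```

The downloaded file contains the Client Secret, so run the check locally and delete the file once the values are stored in Glean.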
Glean Configuration
1 - Configure Google SSO
- In the Glean UI, navigate to Workspace Settings > Setup > Authentication.
- Select GSuite from the list of SSO Providers.
- Paste the Client ID and Client Secret values copied from the Google console into their respective fields in the Glean UI.
- Click Save.
2 - Activate SSO
You must activate SSO in Workspace Settings before your users can sign in to Glean using SSO.
- Return to the Workspace Settings > Setup > Authentication screen.
- Under the Switch to logging into Glean via SSO section, click the Switch to GSuite SSO button.
If you don’t see the Switch to GSuite SSO button, it means that your Glean tenant is still provisioning and you will not be able to make the switch just yet.
You can skip ahead to the Connect Datasources section of the Getting Started guide and return to this point later.
- You will be prompted to confirm the switch and then sign-in via SSO.
- After SSO has been activated, you will see GSuite present in the list of Authentication apps with a Status of Connected.
You have successfully configured SSO for Glean with Google Workspace.
Testing the Configuration
There are two key phases of SSO to test: the Glean to Google Workspace redirect, and the Google Workspace back to Glean redirect.
Glean to Google
To test your SSO configuration, open a new Incognito or Private Browsing window and navigate to https://app.glean.com. Enter your work email and click Log In.
You should be redirected to your SSO platform successfully.
Testing in a Private Window is crucial to prevent existing browser cache, storage, sessions, and cookies from affecting the result.
Google to Glean
When you have been redirected to Google SSO, attempt to sign in. You should be redirected back to Glean and successfully signed in.
Troubleshooting
If any of the above SSO flows fail, consult the table below. If you have issues that persist, or issues not mentioned below, please contact Glean support.
Issue | Description | Fix |
---|---|---|
The code cannot be verified [Error Code 13] | The Client ID or Client Secret is incorrect. | Double check that you have copied the Client ID and Client Secret values correctly into the Glean UI. |
The code cannot be verified [Error Code 13] | In addition to the above, this error code may indicate that Glean cannot validate the email domain being used for sign-in. | Glean checks the email domain of every user that authenticates via SSO against a list of known company domains that are assigned to your tenant. If Glean is not aware of the email domain that your user is attempting to SSO with, it denies access to your Glean environment for security reasons. Notify your Glean engineer or Glean support of all email domains that your users will be authenticating from. |
You do not have access to Glean. Please contact your IT administrator to get access. You do not have access to Glean. Please contact your IT administrator to get access. [Error Code 15] | A user will receive this error if they are not included in the Google Group which manages access to Glean. | Add the user to the Google Group. If you are unsure of which Google Group manages access, please reach out to Glean Support for assistance retrieving the Google Group email. |