Configuration
Google (OIDC)
Step-by-step guide for configuring Google Workspace as the SSO provider for Glean using OIDC authentication.
Customized instructions for your Glean environment are available in the Glean UI.Workspace Settings > Setup > Authentication > GSuite
Prerequisites
Before you begin the setup process, ensure you have the following:- An active Google Workspace administrator account.
- Access to your Glean admin account with Admin or Setup Admin roles to configure SSO settings.
- Basic understanding of SSO concepts.
Glean restricts SSO authentication to domains that have been pre-approved. Ensure that you have notified Glean of all domains that will be used for user authentication or else SSO will fail.For example:
company.com, company.co.jp, subsidiary.co, etc.Google Configuration
1 - Set OAuth Consent
You must have create an OAuth consent screen for your Glean before proceeding.What is the Google OAuth consent screen?
What is the Google OAuth consent screen?
When a user opts to sign in to Glean (or any other OAuth App) using Google SSO for the first time, they are greeted with a Google consent screen.This screen concisely informs the user about the app’s functions and the specific data it will access. By presenting this information upfront, users can confidently manage their privacy and data sharing preferences before proceeding with the authentication process.
How do I check if the OAuth consent screen has already been created?
How do I check if the OAuth consent screen has already been created?
If you are not sure if this has already been completed, you can check in the Google Cloud Console:
- Navigate to APIs and Services > Credentials.
- If you see a warning message “Remember to configure the OAuth consent screen with information about your application.”, you will need to configure the OAuth Consent Screen before proceeding.
- If you don’t see this warning, then you can skip this section and proceed to the next one.
- In the Google Cloud Console, navigate to APIs and Services > OAuth consent screen.
- Select Internal as the user type, then click Create.
- Fill in the fields as per the table below, then click Save and Continue:
| Field | Value |
|---|---|
| App name | Glean |
| User support email | Email alias for your IT helpdesk, e.g. helpdesk@company.com |
| App logo | Download this Glean icon to set as the app logo. |
| App home page | https://app.glean.com |
| App privacy policy link | https://www.glean.com/privacy-policy |
| App Terms of Service link | https://www.glean.com/terms |
| Authorized domain | glean.com |
| Developer Contact Email | Email alias for your IT team, e.g. it@company.com |
- On the next page, scroll to the bottom and select Save and Continue: No scopes are required to be added.
- On the summary page, proceed to the dashboard. Your OAuth screen for Glean should now be configured.
2 - Create an OAuth Client
You will need your tenant ID and/or tenant backend domain for this step. This will take the form of:
tenant_name-be.glean.comYou can find your tenant ID by following the instructions here. If you still unsure, contact your Glean engineer or Glean support.- In the Google Cloud Console, navigate to APIs and Services > Credentials, and select Create Credentials > OAuth Client ID.
- Fill in the fields as per the table below, and then click Create.
| Field | Value |
|---|---|
| Application type | Web application |
| Name | Glean SSO |
| Authorized Javascript origins | https://app.glean.com |
| Authorised redirect URIs | Add both the following URIs:https://tenant_name-be.glean.com/authorization-code/callback?isExtension=1https://tenant_name-be.glean.com/authorization-code/callback |
tenant_name with your actual tenant ID.
-
On the next screen, you will show a success modal that contains your Client ID and Client Secret. Copy these as you will need them in the next section.
- If you accidentally close the modal, you can open it again by clicking the download icon next to the Glean SSO OAuth client.
Glean Configuration
1 - Configure Google SSO
- In the Glean UI, navigate to Workspace Settings > Setup > Authentication.
- Select GSuite from the list of SSO Providers.
- Paste the Client ID and Client Secret values copied from the Google console into their respective fields in the Glean UI.
- Click Save.
2 - Activate SSO
You must activate SSO in Workspace Settings before your users can sign in to Glean using SSO.- Return to the Workspace Settings > Setup > Authentication screen.
- Under the Switch to logging into Glean via SSO section, click the Switch to Gsuite SSO button.
If you don’t see the Switch to GSuite SSO button, it means that your Glean tenant is still provisioning and you will not be able to make the switch just yet.You can skip ahead to the Connect Datasources section of the Getting Started guide and return to this point later.
- You will be prompted to confirm the switch and then sign-in via SSO.
- After SSO has been activated, you will see GSuite present in the list of Authentication apps with a Status of Connected.
You have successfully configured SSO for Glean with Google Workspace.
Testing the Configuration
There are two key phases of SSO to test: The Glean to Google Workspace redirect, and the Google Workspace back to Glean redirect.Glean to Google
To test your SSO configuration, open a new Incognito or Private Browsing window and navigate to https://app.glean.com. Enter your work email and click Log In. You should be redirected to your SSO platform successfully.Testing in a Private Window is crucial to prevent existing browser cache, storage, sessions, and cookies from affecting the result.
Google to Glean
When you have been redirected to Google SSO, attempt to sign in. You should be redirected back to Glean and successfully signed in.Troubleshooting
If any of the above SSO flows fail, consult the table below. If you have issues that persist, or issues not mentioned below, please contact Glean support.| Issue | Description | Fix |
|---|---|---|
| The code cannot be verified [Error Code 13] | The Client ID or Client Secret are incorrect. | Double check that you have copied the Client ID and Client Secret values correctly into the Glean UI. |
| The code cannot be verified [Error Code 13] | In addition to the above, this error code may indicate that Glean cannot validate the email domain being used for sign-in. | Glean checks the email domain of every user that authenticates via SSO against a list of known company domains that are assigned to your tenant. If Glean is not aware of the email domain that your user is attempting to SSO with, it denies access to your Glean environment for security reasons. Notify your Glean engineer or Glean support of all email domains that your users will be authenticating from. |
| You do not have access to Glean. Please contact your IT administrator to get access. You do not have access to Glean. Please contact your IT administrator to get access. [Error Code 15] | A user will receive this error if they are not included in the Google Group which manages access to Glean. | Add the user to the Google Group. If you are unsure of which Google Group manages access, please reach out to Glean Support for assistance retrieving the Google Group email. |