Google (OIDC)
This guide provides instructions for configuring Google Workspace as the SSO provider for Glean using the OpenID Connect (OIDC) protocol.
Single Sign-On (SSO) is a user authentication service that permits a user to use one set of login credentials to access multiple applications. Glean supports SSO through OIDC (preferred) or SAML 2.0, both of which enhance security and simplify the login process for end users. To learn more about using SAML with Glean, see Generic SAML.
Complete SSO setup in both Google Cloud Console and the Glean Admin console.
Customized instructions for your Glean environment are available in the Admin Console:
Admin Console → Users & permissions → Single sign-on (SSO)
Requirements and prerequisites
Make sure you meet the following requirements:
- Have Google Workspace administrator access
- Have Admin or Setup Admin role access to Glean
- Obtain your tenant backend domain from the Server instance (QE) field at app.glean.com/admin/about-glean.
- Have a basic understanding of SSO concepts
Glean restricts SSO authentication to pre-approved domains. Notify Glean of all domains that will be used for user authentication or else SSO will fail.
For example: company.com, company.co.jp, and subsidiary.co
Setting up SSO before workspace initialization
If you're configuring SSO through Central Workspace Settings (CWS), a service that allows admins to configure SSO before a dedicated workspace is provisioned, you'll receive a magic link from Glean to access CWS at app.glean.com/admin.
Google Cloud Console steps
To set Google Workspace as your SSO provider in Google Cloud Console, complete the following steps.
Set OAuth consent screen
Create a Google OAuth consent screen for your Glean users.
- In Google Cloud Console, navigate to APIs and Services → OAuth consent screen.
- Select Internal as the user type.
- Click Create.
- Add the following details:
  - App name: Glean
  - User support email: Email alias for your IT helpdesk (for example, helpdesk@company.com)
  - App logo: Download this Glean icon
  - App home page: https://app.glean.com
  - App privacy policy link: https://www.glean.com/privacy-policy
  - App Terms of Service link: https://www.glean.com/terms
  - Authorized domain: glean.com
  - Developer Contact Email: Email alias for your IT team (for example, it@company.com)
- Click Save and Continue.
- On the Scopes page, click Save and Continue. No scopes are required.
- Review the summary and return to the dashboard.
See the Google Workspace documentation for more information on how to configure the OAuth consent screen: Configure OAuth consent screen.
Create an OAuth client
- In Google Cloud Console, navigate to APIs and Services → Credentials.
- Select Create Credentials → OAuth Client ID.
- Add the following details:
  - Application type: Web application
  - Name: Glean SSO
  - Authorized JavaScript origins: https://app.glean.com
  - Authorized redirect URIs: Add both redirect URIs:
    - https://<tenant_id-be.glean.com>/authorization-code/callback?isExtension=1
    - https://<tenant_id-be.glean.com>/authorization-code/callback
  Replace <tenant_id-be.glean.com> with your full backend domain.
- Click Create.
- Copy and note the Client ID and Client secret. You will input these into the Glean Admin console later.
The client secret value shows only once. If you don't copy it, you cannot access it again and you will need to create a new OAuth client.
See the Google Workspace documentation for more information on how to create an OAuth client: Create OAuth 2.0 client ID credentials.
CWS verification redirect URI
If you are configuring SSO through Central Workspace Settings (CWS), the service that allows admins to set up their deployment before a dedicated project is provisioned, you must add an additional redirect URI to test and verify your configuration: https://apps-be.glean.com/central_sso/authorization-code/callback
This redirect URI is required for the CWS verification step. Without it, SSO testing during CWS setup will fail. You may remove this URI after verification is complete.
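The following is an added example, not code from Glean or Google: a check that compares an OAuth client's redirect URIs and JavaScript origins with the values listed in this guide, which matters because Google matches redirect URIs exactly. It assumes you have the client's JSON as downloaded from the Credentials page (a "web" object with "redirect_uris" and "javascript_origins"); the tenant domain example-be.glean.com, the function names and the sample data are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

CWS_URI = "https://apps-be.glean.com/central_sso/authorization-code/callback"
ORIGIN = "https://app.glean.com"


def expected_redirect_uris(backend_domain):
    """The two redirect URIs this guide lists for a tenant backend domain."""
    base = f"https://{backend_domain}/authorization-code/callback"
    return {base, base + "?isExtension=1"}


def audit_oauth_client(client_json, backend_domain, cws_verification_done):
    """Return sorted findings; an empty list means the client matches the guide."""
    web = json.loads(client_json).get("web", {})
    configured = set(web.get("redirect_uris", []))
    origins = set(web.get("javascript_origins", []))
    required = expected_redirect_uris(backend_domain)
    allowed = set(required)
    if not cws_verification_done:
        allowed.add(CWS_URI)  # only needed until CWS verification completes
    findings = [f"missing redirect URI: {u}" for u in required - configured]
    for uri in configured - allowed:
        if uri == CWS_URI:
            findings.append(f"CWS verification URI can be removed: {uri}")
        elif urlsplit(uri).scheme != "https":
            findings.append(f"non-HTTPS redirect URI: {uri}")
        else:
            findings.append(f"unexpected redirect URI: {uri}")
    if origins != {ORIGIN}:
        findings.append(f"JavaScript origins differ from {ORIGIN}: {sorted(origins)}")
    return sorted(findings)


# Constructed sample: placeholder tenant domain, one mistyped callback
# (extra "/" before the query string) and a leftover CWS verification URI.
SAMPLE = json.dumps({"web": {
    "client_id": "EXAMPLE.apps.googleusercontent.com",
    "javascript_origins": ["https://app.glean.com"],
    "redirect_uris": [
        "https://example-be.glean.com/authorization-code/callback",
        "https://example-be.glean.com/authorization-code/callback/?isExtension=1",
        CWS_URI,
    ],
}})

if __name__ == "__main__":
    print("\n".join(audit_oauth_client(SAMPLE, "example-be.glean.com", True)))
```

Pass False as the third argument while CWS verification is still pending so the verification URI is treated as expected.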
Glean Admin console steps
To configure Glean to use Google Workspace as your SSO provider, complete the following steps in the Glean Admin console:
Configure Google SSO
- In the Glean UI, navigate to Admin Console → Users & permissions → Single sign-on (SSO).
- Select GSuite.
- Paste the following values copied from Google Cloud Console into their respective fields in the Glean UI:
- Client ID
- Client Secret
- Click Save.
Activate SSO
You must activate SSO in the Admin console before your users can sign in to Glean using SSO.
- Navigate to Admin Console → Users & permissions → Single sign-on (SSO).
- In the Switch to logging into Glean via SSO section, click the Switch to GSuite SSO button. Glean prompts you to confirm the switch.
After SSO activates, GSuite displays in the Glean Single sign-on (SSO) page with a Connected status.
If you don't see the Switch to GSuite SSO button, it means that your Glean tenant is still provisioning and you must wait to switch to using SSO.
You can skip ahead to the Add connectors section and return to this step later.
Test the configuration
Test your SSO configuration to ensure proper authentication flow between Glean and Google Workspace.
Test Glean to Google redirect
- Open a new Incognito or Private Browsing window and navigate to app.glean.com.
- Enter your work email and click Log In.
Glean redirects you to Google SSO to complete the authentication flow.
Test the configuration in an incognito or private browsing window to prevent existing cache, storage, sessions, and cookies from affecting the result.
Test Google to Glean redirect
When redirected to Google SSO, sign in. Google SSO redirects you back to Glean as an authenticated user.
CWS verification
This verification step requires the https://apps-be.glean.com/central_sso/authorization-code/callback redirect URI configured in your OAuth client. See CWS verification redirect URI for details. After verification is complete, you may remove this URI from your OAuth client.
- In the CWS Google SSO setup page, click Complete verification.
- When prompted, sign in to Google to return to Glean.
Once your workspace initializes, Glean prompts you to switch to SSO for authentication.
Troubleshooting
If any of the SSO flows fail, consult the following table. If you have issues that persist or issues not mentioned below, contact Glean support.
| Issue | Description | Fix |
|---|---|---|
| The code cannot be verified [Error Code 13] | The Client ID or Client Secret is incorrect. | Verify that you have copied the Client ID and Client Secret values correctly into the Glean UI. |
| The code cannot be verified [Error Code 13] | Glean cannot validate the email domain being used for sign-in. | Glean checks the email domain of every user that authenticates via SSO against a list of known company domains assigned to your tenant. If Glean is not aware of the email domain that your user is attempting to SSO with, it denies access to your Glean environment for security reasons. Notify Glean support of all email domains that your users will be authenticating from. |
| You do not have access to Glean. Please contact your IT administrator to get access. [Error Code 15] | A user receives this error if they are not included in the Google Group that manages access to Glean. | Add the user to the Google Group. If you are unsure which Google Group manages access, contact Glean support for help with the Google Group email. |
| CWS SSO verification fails or does not redirect back to Glean | The apps-be.glean.com verification redirect URI is missing from your OAuth client. | Add https://apps-be.glean.com/central_sso/authorization-code/callback as a redirect URI in your OAuth client. See CWS verification for details. |
