This guide provides step-by-step instructions for configuring Okta as your SSO provider for Glean using SAML 2.0. Single Sign-On (SSO) enables users to access multiple applications with one set of login credentials. Glean supports SSO through OIDC (preferred) or SAML 2.0, both enhancing security while simplifying the login process.

Customized instructions for your tenant are available in the Glean UI at Workspace Settings > Setup > Authentication > Okta SAML.

Prerequisites

Before beginning the setup process, ensure you have:

  • An active Okta administrator account
  • Access to your Glean admin account with Admin or Setup Admin roles
  • Basic understanding of SAML 2.0, SCIM 2.0, and SSO concepts

Glean limits SSO authentication to pre-approved domains. Ensure that you have notified Glean of all domains that will be used for user authentication (e.g., company.com, company.co.jp, subsidiary.co) or SSO will fail.

Okta SAML Configuration

Step 1: Application Setup

First, create a new Application in the Okta Admin Dashboard:

  1. Navigate to Applications > Applications
  2. Click Create App Integration
  3. Select SAML 2.0 and click Next

Step 2: Configure General Settings

Set the following values:

App name (string, required): Glean Search

Download the Glean icon

App visibility (boolean): Check Do not display application icon to users

Glean doesn’t support IdP-initiated SSO. To include a Glean tile in the Okta App Library, create a Bookmark App linking to https://app.glean.com

Step 3: Configure SAML Settings

You’ll need your tenant ID and/or tenant backend domain (format: tenant_name-be.glean.com). Contact Glean support if unsure.

Configure the following SAML settings:

  • Single sign-on URL: https://tenant_name-be.glean.com/authorization-code/callback
    • Use this for Recipient URL and Destination URL
  • Audience URI (SP Entity ID): https://tenant_name-be.glean.com
  • Default RelayState: Leave empty
  • Name ID format: EmailAddress
  • Application username: Email
  • Update application username on: Create and update

Under Attribute Statements, add:

  • Name: Name
  • Name format: Unspecified
  • Value: String.join(" ", user.firstName, user.lastName)

Step 4: Complete Okta Setup

  1. Select I’m an Okta customer adding an internal app
  2. Skip remaining sections and click Finish

Step 5: Copy the Metadata URL

Under the Sign On tab, copy the Metadata URL for use in Glean.

Step 6: Assign Users & Groups

Users must be assigned to access Glean via SSO. We recommend creating a dedicated group (e.g., Glean Users).

  1. Select the Assignments tab
  2. Click Assign
  3. Choose Assign to People or Assign to Groups

Glean SAML Configuration

Step 1: Configure Okta SAML

  1. Navigate to Workspace Settings > Setup > Authentication
  2. Select Okta SAML
  3. Paste the Okta Metadata URL
  4. Click Save

Step 2: Activate SSO

  1. Return to Authentication Settings
  2. Click Switch to Okta SAML SSO
  3. Confirm the switch
  4. Verify Okta SAML shows as Connected

If the switch button isn’t visible, your Glean tenant may still be provisioning. You can proceed with connecting datasources and return later.

(Optional) SCIM Provisioning

Glean supports user deprovisioning via SCIM 2.0. When configured, users removed from Okta are immediately logged out of Glean rather than waiting for session expiration.

Step 1: Configure Glean

  1. Go to Workspace Settings > Setup > Apps
  2. Add Okta SCIM
  3. Copy the bearer token
  4. Note the SCIM connector base URL (format: https://tenant_id-be.glean.com/instance/api/scim/v2)
  5. Enable SCIM-based user deprovisioning

Step 2: Configure Okta SCIM

  1. In your Okta admin dashboard, select the Glean Search app
  2. Enable SCIM provisioning under App Settings
  3. Configure the Provisioning tab with:
    • SCIM connector base URL from Glean
    • Unique identifier: email
    • Enable all provisioning actions
    • Authentication: HTTP Header with Bearer Token
  4. Test the connection

Step 3: Configure Provisioning

Enable the following options:

  • Create Users
  • Update User Attributes
  • Deactivate Users

Keep only these attribute mappings:

  • Username
  • Given name
  • Family name
  • Email

Step 4: Complete Configuration

  1. Push initial users via the Provision User button
  2. Verify SCIM events in Okta’s System Log
  3. Return to Glean and save the SCIM configuration

Testing the Configuration

Test Glean to Okta

  1. Open a new Incognito/Private window
  2. Navigate to https://app.glean.com
  3. Enter your work email and click Log In
  4. Verify successful redirection to Okta

Test Okta to Glean

Attempt to sign in through Okta and verify successful redirection back to Glean.
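If the sign-in fails, it helps to compare the response Okta sends with the SAML settings configured earlier. The script below is an added example, not Glean or Okta code: it takes a base64-decoded SAMLResponse captured from your own test login and lists any field that differs from those settings. The function name, the sample response, and the assumption that the pre-approved domain rule applies to the NameID email are illustrative.

```python
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_response(xml_text, backend_domain, approved_domains):
    """List mismatches with the page's SAML settings; does not verify the signature."""
    acs = f"https://{backend_domain}/authorization-code/callback"
    audience = f"https://{backend_domain}"
    root = ET.fromstring(xml_text)  # parse only responses from your own test login
    problems = []
    if root.get("Destination") != acs:
        problems.append(f"Destination {root.get('Destination')!r} != {acs!r}")
    scd = root.find(".//a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs:
        problems.append("Recipient does not match the single sign-on URL")
    auds = [e.text for e in root.findall(".//a:AudienceRestriction/a:Audience", NS)]
    if audience not in auds:
        problems.append(f"Audience {auds} does not include {audience!r}")
    nameid = root.find(".//a:Subject/a:NameID", NS)
    if nameid is None or nameid.get("Format") != EMAIL_FMT:
        problems.append("NameID format is not EmailAddress")
    else:
        # Assumption: the pre-approved domain rule applies to the NameID email.
        domain = (nameid.text or "").strip().rpartition("@")[2].lower()
        if domain not in approved_domains:
            problems.append(f"email domain {domain!r} is not pre-approved")
    attrs = root.findall(".//a:AttributeStatement/a:Attribute", NS)
    if "Name" not in {a.get("Name") for a in attrs}:
        problems.append("attribute statement 'Name' is missing")
    return problems

# Constructed sample response (signature omitted); values use the page's placeholders.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="https://tenant_name-be.glean.com/authorization-code/callback">
 <a:Assertion><a:Subject>
  <a:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jo@company.com</a:NameID>
  <a:SubjectConfirmation><a:SubjectConfirmationData
   Recipient="https://tenant_name-be.glean.com/authorization-code/callback"/>
  </a:SubjectConfirmation></a:Subject>
 <a:Conditions><a:AudienceRestriction>
  <a:Audience>https://tenant_name-be.glean.com</a:Audience>
 </a:AudienceRestriction></a:Conditions>
 <a:AttributeStatement><a:Attribute Name="Name"><a:AttributeValue>Jo Doe</a:AttributeValue>
 </a:Attribute></a:AttributeStatement></a:Assertion></p:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE, "tenant_name-be.glean.com", {"company.com"}) or "ok")
```

An empty list means the response matches the configured single sign-on URL, audience, Name ID format and Name attribute.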

Test SCIM Provisioning

Verify SCIM configuration by checking:

  1. Bearer Token and SCIM URL accuracy
  2. Enabled provisioning options
  3. User/group assignments
  4. System logs for successful sync events