Configure Okta as your SSO provider for Glean using SAML 2.0 authentication
This guide provides step-by-step instructions for configuring Okta as your SSO provider for Glean using SAML 2.0. Single Sign-On (SSO) enables users to access multiple applications with one set of login credentials. Glean supports SSO through OIDC (preferred) or SAML 2.0, both enhancing security while simplifying the login process.
Customized instructions for your tenant are available in the Glean UI at Workspace Settings > Setup > Authentication > Okta SAML
Before beginning the setup process, ensure you have:
Glean limits SSO authentication to pre-approved domains. Ensure that you have notified Glean of all domains that will be used for user authentication (e.g., company.com, company.co.jp, subsidiary.co) or SSO will fail.
Application Setup
First, create a new Application in the Okta Admin Dashboard:
Configure General Settings
Set the following values:
Glean Search
Download the Glean icon
Check Do not display application icon to users
Glean doesn’t support IdP initiated SSO. To include a Glean tile in the Okta App Library, create a Bookmark App linking to https://app.glean.com
Configure SAML Settings
You’ll need your tenant ID and/or tenant backend domain (format: tenant_name-be.glean.com). Contact Glean support if unsure.
Configure the following SAML settings:
Field | Value |
---|---|
Single sign-on URL | https://tenant_name-be.glean.com/authorization-code/callback |
Use this for Recipient URL and Destination URL | ✓ |
Audience URI (SP Entity ID) | https://tenant_name-be.glean.com |
Default RelayState | Leave empty |
Name ID format | EmailAddress |
Application username | Email |
Update application username on | Create and update |
Under Attribute Statements, add:
Name | Name format | Value |
---|---|---|
Name | Unspecified | String.join(" ", user.firstName, user.lastName) |
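To confirm that the settings in the two tables above took effect, the following added example (not part of Glean's or Okta's documentation) checks a captured SAML response for the expected Destination, Recipient, Audience, NameID format and Name attribute. The tenant name acme, the approved_domains parameter and the sample XML are constructed assumptions; the check covers configuration only and does not verify the signature.

```python
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_saml_response(xml_text, tenant_name, approved_domains):
    """Return a list of mismatches against the SAML settings tables (no signature check)."""
    base = f"https://{tenant_name}-be.glean.com"      # Audience URI (SP Entity ID)
    acs = base + "/authorization-code/callback"       # Single sign-on URL
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != acs:
        problems.append("Destination != Single sign-on URL")
    conf = root.find(".//a:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != acs:
        problems.append("Recipient != Single sign-on URL")
    aud = root.find(".//a:AudienceRestriction/a:Audience", NS)
    if aud is None or (aud.text or "").strip() != base:
        problems.append("Audience != SP Entity ID")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not EmailAddress")
    else:
        domain = (name_id.text or "").strip().rpartition("@")[2].lower()
        if domain not in approved_domains:
            problems.append(f"domain {domain!r} not pre-approved")
    attr = root.find(".//a:Attribute[@Name='Name']/a:AttributeValue", NS)
    if attr is None or not (attr.text or "").strip():
        problems.append("Name attribute statement missing or empty")
    return problems

# Constructed, unsigned sample for tenant "acme"; the Audience has a stray trailing slash.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="https://acme-be.glean.com/authorization-code/callback"><saml:Assertion>
 <saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jo@company.com</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData
   Recipient="https://acme-be.glean.com/authorization-code/callback"/></saml:SubjectConfirmation>
 </saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://acme-be.glean.com/</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="Name"><saml:AttributeValue>Jo Doe</saml:AttributeValue>
 </saml:Attribute></saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(check_saml_response(SAMPLE, "acme", {"company.com"}))
```

An empty list means the response matches the values in the tables; each string in a non-empty list names the Okta field to revisit.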
Complete Okta Setup
Copy the Metadata URL
Under the Sign On tab, copy the Metadata URL for use in Glean.
Assign Users & Groups
Users must be assigned to access Glean via SSO. We recommend creating a dedicated group (e.g., Glean Users).
Configure Okta SAML
Activate SSO
If the switch button isn’t visible, your Glean tenant may still be provisioning. You can proceed with connecting datasources and return later.
Glean supports user deprovisioning via SCIM 2.0. When configured, users removed from Okta are immediately logged out of Glean rather than waiting for session expiration.
Configure Glean
https://tenant_id-be.glean.com/instance/api/scim/v2
Do not click Save yet. Leave this page open and continue to the next step (Configure Okta SCIM).
If you did click Save, you may have received an error. Please ignore and continue to the next step.
Configure Okta SCIM
email
Configure Provisioning
Enable the following options:
Keep only these attribute mappings:
Complete Configuration
Configure Glean
Troubleshooting: Redirect to Okta fails
If redirection fails:
Attempt to sign in through Okta and verify successful redirection back to Glean.
Common Issues
Verify SCIM configuration by checking:
Error: Empty SCIM users
If you see “Found empty SCIM users!”: