Okta (SAML)
This guide provides instructions for configuring Okta as the SSO provider for Glean using SAML 2.0.
Single Sign-On (SSO) is a user authentication service that permits a user to use one set of login credentials to access multiple applications. Glean supports SSO with Okta using OIDC (preferred) or SAML 2.0, both of which enhance security and simplify the login process for end users. To learn more about using OIDC with Okta, see Okta (OIDC).
Complete SSO setup in both Okta and the Glean Admin console.
Customized instructions for your Glean environment are available in the Admin console:
Admin Console → Users & permissions → Single sign-on (SSO)Requirements and prerequisites
Meet the following requirements:
- An active Okta administrator account
- Admin or Setup Admin role access to Glean
- Your tenant backend domain, found in the Server instance (QE) field at app.glean.com/admin/about-glean
- A basic understanding of SAML 2.0, SCIM 2.0, and SSO concepts
Glean restricts SSO authentication to pre-approved domains. Notify Glean of all domains that will be used for user authentication or else SSO will fail.
For example: company.com, company.co.jp, and subsidiary.co
Setting up SSO before workspace initialization
If you're configuring SSO through Central Workspace Settings (CWS), a service that allows admins to configure SSO before a dedicated workspace is provisioned, you'll receive a magic link from Glean to access CWS at app.glean.com/admin.
Okta admin dashboard steps
To set Okta as your SSO provider, complete the following steps in the Okta admin dashboard:
- Create the Glean SAML application
- Configure SAML settings
- Copy the metadata URL
- Assign users and groups
Create the Glean SAML application
Create a SAML 2.0 application in Okta for Glean.
- In the Okta admin dashboard, navigate to Applications → Applications.
- Click Create App Integration.
- Select SAML 2.0 and click Next.
- Add the following details:
- App name (required):
Glean Search - App logo: Download this Glean icon
- App visibility: Check Do not display application icon to users
- App name (required):
- Click Next.
Glean doesn't support IdP-initiated SSO. To include a Glean tile in the Okta App Library, create a Bookmark App linking to https://app.glean.com.
For more information on how to create a SAML app integration in Okta, see Create SAML app integrations.
Configure SAML settings
Configure the following SAML settings:
| Field | Value |
|---|---|
| Single sign-on URL | https://<tenant_id-be.glean.com>/authorization-code/callback |
| Use this for Recipient URL and Destination URL | ✓ |
| Audience URI (SP Entity ID) | https://<tenant_id-be.glean.com> |
| Default RelayState | Leave empty |
| Name ID format | EmailAddress |
| Application username | Email |
| Update application username on | Create and update |
Replace <tenant_id-be.glean.com> with your full backend domain.
Under Attribute Statements, add:
| Name | Name format | Value |
|---|---|---|
Name | Unspecified | String.join(" ", user.firstName, user.lastName) |
After completing the SAML settings page, finish the Okta setup:
- Select I'm an Okta customer adding an internal app.
- Skip the remaining sections and click Finish.
SAML settings for CWS
If you are configuring SSO through Central Workspace Settings (CWS) before your dedicated workspace has been provisioned, use the following values instead. During CWS setup, you will access Glean using a magic link provided by Glean. After your workspace is initialized, update these URLs to use your tenant-specific values from the previous section.
| Field | Value |
|---|---|
| Single sign-on URL | https://apps-be.glean.com/central_sso/authorization-code/callback |
| Use this for Recipient URL and Destination URL | ✓ |
| Audience URI (SP Entity ID) | https://apps-be.glean.com |
All other fields remain the same as in the previous section.
Copy the metadata URL
Under the Sign On tab of the Glean Search app, copy the Metadata URL. You will paste this into the Glean Admin console later.
Assign users and groups
Assign users to the Glean Search app to grant them access via SSO. Glean recommends creating a dedicated group such as Glean Users.
- Select the Assignments tab.
- Click Assign.
- Choose Assign to People or Assign to Groups.
Glean Admin console steps
To configure Glean to use Okta as your SSO provider, complete the following steps in the Glean Admin console:
Configure Okta SAML
- In the Glean UI, navigate to Admin Console → Users & permissions → Single sign-on (SSO).
- Select Okta SAML.
- Paste the Okta metadata URL.
- Click Save.
Activate SSO
You must activate SSO in the Admin console before your users can sign in to Glean using SSO.
- Navigate to Admin Console → Users & permissions → Single sign-on (SSO).
- Click Switch to Okta SAML SSO. Glean prompts you to confirm the switch.
After SSO activates, Okta SAML displays in the Glean Single sign-on (SSO) page with a Connected status.
If you don't see the Switch to Okta SAML SSO button, it means that your Glean tenant is still provisioning and you must wait to switch to using SSO.
You can skip ahead to the Add connectors section and return to this step later.
(Optional) SCIM provisioning
Glean supports user deprovisioning via SCIM 2.0. When configured, deactivated users are blocked from authenticating to Glean.
To set up SCIM provisioning, complete the following steps:
- Configure Glean for SCIM
- Configure Okta SCIM
- Configure provisioning
- Push initial users
- Save the Glean SCIM configuration
Configure Glean for SCIM
- Go to Admin Console → Platform → Connectors.
- Add Okta SCIM.
- Copy the bearer token.
- Note the SCIM connector base URL, which has the format
https://<tenant_id-be.glean.com>/instance/api/scim/v2. - Click Enable SCIM-based user deprovisioning check.
Don't click Save yet. Leave this page open and continue to the next step.
If you did click Save, you may have received an error. Ignore it and continue.
Configure Okta SCIM
- In your Okta admin dashboard, select the Glean Search app.
- Enable SCIM provisioning under App Settings.
- Configure the Provisioning tab with:
- SCIM connector base URL: From Glean
- Unique identifier field for users:
email - Supported provisioning actions: Enable all
- Authentication mode: HTTP Header with Bearer Token
- Test the connection.
Configure provisioning
Enable the following provisioning options:
- Create Users
- Update User Attributes
- Deactivate Users
Keep only the following attribute mappings:
- Username
- Given name
- Family name
- Manager
- Department
Push initial users
- Push initial users using the Provision User button.
- Verify SCIM events in Okta's System Log.
Save the Glean SCIM configuration
- Return to the Okta SCIM page in the Glean Admin console.
- Click Save.
Test the configuration
Test your SSO configuration to ensure proper authentication flow between Glean and Okta.
Test Glean to Okta redirect
- Open a new Incognito or Private Browsing window and navigate to app.glean.com.
- Enter your work email and click Log In.
Glean redirects you to Okta to complete the authentication flow.
Test the configuration in an incognito or private browsing window to prevent existing cache, storage, sessions, and cookies from affecting the result.
Test Okta to Glean redirect
When redirected to Okta, sign in. Okta redirects you back to Glean as an authenticated user.
Test SCIM provisioning
If you configured SCIM, verify the following:
- Bearer Token and SCIM URL are correct.
- Provisioning options are enabled.
- Users and groups are assigned to the Glean Search app.
- System logs show successful sync events.
CWS verification
This verification step requires the https://apps-be.glean.com/central_sso/authorization-code/callback Single sign-on URL configured in your Okta application. See SAML settings for CWS for details. After verification is complete, you may remove this URL from your app registration.
- In the CWS Okta SAML setup page, click Complete verification.
- When prompted, sign in to Okta to return to Glean.
Once your workspace initializes, Glean prompts you to switch to SSO for authentication.
Troubleshooting
If any of the SSO flows fail, consult the following table. If you have issues that persist or issues not mentioned below, contact Glean support.
| Issue | Description | Fix |
|---|---|---|
| Redirect to Okta fails | The SAML application is misconfigured. | Create a new Okta application and carefully follow the configuration steps. Contact Glean support if issues persist. |
| User not assigned | The user isn't assigned to the Glean Search app. | Add the user to the Glean Search app from the Assignments tab. |
| Login fails after Okta redirect | Mismatch in Single sign-on URL, Audience URI, Name ID format, Application username, or Attribute Statements. | Verify the SAML settings against Configure SAML settings. |
| Domain not approved | One or more authentication domains haven't been pre-approved by Glean. | Notify Glean support of all email domains that your users will be authenticating from. |
| Found empty SCIM users! | Okta isn't pushing users to Glean. | Verify the Okta SCIM configuration, confirm user synchronization, and retry saving the Glean SCIM configuration. |
| CWS SSO verification fails or does not redirect back to Glean | The apps-be.glean.com Single sign-on URL is missing from your Okta application. | Add https://apps-be.glean.com/central_sso/authorization-code/callback as the Single sign-on URL in your Okta application. See SAML settings for CWS for details. |