Okta SAML Configuration

This guide provides step-by-step instructions for configuring Okta as your SSO provider for Glean using SAML 2.0. Single Sign-On (SSO) enables users to access multiple applications with one set of login credentials. Glean supports SSO through OIDC (preferred) or SAML 2.0, both enhancing security while simplifying the login process.
Customized instructions for your tenant are available in the Glean UI at Workspace Settings > Setup > Authentication > Okta SAML

Prerequisites

Before beginning the setup process, ensure you have:
  • An active Okta administrator account
  • Access to your Glean admin account with Admin or Setup Admin roles
  • Basic understanding of SAML 2.0, SCIM 2.0, and SSO concepts
Glean limits SSO authentication to pre-approved domains. Ensure that you have notified Glean of all domains that will be used for user authentication (e.g., company.com, company.co.jp, subsidiary.co) or SSO will fail.

Okta SAML Configuration

1. Application Setup

First, create a new Application in the Okta Admin Dashboard:
  1. Navigate to Applications > Applications
  2. Click Create App Integration
  3. Select SAML 2.0 and click Next

2. Configure General Settings

Set the following values:
  • App name (string, required): Glean Search
    Download the Glean icon
  • App visibility (boolean): Check Do not display application icon to users
Glean doesn’t support IdP initiated SSO. To include a Glean tile in the Okta App Library, create a Bookmark App linking to https://app.glean.com

3. Configure SAML Settings

You’ll need your tenant ID and/or tenant backend domain (format: tenant_name-be.glean.com). Contact Glean support if unsure.
Configure the following SAML settings:
  • Single sign-on URL: https://tenant_name-be.glean.com/authorization-code/callback
    Use this for Recipient URL and Destination URL
  • Audience URI (SP Entity ID): https://tenant_name-be.glean.com
  • Default RelayState: Leave empty
  • Name ID format: EmailAddress
  • Application username: Email
  • Update application username on: Create and update
Under Attribute Statements, add:
  • Name: Name
  • Name format: Unspecified
  • Value: String.join(" ", user.firstName, user.lastName)

4. Complete Okta Setup

  1. Select I’m an Okta customer adding an internal app
  2. Skip remaining sections and click Finish

5. Copy the Metadata URL

Under the Sign On tab, copy the Metadata URL for use in Glean.

6. Assign Users & Groups

Users must be assigned to access Glean via SSO. We recommend creating a dedicated group (e.g., Glean Users).
  1. Select the Assignments tab
  2. Click Assign
  3. Choose Assign to People or Assign to Groups

Glean SAML Configuration

1. Configure Okta SAML

  1. Navigate to Workspace Settings > Setup > Authentication
  2. Select Okta SAML
  3. Paste the Okta Metadata URL
  4. Click Save

2. Activate SSO

  1. Return to Authentication Settings
  2. Click Switch to Okta SAML SSO
  3. Confirm the switch
  4. Verify Okta SAML shows as Connected
If the switch button isn’t visible, your Glean tenant may still be provisioning. You can proceed with connecting datasources and return later.

(Optional) SCIM Provisioning

Glean supports user deprovisioning via SCIM 2.0. When configured, users removed from Okta are immediately logged out of Glean rather than waiting for session expiration.

1. Configure Glean

  1. Go to Workspace Settings > Setup > Apps
  2. Add Okta SCIM
  3. Copy the bearer token
  4. Note the SCIM connector base URL (format: https://tenant_id-be.glean.com/instance/api/scim/v2)
  5. Click the Enable SCIM-based user deprovisioning checkbox
Do not click Save yet. Leave this page open and continue to the next step (Configure Okta SCIM). If you did click Save, you may have received an error. Please ignore it and continue to the next step.

2. Configure Okta SCIM

  1. In your Okta admin dashboard, select the Glean Search app
  2. Enable SCIM provisioning under App Settings
  3. Configure the Provisioning tab with:
    • SCIM connector base URL from Glean
    • Unique identifier: email
    • Enable all provisioning actions
    • Authentication: HTTP Header with Bearer Token
  4. Test the connection

3. Configure Provisioning

Enable the following options:
  • Create Users
  • Update User Attributes
  • Deactivate Users
Keep only these attribute mappings:
  • Username
  • Given name
  • Family name
  • Email
  • Manager
  • Department

4. Complete Configuration

  1. Push initial users via the Provision User button
  2. Verify SCIM events in Okta’s System Log

5. Configure Glean

  1. Return to the Okta SCIM page
  2. Click Save

Testing the Configuration

Test Glean to Okta

  1. Open a new Incognito/Private window
  2. Navigate to https://app.glean.com
  3. Enter your work email and click Log In
  4. Verify successful redirection to Okta

Test Okta to Glean

Attempt to sign in through Okta and verify successful redirection back to Glean.
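
A check for the SAML settings configured in Okta, as an added example that is not part of Glean's or Okta's documentation: it takes the base64 SAMLResponse form value captured from a test login and lists mismatches against the single sign-on URL, Audience URI, Name ID format, Name attribute statement, pre-approved domains, and the SP-initiated requirement. The function name, the sample response, and the values jane@company.com and _req1 are constructed for illustration; the XML signature is not verified.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_response(b64_response, backend, approved_domains):
    """Mismatches vs. the configured settings. Diagnostic only: no signature check."""
    root = ET.fromstring(base64.b64decode(b64_response))
    acs = f"https://{backend}/authorization-code/callback"
    problems = []
    if root.get("InResponseTo") is None:  # Glean does not support IdP-initiated SSO
        problems.append("no InResponseTo: IdP-initiated response")
    if root.get("Destination") != acs:
        problems.append("Destination != single sign-on URL")
    conf = root.find(".//a:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != acs:
        problems.append("Recipient != single sign-on URL")
    aud = root.find(".//a:Audience", NS)
    if aud is None or (aud.text or "").strip() != f"https://{backend}":
        problems.append("Audience != SP Entity ID")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not EmailAddress")
    email = (name_id.text or "").strip() if name_id is not None else ""
    if email.rpartition("@")[2].lower() not in approved_domains:
        problems.append("NameID domain is not pre-approved")
    name = root.find(".//a:Attribute[@Name='Name']/a:AttributeValue", NS)
    if name is None or not (name.text or "").strip():
        problems.append("Name attribute statement missing")
    return problems

# Constructed sample response (unsigned, placeholder tenant and user).
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="_req1"
 Destination="https://tenant_name-be.glean.com/authorization-code/callback">
<a:Assertion><a:Subject>
<a:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@company.com</a:NameID>
<a:SubjectConfirmation><a:SubjectConfirmationData InResponseTo="_req1"
 Recipient="https://tenant_name-be.glean.com/authorization-code/callback"/>
</a:SubjectConfirmation></a:Subject><a:Conditions><a:AudienceRestriction>
<a:Audience>https://tenant_name-be.glean.com</a:Audience>
</a:AudienceRestriction></a:Conditions><a:AttributeStatement><a:Attribute Name="Name">
<a:AttributeValue>Jane Doe</a:AttributeValue></a:Attribute></a:AttributeStatement>
</a:Assertion></p:Response>"""

if __name__ == "__main__":
    b64 = base64.b64encode(SAMPLE.encode()).decode()
    print(check_response(b64, "tenant_name-be.glean.com", {"company.com"}) or "OK")
```

An empty list means the response matches the configured values; it says nothing about whether the signature is valid.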

Test SCIM Provisioning

Verify SCIM configuration by checking:
  1. Bearer Token and SCIM URL accuracy
  2. Enabled provisioning options
  3. User/group assignments
  4. System logs for successful sync events