Note: Customer domain must be provided to Glean before setup

Register a new app

  1. Sign into the Azure portal. Select Azure Active Directory, then App registrations > New registration.

  2. Register an app with the following:

    1. Name: Glean SSO
    2. Supported account types: Accounts in this organizational directory only. Paste link below for the Redirect URI under Web:
https://[customer-domain]-be.glean.com/authorization-code/callback?isExtension=1

  1. Click Register.

  2. Click Authentication under Manage.

  3. Under Web, click Add URI to add this additional link:

https://[customer-domain]-be.glean.com/authorization-code/callback

Configure permissions

  1. On the left side of the navigation on the overview page, click on the API permissions page under Manage.

  2. Click Add a Permission and select Microsoft Graph

  3. Choose Application Permissions and add the following:

    1. openid email offline_access profile
    2. User.Read.All [Optional for SSO only]

  4. If the tenant has Admin Consent requests turned on, then when users attempt to SSO with the set-up app, the user will receive a dialogue to submit an Admin consent request.

Grant admin consent

  1. Ensure you are signed in to Azure as a Global, Application or Cloud Application Administrator.

  2. Use the search box to navigate to Enterprise applications. Select the Glean SSO app created from the list of applications.

  3. Click on Permissions under Security. Review the permissions shown, and then click Grant admin consent.

Generate a SCIM shared secret token (length > 30) locally

  1. Example command to generate token openssl rand -base64 30

  2. Store the SCIM shared secret token in Glean

    1. Visit https://app.glean.com/admin/setup/apps?advanced
    2. Toggle the setting to [Secret]
    3. In the Key name field, add: SHARED_SCIM_SECRET
    4. In the Key value field, add: <token> created in step 1.a
    5. [Save] and verify that a pop-up message “Written” appears

Create Client ID and Secrets

Glean also supports SCIM-based user de-provisioning, which provides a fast path for invalidating sessions for any deactivated/de-provisioned users. More details on setting up Azure SCIM can be found here. Since Azure does not support SCIM with Oauth, we use a separate app for the SCIM integration.

Note: Apps are different. Ensure the scope can be set to “sync all users and groups” to handle de-provisioning for all deactivated users.

Follow the example in https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#getting-started

In SCIM connection settings

  1. Create an Enterprise Application

    1. choose the option to integrate any other application you don’t find in the gallery

  2. Go to the Provisioning tab

    1. Set Automatic
    2. For Tenant URL use
      1. https://[[customer]]-be.glean.com/instance/api/scim/v2
    3. For Secret Token use
      1. The Glean admin can help with setup provide the SHARED_SCIM_SECRET
    4. Click ‘Save’

  3. In the Provisioning tab, in the To App settings, click Edit

    1. Click on Start Provisioning

Upload keys

  1. Scroll to the top of the left sidebar and click Overview.

  2. Copy the following content from the center Essentials panel and paste it into Glean

    1. Application (client) ID
    2. Directory (tenant) ID

  3. Click Save in Glean

Was this page helpful?