Skip to main content
Beta: This page contains beta features and may change.
The Glean Ironclad connector indexes and searches core Ironclad CLM data directly within Glean, unifying workflows, executed contracts, and entities into a single, permission-aware experience for teams across legal, sales, finance, and compliance. The connector indexes the following data and enforces Ironclad’s permission model:
  • Indexed objects: Indexes Workflows, Records, and Entities from Ironclad, including core contract metadata (dates, counterparties, governing law, termination terms, status) and full document contents.
  • Permission enforcement: Enforces Ironclad’s own permissions model via OAuth, ensuring users only see contracts and workflows they can already access in Ironclad.
  • Rich search scenarios: Supports advanced contract Q&A and search scenarios, such as:
    • “Do we have an NDA with Company X?”
    • “Show all active agreements with termination for convenience and notice periods.”
  • Unified knowledge: Indexes Ironclad CLM data into Glean so that teams can search and ask questions across contracts, workflows, and related business entities alongside the rest of their enterprise knowledge (docs, tickets, CRM, etc.).

Use cases

Typical high-value use cases include:
  • Targeted search: Find specific contracts or workflows by name, counterparty, or metadata (e.g., “Master Services Agreement Acme 2023”).
  • Contextual Q&A: Answer questions such as:
    • “What are the key terms in the contract [Contract Name]?”
    • “What is [Company] permitted or prohibited from doing under our contract?”
  • Workflow integration: Because results are permission-aware and deep link back to Ironclad, users can both understand contract context in Glean and quickly jump into Ironclad to review or take action.

Supported objects and metadata

Workflows

A contract plus the approvals/signature process.
  • Owned by
  • Created on
  • Document
    • Content
    • Title
  • Counterparty Name
  • Counterparty Signer Name
  • Counterparty Signer Email
  • Stage
    • Review
    • Sign
    • Completed
    • Imported
  • Participants
  • Launch type
  • Participants
  • Additional information/notes
  • Additional documents

Records

Completed/imported contracts (digital file + metadata)
  • Record type
  • Agreement date
  • Expiration date
  • Counterparty Name
  • Counterparty Signer Name
  • Counterparty Signer Email
  • Effective date
  • Status
    • Active
    • Inactive
  • Governing law
  • Termination for convenience
  • Termination Notice period
  • Prediction date
  • Document
    • Content
    • Title

Entities

Business entities you work with (customers, partners, vendors)
  • Name
  • Relationship
  • Status = Active
  • Business type
  • Country

Crawling strategy and update frequency

The Ironclad connector uses Glean’s standard crawl framework for the content crawls (workflows, records, entities). Currently, Ironclad only supports full crawls, which run once per day.
The crawl frequency may change in future updates.

Limitations

Incremental crawl is not supported.

Permissions and scopes

The Ironclad connector utilizes a robust, two-layer OAuth strategy to ensure that Glean search results and AI answers accurately reflect the user’s current permissions within Ironclad.
  1. Admin OAuth configuration (Ironclad OAuth app + client credentials).
  2. Per‑user OAuth authorization (each user grants Glean access to their Ironclad data).
Important: Permissions are persisted efficiently and enforced on every result. Users must complete the per-user OAuth authorization to view any Ironclad content (workflows, records, or entities) within Glean.

Admin OAuth: connector‑level access

As an admin, you create a first-party OAuth client in Ironclad. You then configure the Ironclad connector in Glean by providing the following credentials:
  • Client ID
  • Client Secret
Additionally, specify the Ironclad Environment where your data is hosted (e.g., na1, eu1, or demo). This Environment is predetermined by your Ironclad setup and directs Glean to the correct API domain. Glean uses this access to:
  • Discover schemas (record types, entity schemas, workflow fields, etc.).
  • Crawl content and metadata across:
    • Records
    • Workflows
    • Entities
  • Read user and schema information via SCIM for permission mapping and identity resolution.

Required scopes

When registering the OAuth app in Ironclad, you must grant read‑only scopes that let Glean read the objects it indexes while avoiding overly broad privileges. The required scopes are:
  • public.records.readRecords: read contract records and their metadata.
  • public.records.readSchemas: read schemas for records so Glean understands available fields and types.
  • public.records.readAttachments: read the actual contract documents attached to records.
  • public.workflows.readWorkflows: read workflows (in‑flight and completed), including metadata.
  • public.workflows.readDocuments: read documents attached to workflows.
  • public.entities.readEntities: read entities (customers, vendors, etc.).
  • public.entities.readRelationshipTypes: understand entity relationship types for better search/filtering.
  • scim.users.readUsers: read user information to map identities and enforce permissions.
  • scim.schemas.readSchemas: read SCIM schemas to interpret user data correctly.
All of these are read‑only and scoped to the Ironclad tenant where you register the OAuth app, minimizing risk while enabling accurate indexing and permission mapping.

Per‑user OAuth: user‑level access

On top of admin configuration, each Ironclad user authorizes Glean via OAuth:
  • Glean prompts relevant users (based on your rollout plan) to connect their Ironclad account.
  • Once connected, search results and AI answers in Glean mirror that user’s Ironclad access, ensuring proper permission fidelity.
This model guarantees:
  • Users see only the workflows, records, and entities they could already see in Ironclad.
  • If access changes in Ironclad (e.g., a user loses access to a record), Glean’s enforcement ensures they no longer see that content in Glean after the relevant refresh.

Configuration and setup instructions

This section walks through the end‑to‑end setup for Glean admins and Ironclad admins.

Prerequisites

  • A Glean admin account with access to the Admin console.
  • An Ironclad admin account with permission to:
    • Register OAuth clients.
    • Confirm instance details and regional domain.

Step 1: Add the Ironclad connector in Glean

  1. In Glean, go to Admin console > Datasources.
  2. Search for “Ironclad” and select the Ironclad connector.

Step 2: Determine your Ironclad server domain

  1. Identify the regional domain prefix for your Ironclad instance, usually one of:
    • na1na1.ironcladapp.com
    • eu1eu1.ironcladapp.com
    • demodemo.ironcladapp.com
  2. In the Glean Ironclad connector configuration, enter only the prefix (for example, na1) into the Server domain field. Glean constructs the appropriate API base URL from this value.
If you’re unsure which domain your instance uses, contact your Ironclad account representative.

Step 3: Create an OAuth app in Ironclad

  1. Sign in to Ironclad as an admin.
  2. Navigate to the OAuth client registration area:
    1. Click your profile icon in the top-right corner.
    2. Select Company Settings.
    3. On the left sidebar, select the API tab (requires the Ironclad API add-on).
    4. Click Create new app.
    5. When the pop-up appears, enter a name for the OAuth application and click Create app. This generates a new client application and provides client ID and secret. Save this secret, as you will not be able to access it again.
    6. After closing the modal, complete the required application details, including the Title, Description, and setting the appropriate Grant Types and Requested Resource Scopes (as specified in the prerequisites).
    7. Click Save Changes.
    Note: Ironclad requires the API add-on for your instance to make the API tab visible. For more informatio, see Register an OAuth Client.
  3. When prompted for a redirect URI, copy the URI shown in Glean’s setup instructions. It will have the form: https://<your‑instance>-be.glean.com/instance/ironclad/oauth/verify_code (exact value provided in Glean UI).
  4. Add the following OAuth scopes to the app:
    • public.records.readRecords
    • public.records.readSchemas
    • public.records.readAttachments
    • public.workflows.readWorkflows
    • public.workflows.readDocuments
    • public.entities.readEntities
    • public.entities.readRelationshipTypes
    • scim.users.readUsers
    • scim.schemas.readSchemas
  5. Complete creation of the OAuth client. Save the client credentials (Client ID and Client Secret)—they may only be shown once.
These client credentials are used by Glean’s connector to make authenticated, read‑only API calls to Ironclad.

Step 4: Configure the connector in Glean

Back in the Glean Admin console, in the Ironclad connector configuration:
  1. Enter:
    • Server domain (e.g., na1, eu1, demo).
    • Client ID from the Ironclad OAuth app.
    • Client Secret from the Ironclad OAuth app.
  2. Save the configuration.
Glean can now call Ironclad’s APIs with service‑level read access, within the scopes you granted.

Step 5: Initiate the admin OAuth authorization flow

In the Ironclad connector settings in Glean:
  1. Click Authorize to initiate an OAuth 2.0 authorization flow between Glean and Ironclad.
  2. You’ll be redirected to Ironclad to log in (if not already) and consent on behalf of the organization.
  3. Ensure the user authorizing the connection is an Ironclad admin so that the granted scopes cover the tenant as configured.
Once complete, Glean verifies the credentials and the connector is ready to begin crawling.

Step 6: Enable per‑user OAuth for end users

To ensure permissions mirror Ironclad accurately: Communicate to relevant users (e.g., legal/sales/finance teams) that they should:
  1. Visit Glean.
  2. Complete the Ironclad OAuth connection when prompted, or via their account’s “Connected apps” settings.
  • Only users who complete this step will see Ironclad content; users without Ironclad accounts or OAuth connections will not see any Ironclad results.
  • Once authorized, content will only become visible after the next full crawl. This process typically takes up to 24 hours to complete.