Glean Administrators have several options to ensure secure and efficient user access. Glean supports multiple authentication protocols, including OpenID Connect (OIDC), OAuth, and SAML/SCIM, which can be integrated with various SSO providers such as Okta, GSuite, Azure, and Ping.
User provisioning for OIDC/OAuth SSO
Azure
- Navigate to Azure
- Click on Enterprise Applications
- Search for your Glean SSO Application
- Under the ‘Manage’ section, select ‘Properties’
- Set the ‘Assignment Required’ field to Yes
- Under the ‘Manage’ section, select ‘Users and groups’
- Add users that you would like to have access to Glean
Okta
- Navigate to the Okta Admin home page
- Open the navigation menu and select ‘Applications’ > ‘Applications’
- Select the active Glean SSO App
- Select the ‘Assignments’ tab
- Assign the application to the users you would like to have access to Glean
GSuite
- Create a Google Group and add the users who should have access to Glean to the group
- Navigate to the Glean Advanced Setup tab by following the URL https://app.glean.com/admin/setup/apps?advanced
- Select ‘Config’
- For ‘Key name’, enter queryapi.gsuiteGroupWhitelist
- For ‘Key value’, enter the Google Group email address (example: users@glean.com)
- Click the ‘Submit’ button
- You should see a ‘Success’ message at the top of the page
- Close the Advanced Setup tab
Troubleshooting Authentication/Login Issues
Error: Invalid Input
Glean restricts which email domains are allowed to log in to a Glean customer deployment. This list of allowed email domains is created during deployment setup and can be modified by Glean Support. If the user's primary email domain differs from the primary company email domain, reach out to Glean Support to confirm whether the user's email domain is on the allow list.
Note: For Azure, a user’s identity information has two email fields, the user principal name (UPN) and the email. During the Glean login flow, the email field is the one used, so the domain of that email field, not the UPN, must be on the allow list for login to succeed.
Error: Unable to login with Service Account
Glean requires two fields from the authentication provider during login: email and name. If you have trouble logging in to Glean with a service account, review the account's identity information in your authentication provider and ensure that both the email and name fields have a value.
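The two checks behind the errors described above, modelled as an added example so an administrator can reproduce the triage locally. This is not Glean's code: Glean's checks run server-side and are not published on this page, and only the two error names are taken from it. The allow list, the claim names `email`, `name` and `userPrincipalName`, and the sample identities are assumptions constructed for illustration.

```python
"""Model of the two login checks from the troubleshooting section.

Added example, not Glean's code. The error names are the ones the page uses;
the claim names and allow list below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Constructed stand-in for the per-deployment allow list that Glean Support
# maintains (hypothetical domains).
ALLOWED_EMAIL_DOMAINS = {"example.com", "contractors.example.net"}


@dataclass(frozen=True)
class LoginCheck:
    ok: bool
    error: Optional[str]  # error name as the page spells it, or None on success
    reason: str


def _email_domain(email: str) -> str:
    # Domain is everything after the last '@', compared case-insensitively.
    return email.rsplit("@", 1)[-1].strip().lower()


def check_login_claims(claims: dict, allowed_domains=ALLOWED_EMAIL_DOMAINS) -> LoginCheck:
    """Apply the page's two checks to one identity's claims (assumed claim names).

    1. 'Unable to login with Service Account': `email` and `name` must both be
       present and non-empty.
    2. 'Invalid Input': the domain of the `email` claim must be on the allow
       list. For Azure the `email` field is used, not the user principal name,
       so a `userPrincipalName` on an allowed domain does not rescue a
       non-allowed `email`.
    """
    email = (claims.get("email") or "").strip()
    name = (claims.get("name") or "").strip()
    missing = [field for field, value in (("email", email), ("name", name)) if not value]
    if missing:
        return LoginCheck(False, "Unable to login with Service Account",
                          "required field(s) missing or empty: " + ", ".join(missing))
    domain = _email_domain(email)
    if domain not in {d.lower() for d in allowed_domains}:
        return LoginCheck(False, "Invalid Input",
                          f"email domain '{domain}' is not on the allow list")
    return LoginCheck(True, None, "email and name present; domain allowed")


# Constructed sample identities: (label, claims as the provider would send them).
SAMPLE_IDENTITIES: Tuple[Tuple[str, dict], ...] = (
    ("alice", {"email": "alice@example.com", "name": "Alice Example"}),
    # Azure user whose UPN is on the company domain but whose email is not.
    ("bob-azure", {"userPrincipalName": "bob@example.com",
                   "email": "bob@partner.example", "name": "Bob"}),
    # Service account with an email but no display name.
    ("svc-indexer", {"email": "svc-indexer@example.com", "name": ""}),
    # Mixed-case domain must still match.
    ("carol", {"email": "carol@Example.COM", "name": "Carol"}),
)


def summarize(identities: Iterable[Tuple[str, dict]]) -> Dict[str, int]:
    """Count outcomes over a batch of identities, keyed by 'ok' or the error name."""
    counts: Dict[str, int] = {}
    for _label, claims in identities:
        result = check_login_claims(claims)
        key = "ok" if result.ok else result.error
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for label, claims in SAMPLE_IDENTITIES:
        result = check_login_claims(claims)
        print(f"{label:12s} {'OK' if result.ok else result.error:36s} {result.reason}")
    print(summarize(SAMPLE_IDENTITIES))
```

Running the block prints one line per sample identity with the error name it would hit and why; the Azure case shows that an allowed UPN does not help when the email claim is on another domain, which is the situation the note above describes.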
For more information on troubleshooting specific error codes for your SSO provider, please review the following articles: