Glean SSO Setup Guide
Introduction
This document details how to integrate your SAML 2.0 SSO identity provider with Glean. This guide will provide information relevant to all SAML identity providers with additional instructions for some of the more popular identity providers.
1. Provide Glean with your identity provider information
To begin a SAML integration will require the following information about your SSO identity provider:
- Which identity provider do you use (for example Shibboleth, Okta or Azure AD)?
- Your identity provider metadata document. We prefer to receive this as a URL (we can also accept an XML file sent via email).
- Which email domains will your users have?
- Does your identity provider require “AuthnRequests” to be signed?
- Are you aware of any expiry date on your SAML signing or encryption certificates?
- Is there a username and password we can use to test the integration with?
- Contact details for your IT team in case we need further details to set up SSO
You can send these details to us at support@glean.co or fill in the form at the bottom of this page: https://glean.co/product/single-sign-on#sso-form
Important - Providing Glean with a user account allows us to test that SSO has been set up correctly, and more easily troubleshoot any issues that arise.
And as we’re based in the UK, we can get things set up and make sure it's working during our office hours.
2. Add Glean’s service provider information
Once we have received your identity provider information our team will be able to provide you with a URL containing our service provider metadata document. You may also require the following information:
- Entity ID:
https://sso.glean.co/auth/realms/glean
- Required NameId policy:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- Required attributes:
- “mail” (the user’s email address)
- “displayName” (the user’s full or preferred name)
- ACS/Redirect URL:
- This is unique to your organisation and will be listed in the metadata document we share under <d:AssertionConsumerService/>.
- The URL will be similar to:
https://sso.glean.co/auth/realms/glean/broker/saml.PROVIDER.EXAMPLE/endpoint
You should then import the service provider metadata document provided by Glean and release the user attributes "mail" and "displayName" to Glean. See the Testing section of this document for information on how to sign in to Glean.
3. Examples
This section describes examples of setting up Glean as an SAML service provider with Azure Active Directory, Okta, Google Workspace and Shibboleth Identity Provider 4.
Azure Active Directory example
The following steps are required to set up Glean as a service provider with Azure Active Directory (also known as Microsoft Entra ID).
- Log in to Azure Portal as a user with permissions to create enterprise applications for your Azure AD.
- Navigate to the Enterprise applications service of the Azure Active Directory that will be used for the integration and select New application.
- Select Create your own application on the Browse Azure AD Gallery page
- Provide a name of the application - we suggest Glean. Set "What are you looking to do with your application?" to "Integrate any other application you don’t find in the gallery (Non-gallery)". Click Create.
- Select the Single sign-on option in the Manage menu and choose SAML.
- Scroll down to the SAML Certificates section of the SAML-based Sign-on page and provide Glean with the URL under App Federation Metadata Url.
- Glean will respond with a URL containing the SAML service provider metadata document for your organisation. Select Edit on the Basic SAML Configuration section of the page and enter the following information and select Save:
- Identifier (Entity ID):
https://sso.glean.co/auth/realms/glean
- Reply URL (Assertion Consumer Service URL)
- This will be listed in the metadata document we share under <d:assertionconsumerservice>. The URL will be similar to:
https://sso.glean.co/auth/realms/glean/broker/saml.entra.EXAMPLE/endpoint
- Select Edit on the Attributes & Claims section of the page. Select Add new claim to add claims with the names "mail" and "displayName" mapped to your user’s attributes. Inform Glean if you require these attributes to have different names.
- The setup is now complete. See the Testing section of this document for information on how to sign in to Glean.
Okta example
- Log into the Okta Admin Console.
- Go to Applications > Applications.
- Click ‘Create App Integration’.
- Select ‘SAML 2.0’ as the Sign-in method and click ‘Next’.
- Provide a name of the application - we suggest Glean.
- Click ‘Next’.
- Enter the SAML Settings
- Single sign-on URL (will be provided by Glean) similar to:
https://sso.glean.co/auth/realms/glean/broker/saml.okta.EXAMPLE/endpoint
- Audience URI :
https://sso.glean.co/auth/realms/glean
- Name ID format: EmailAddress
- Application username: Email
- Add attributes for displayName and email.
- Please provide Glean with the metadata URL for us to complete the configuration.
- The setup is now complete. See the Testing section of this document for information on how to sign in to Glean.
Google Workspace example
The following steps are required to set up Glean as a service provider with Google Workspace.
- Log in to Google Workspace Admin Console as a user with administrator access. https://admin.google.com/
- Navigate to Apps, Web and mobile apps, Add app, Add custom SAML app
- Add an appropriate name, description and icon for Glean
- Download the IdP metadata document and email the XML file to Glean
- Enter Glean’s service provider details:
- ACS URL - this is unique to your organisation and will be listed in the metadata document we share under <d:AssertionConsumerService/>. You can use a placeholder value and edit this later. The URL will be similar to:
https://sso.glean.co/auth/realms/glean/broker/saml.google.EXAMPLE/endpoint
- Entity ID:
https://sso.glean.co/auth/realms/glean
- Name ID format - EMAIL
- Name ID - Basic information > Primary email
- Map your user fields to Glean’s required service provider attributes:
- "Basic Information > Primary email" to "mail"
- "Basic Information > First name" to "displayName"
- Expand the "User Access" section of the app to enable the application
- Select "ON for everyone" and "SAVE"
- The setup is now complete. See the Testing section of this document for information on how to sign in to Glean.
Shibboleth Identity Provider 4 example
The following steps are required to set up Glean as a service provider with Shibboleth Identity Provider 4. The steps for other versions are likely to be similar. Note that “SHIBBOLETH_BASE” refers to the directory in which Shibboleth has been installed. This is commonly “/opt/shibboleth-idp” on Unix based systems.
Share your identity provider metadata document with Glean. We prefer to receive this as a URL (for example https://idp.example.org/idp/shibboleth), however we can also accept an XML file sent via email.
Check email address has been added as a NameId format in the SAML2NameIDGenerators section of the SHIBBOLETH_BASE/conf/saml-nameid.xml file.
<!-- SAML 2 NameID Generation --> <util:list id="shibboleth.SAML2NameIDGenerators"> <ref bean="shibboleth.SAML2TransientGenerator" /> <bean parent="shibboleth.SAML2AttributeSourcedGenerator" p:omitQualifiers="true" p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" p:attributeSourceIds="#{ {'mail'} }" /> </util:list>
- Add a <MetadataProvider> block with the provided service provider metadata endpoint inside of the top level <MetadataProvider> block in the SHIBBOLETH_BASE/conf/metadata-providers.xml file.
<MetadataProvider id="Glean" xsi:type="FileBackedHTTPMetadataProvider" backingFile="%{idp.home}/metadata/sp-metadata-glean.xml" metadataURL="https://sso.glean.co/auth/realms/glean/broker/saml.shibboleth.EXAMPLE/endpoint/descriptor" failFastInitialization="false"/>
- Add an <AttributeFilterPolicy> releasing the "displayName" and "mail" attributes to Glean inside a <AttributeFilterPolicyGroup> block in the SHIBBOLETH_BASE/conf/attribute-filter.xml file.
<AttributeFilterPolicy id="glean-afp"> <PolicyRequirementRule xsi:type="Requester" value="https://sso.glean.co/auth/realms/glean" /> <AttributeRule attributeID="mail" permitAny="true" /> <AttributeRule attributeID="displayName" permitAny="true" /></AttributeFilterPolicy>
- The setup is now complete. See the Testing section of this document for information on how to sign in to Glean.
4. Testing
To test SSO has been successfully set up you should try to sign in to Glean. If you do not have an existing account, please request that your organisation’s Glean administrator sends you an invitation from the Glean Admin dashboard.
User with an existing Glean account
- Go to https://app.glean.co/
- Select “Sign in with SSO”
- Enter the email address of your test user and select “Continue”
- You should be redirected to your identity provider’s login page.
- Complete sign-on with your provider.
- You should be returned to the Glean application and signed-in.
User without a Glean account
- Ask your organisation’s Glean administrator to send you an invitation from the Glean Admin dashboard.
- Select the “Start using Glean” or “Join now” button in the invitation email you will then receive.
- Select "Sign up with SSO"
- Complete sign-on with your provider.
- You should be returned to the Glean application. Agree to the Glean Service Agreement and select "Create Account"
- You should be signed into the Glean and see an introduction video.