Super Administrators have several options to ensure secure and efficient user access. Super supports multiple authentication protocols, including OpenID Connect (OIDC), OAuth, and SAML/SCIM, which can be integrated with various SSO providers such as Okta, GSuite, Azure, and Ping.
User provisioning for OIDC/OAuth SSO
Azure
- Navigate to Azure
- Click on Enterprise Applications
- Search for your Super SSO Application
- Under the ‘Manage’ section, select ‘Properties’
- Switch the field ‘Assignment Required’ to Yes
- Under the ‘Manage’ section, select ‘Users and groups’
- Add users that you would like to have access to Super
Okta
- Navigate to the Okta Admin home page
- Open the navigation menu and select ‘Applications’ > ‘Applications’
- Select the active Super SSO app
- Select the ‘Assignments’ tab
- Assign the application to the users you would like to have access to Super
GSuite
- Create a Google group and add the users who should have access to Super
- Navigate to the Super Advanced Setup tab at https://app.glean.com/admin/setup/apps?advanced
- Select ‘Config’
- For ‘Key name’, enter queryapi.gsuiteGroupWhitelist
- For ‘Key value’, enter the google group email address (example: users@glean.com)
- Click the ‘Submit’ button
- You should see a ‘Success’ message at the top of the page
- Exit out of the Advanced Setup tab
Troubleshooting Authentication/Login Issues
Error: Invalid Input
Super restricts which email domains are allowed to log in to a Super customer deployment. This list of allowed email domains is created during deployment setup and can be modified by Super Support. If the user's primary email domain is different from the primary company email domain, reach out to Super Support to confirm whether the user's email domain is in the allow list.
Note: For Azure, a user’s identity information has two email fields, user principal name and email. During the Super login flow, the email field is used. This email domain should be included in the allow list for successful login.
Error: Unable to login with Service Account
Super obtains two required fields from the authentication provider during login: email and name. If you face issues trying to log in to Super with a service account, review the account's identity information in your authentication provider and ensure the email and name fields both have a value.
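As an added example (not Super's own code), the Python sketch below decodes an ID token's payload without verifying its signature, for diagnosis only, and reports the conditions described in this section: a missing email or name, or an email domain outside the allow list. The claim names email, name, preferred_username and upn, the sample identities and the allow list are assumptions constructed for illustration.

```python
import base64
import json

def decode_claims(id_token: str) -> dict:
    """Decode the payload of a compact JWT without verifying it (diagnosis only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def login_findings(claims: dict, allowed_domains: set) -> list:
    """Return the problems this page describes; an empty list means none found."""
    findings = []
    email = (claims.get("email") or "").strip()
    name = (claims.get("name") or "").strip()
    if not name:
        findings.append("name claim missing or empty")
    if not email:
        findings.append("email claim missing or empty")
        # Assumed claim names for the Azure user principal name.
        upn = claims.get("preferred_username") or claims.get("upn")
        if upn:
            findings.append(f"only a UPN is present ({upn}); login uses the email field")
        return findings
    domain = email.rpartition("@")[2].lower()
    if "@" not in email or domain not in {d.lower() for d in allowed_domains}:
        findings.append(f"email domain '{domain}' is not in the allow list")
    return findings

def _make_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token for the demo below."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

ALLOWED = {"example.com"}  # constructed allow list
SAMPLES = {  # constructed identities
    "employee": {"email": "ana@example.com", "name": "Ana"},
    # UPN is in the allowed domain, but the email field is not.
    "contractor": {"email": "bo@partner.example", "name": "Bo",
                   "preferred_username": "bo@example.com"},
    "service": {"preferred_username": "svc-sync@example.com"},
}

if __name__ == "__main__":
    for label, claims in SAMPLES.items():
        print(label, login_findings(decode_claims(_make_token(claims)), ALLOWED) or "ok")
```

The contractor sample fails even though its user principal name is in the allowed domain, which is the Azure case called out in the note above.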
For more information on troubleshooting specific error codes based on your SSO provider please review the following articles: