REQUIRED USER ROLE: Administrator | PERMISSION OVERVIEW: View permissions by role
With SSO activated, users can log into Gladly without needing a separate username and password. If SSO is already implemented in your company, they can use the same credentials they already use to access other services and applications under the umbrella of your Identity Provider.
Before you start
Before you activate SSO, we recommend that you first review the following:
SSO is not required to use Gladly, but we strongly encourage using it if you already use SSO internally to access other apps and services.
If using SSO, all users are required to use SSO to access Gladly. You can't have some users on SSO and some that are not.
Different SSO solutions cannot be mixed. For example, you can't use Google SSO and Okta simultaneously.
Once SSO is activated and properly configured, adding users to Gladly triggers a Gladly user invitation to those users.
Only upload new users to Gladly once SSO is activated.
Activate SSO for Gladly
Complete the Single-Sign-On Setup first through your SSO provider before proceeding with the steps below.
Click [icon] on the top left corner of the screen.
Click Settings.
Under the Security and Compliance category, click Single Sign-On.
Configure the following options from the Single Sign-On page:
Use SSO – Inactive by default. Click the toggle so it's green to activate SSO.
Once SSO is activated, a few more options appear that you'll need to configure:
Force users to reauthenticate – Inactive by default. While inactive, users who log out of Gladly but still have an active SSO session (e.g., Okta, Azure, etc.) are automatically reauthenticated if they access Gladly again. If activated (toggle is green), users must reauthenticate if they log out of Gladly (closing the Gladly tab or going away does not count as logging out).
Next, set up your identity provider details.
[A] Fetch metadata from URL (Upon Save) – Paste the Metadata URL, found in your SSO provider's settings, in this field, then click Save. Clicking Save fetches the metadata XML and pastes it in the [B] Metadata field.
[B] Paste Metadata – This contains the metadata XML fetched from [A] upon clicking Save. For SSO providers like Google Workspace that don't support metadata URL lookup, you can paste the plain XML downloaded from the provider in this field.
Generate new metadata
Gladly automatically fetches metadata using the Fetch metadata from URL link upon clicking Save. If the metadata has changed due to an update (e.g., new SAML certificate), clicking Save automatically fetches the updated metadata.
Reference metadata and ACS URL
Some identity providers like Google Workspace require you to provide the Gladly ACS URL and Entity ID/Meta URL to configure SSO. This information can be found in the bottom section of the Single Sign-On settings page.
Allow JIT (Just-in-Time) User Provisioning
Automatically create Gladly user accounts once they are provisioned through your SSO provider. You must first activate SSO for Gladly before you can enable JIT user provisioning.
Okta and PingOne Support
JIT provisioning is currently only available through Okta and PingOne (Ping Identity).
Once SSO is activated and successfully configured, toggle the Create new user on first login option so it's green to expose the Identity Provider Attribute Mappings settings toward the bottom of the page.
Next, you'll have the option to configure default Gladly user role(s) and Inbox(es) for users based on their SAML attributes.
Click Default Roles [A] to view a list of all Gladly roles. By default, and without adding SAML attributes, users you create through your IdP (Identity Provider) will automatically get provisioned in Gladly with the role(s) chosen here. Select the role(s) you want to assign by default.
Assign role based on SAML Attribute – To assign specific Gladly role(s) to provisioned users based on their SAML attribute, click + Add Role Mapping, then complete the following fields:
SAML Attribute – Enter the SAML Attribute name. For example, email.
SAML Attribute groups
Creating a group attribute in your IdP allows you to provision a specific group of users in bulk with specific roles. For example, you can set up a groupID attribute that's assigned to users destined to be Gladly Administrators so they are assigned the Administrator role.
SAML Attribute Value – Based on the SAML Attribute, enter the value. For example, if the attribute is email, the value is the email address, e.g., [email protected].
Roles – Select the role(s) that users mapped to the SAML Attribute will be assigned.
Click Default Inboxes [B] to view a list of all Inboxes. By default, and without adding SAML attributes, users you create through your IdP (Identity Provider) will automatically get provisioned in Gladly and assigned to the Inbox(es) chosen here. Select the Inbox(es) you want to assign by default.
Assign role based on SAML Attribute – To assign specific Gladly role(s) to provisioned users based on their SAML attribute, click + Add Role Mapping, then complete the following fields:
SAML Attribute – Enter the SAML Attribute name. For example, email.
SAML Attribute groups
Creating a group attribute in your IdP allows you to provision a specific group of users with specific roles. For example, you can set up a groupID attribute that's assigned to users destined to be Gladly Administrators so they are assigned the Administrator role.
SAML Attribute Value – Based on the SAML Attribute, enter the value. For example, if the attribute is email, the value is the email address, e.g., [email protected].
Inboxes – Select the Inbox(es) that users mapped to the SAML Attribute will be assigned to.
Click Save.
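To preview what a set of role mappings would grant before enabling JIT provisioning, the sketch below reads the attributes from an assertion and applies the mapping rows to them. It is an added example, not Gladly's code: the attribute statement, mapping rows, the "Agent" and "Team Manager" role names and all function names are constructed, and it assumes exact value matching with default roles applied only when no row matches, which the page does not state.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed AttributeStatement, shaped like what an IdP sends on login.
SAMPLE_ATTRIBUTES = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="email">
    <saml:AttributeValue>agent@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="groupID">
    <saml:AttributeValue>support</saml:AttributeValue>
    <saml:AttributeValue>gladly-admins</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

DEFAULT_ROLES = ["Agent"]  # assumed role name for the Default Roles field
ROLE_MAPPINGS = [  # constructed rows, as entered under + Add Role Mapping
    {"attribute": "groupID", "value": "gladly-admins", "roles": ["Administrator"]},
    {"attribute": "email", "value": "lead@example.com", "roles": ["Team Manager"]},
]


def parse_attributes(xml_text):
    """Map each SAML attribute name to the set of values sent for it."""
    attrs = {}
    for attr in ET.fromstring(xml_text).iter(SAML + "Attribute"):
        values = {(v.text or "").strip() for v in attr.iter(SAML + "AttributeValue")}
        attrs.setdefault(attr.get("Name"), set()).update(values)
    return attrs


def resolve_roles(attrs, mappings=ROLE_MAPPINGS, defaults=DEFAULT_ROLES):
    """Roles a first login would receive, plus the mapping rows that matched."""
    hits = [m for m in mappings if m["value"] in attrs.get(m["attribute"], set())]
    roles = sorted({r for m in hits for r in m["roles"]})
    # Assumption: defaults apply only when no mapping row matches.
    return (roles or list(defaults)), hits


def needs_review(attrs, sensitive=("Administrator",)):
    """True when this assertion would auto-provision a sensitive role."""
    roles, _ = resolve_roles(attrs)
    return any(r in sensitive for r in roles)


if __name__ == "__main__":
    print(resolve_roles(parse_attributes(SAMPLE_ATTRIBUTES)))
```

Run it against attribute statements captured from a test login to confirm that only the intended group values lead to the Administrator role.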
Deactivate SSO
Deactivate SSO to stop requiring SSO access for Gladly.
SSO settings preserved
Gladly preserves your current configuration values upon deactivating SSO. You can reactivate SSO anytime without needing to re-enter your previous configuration values.
Click [icon] on the top left corner of the screen.
Click Settings.
Under the Security and Compliance category, click Single Sign-On.
Toggle the Use SSO option so it's gray.
Click Save.