Activate and Manage Single Sign-On

Updated
  • Updated on Sep 29, 2025
  • Published on Jan 30, 2025
  • 4 minute(s) read
Prev Next
REQUIRED USER ROLE 
Administrator
PERMISSION OVERVIEW
View permissions by role

With SSO activated, users can log into Gladly without needing a separate username and password. If SSO is already implemented in your company, they can use the same credentials they already use to access other services and applications under the umbrella of your Identity Provider.

Before you start

Before you activate SSO, we recommend that you first review the following:

  • SSO is not required to use Gladly, but we strongly encourage using it if you already use SSO internally to access other apps and services.

    • If using SSO, all users are required to use SSO to access Gladly. You can't have some users on SSO and some that are not.

    • Different SSO solutions cannot be mixed. For example, you can't use Google SSO and Okta simultaneously.

  • Once SSO is activated and properly configured, adding users to Gladly triggers a Gladly user invitation to those users.  

    • Only upload new users to Gladly once SSO is activated.

Activate SSO for Gladly

Activate SSO for Gladly

Complete the Single-Sign-On Setup first through your SSO provider before proceeding with the steps below.

  1. Click on the top left corner of the screen.

  2. Click Settings.

  3. Under the Security and Compliance category, click Single Sign-On.

  4. Configure the following options from the Single Sign-On page:

    • Use SSO – Inactive by default, click the toggle, so it's green to activate SSO.

  5. Once SSO is activated, a few more options appear that you'll need to configure:

    • Force users to reauthenticate – Inactive by default, it allows users who log out of Gladly but still have an active SSO session (e.g., Okta, Azure, etc.) to automatically reauthenticate if they access Gladly again. If activated (toggle is green), users must re-authenticate if they log out (excluding closing the Gladly tab or going away) of Gladly.

  6. Next, set up your identity provider details.

Options for setting identity provider details with metadata fetching and pasting options.

  • [A] Fetch metadata from URL (Upon Save) – Found in your SSO provider's settings, paste the Metadata URL in this field, then click Save. Clicking Save fetches the metadata XML and pastes it in the [B] Metadata field.

  • [B] Paste Metadata – This contains the metadata XML fetched from [A] upon clicking Save. For SSO providers like Google Workspace that don't support metadata URL lookup, you can paste the plain XML file in this field downloaded from the provider.

Generate new metadata

Gladly automatically fetches metadata using the Fetch metadata from URL link upon clicking Save. If the metadata has changed due to an update (e.g., new SAML certificate), clicking Save automatically fetches the updated metadata.

Reference metadata and ACS URL

Some identity providers like Google Workspace require you to provide the Gladly ACS URL and Entity ID/Meta URL to configure SSO. This information can be found in the bottom section of the Single Sign-On settings page.

URLs for Gladly Metadata and ACS authentication are provided for user convenience.

Allow JIT (Just-in-Time) User Provisioning

Allow JIT (Just-in-Time) User Provisioning

Automatically create Gladly user accounts once they are provisioned through your SSO provider. You must first activate SSO for Gladly before you can enable JIT user provisioning.

Okta and PingOne Support

JIT provisioning is currently only available through Okta and PingOne (Ping Identity).

  1. Once SSO is activated and successfully configured, toggle the Create new user on first login so it’s green to expose the Identity Provider Attribute Mappings settings towards the bottom of the page.

  2. Next, you’ll have the option to configure a default Gladly user role(s) and Inbox(es) based on their SAML attributes.
    Identity Provider Attribute Mappings for default roles and inboxes configuration.

  3. Click Default Roles [A] to view a list of all Gladly roles. By default, and without adding SAML attributes, users you create through your idP (Identity Provider) will automatically get provisioned in Gladly with the role(s) chosen here. Select the role(s) you want to assign by default.

    • Assign role based on SAML Attribute – To assign a specific Gladly role(s) to provisioned users based on their SAML attribute, click + Add Role Mapping, then complete the following fields:

      • SAML Attribute – Enter the SAML Attribute name that. For example, email.

        SAML Attribute groups

        Creating a group attribute in your idP allows you to provision a specific group of users in bulk with specific roles. For example, setting up a groupID attribute that’s assigned to users destined to be Gladly Administrators and be assigned the Administrator role.

      • SAML Attribute Value – Based on the SAML Attribute, enter the value. For example, if the attribute is email, the value is the email address, e.g., [email protected].

      • Roles – Select the role(s) users mapped to the SAML Attribute will be assigned.

  4. Click Default Inboxes [B] to view a list of all Inboxes. By default, and without adding SAML attributes, users you create through your idP (Identity Provider) will automatically get provisioned in Gladly and assigned to the Inbox(es) chosen here. Select the Inbox(es) you want to assign by default.

    • Assign role based on SAML Attribute – To assign a specific Gladly role(s) to provisioned users based on their SAML attribute, click + Add Role Mapping, then complete the following fields:

      • SAML Attribute – Enter the SAML Attribute name that. For example, email.

        SAML Attribute groups

        Creating a group attribute in your idP allows you to provision a specific group of users with specific roles. For example, setting up a groupID attribute that’s assigned to users destined to be Gladly Administrators and be assigned the Administrator role.

      • SAML Attribute Value – Based on the SAML Attribute, enter the value. For example, if the attribute is email, the value is the email address, e.g., [email protected].

      • Inboxes – Select the Inbox(es) users mapped to the SAML Attribute will be assigned to.

  5. Click Save.

Deactivate SSO

Deactivate SSO to stop requiring SSO access for Gladly.

SSO settings preserved

Gladly preserves your current configuration values upon deactivating SSO. You can reactivate SSO anytime without needing to re-enter your previous configuration values.

  1. Click on the top left corner of the screen.

  2. Click Settings.

  3. Under the Security and Compliance category, click Single Sign-On.

  4. Toggle the Use SSO option so it’s gray

  5. Click Save.

Related docs