SSO Configure

Learn how to set up SAML single sign-on (SSO) in the Glance Portal, including identity provider configuration, key rotation, and vendor-specific settings.

Provision users with Glance single sign-on through the configuration screen. The best way to obtain values for most fields in this screen is to upload a Metadata XML file, which most identity provider operators can provide.

Portal SSO General Configuration

FieldDescription
SSO MethodSets the SSO protocol. Options include Off, SAML 2.0, or Encrypted SAML 2.0. Most SAML customers use standard SAML 2.0 (without encryption).
DescriptionProvides a custom text description of your SAML setup.
Operational StatusSets the deployment state. When first provisioning an account, set this to Provisioning to log SAML authentication attempts in the Access Log. Once stable, change this to Production.

Identity Provider Configuration

Portal SSO Identity Provider Configuration

FieldDescription
Metadata File UploadUploads an XML document furnished by the identity provider. Metadata Discovery Endpoints automatically populate most of the required fields on this provisioning page.
X.509 Public KeyValidates Assertions (tokens sent to Glance) using the public key furnished by your identity provider. The identity provider cryptographically signs Assertions with a matching private key to prevent forgery.
Additional X.509 Public KeyStores an additional public key certificate if your identity provider has supplied one (useful during key rotation).
Identity Provider Endpoint URLDetermines the URL where Glance presents authentication requests. A Metadata Discovery Endpoint document contains this value.
Identity Provider Endpoint TypeDefines how Glance presents authentication requests to your identity provider (using either an HTTPS redirect or an HTTPS POST operation).
Entity IDSets the federation entity ID (or relying party trust identifier) for the Glance service provider. In most cases, this should be set to glance.net/sp/1.
User Identity Attribute NameSpecifies the name of the attribute uniquely identifying the user within the Assertion token. The attribute value must uniquely match the user's Glance Address, Partner User ID, or Email Address.
Encryption CertificateDisplays when Encrypted SAML 2.0 is selected. This is the key certificate Glance uses to decrypt Assertion documents. A Glance staff member will upload the key certificate file and update the portal, providing you with the corresponding public key to share with your identity provider operator.

Note: Encrypted SAML provides an extra measure of security beyond HTTPS. However, most SAML users rely on HTTPS alone rather than using encryption.

Optional Configuration

Portal SSO Optional Configuration

FieldDescription
Unique Account IDRequires a specific value for certain identity providers. For Salesforce accounts, use the Organization ID. For Entra accounts, use the Tenant Unique Name. If set, you can use its value in the idptoken parameter in Service Target URLs. Leave blank if not required.
Redirect for IdP-initiated sessionsRedirects users who initiate single sign-on directly from the identity provider's UI to an appropriate page on the Glance service (e.g., /agentjoin/agentjoin.aspx presents the Cobrowse join page). This must be a relative URL, not an absolute URL starting with https://.
Authentication ContextDefines specific authentication contexts required (or disallowed) by your identity provider when Glance sends single sign-on requests.
ACS Parameter StyleConfigures how your identity provider responds to single sign-on requests using a Glance URL called an Assertion Consumer Service (ACS). Parameters are usually appended to the ACS, but some providers pass them in a separate Relay State element.
Name ID PolicySets the NameID Policy required by your identity provider when Glance sends an SSO request. In most cases, this should specify Email, though some providers require Unspecified.

Changing Public Keys

Glance supports multiple public keys. Each one is used in turn to attempt to validate each SAML Assertion.

From time to time, identity provider operators may replace (rotate) the cryptographic key they use to sign SAML assertions. These steps allow for seamless key-pair changes without the need to actively synchronize downtime between your identity provider and Glance:

  1. The identity provider operator generates a new public/private key pair.
  2. Glance puts the new public key into the provisioning screen as an Additional X.509 Public Key.
  3. The identity provider operator starts using the new key pair.