In order to create and/or modify an embed user, we need to use the create_sso_embed_url endpoint, either via the API Explorer, or by using API calls (SDK or standalone), we can change the user attributes that are set by the system as well, like the email, which normally embed users do not have.

To do changes to a specific embed user, we need to use the external_user_id field, this id is the one that identifies SSO embed users in a unique way.

The body of the request should be similar to this (for the API Explorer😞

{
  "target_url": "https://instance.cloud.looker.com/looks/1",
  "session_length": 1,
  "force_logout_login": true,
  "external_user_id": "sso-1",
  "first_name": "Embed",
  "last_name": "User",
  "user_timezone": "",
  "permissions": ["access_data", "download_without_limit", "schedule_external_look_emails", "schedule_look_emails", "see_drill_overlay", "see_lookml_dashboards", "see_looks", "see_user_dashboards"],
  "models": ["looker_model"],
  "group_ids": [],
  "external_group_id": "",
  "user_attributes": {"email": "foobar@gmail.com", "other_attribute": "AAAA"},
  "secret_id": ""
}

The permissions field would vary depending on the use case, on this example we are also defining an email for the embed user with the  user_attributes field (which is a System setting), we can add any other attribute that needs change on that part as well.

The standalone API calls needed for this are:
 

# We need to login first:

$ curl -X POST -d "client_id=XXXX&client_secret=YYYY" \
https://instance.cloud.looker.com/api/4.0/login

# This returns a similar response to this:

{"access_token":"ZZZZ","token_type":"Bearer","expires_in":3599,"refresh_token":null}

# This gives us the authorization token that we can use to make subsequent calls (according to the permissions of the user), and the request for the embed user is like this:

$ curl -X POST -H "Authorization: Bearer ZZZZ" \
--data-raw '                                            
{
  "target_url": "https://instance.cloud.looker.com/looks/1",
  "session_length": 1,
  "force_logout_login": true,
  "external_user_id": "sso-1",
  "first_name": "Embed",
  "last_name": "User",
  "permissions": ["access_data", "download_without_limit", 
                  "schedule_external_look_emails", 
                  "schedule_look_emails", "see_drill_overlay", 
                  "see_lookml_dashboards", "see_looks", 
                  "see_user_dashboards"],
  "models": ["looker_model"],
  "user_attributes": {"email": "foobar@gmail.com", "other_attribute": "AAAA"} 
}' https://instance.cloud.looker.com/api/4.0/embed/sso_url

The response we get for both cases (API Explorer and standalone API), is similar to this:

{"url":"https://instance.cloud.looker.com/login/embed/%2Fembed%2Flooks%2F1?permissions=%5B%22access_data%22%2C%22download_without_limit%22%2C%22schedule_external_look_emails%22%2C%22schedule_look_emails%22%2C%22see_drill_overlay%22%2C%22see_lookml_dashboards%22%2C%22see_looks%22%2C%22see_user_dashboards%22%5D\u0026models=%5B%22looker_model%22%5D\u0026signature=q9PTv6DMFNauwOQaqTbsVOJ5DFA%3D\u0026nonce=%2212f4c970db3743855a42dba71f94e0af%22\u0026time=1668632750\u0026session_length=1\u0026external_user_id=%22sso-1%22\u0026access_filters=%7B%7D\u0026first_name=%22Embed%22\u0026last_name=%22User%22\u0026user_attributes=%7B%22email%22%3A%22foobar%40gmail.com%22%2C%22other_attribute%22%3A%22XXXX%22%7D\u0026force_logout_login=true"}

We need to make a GET request using the URL that is returned so the embed user gets created/updated, using an incognito window/tab works for this (you would usually receive a 401 page, but the change should be seen on the Users page).