Our org uses SAML to allow our users to sign in via SSO. We recently siloed a group that has very limited access allowances to embeds on an internal site, which is great, but it brings up some admin questions for us and I’m curious if anyone has addressed this.

For SAML integrations, is it possible to exclude certain users from being able to sign in directly to Looker and create an account?

In our example, while the users are accessing via embeds, they still have LDAP accounts and if they were a new user (non-disabled) they could log directly in and create an account. Our concern is, we would like to provide base-level permissions to new users that join, but if any user can sign in and get those credentials, we could give certain users too much access.

Based on our LDAP setup, I’d exclude group mirroring as an option. It seems like the best option would be to either exclude groups if that’s possible, or use the API and LDAP to regularly disable accounts based on requirements.