These are the steps which we have found with customers to be successful in setting up SSO for your Looker instance using Azure AD.
In your Looker App on the Azure side, we’ll need the Metadata information.
If instead you see an error that looks like “Application ID xxx not found” then update the Audience field to match what is on the Azure Application side. If you see that one of the Metadata fields can’t be found, then be sure it is being set in Azure, and that the name of the Metadata field matches what is in the XML.
Please let us know if there is anything in the above that needs updating!
Thanks Peggy! Looks like the Schema resources you included (steps 9, 10, 11) have been removed - do you have an alternative reference you could share?
@bens1 Hi Ben, for this you would enter the links in these steps as is into the fields within the Admin > SAML page like so:
This appears to be a good resource for setting up Mirror Groups in Azure: https://wiki.resolution.de/doc/saml-sso/latest/all/knowledgebase-articles/technical/jit-and-azure-ad....
As with any SAML provider, you can check to make sure you have the correct value by hitting the Test SAML Authentication button at the bottom of the SAML settings and examining the groups attribute in the raw response, as suggested in Looker’s doc on enabling Mirror SAML groups: https://docs.looker.com/admin-options/security/saml-auth#enabling_mirror_saml_groups. For Azure, it should look something like this by default:
```xml
<Attribute Name='http://schemas.microsoft.com/ws/2008/06/identity/claims/groups'>
    <AttributeValue>
        f3ddf8a9-377b-4ee6-9af2-f9bfa0bdfe21
    </AttributeValue>
</Attribute>
```
In this example, you would select “Groups as values of single attributes,” enter http://schemas.microsoft.com/ws/2008/06/identity/claims/groups for the Groups Attribute, and enter f3ddf8a9-377b-4ee6-9af2-f9bfa0bdfe21 for the SAML Group ID (there may be other SAML Group IDs to enter if the user is a member of multiple groups).
You can also find instructions for referencing your SAML groups by their AccountName values here:
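As an added example (not part of the thread above, and not Looker's own code), here is a small Python script that does what the reply describes by hand: it parses a decoded SAML assertion, pulls the values of the Azure AD groups claim, and turns them into the two settings the Admin > SAML page asks for. The assertion, the second group ID and the user attribute are constructed sample data.

```python
"""Extract Azure AD group claim values from a decoded SAML assertion."""
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

# Default claim name Azure AD uses for the groups attribute (from the thread).
AZURE_GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Namespace of SAML 2.0 assertion elements.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real response): two group memberships plus
# an unrelated attribute; values are padded with whitespace as Azure emits them.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>
        f3ddf8a9-377b-4ee6-9af2-f9bfa0bdfe21
      </saml:AttributeValue>
      <saml:AttributeValue>
        0b1c2d3e-4f50-4a6b-8c7d-9e0f1a2b3c4d
      </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_group_ids(assertion_xml: str, claim_name: str = AZURE_GROUPS_CLAIM) -> list[str]:
    """Return the trimmed values of the given claim, or [] when it is absent.

    An empty result usually means the groups claim is not being emitted on the
    Azure side, or its name does not match the one entered in Looker.
    """
    root = ET.fromstring(assertion_xml)
    for attr in root.iter(f"{{{SAML_NS['saml']}}}Attribute"):
        if attr.get("Name") == claim_name:
            values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
            return [v for v in values if v]
    return []


def mirror_group_settings(assertion_xml: str) -> dict:
    """Values to enter under 'Groups as values of single attributes' in Admin > SAML."""
    return {"groups_attribute": AZURE_GROUPS_CLAIM,
            "saml_group_ids": extract_group_ids(assertion_xml)}


if __name__ == "__main__":
    print(mirror_group_settings(SAMPLE_ASSERTION))
```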