Last tested: May 19, 2020
When "Mirror SAML Groups" is toggled on in your instance's SAML settings, it will create a new group in Looker based off of the IdP-side group you input.
A question was asked, "if the IdP side group has the same name as an existing Looker group, will saving those settings merge the two groups together in Looker?"
No, SAML-mapped groups are treated as a separate thing and if the group name you save when "Mirror SAML Groups" is toggled on matches the name of an existing Looker group you will see the below error when trying to save your SAML settings.
group named <name of group> already exists. 'saml_group'.
This content is subject to limited support.
If you assign a user to a role that was created outside of the SAML group/roles (with mirror SAML groups turned on), which permissions will the user have?
For example: if you change the permissions in the SAML group to be viewer only, but the non-SAML group is user, and someone is in both groups (because you cannot remove users from SAML groups), will that user have the SAML permissions, or the non-SAML group permissions?
I think permissions are additive but something to test would be that each time the user re authenticates (cos it doesn’t happen every time) is that your manual groups don’t get wiped, I had a feeling but not sure I ever tested this in the past that the user groups would get recalculated on auth with the result only being the groups from saml.
Yeah, it looks like SAML is the ruling factor there, based on what I’ve seen so far.