Does revoking a user on the IdP side affect the user in Looker?

Knowledge Drop

Last tested: June 2021

No. Looker doesn't automatically keep track of whether the user has been revoked on the SAML/LDAP/OIDC/Google side. There is a request to "Force all users to log out" or "Automatically recognize new SAML groups if mapping gets updated", which you can vote for through our feedback system.

So the user will just stay logged in?

Yes. Any users logged in will stay logged in for the remainder of their session (up to 30 days). Of course, once they log out of Looker or otherwise end their Looker session they won't be able to log back in. They will not be deleted or disabled by the Looker system.

Can I force the user to log out?

You can disable the user via the UI, which logs them out.

A robust workaround would be an API script that:

  1. Watches the IdP for when a user is revoked.

  2. Finds the Looker user corresponding to the IdP user, and their current session ID(s).

  3. Kills sessions for that user.

  4. Disables that user.
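
The four steps above as an added Python example, not code from Looker or this article: it diffs two snapshots of active IdP users, then removes the sessions of each matching Looker user and disables the account. `client` is a hypothetical wrapper that returns plain dicts and whose method names mirror the Looker API operations `search_users`, `all_user_sessions`, `delete_user_session` and `update_user`; `FakeLooker` and the sample accounts are constructed.

```python
# Added example, not Looker's code. `client` is a hypothetical wrapper returning
# dicts; its method names mirror the Looker API operations of the same name.

def newly_revoked(previous_active, current_active):
    """Step 1: emails in the last IdP snapshot that are missing from this one."""
    def norm(emails):
        return {e.strip().lower() for e in emails}
    return sorted(norm(previous_active) - norm(current_active))

def offboard(client, email):
    """Steps 2-4 for one revoked email; one report per matching Looker user."""
    reports = []
    for user in client.search_users(email=email):               # step 2
        uid = user["id"]
        report = {"user_id": uid, "killed": [], "errors": [], "disabled": False}
        for session in client.all_user_sessions(uid):           # step 2
            try:
                client.delete_user_session(uid, session["id"])  # step 3
                report["killed"].append(session["id"])
            except Exception as exc:  # keep going so the disable still happens
                report["errors"].append(f"session {session['id']}: {exc}")
        client.update_user(uid, body={"is_disabled": True})     # step 4
        report["disabled"] = True
        reports.append(report)
    return reports

class FakeLooker:
    """Constructed in-memory stand-in so the example runs offline."""
    def __init__(self, users, sessions):
        self.users, self.sessions = users, sessions
    def search_users(self, email):
        return [u for u in self.users if u["email"].lower() == email]
    def all_user_sessions(self, user_id):
        return [{"id": s} for s in self.sessions.get(user_id, [])]
    def delete_user_session(self, user_id, session_id):
        self.sessions[user_id].remove(session_id)
    def update_user(self, user_id, body):
        next(u for u in self.users if u["id"] == user_id).update(body)

def demo():
    looker = FakeLooker(
        [{"id": "7", "email": "Ann@example.com", "is_disabled": False},
         {"id": "8", "email": "bob@example.com", "is_disabled": False}],
        {"7": ["101", "102"], "8": ["201"]})
    revoked = newly_revoked(["ann@example.com", "bob@example.com"], ["bob@example.com"])
    return looker, {email: offboard(looker, email) for email in revoked}
```

Keep the per-user report as the audit record of which sessions were removed, and alert on any non-empty `errors` list.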

This content is subject to limited support.

Last update: 06-04-2021 05:30 PM