Knowledge Drop

How do I reference SAML groups by their AccountName values when setting up SAML authentication using Azure Active Directory?

  • 15 June 2021
  • 0 replies
  • 88 views

Last tested: Sep 17, 2020

The Problem

By default, when setting up SAML auth with Azure AD, the SAML groups are brought into Looker by their GUID values. Each group name therefore shows up as a long, unreadable GUID string instead of a human-readable name.

A Solution

One user mentioned that they were able to get Looker to use a different format for their SAML groups from Azure Active Directory; here's the process they used:

  1. In Azure AD go to Azure Active Directory > Enterprise Applications > New Application (at the top) > Non-gallery application (at the top)
  2. Type the name in (e.g. Looker – Production), and click Add
  3. Go to Properties in the new Enterprise Application, enable users for sign-in, disable user assignment required, disable visible to users
  4. Go to Single Sign-On section, select SAML
  5. Edit the basic SAML configuration, set Identifier to whatever (e.g. https://somenonexistentdomain.biz), set the Reply URL to https://<your_looker_server>:9999/samlcallback, and click Save
  6. Edit the User Attributes & Claims, change the “name” claim to user.mail, enable the “Groups returned in claim” option, select the type of group you are using for Looker groups (or select All), set the Source Attribute to your preferred format (I used NetBIOSDomain\sAMAccountName), close the group settings, and then close the User Attributes and Claims settings
  7. Copy the App Federation Metadata Url, paste it into the Looker SAML settings screen, and click “Load”
  8. Copy the AppID from the end of the Federation Metadata Url, and paste it into the SP Entity field in the Looker SAML settings (make sure to precede it with “spn:”)
  9. Paste the normal URLs into the Email, FName, LName, and Groups Attribute fields
  10. Map the groups to the roles using the same format for the groups that you chose when setting up the group claims in Azure
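As an added illustration of steps 8 and 10 (example code, not from the original post or from Looker), the snippet below derives the "spn:<AppID>" SP Entity ID from an App Federation Metadata URL and inspects the group values in a SAML assertion so you can confirm Azure is sending the NetBIOSDomain\sAMAccountName format you chose rather than GUIDs before your role mapping silently matches nothing. It assumes the metadata URL carries the AppID in its `appid` query parameter and that groups arrive in Azure's standard groups claim; the assertion and role map are constructed samples.

```python
import re
import uuid
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Standard claim name Azure AD uses for the "Groups returned in claim" option.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
NETBIOS_RE = re.compile(r"^[^\\]{1,15}\\[^\\]{1,20}$")  # NetBIOSDomain\sAMAccountName, e.g. CORP\looker-admins

def sp_entity_id_from_metadata_url(url: str) -> str:
    """Step 8: the SP Entity ID is 'spn:' + the AppID at the end of the App Federation Metadata URL."""
    appid = parse_qs(urlparse(url).query).get("appid")
    if not appid:
        raise ValueError("metadata URL carries no appid query parameter")
    return f"spn:{appid[0]}"

def group_values(assertion_xml: str) -> list[str]:
    """Raw values of the Azure groups claim in a SAML assertion (empty if the claim is absent)."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == GROUPS_CLAIM:
            values += [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
    return values

def classify_group(value: str) -> str:
    """'guid' when Azure still sends object IDs, 'samaccountname' for DOMAIN\\name, else 'unknown'."""
    try:
        uuid.UUID(value)
        return "guid"
    except ValueError:
        return "samaccountname" if NETBIOS_RE.match(value) else "unknown"

def map_groups_to_roles(assertion_xml: str, role_map: dict[str, str]) -> dict:
    """Step 10: map each group to a role; report unmapped groups with their format so a
    GUID-vs-name mismatch is visible instead of silently granting no role."""
    roles, unmapped = set(), {}
    for group in group_values(assertion_xml):
        if group in role_map:
            roles.add(role_map[group])
        else:
            unmapped[group] = classify_group(group)
    return {"roles": sorted(roles), "unmapped": unmapped}

# Constructed sample assertion: one group in the chosen NetBIOS format, one still a GUID.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS['saml']}"><saml:AttributeStatement>
<saml:Attribute Name="{GROUPS_CLAIM}"><saml:AttributeValue>CORP\\looker-admins</saml:AttributeValue>
<saml:AttributeValue>0f3b6c2e-1111-4a2b-9c3d-000000000001</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion>"""
SAMPLE_ROLE_MAP = {"CORP\\looker-admins": "Admin"}  # constructed Looker group-to-role mapping
```

Any group listed under "unmapped" with format "guid" means that group's claim is still being emitted as an object ID, so either the Source Attribute in step 6 or the mapping in step 10 does not match.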


This content is subject to limited support.