This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Set Looker Roles from IdP Groups

on ‎06-14-2021 05:59 PM

LookerExperts
Staff
0 0 200
Knowledge Drop

Last tested: Jul 24, 2020
 

You can set Looker roles based on the groups in your IdP. If you already have users split up into working groups in the IdP, this is a great option as it means you don't have to set new users up in Looker directly. It can also be helpful for ensuring all users in the same team in your organization has the same abilities in Looker without having to use the Looker UI. If the IdP is already used for such things with other applications, it saves a lot of admin oversight.

The specifics of how Looker does this can be a bit confusing, though. First off, if you have group to role pairings turned on, then you won't be able to make lasting changes to a user's role from inside of Looker when using the default advanced settings options - each time they re-authenticate, their role will be re-mapped based on what is found in the IdP. Second, this process uses shadow groups in order to map groups to roles.

When this option is enabled, the admin can specify each external group to be shadowed in the authentication section of the admin panel. Unlike regular groups, roles for shadow groups can only be set in the authentication section and are not editable in the “Users” or “Roles” sections. 

Shadow groups are created automatically in Looker and have names that look like 'shadowing saml config group xx'. You can map these to readable names as of 7.6. They may appear to the end user to be duplicate groups that cannot be deleted or modified in Looker. These groups are created to ensure other, existing Looker groups aren't modified in the mapping process. Their purpose is to fit the groups in the IdP into the Looker permissioning framework.

When group to role mapping is enabled with default advanced settings, you won't be able to add users to Looker groups in a lasting way - that is, every time they re-authenticate, they'll be kicked out of that group. Instead, you can add the shadow group the users are in to the Looker group, which will persist upon re-authentication.

As of Looker 6.14 these groups will be dropped once they have been empty for 31 days. More on that behavior here.

This content is subject to limited support.                

Topic Labels
0 Likes
Version history
Last update:
‎06-14-2021 05:59 PM
Updated by: