SSO Embed URL Parameters

Knowledge Drop

Last Tested: Jun 17, 2019

All SSO embed parameters can be found here!

  • nonce is a value that identifies this request (16 character hexadecimal string). It shouldn’t be re-used (it’s a single sign-on) and should come from by a secure random number generator.
  • time is a timestamp to identify when the session begins.
  • session_length is how long a user should be authenticated (in seconds). Pick something reasonable (no more than 30 days)
  • external_user_id is Looker instance user ID of the user being authenticated - customers should be using a unique identifier for their users. This is how Looker maps SSO uri’s to actual Looker users. This is not the user id in Looker and can be a string.
  • permissionsshould be a grouping of Looker permissions, comma separated list of single quoted elements
  • models is a group of models your user will have access to. Make sure they’re spelled correctly and in quotes.
  • group_ids: This is a list of the actual id of groups in Looker. You may leave this empty if you want to use the default for the instance, which is All Users with Access to Shared Spaces.
  • external_group_id: A unique identifier for the group the user belongs to in the application that is embedding Looker, if desired. Users who have permission to save content, and share an external group ID, will be able to save and edit content in a shared Looker Space called “Group”.
  • user_attributes: The list of user attributes the user should have, if any. Contains a list of user attribute names followed by the user attribute value. In JSON, ex: { "vendor_id" : 17, "company" : "acme"}
  • access_filters: this parameter is required, but it can contain an empty hash. As of Looker 3.10 that is our suggestion; user attributes are a superior way to achieve the same result.
  • first_name will be the first name of your authenticated Looker user, as displayed in Looker - if left blank, will retain the value from the last request, or be “Embed” if no first name has ever been set.
  • last_name will be the last name of your authenticated Looker user, as displayed in Looker - If left blank, will retain the value from the last request, or be “Embed” if no last name has ever been set.
  • user_timezone works if user-specific time zones are enabled, then you can set or update the user timezone here
  • force_logout_login: Either true or false. This only applies if a normal Looker user is logged into Looker already. In general, it is recommended to keep this set to true to avoid confusion arising from using an existing session instead of applying the parameters specified in the URL.
  • signature will be generated by your code. It is used by Looker to verify that the secret used to sign the request is valid and that the parameters that are present in the request are identical to those that were signed when the signature was generated.

    This content is subject to limited support.                

Version history
Last update:
‎04-05-2021 03:15 PM
Updated by: