Knowledge Drop

What happens to SAML shadow groups when disabling SAML?


Last tested: Jul 23, 2019

Nothing immediately, but as of Looker 6.14, a shadow group will go away 31 days after the last login of a user in that group.

After Looker 6.14:

Each group is intended to persist as long as some user is a member of the group. The change made is intended to deal with two loopholes:
1) The code previously only checked for orphan groups to delete when some user logged in through that authentication system. So, if you turned off LDAP and started using SAML, the LDAP groups would never be cleaned up.
2) Because it is common for some users to stop logging into Looker, and a user's group membership is reset only when they log in, there could be groups that always appeared to have a user because that user had not logged in for so long. We've set a 31 day limit so that any user who has not logged in for that long automatically loses membership in such a group, giving the group a better chance of eventually being cleaned up.

So Looker's behaviour is:

  1. Delete all the externally managed groups when the auth config is deleted.
  2. When the IdP is disabled, do not count users who have not logged in via that auth method in the last 31 days when deciding whether a group still has members.


Before 6.14:

Before 6.14, shadow groups stick around as long as there are users in them. That is, if you change auth methods (disable SAML) and there are still users in those groups, the groups persist for as long as they have members, regardless of when those members last logged in.
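The two retention rules above, modelled as an added example that is not Looker's own code: it decides which externally managed groups would be cleaned up under the 6.14 behaviour versus the pre-6.14 behaviour. The user and group records are constructed sample data, and the treatment of a login exactly 31 days old as still counting is an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

STALE_AFTER = timedelta(days=31)  # cutoff introduced in Looker 6.14


@dataclass
class User:
    name: str
    auth_method: str      # auth system the user logs in through, e.g. "saml"
    last_login: datetime  # last login via that auth method


@dataclass
class ShadowGroup:
    name: str
    auth_method: str      # external auth system that manages this group
    members: list = field(default_factory=list)


def live_members(group, now, pre_614=False):
    """Members that still count toward keeping the group alive."""
    if pre_614:
        return list(group.members)  # before 6.14: any member keeps the group
    # 6.14: a member only counts if they logged in within the last 31 days
    # (assumption: exactly 31 days still counts)
    return [u for u in group.members if now - u.last_login <= STALE_AFTER]


def groups_to_delete(groups, now, deleted_auth_configs=(), pre_614=False):
    """Names of externally managed groups that the cleanup would remove."""
    doomed = []
    for g in groups:
        if g.auth_method in deleted_auth_configs:
            doomed.append(g.name)  # rule 1: the auth config itself was deleted
        elif not live_members(g, now, pre_614):
            doomed.append(g.name)  # rule 2: no member with a recent login
    return doomed


# Constructed sample data: "now" is the date this article was last tested.
NOW = datetime(2019, 7, 23)
alice = User("alice", "saml", datetime(2019, 7, 20))  # fresh login
bob = User("bob", "saml", datetime(2019, 5, 1))       # stale, > 31 days
carol = User("carol", "ldap", datetime(2019, 1, 15))  # stale, IdP turned off
SAMPLE_GROUPS = [
    ShadowGroup("saml_admins", "saml", [alice, bob]),
    ShadowGroup("saml_finance", "saml", [bob]),
    ShadowGroup("ldap_ops", "ldap", [carol]),
]

if __name__ == "__main__":
    print("6.14 cleanup:", groups_to_delete(SAMPLE_GROUPS, NOW))
    print("pre-6.14 cleanup:", groups_to_delete(SAMPLE_GROUPS, NOW, pre_614=True))
```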




