What is a SAML NameID and what happens if it changes?

Knowledge Drop

Last tested: May 5, 2020

'NameID' is the IdP's way of indicating a unique ID for the user who is logging in. IdPs are free to use whatever value they choose. If the IdP bases it on a value that never changes (an employee ID or the like), all is well. If it bases it on something that can change (an email address, for example, which changes when the user is renamed or the email domain changes), the application may not recognise that the person logging in is the same person who logged in previously (and to whom it has tied metadata). At login time, if there is no user with the given NameID value, Looker starts over and does whatever it does for new users; it does not perform a "merge by email" as one might expect, because the existing user holds only a SAML credential and so has no email credential to merge against.

If you run into an issue where NameIDs have changed, you need to go through the following process using the API: delete the affected users' SAML credentials, create email credentials that match the SAML email attribute, kill existing sessions, and force the users to log in again with "merge by email" enabled.

You can use the create email credential endpoint to create the new credentials and the delete SAML auth credential endpoint to remove the old ones.

NOTE: When running this process so that SAML accounts are tethered to already existing users, make sure that the merge-by-email options are limited to Looker (email/password) only. Having other options such as LDAP listed can cause Looker to create a new account even when no existing SAML user matches and the email sent by the IdP matches an existing user account.
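As an added illustration (constructed here, not Looker's code or its API client), the following Python models both halves of this page: the login decision that keys on NameID and only falls back to the email attribute when merge-by-email is enabled, and the remediation steps above. The in-memory UserStore, the unsigned sample assertion and the sess-… identifiers are constructed for the example; the Looker API paths quoted in the comments are assumptions about the endpoints this page refers to and are not called.

```python
"""Constructed model of SAML login keyed on NameID, plus the NameID-change
remediation. Not Looker's code: UserStore stands in for the application's
user table and the Looker API calls are named in comments only."""
import itertools
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned assertion fragment: NameID is an employee ID and a
# separate "email" attribute carries the address. A real assertion must be
# signature-verified before anything is read out of it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">emp-1001</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_subject(assertion_xml):
    """Return (NameID, email attribute) from an already-verified assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("./saml:Subject/saml:NameID", SAML_NS).text.strip()
    email = None
    for attr in root.findall("./saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == "email":
            email = attr.find("saml:AttributeValue", SAML_NS).text.strip()
    return name_id, email


@dataclass
class User:
    id: int
    email: str                              # last email attribute the IdP sent
    saml_name_id: Optional[str] = None      # the SAML credential (credentials_saml)
    email_credential: Optional[str] = None  # Looker email/password credential (credentials_email)
    sessions: List[str] = field(default_factory=list)


class UserStore:
    def __init__(self):
        self.users = {}
        self._ids = itertools.count(1)

    def by_name_id(self, name_id):
        return next((u for u in self.users.values() if u.saml_name_id == name_id), None)

    def by_email_credential(self, email):
        return next((u for u in self.users.values()
                     if u.email_credential and u.email_credential.lower() == email.lower()), None)

    def create(self, email, name_id):
        user = User(id=next(self._ids), email=email, saml_name_id=name_id)
        self.users[user.id] = user
        return user


def saml_login(store, name_id, email, merge_by_email):
    """SP-side decision at login. NameID is the key; the email attribute is only
    consulted when merge-by-email (Looker email/password only) is on, and then
    only a user holding an email credential can be merged into."""
    user = store.by_name_id(name_id)
    if user is not None:
        outcome = "matched_name_id"
    else:
        user = store.by_email_credential(email) if (merge_by_email and email) else None
        if user is not None:
            user.saml_name_id = name_id          # tether the new NameID to the existing user
            outcome = "merged_by_email"
        else:
            user = store.create(email, name_id)  # "start over": a brand-new user
            outcome = "created_new_user"
    user.sessions.append("sess-%d-%d" % (user.id, len(user.sessions) + 1))
    return user, outcome


def remediate_changed_name_ids(store):
    """The page's fix, per user holding a SAML credential. Assumed Looker API
    paths (not called here):
      DELETE /users/{id}/credentials_saml        drop the stale NameID
      POST   /users/{id}/credentials_email       email = SAML email attribute
      DELETE /users/{id}/sessions/{session_id}   for every live session
    After this the next login can only succeed by merge-by-email."""
    touched = []
    for user in store.users.values():
        if user.saml_name_id is None:
            continue
        user.saml_name_id = None
        user.email_credential = user.email
        user.sessions.clear()
        touched.append(user.id)
    return touched


def demo():
    """Same person; the IdP's NameID changes from 'emp-1001' to 'jdoe@example.com'."""
    name_id, email = extract_subject(SAMPLE_ASSERTION)
    # Without remediation: merge-by-email is on, but the original user holds
    # only a SAML credential, so the changed NameID yields a duplicate account.
    store = UserStore()
    first, _ = saml_login(store, name_id, email, merge_by_email=True)
    second, before = saml_login(store, email, email, merge_by_email=True)
    # With remediation: same history, fix applied, then the user logs in again.
    fixed = UserStore()
    orig, _ = saml_login(fixed, name_id, email, merge_by_email=True)
    remediate_changed_name_ids(fixed)
    again, after = saml_login(fixed, email, email, merge_by_email=True)
    return {
        "before": (first.id != second.id, before, len(store.users)),
        "after": (orig.id == again.id, after, len(fixed.users)),
        "sessions_killed": len(orig.sessions) == 1,  # only the post-fix login remains
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the two outcomes side by side: before the fix the second login with the new NameID creates a second user even with merge-by-email on, because merging can only attach to a user that already holds an email credential; after the SAML credential is deleted, an email credential created and the sessions cleared, the same login merges into the original user and no duplicate appears.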

This content is subject to limited support.                

Version history
Last update:
‎05-07-2021 09:06 AM