Setting up Azure AD SSO with Looker

  • 28 July 2018


These are the steps which we have found with customers to be successful in setting up SSO for your Looker instance using Azure AD.


In your Looker App on the Azure side, we’ll need the Metadata information.



  1. Click the copy button to the right of the box for Federation Metadata Document, to copy this information. You’ll need it on the Looker admin panel

  2. Open a new browser tab.

  3. Log into your Looker instance.

  4. Once you are logged in to the instance, click on the Admin button located in the upper right corner.

  5. After the Admin panel loads, scroll down the left column to SAML which you will find under the Authentication heading.

  6. Click the SAML option, and then be sure to click the option to enable SAML authentication.

  7. Paste the Federation Metadata information that you copied previously on Microsoft Azure into the box for IDP Metadata. Once you have pasted the information, click the button that says “Load” right underneath the box.

  8. Be sure that the IDP Audience field has the value from the Azure application. The most likely value here is going to be the Looker URL, like yourcompany.looker.com. On older Azure portal instances, this would look something like: spn:nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn, where all of the n’s are hexadecimal numbers (1-9,a-f).

  9. Make sure to have the following information in the Email Attr field: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

  10. Add the following information to the Fname Attr field: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

  11. Add the following information to the Lname Attr field: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

  12. Once you’ve added the information to those fields (or verified that they’re already there) scroll further down the page and click the “Test SAML Authentication” button.

  13. If the page that loads says “Server Response Successfully Validated”, you have successfully set up the instance for SAML integration. Click the Update Settings button on the Admin page of the Looker instance you are configuring.


If instead you see an error that looks like “Application ID xxx not found” then update the Audience field to match what is on the Azure Application side. If you see that one of the Metadata fields can’t be found, then be sure it is being set in Azure, and that the name of the Metadata field matches what is in the XML.


Please let us know if there is anything in the above that needs updating!


3 replies


Thanks Peggy! Looks like the Schema resources you included (steps 9, 10, 11) have been removed - do you have an alternative reference you could share?

@bens Hi Ben, for this you would enter the links in these steps as is into the fields within the Admin > SAML page like so:


This appears to be a good resource for setting up Mirror Groups in Azure: https://wiki.resolution.de/doc/saml-sso/latest/all/knowledgebase-articles/technical/jit-and-azure-ad-sending-groups-via-saml-attributes


As with any SAML provider, you can check to make sure you have the correct value by hitting the Test SAML Authentication button at the bottom of the SAML settings and examining the groups attribute in the raw response, as suggested in Looker’s doc on enabling Mirror SAML groups: https://docs.looker.com/admin-options/security/saml-auth#enabling_mirror_saml_groups. For Azure, it should look something like this by default:

```
      <Attribute Name='http://schemas.microsoft.com/ws/2008/06/identity/claims/groups'>
        <AttributeValue>
          f3ddf8a9-377b-4ee6-9af2-f9bfa0bdfe21
        </AttributeValue>
      </Attribute>
```

In this example, you would select “Groups as values of single attributes,” enter http://schemas.microsoft.com/ws/2008/06/identity/claims/groups for the Groups Attribute, and enter f3ddf8a9-377b-4ee6-9af2-f9bfa0bdfe21 for the SAML Group ID (there may be other SAML Group IDs to enter if the user is a member of multiple groups).


You can also find instructions for referencing your SAML groups by their AccountName values here:


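As an added example (not code from the thread or from Looker), here is a small Python checker that inspects a SAML assertion the way the “Test SAML Authentication” step above does: it verifies the Audience against the value you put in Looker’s IDP Audience field, confirms the three claim URIs from steps 9 to 11 are present, and collects the Azure groups claim values you would enter as SAML Group IDs. The sample assertion, its audience and the second group GUID are constructed for this example; signature and timestamp validation are left to Looker and are not part of this check.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim URIs from the post above (Looker's Email/Fname/Lname Attr fields and the Azure groups claim).
REQUIRED_ATTRS = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "fname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "lname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
}
GROUPS_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample assertion: the surname claim is deliberately absent to show the
# "attribute can't be found" failure; the second group GUID is made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://yourcompany.looker.com</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jane@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue> f3ddf8a9-377b-4ee6-9af2-f9bfa0bdfe21 </saml:AttributeValue>
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, expected_audience):
    """Return (problems, attrs). problems lists what the Looker test page would reject;
    attrs maps claim URI -> list of values (whitespace-padded values are stripped)."""
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", SAML_NS) if a.text]
    if expected_audience not in audiences:
        problems.append(f"audience mismatch: assertion has {audiences}, Looker expects {expected_audience!r}")
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
        attrs[attr.get("Name")] = values
    for field, uri in REQUIRED_ATTRS.items():
        if not attrs.get(uri):  # claim not sent by Azure, or sent under a different Name
            problems.append(f"{field} attribute {uri} missing from assertion")
    return problems, attrs


def mirror_group_ids(attrs):
    """Values to enter as SAML Group IDs under 'Groups as values of single attributes'."""
    return attrs.get(GROUPS_ATTR, [])
```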