These are the steps that we have found, working with customers, to be successful in setting up SSO for your Looker instance using Azure AD.
In your Looker app on the Azure side, we'll need the Federation Metadata information.
- Click the copy button to the right of the box for Federation Metadata Document to copy this information. You'll need it in the Looker admin panel.
- Open a new browser tab.
- Log into your Looker instance.
- Once you are logged in to the instance, click on the Admin button located in the upper right corner.
- After the Admin panel loads, scroll down the left column to SAML, which you will find under the Authentication heading.
- Click the SAML option, and then be sure to click the option to enable SAML authentication.
- Paste the Federation Metadata information that you copied from Microsoft Azure into the box for IDP Metadata. Once you have pasted the information, click the "Load" button right underneath the box.
- Be sure that the IDP Audience field has the value from the Azure application. The most likely value here is the Looker URL, like yourcompany.looker.com. On older Azure portal instances, this would look something like spn:nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn, where each n is a hexadecimal digit (0-9, a-f).
- Make sure to have the following information in the Email Attr field: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Add the following information to the Fname Attr field: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- Add the following information to the Lname Attr field: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
- Once you've added the information to those fields (or verified that it is already there), scroll further down the page and click the "Test SAML Authentication" button.
- If the page that loads says “Server Response Successfully Validated”, you have successfully set up the instance for SAML integration. Click the Update Settings button on the Admin page of the Looker instance you are configuring.
If instead you see an error like "Application ID xxx not found", update the Audience field to match what is on the Azure application side. If you see that one of the Metadata fields can't be found, be sure it is being set in Azure and that the attribute name Looker is looking for matches what is in the XML exactly.
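The two failure modes above (audience mismatch and a claim name that is not in the assertion) can be checked offline against a SAML response you have captured from the Azure test. The following Python script is an added example and not part of Looker or Azure; it parses a constructed, unsigned sample assertion and reports the same two problems Looker's test page would. The sample audience and claim values are constructed; it deliberately does not verify the XML signature, so it is a mapping check, not a substitute for Looker's own validation.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# The three Looker attribute fields from the steps above and the claim URI each expects.
REQUIRED_ATTRS = {
    "Email Attr": CLAIMS + "emailaddress",
    "Fname Attr": CLAIMS + "givenname",
    "Lname Attr": CLAIMS + "surname",
}

# Constructed sample assertion (not a real Azure AD response): it carries the email
# and given-name claims but the surname claim was never configured in Azure.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>yourcompany.looker.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Ada</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, expected_audience):
    """Return a list of problems: audience mismatch and each required claim that is absent."""
    root = ET.fromstring(xml_text)
    problems = []
    # Looker's IDP Audience field must match one of the Audience elements exactly.
    audiences = [a.text for a in root.findall(".//saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        problems.append(f"audience mismatch: assertion has {audiences}, Looker expects {expected_audience!r}")
    # The Email/Fname/Lname Attr fields are compared against Attribute Name values, byte for byte.
    present = {a.get("Name") for a in root.findall(".//saml:Attribute", SAML_NS)}
    for field, name in REQUIRED_ATTRS.items():
        if name not in present:
            problems.append(f"{field}: attribute {name!r} not found in assertion")
    return problems


if __name__ == "__main__":
    for problem in check_assertion(SAMPLE_ASSERTION, "yourcompany.looker.com"):
        print(problem)
```

Run it against a captured response with the audience you entered in Looker; an empty list means the audience and all three attribute names line up.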
Please let us know if there is anything in the above that needs updating!