Looker can authenticate users using one of several authentication server types, such as Google OAuth, LDAP, SAML, or OpenID Connect. Enabling any of these authentication methods will disable other authentication systems, such as email and password.
Looker admins can give a user an alternate login option that uses their email address if the user has either an Admin role or the login_special_email
permission.
Enabling alternate login on the Looker instance
Before you can enable the alternate login option for a user, the Looker instance must be configured to accept email credentials:
- Navigate to the Authentication section of the Admin panel, and select the currently enabled authentication type, Google OAuth, LDAP, SAML, or OpenID Connect.
- In the Migration Options section, enable the Alternate login for admins and specified users toggle.
Granting the user permission to use alternate login
Only users with the Admin role or the login_special_email
permission may use alternate login. One way to grant the login_special_email
permission to a non-admin user is to create a new role that contains that permission and then assign that role to the user, as follows:
- Navigate to the Roles page, located under the Users section in the Admin panel.
- Click the New Permission Set button.
- Enter a name for the new permission set, for example, Alternate Login.
- Select the box labeled login_special_email.
- Click New Permission Set.
- Click New Role.
- Enter a name for the new role, such as Alternate Login Role.
- In the Permission Set list, select your new permission set from the list.
- In the Model Set list, select All.
- In the Users list, select the user who is to be granted the alternate login permission.
- Click the New Role button to save the new role.
- Click Confirm.
Creating email credentials for the user
Once the user has been granted permission to use email credentials, the next step is to create the credentials. To create email credentials, a Looker admin can either use the Looker API to make a POST
request or use the Looker API SDK in the programming language of the admin's choice.
Making a POST request to the Looker API
Because of its manual nature, this is a better method to use when you have only a limited number of users for whom you want to set up the alternate login option.
This example uses a curl
command to make a POST
request to the create_user_credentials_email
API endpoint using a temporary access token:
- To generate the temporary token (
ACCESS_TOKEN
), follow the Authentication without an SDK instructions on the Looker API authentication documentation page. Using this temporary token in the authorization header, send a
POST
request to the Looker API using the user'suser_id
, and include their email in the body of the request.curl -H "Authorization: token ACCESS_TOKEN" -H 'Content-Type: application/json' -X POST -d '{ "email": "example_name@example_email.com" }' https://<instance_name<.api.looker.com/api/4.0/users/{user_id}/credentials_email
On the Users page in the Admin panel, find the user account and click Edit.
Click the Send reset link button. This will send an email to the email address you specified in your
POST
request.
To use the alternate login method, when the user logs in to Looker they will need to click the Alternate Login link and then enter their name and email address. They can still authenticate using their OAuth, LDAP, SAML, or OpenID Connect credentials through the Authenticate button.
Using the Looker API SDK
Rather than going through the manual steps of making requests directly to the Looker API, you can instead use a Looker-provided SDK to interact with the API in a programming language of your choice. After you have imported the Looker API SDK and established a client connection, follow these steps:
- Use the
create_user_credentials_email(user_id, body)
function, inserting theuser_id
andbody
as specified in the Looker API documentation. You can follow a similar example from this Looker Community post about automatically provisioning users with the Looker API. - Once the user accounts have been updated using the SDK method, on the Users page in the Admin panel, find the user account and click Edit.
- Click the Send reset link button. This will send an email to the email address you specified in your
POST
request.
To use the alternate login method, when the user logs in to Looker, they will need to click the Alternate Login link and then enter their name and email address. They can still authenticate using their OAuth, LDAP, SAML, or OpenID Connect credentials through the Authenticate button.