Version 4.0.24.20 (latest)
Update the SAML configuration.
Configuring SAML impacts authentication for all users. This configuration should be done carefully.
Only Looker administrators can read and update the SAML configuration.
SAML is enabled or disabled for Looker using the enabled field.
It is highly recommended that any SAML setting changes be tested using the APIs below before being set globally.
Calls to this endpoint may be denied by Looker (Google Cloud core).
Request

PATCH /saml_config

Request body: SAML Config (SamlConfig)

- can (read-only): Operations the current user is able to perform on this object
- enabled: Enable/Disable SAML authentication for the server
- idp_cert: Identity Provider Certificate (provided by IdP)
- idp_url: Identity Provider URL (provided by IdP)
- idp_issuer: Identity Provider Issuer (provided by IdP)
- idp_audience: Identity Provider Audience (set in IdP config). Optional in Looker. Set this only if you want Looker to validate the audience value returned by the IdP.
- allowed_clock_drift: Count of seconds of clock drift to allow when validating timestamps of assertions.
- user_attribute_map_email: Name of user record attributes used to indicate email address field
- user_attribute_map_first_name: Name of user record attributes used to indicate first name
- user_attribute_map_last_name: Name of user record attributes used to indicate last name
- new_user_migration_types: Merge first-time SAML login to existing user account by email addresses. When a user logs in for the first time via SAML, this option will connect this user into their existing account by finding the account with a matching email address by testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma-separated list of strings like 'email,ldap,google'
- alternate_email_login_allowed: Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during LDAP setup, if LDAP config problems occur later, or if you need to support some users who are not in your LDAP directory. Looker email/password logins are always disabled for regular users when LDAP is enabled.
- test_slug (read-only): Slug to identify configurations that are created in order to run a SAML config test
- modified_at (read-only): When this config was last modified
- modified_by (read-only): User id of user who last modified this config
- default_new_user_roles
- default_new_user_groups
- default_new_user_role_ids
- default_new_user_group_ids
- set_roles_from_groups: Set user roles in Looker based on groups from SAML
- groups_attribute: Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values'
- groups
- groups_with_role_ids
- auth_requires_role: If set to true, users will not be allowed to log in at all unless a role for them is found in SAML
- user_attributes
- user_attributes_with_ids
- groups_finder_type: Identifier for a strategy for how Looker will find groups in the SAML response. One of ['grouped_attribute_values', 'individual_attributes']
- groups_member_value: Value for group attribute used to indicate membership. Used when 'groups_finder_type' is set to 'individual_attributes'
- bypass_login_page: Bypass the login page when user authentication is required. Redirect to IdP immediately instead.
- allow_normal_group_membership: Allow SAML auth'd users to be members of non-reflected Looker groups. If 'false', user will be removed from non-reflected groups on login.
- allow_roles_from_normal_groups: SAML auth'd users will inherit roles from non-reflected Looker groups.
- allow_direct_roles: Allows roles to be directly assigned to SAML auth'd users.
- url (read-only): Link to get this item
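
A pre-flight review of the request fields above, as an added example (not Looker's code and not part of the original reference): it takes the full intended SamlConfig as a dict and lists the settings that loosen assertion validation, account matching or role assignment. The function name, the 300-second drift threshold and the sample values are assumptions.

```python
GROUP_FINDERS = {  # strategy -> field the reference says it uses
    "grouped_attribute_values": "groups_attribute",
    "individual_attributes": "groups_member_value",
}
MAX_DRIFT_SECONDS = 300  # assumed review threshold, not a Looker limit

def audit_saml_config(cfg):
    """Return (field, finding) pairs for settings worth reviewing before PATCH."""
    findings = []
    if not cfg.get("idp_audience"):
        findings.append(("idp_audience", "unset: audience from the IdP is not validated"))
    drift = cfg.get("allowed_clock_drift") or 0
    if drift > MAX_DRIFT_SECONDS:
        findings.append(("allowed_clock_drift", f"{drift}s widens assertion timestamp checks"))
    raw = cfg.get("new_user_migration_types") or ""
    types = [t.strip() for t in raw.split(",") if t.strip()]
    if types:
        findings.append(("new_user_migration_types",
                         "first SAML login merges into existing accounts by email: "
                         + ", ".join(types)))
    if cfg.get("alternate_email_login_allowed"):
        findings.append(("alternate_email_login_allowed", "'/login/email' login remains available"))
    if not cfg.get("auth_requires_role"):
        findings.append(("auth_requires_role", "login allowed without a role found in SAML"))
    if cfg.get("set_roles_from_groups"):
        finder = cfg.get("groups_finder_type")
        if finder not in GROUP_FINDERS:
            findings.append(("groups_finder_type", f"{finder!r} is not a listed strategy"))
        elif not cfg.get(GROUP_FINDERS[finder]):
            findings.append((GROUP_FINDERS[finder], f"empty but used when groups_finder_type={finder!r}"))
        for field in ("allow_direct_roles", "allow_roles_from_normal_groups"):
            if cfg.get(field):
                findings.append((field, "roles can be granted outside the SAML group mapping"))
    return findings

# Constructed sample configuration (placeholder values, not a real deployment).
SAMPLE = {
    "enabled": True, "idp_audience": "", "allowed_clock_drift": 900,
    "new_user_migration_types": "email, ldap",
    "alternate_email_login_allowed": True, "auth_requires_role": False,
    "set_roles_from_groups": True, "groups_finder_type": "individual_attributes",
    "groups_member_value": "", "allow_direct_roles": True,
    "allow_roles_from_normal_groups": False,
}

if __name__ == "__main__":
    for field, finding in audit_saml_config(SAMPLE):
        print(f"{field}: {finding}")
```

Run it against the current configuration merged with the planned changes, since a PATCH body may carry only the fields being updated.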
Response

200: New state for SAML Configuration.

(object)

- can (read-only): Operations the current user is able to perform on this object
- enabled: Enable/Disable SAML authentication for the server
- idp_cert: Identity Provider Certificate (provided by IdP)
- idp_url: Identity Provider URL (provided by IdP)
- idp_issuer: Identity Provider Issuer (provided by IdP)
- idp_audience: Identity Provider Audience (set in IdP config). Optional in Looker. Set this only if you want Looker to validate the audience value returned by the IdP.
- allowed_clock_drift: Count of seconds of clock drift to allow when validating timestamps of assertions.
- user_attribute_map_email: Name of user record attributes used to indicate email address field
- user_attribute_map_first_name: Name of user record attributes used to indicate first name
- user_attribute_map_last_name: Name of user record attributes used to indicate last name
- new_user_migration_types: Merge first-time SAML login to existing user account by email addresses. When a user logs in for the first time via SAML, this option will connect this user into their existing account by finding the account with a matching email address by testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma-separated list of strings like 'email,ldap,google'
- alternate_email_login_allowed: Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during LDAP setup, if LDAP config problems occur later, or if you need to support some users who are not in your LDAP directory. Looker email/password logins are always disabled for regular users when LDAP is enabled.
- test_slug (read-only): Slug to identify configurations that are created in order to run a SAML config test
- modified_at (read-only): When this config was last modified
- modified_by (read-only): User id of user who last modified this config
- default_new_user_roles (Role)
  - can (read-only): Operations the current user is able to perform on this object
  - id (read-only): Unique Id
  - name: Name of Role
  - permission_set (read-only, PermissionSet): Permission set
    - can (read-only): Operations the current user is able to perform on this object
    - all_access (read-only)
    - built_in (read-only)
    - id (read-only): Unique Id
    - name: Name of PermissionSet
    - permissions
    - url (read-only): Link to get this item
  - permission_set_id: (Write-Only) Id of permission set
  - model_set (read-only, ModelSet): Model set
    - can (read-only): Operations the current user is able to perform on this object
    - all_access (read-only)
    - built_in (read-only)
    - id (read-only): Unique Id
    - models
    - name: Name of ModelSet
    - url (read-only): Link to get this item
  - model_set_id: (Write-Only) Id of model set
  - url (read-only): Link to get this item
  - users_url (read-only): Link to get list of users with this role
- default_new_user_groups (Group)
  - can (read-only): Operations the current user is able to perform on this object
  - can_add_to_content_metadata: Group can be used in content access controls
  - contains_current_user (read-only): Currently logged in user is group member
  - external_group_id (read-only): External Id group if embed group
  - externally_managed (read-only): Group membership controlled outside of Looker
  - id (read-only): Unique Id
  - include_by_default (read-only): New users are added to this group by default
  - name: Name of group
  - user_count (read-only): Number of users included in this group
- default_new_user_role_ids
- default_new_user_group_ids
- set_roles_from_groups: Set user roles in Looker based on groups from SAML
- groups_attribute: Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values'
- groups (SamlGroupRead)
  - id (read-only): Unique Id
  - looker_group_id (read-only): Unique Id of group in Looker
  - looker_group_name (read-only): Name of group in Looker
  - name (read-only): Name of group in SAML
  - roles (Role)
    - can (read-only): Operations the current user is able to perform on this object
    - id (read-only): Unique Id
    - name: Name of Role
    - permission_set (read-only): Permission set
    - permission_set_id: (Write-Only) Id of permission set
    - model_set (read-only): Model set
    - model_set_id: (Write-Only) Id of model set
    - url (read-only): Link to get this item
    - users_url (read-only): Link to get list of users with this role
  - url (read-only): Link to SAML config
- groups_with_role_ids (SamlGroupWrite)
  - id: Unique Id
  - looker_group_id (read-only): Unique Id of group in Looker
  - looker_group_name: Name of group in Looker
  - name: Name of group in SAML
  - role_ids
  - url (read-only): Link to SAML config
- auth_requires_role: If set to true, users will not be allowed to log in at all unless a role for them is found in SAML
- user_attributes (SamlUserAttributeRead)
  - name (read-only): Name of User Attribute in SAML
  - required (read-only): Required to be in SAML assertion for login to be allowed to succeed
  - user_attributes (UserAttribute)
    - can (read-only): Operations the current user is able to perform on this object
    - id (read-only): Unique Id
    - name: Name of user attribute
    - label: Human-friendly label for user attribute
    - type: Type of user attribute ("string", "number", "datetime", "yesno", "zipcode", "advanced_filter_string", "advanced_filter_number")
    - default_value: Default value for when no value is set on the user
    - is_system (read-only): Attribute is a system default
    - is_permanent (read-only): Attribute is permanent and cannot be deleted
    - value_is_hidden: If true, users will not be able to view values of this attribute
    - user_can_view: Non-admin users can see the values of their attributes and use them in filters
    - user_can_edit: Users can change the value of this attribute for themselves
    - hidden_value_domain_whitelist: Destinations to which a hidden attribute may be sent. Once set, cannot be edited.
  - url (read-only): Link to SAML config
- user_attributes_with_ids (SamlUserAttributeWrite)
  - name: Name of User Attribute in SAML
  - required: Required to be in SAML assertion for login to be allowed to succeed
  - user_attribute_ids
  - url (read-only): Link to SAML config
- groups_finder_type: Identifier for a strategy for how Looker will find groups in the SAML response. One of ['grouped_attribute_values', 'individual_attributes']
- groups_member_value: Value for group attribute used to indicate membership. Used when 'groups_finder_type' is set to 'individual_attributes'
- bypass_login_page: Bypass the login page when user authentication is required. Redirect to IdP immediately instead.
- allow_normal_group_membership: Allow SAML auth'd users to be members of non-reflected Looker groups. If 'false', user will be removed from non-reflected groups on login.
- allow_roles_from_normal_groups: SAML auth'd users will inherit roles from non-reflected Looker groups.
- allow_direct_roles: Allows roles to be directly assigned to SAML auth'd users.
- url (read-only): Link to get this item
400: Bad Request

(object)

- message (read-only): Error details
- documentation_url (read-only): Documentation link

403: Permission Denied

(object)

- message (read-only): Error details
- documentation_url (read-only): Documentation link

404: Not Found

(object)

- message (read-only): Error details
- documentation_url (read-only): Documentation link

422: Validation Error

(object)

- message (read-only): Error details
- errors (ValidationErrorDetail)
  - field (read-only): Field with error
  - code (read-only): Error code
  - message (read-only): Error info message
  - documentation_url (read-only): Documentation link
- documentation_url (read-only): Documentation link

429: Too Many Requests

(object)

- message (read-only): Error details
- documentation_url (read-only): Documentation link