Meaning of SP Entity/IdP Audience parameter in configuration saml

(Viacheslav Bohatikov) #1

In your documentation here describes SP Entity/IdP Audience parameter for configuration information about identity provider. There you say next “This field is not required by Looker, but many IdPs will require this field. If you enter a value in this field, that value will be sent to your IdP as Looker’s “Entity ID” in authorization requests”. I researching about saml protocol and I don’t understand why we need this field. As I know service “Entity ID” sending in saml request in “Issuer”. But you say that “This value(means SP Entity/IdP Audience) is also used as the “issuer” field in messages sent to the IdP.”. Looks like in request we have 2 field that describe service provider url but in specification of saml protocol I don’t see any fields except “Issuer” that corresponds to the description.
Please can you help me and understand what this parameter means?


(Izzy) #2

I’m not a SAML expert, but from what I know, that field/specifying an “Entity ID” causes Looker to only accept authorization responses that have this same value as the Audience in the response. I think the confusion here is that although some platforms don’t require an audience value, others do, so we need to specify it separately.

In a nutshell: Even if you’ve entered an “Issuer” already, some IdP’s also require an “Entity ID”, which must be specified in that section, just for clarity’s sake.

Note that it is optional, so if your SAML setup is working without it, you don’t need to use it.

If someone knows more, feel free to jump in or correct me if I’m wrong!



To add some additional detail, the “IdP Issuer” field determines the specific IdP that Looker should communicate with for the authentication protocol. If we think of it as a funnel, at the top would be all IdPs and directories of users, the “IdP Issuer” is narrowing that down to just your provider and directory. The “Audience/Entity ID” field can be thought of as another layer in the funnel. This is an additional statement included in the assertion that is usually assigned to only some of the users within your directory; so with this field the funnel is narrowed from all users in your directory to just those users that have the specified value.

This page from Okta is a great resource for clarification on the various components of the SAML assertion and how they all play together. The page is Okta specific (uses their vernacular). If you’re using another service provider, it’s likely their documentation includes something similar.

1 Like