Note : There is now an Okta-provided Looker App that makes connecting the two systems easier than ever. While this method still works, we recommend that you follow the instructions here.
##SAML + Okta
As of Release 3.26, Looker supports SAML Authentication. A popular Identity Provider that leverages this authentication scheme is Okta. If you don’t have a preference for how to set up Okta, we recommend you Create an App from Template instead of following these instructions. However, if this is your preferred method, an example set-up is below.
To enable SAML on your instance, please contact Looker Support (help.looker.com) or your company’s Looker contacts.
NOTE: In Looker 3.26, it is not possible to configure groups using SAML Authentication.
Choosing to Create App
Once on the Add New Application page (admin/apps/add-app), select:
First, name the app. Here, we’ve chosen to call it “Looker.” You can choose to configure a photo and other relevant details about how users log into Looker using your preferred methods. None of these settings affect SAML setup in Looker.
Single Sign On URL: This must be the typical url you see when you access your looker instance + /samlcallback
Audience URI (SP Entity ID): From Looker’s perspective, this is optional, however the value that goes in this field must match the value that goes into the audience field in the setup UI on Looker. Most Identity Providers do require the audience to be specified.
Default RelayState: Leave this blank
Name ID Format: Select EmailAddress
Application username: Looker is agnostic to this setting - you can use your own preferences.
Then hit the “Matches Advanced” button to unlock an additional set of settings. Make sure the following settings match what you see:
Assertion Certificate: Signed
Request Compression: Compressed
Enable Single Logout: Leave unchecked
Attribute Statements: Make these the options match the inputs in the Looker UI.
If you use the Looker defaults (pictured)
Then input these attributes on the Okta side:
View Setup Instructions
Click through to the Sign On page. Click on “View Setup Instructions”.
Scroll to the bottom of the screen until you see the configuration data. You’ll need to copy all the text from number 4 to Looker, or select the Public Link button.
Paste that into the Looker admin panel page (/admin/saml):
Looker will do the job of parsing that file and updating the fields above:
Now you’re ready to finish up using the Looker-side SAML Setup Docs.