Setting Up Looker with Okta from Template (3.26+) with Groups (3.32+)

(Abby West) #1

Note : There is now an Okta-provided Looker App that makes connecting the two systems easier than ever. While this method still works, we recommend that you follow the instructions here.

##SAML + Okta
As of Release 3.26, Looker supports SAML Authentication. A popular Identity Provider that leverages this authentication scheme is Okta. Here we will take you through two ways of configuring Okta to work with Looker. To enable SAML on your instance, please contact Looker Support ( or your company’s Looker contacts.

NOTE: In Looker 3.26, it is not possible to configure groups using SAML Authentication.

##Getting Started with a Template App
Once you log into your Okta environment, you’ll be presented with two ways to configure a new application. We recommend getting started from a template app, which we will walk you through here. If you prefer, you can also get started by Creating a New App.

Choosing a Template

Once on the Add New Application page (admin/apps/add-app), search for “Template,” and select “Template SAML 2.0 App.”

General Settings

Application Label: The name you’ll see in Okta for this application - you’re using it to log into Looker, so we’ve chosen Looker for simplicity.
Force Authentication: This is optional from Looker’s perspective; you can select it if necessary for your company.
Post Back URL: This must be the typical url you see when you access your looker instance + /samlcallback
Name ID Format: Leave as the default, EmailAddress.
Recipient: Same url that you used for Post Back URL
Audience Restriction: From Looker’s perspective, this is optional, however the value that goes in this field must match the value that goes into the audience field in the setup UI on Looker. Most Identity Providers do require the audience to be specified.

Here’s an example of this section filled out:

For the next section of the form, use the defaults for the next section of the form - they should match what follows:

Destination: Use the same URL as before
Default Relay State: Skip this section
Attribute Statements: Try copying and pasting this string: Email |, FirstName | user.firstName, LastName | user.lastName . What’s important here is that you are linking the name of this attribute in Looker (“Email”) with how that’s stored in Okta ( Capitalization matters. Each set is defined as nameinlooker | nameinokta, . If the provided string doesn’t work, follow the instructions for inputting values that are written in the Okta setup page beneath this field.

Looker has support for groups as of version 3.32 – to enable groups from the Okta side, include hte word groups in the Group Name section.
Group Name: groups
Group filter: blank
Application Visibility: Set up as relevant for your company.

View Setup Instructions

You’ll next be asked to configure your users. Configure those as makes sense for your company (or, for testing, just apply your own user to the application). On the next page, hit the “View Setup Instructions.”

Scroll to the bottom of the screen until you see the configuration data. You’ll need to copy all the text from number 4 to Looker, or select the Public Link button.

Paste that into the Looker admin panel page (/admin/saml) then click Load.

Looker will do the job of parsing that file and updating the fields above:

Looker-side Setup

Now you’re ready to finish up using the Looker-side SAML Setup Docs.