Companies use different OpenID Connect Providers (OPs), such as Okta or OneLogin, to coordinate with OpenID Connect. The terms used in the following setup instructions and in the Looker UI may not directly match those used by your OP. For clarification during set up, contact your internal OpenID Connect or authentication team or reach out to Looker Support.
You can configure Looker to authenticate users using the OpenID Connect protocol. This page includes instructions for linking OpenID Connect groups to Looker roles and permissions.
- Consider using the Alternate Login for Specified Users option to allow Looker admins to access Looker without OpenID Connect.
- Don’t disable OpenID Connect authentication while you are logged into Looker using OpenID Connect unless you have an alternate account login set up. Otherwise, you could lock yourself out of the app.
- Looker can migrate existing accounts to OpenID Connect using email addresses that come from either current Email/Password setups, LDAP, SAML, or Google Auth. You will be able to configure this in the setup process.
- Looker supports OpenID Connect authentication only using OpenID Connect’s Authorization Code Flow. Other code flows are not supported.
- The OpenID Connect specification includes an optional Discovery mechanism. Looker does not support this mechanism, so you must provide explicit URLs in the OpenID Connect Auth Settings section as described below.
Steps On Your OpenID Connect Provider
You need to:
- give your Looker URL to your OpenID Connect Provider (OP)
- get various information from your OP.
Setting Up Looker on Your OP
Your OpenID Connect Provider (OP) will need to know the URL of your Looker instance. Your OP may call this the “Redirect URI” or “Login Redirect URI”, among other names. On your OP’s web site, provide your OP with the URL where you typically access your Looker instance in a browser, followed by /openidconnect. For example,
Getting Information From Your OP
To configure Looker for OpenID Connect authentication, you will need the following information from your OP:
- A client identifier and client secret. These are usually supplied by the OP on their web site when you configure the Redirect URI as described above.
- During the OpenID Connect authentication process, Looker will connect to three different endpoints, an Authentication endpoint, a Token ID endpoint, and a User Information endpoint. You will need the URLs your OP uses for each of these endpoints.
- Each OP will provide user information in sets called “scopes”. You will need to know the names of the scopes your OP uses. The OpenID Connect specification requires the openid scope, but your OP will likely include other scopes, such as
- In OpenID Connect, attributes that store user data are called “claims”. You will need to know which claims your OP passes to Looker to provide the user information you want on your Looker instance. Looker requires claims that contain email and name information, but if you have any other user attributes, such as timezone or department, Looker will also need to know which claims contain that information.
Many OPs provide information about configuring OpenID Connect in the form of a discovery document. If so, it is a convenient way to gather some or all of the information you will need to configure Looker for OpenID Connect. If you do not have access to a discovery document, you will need to obtain the necessary information from your OP or internal authentication team.
For example, this is a section of an example discovery document provided by Google:
Overview of Steps on Looker
First, please contact your Account Manager or firstname.lastname@example.org to update your license to include the OpenID Connect authentication feature.
Once your license is updated, navigate to OpenID Connect in the left panel of the Admin section of Looker, then click the Enabled button to see the configuration options. They are organized into these sections:
- OpenID Connect Auth Settings
- User Attributes Settings
- Role Settings
- Migration Options
While specifying this configuration, do not save your configuration until you have tested that Looker can talk to the OP and successfully retrieve user information. You can run the test multiple times before saving, which helps you see which parameters need configuration.
Any changes to configuration values do not take effect until you save them by clicking the Update Settings button at the bottom of the page.
Configuring OpenID Connect Auth Settings
Use the configuration information you obtained from your OP’s discovery document, your OP, or internal authentication team to enter connection settings in the following fields:
Identifier: The client identifier unique to your Looker instance. This should be provided by your OP.
Secret: The client secret key unique to your Looker instance. This should be provided by your OP.
Issuer: The secure URL that identifies your OP.
Audience: An identifier indicating to your OP who the client is. This is often the same as your Identifier value, but may be a different value.
Authorization URL: The URL of the OP where the authentication sequence begins. Often called authorization_endpoint in a discovery document.
Token URL: The URL where Looker retrieves an OAuth token after Looker has been authorized. Often called token_endpoint in a discovery document.
User Info URL: The URL where Looker will retrieve detailed user information. Often called userinfo_endpoint in a discovery document.
Scopes: A comma-separated list of scopes used by the OP to provide user information to Looker. You must include the openid scope and any scopes that include the information Looker requires, which includes email addresses, user names, and any user attributes configured on your Looker instance.
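The following is an added example, not Looker's or Google's code, showing how the discovery-document fields named above map onto the Auth Settings fields, with the checks worth making before typing values in: every endpoint is present and HTTPS, and the openid scope (plus any others you need) is actually advertised by the OP. The discovery document and the host op.example.com are constructed placeholders; Identifier, Secret, and Audience never come from a discovery document and must still be obtained from your OP.

```python
import json
from urllib.parse import urlparse

# Constructed sample OpenID Provider metadata; op.example.com is a placeholder,
# not a real OP. A real document would be fetched from your OP or sent by your
# authentication team.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://op.example.com",
    "authorization_endpoint": "https://op.example.com/oauth2/authorize",
    "token_endpoint": "https://op.example.com/oauth2/token",
    "userinfo_endpoint": "https://op.example.com/oauth2/userinfo",
    "scopes_supported": ["openid", "profile", "email", "groups"],
    "claims_supported": ["sub", "email", "given_name", "family_name", "groups"],
})

# Looker Auth Settings field -> discovery-document key it usually corresponds to.
FIELD_MAP = {
    "Issuer": "issuer",
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "User Info URL": "userinfo_endpoint",
}

def looker_auth_settings(discovery_json, wanted_scopes=("openid", "profile", "email")):
    """Return the values to enter in Looker's OpenID Connect Auth Settings.

    Raises ValueError if an endpoint is missing or not HTTPS, or if the OP
    advertises scopes_supported and a wanted scope is not among them.
    The openid scope is always added because Looker requires it.
    """
    doc = json.loads(discovery_json)
    settings = {}
    for field, key in FIELD_MAP.items():
        url = doc.get(key)
        if not url:
            raise ValueError(f"discovery document lacks {key}; ask your OP for the {field}")
        if urlparse(url).scheme != "https":
            raise ValueError(f"{field} must be an https URL, got {url}")
        settings[field] = url
    scopes = list(wanted_scopes)
    if "openid" not in scopes:
        scopes.insert(0, "openid")
    if "scopes_supported" in doc:
        missing = [s for s in scopes if s not in set(doc["scopes_supported"])]
        if missing:
            raise ValueError(f"OP does not advertise scopes: {', '.join(missing)}")
    settings["Scopes"] = ",".join(scopes)  # Looker expects a comma-separated list
    return settings
```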
Configuring User Attributes Settings
In the User Attributes Settings section, enter the name of your OP’s claim that contains the corresponding information for each field. This tells Looker how to map those claims to Looker user information at login time. Looker isn’t particular about how claims are constructed; it is just important that the claim information entered here matches the way that the claims are defined in your OP.
Looker requires user name and email information for user authentication. Enter your OP’s corresponding claim information in this section:
Email Claim: The claim your OP uses for user email addresses, such as
First Name Claim: The claim your OP uses for user first names, such as
Last Name Claim: The claim your OP uses for user last names, such as
Note that some OPs use a single claim for names, rather than separating first and last names. If this is the case with your OP, enter the claim that stores names in both of the First Name Claim and Last Name Claim fields. For each user, Looker will use the contents up to the first space as the First Name and everything afterwards as the Last Name.
Optionally, you can use the data in your OpenID Connect claims to automatically populate values in Looker user attributes when a user logs in. You set this up by pairing claims with corresponding Looker user attributes:
- Enter the claim as identified by your OP in the Claim field and the Looker user attribute you want to pair it with in the Looker User Attributes field.
- Check Required if you want to block login by any user account that is missing a value in that claim field.
- Click + and repeat these steps to add more claim and attribute pairs.
Note that some OPs can have “nested” claims as shown below:
In the example above, the locality claim is nested within the address claim. For nested claims, specify the parent and nested claims, separated by a slash (/) character. To configure Looker for the locality claim above, you would enter address/locality.
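As an added example (not Looker's code) that ties together the three behaviours described in this section: resolving a parent/nested claim path such as address/locality, splitting a single name claim at the first space into first and last name, and applying Claim to user attribute pairs where a missing Required claim blocks the login. The claims dictionary is a constructed sample, and the pair format (claim, attribute, required) is an assumption of this example.

```python
# Constructed sample of the claims Looker might receive from the user info
# endpoint; the values are illustrative and not from any real OP.
SAMPLE_CLAIMS = {
    "sub": "1234567890",
    "email": "ada@example.com",
    "name": "Ada King Lovelace",
    "address": {"locality": "London", "country": "GB"},
    "groups": ["analysts"],
}

def resolve_claim(claims, path):
    """Look up a claim by the name entered in a Looker claim field.

    Nested claims are written parent/child (e.g. address/locality), so the
    path is split on '/' and each segment descends one level. Returns None
    when any segment is missing, which is how a missing claim is detected.
    """
    value = claims
    for segment in path.split("/"):
        if not isinstance(value, dict) or segment not in value:
            return None
        value = value[segment]
    return value

def split_name(full_name):
    """Mimic Looker's handling when one claim holds the whole name: text up to
    the first space is the First Name, everything afterwards is the Last Name."""
    first, _, last = full_name.strip().partition(" ")
    return first, last

def map_user_attributes(claims, pairs):
    """Apply the Claim -> Looker user attribute pairs from User Attributes
    Settings. Each pair is (claim, attribute, required); this tuple shape is an
    assumption of the example. A missing required claim raises LookupError,
    the point at which Looker would block the login."""
    attrs = {}
    for claim, attribute, required in pairs:
        value = resolve_claim(claims, claim)
        if value is None:
            if required:
                raise LookupError(f"required claim {claim} missing; login blocked")
            continue  # optional claim absent: attribute simply stays unset
        attrs[attribute] = value
    return attrs
```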
Configuring Role Settings
Optionally, you can assign Looker roles to users based on their OpenID Connect groups.
Assigning Roles in Looker Directly
Leave the Set Roles from Groups toggle set to OFF, and choose the default roles and groups that all new users will receive:
Assigning Roles Using OpenID Connect Groups
If you choose to use OpenID Connect groups to define roles, set the Set Roles from Groups toggle to ON.
If this feature is on, all Looker roles will be overridden by the OpenID Connect roles.
Looker displays these settings:
Groups Claim: Enter the claim that your OP uses to store group names. Looker will make one Looker group for every OpenID Connect group that is introduced into the system by the Groups claim. Those Looker groups can be viewed on the Groups page of the Admin section of Looker. Groups can be used for setting content access controls and assigning user attributes.
Auth Requires Role: Setting this to ON means that users are required to have a role in order to log into Looker. If it is set to OFF, that means your OpenID Connect users can authenticate to Looker even if they have no role assigned. Having no role set means that a user will not be able to see any data or take any action in Looker.
Configuring Migration Options
As explained in this section, Looker recommends that you enable Alternate Login and provide a merging strategy for existing users.
Alternate Login for Specified Users
Looker email/password logins are always disabled for regular users when OpenID Connect authentication is enabled. The Alternate Login for Specified Users option enables alternate email-based login using /login/email for admins and for specified users with the
Turning this option ON is useful as a fallback during OpenID Connect setup should OpenID Connect configuration problems occur later, or if you need to support some users who do not have accounts in your OpenID Connect directory.
Merge Users Using
Merge a first-time OpenID Connect login to an existing user account by one or more of the methods specified here. Options are Looker Email/Password, Google, LDAP, and SAML.
If you have more than one system in place, you can specify more than one system to merge by in this field. Looker will look up users from the systems listed in the order that they are specified. For example, assume you created some users using Looker Email/Password, then you enabled LDAP, and now you want to use OpenID Connect. In this example, Looker would merge by Email/Password first and then by LDAP.
When a user logs in for the first time with OpenID Connect, this option will connect the user into their existing account by finding the account with a matching email address. If there is no existing account for the user, a new user account will be created.
Testing User Authentication
While specifying this configuration, click Test OpenID Connect Authentication to test your OpenID Connect configuration.
Read the results of the test carefully, as some parts of the test can succeed even if others fail.
Tests will redirect out to the endpoints and will open a new browser tab. The tab displays:
- That Looker was able to talk to the various endpoints and validate
- A trace of the authentication endpoint response
- The user info it gets from the user info endpoint
- Both decoded and raw versions of the ID Token received
You can use this test to verify the information received from the various endpoints is correct, and to troubleshoot any errors.
- You can run this test any time, even if OpenID Connect is partially configured. Running a test can be helpful during configuration to see which parameters need configuration.
- The test uses the settings entered in the OpenID Connect Authentication page, even if those settings have not been saved. The test will not affect or change any of the settings in that page.
Saving Your Configuration
Be sure to first test your configuration and read the test results carefully to verify that all parts of the test succeeded. Saving incorrect OpenID Connect configuration information could lock you and others out of Looker.
Once you are done configuring settings and have verified that all parts of the test are succeeding, click Update Settings to save your configuration.