home User Guide Getting Started Help Center Documentation Community Training Certification
menu
close
settings
Looker keyboard_arrow_down
language keyboard_arrow_down
English
Français
Deutsch
日本語
search
print
OpenID Connect Authentication

Overview

Companies use different OpenID Connect Providers (OPs), such as Okta or OneLogin, to coordinate with OpenID Connect. The terms used in the following setup instructions and in the Looker UI may not directly match those used by your OP. For clarification during setup, contact your internal OpenID Connect or authentication team or reach out to Looker Support.

The OpenID Connect page in the Authentication section of the Admin menu lets you configure Looker to authenticate users using the OpenID Connect protocol. This page describes that process and includes instructions for linking OpenID Connect groups to Looker roles and permissions.

Support for OpenID Connect must be enabled by Looker. Contact your Looker Account Manager or open a support request in Looker’s Help Center by clicking Contact Us.

Planning Considerations

Steps on Your OpenID Connect Provider

You need to:

Setting Up Looker on Your OP

Your OpenID Connect Provider (OP) will need to know the URL of your Looker instance. Your OP may call this the Redirect URI or Login Redirect URI, among other names. On your OP’s website, provide your OP with the URL where you typically access your Looker instance in a browser, followed by /openidconnect. For example, https://instance_name.looker.com/openidconnect.

Getting Information from Your OP

To configure Looker for OpenID Connect authentication, you will need the following information from your OP:

Many OPs provide information about configuring OpenID Connect in the form of a discovery document. If so, is a convenient way to gather some or all of the information you will need to configure Looker for OpenID Connect. If you do not have access to a discovery document, you will need to obtain the necessary information from your OP or internal authentication team.

For example, this is a section of an example discovery document provided by Google:

Overview of Steps in Looker

To update your license to include the OpenID Connect authentication feature, contact your account manager or open a support request in Looker’s Help Center by clicking Contact Us.

Once your license is updated, navigate to OpenID Connect in the left panel of the Admin section of Looker, then click the Enabled button to see the configuration options. They are organized into these sections:

While specifying this configuration, do not save your configuration until you have verified that Looker can talk to the OP and successfully retrieve user information. You can run the test multiple times before saving, which helps you see which parameters need configuration.

Any changes to configuration values do not take effect until you save them by clicking the Update Settings button at the bottom of the page.

Configuring OpenID Connect Auth Settings

Use the configuration information you obtained from your OP’s discovery document, your OP, or your internal authentication team to enter connection settings in the following fields:

Identifier: The client identifier unique to your Looker instance. This should be provided by your OP.

Secret: The client secret key unique to your Looker instance. This should be provided by your OP.

Issuer: The secure URL that identifies your OP.

Audience: An identifier indicating to your OP who the client is. This is often the same as your Identifier value, but may be a different value.

Authorization URL: The URL of the OP where the authentication sequence begins. Often called authorization_endpoint in a discovery document.

Token URL: The URL where Looker retrieves an OAuth token after Looker has been authorized. Often called token_endpoint in a discovery document.

User Info URL: The URL where Looker will retrieve detailed user information. Often called userinfo_endpoint in a discovery document.

Scopes: A comma-separated list of scopes used by the OP to provide user information to Looker. You must include the openid scope and any scopes that include the information Looker requires, which includes email addresses, user names, and any user attributes configured on your Looker instance.

Configuring User Attribute Settings

In this section, you will map your OP’s claims to Looker user attributes.

In the User Attribute Settings section, enter the name of your OP’s claim that contains the corresponding information for each field. This tells Looker how to map those claims to Looker user information at login time. Looker isn’t particular about how claims are constructed, it’s just important that the claim information entered here matches the way that the claims are defined in your OP.

Standard Claims

Looker requires user name and email information for user authentication. Enter your OP’s corresponding claim information in this section:

Email Claim: The claim your OP uses for user email addresses, such as email.

First Name Claim: The claim your OP uses for user first names, such as given_name.

Last Name Claim: The claim your OP uses for user last names, such as family_name.

Note that some OPs use a single claim for names, rather than separating first and last names. If this is the case with your OP, enter the claim that stores names in both of the First Name Claim and Last Name Claim fields. For each user, Looker will use the contents up to the first space as the First Name and everything afterwards as the Last Name.

Attribute Pairings

Optionally, you can use the data in your OpenID Connect claims to automatically populate values in Looker user attributes when a user logs in. For example, if you have configured OpenID Connect to make user-specific connections to your database, you could pair your OpenID Connect claims with Looker user attributes to make your database connections user-specific in Looker.

To pair claims with corresponding Looker user attributes:

  1. Enter the claim as identified by your OP in the Claim field and the Looker user attribute you want to pair it with in the Looker User Attributes field.
  2. Check Required if you want to block login by any user account that is missing a value in that claim field.
  3. Click + and repeat these steps to add more claim and attribute pairs.

Note that some OPs can have “nested” claims as shown below:

In the example above, the locality claim is nested within the address claim. For nested claims, specify the parent and nested claims, separated by a slash ( / ) character. To configure Looker for the locality claim above, you would enter address/locality.

Groups and Roles

You have the option for Looker to create groups that mirror your externally managed OpenID Connect groups, and then assign Looker roles to users based on their mirrored OpenID Connect groups. When you make changes to your OpenID Connect group membership, those changes are automatically propagated into Looker’s group configuration

Mirroring OpenID Connect groups lets you use your externally defined OpenID Connect directory to manage Looker groups and users. This, in turn, lets you manage your group membership for multiple software as a service (SaaS) tools, such as Looker, in one place.

If you turn on Mirror OpenID Connect Groups, then Looker will make one Looker group for every OpenID Connect group that is introduced into the system. Those Looker groups can be viewed on the Groups page of the Admin section of Looker. Groups can be used for assigning roles to group members, setting content access controls and assigning user attributes.

Default Groups and Roles

By default, the Mirror OpenID Connect Groups switch is off. In this case, you can set a default group for new OpenID Connect users. In the New User Groups and New User Roles fields, enter the names of any Looker groups or roles to which you want to assign new Looker users when they first log in to Looker:

These groups and roles are applied to new users on their initial login. They are not applied to pre-existing users, and are not reapplied if they are removed from users after their initial login.

If you later enable mirror OpenID Connect groups, these defaults will be removed for users upon their next login and replaced by roles assigned in the Mirror OpenID Connect Groups section. These default options will no longer be available or assigned and are fully replaced by the mirrored groups configuration.

Enabling Mirror OpenID Connect Groups

If you choose to mirror your OpenID Connect groups within Looker, turn on the Mirror OpenID Connect Groups switch:

Groups Claim: Enter the claim that your OP uses to store group names. Looker will make one Looker group for every OpenID Connect group that is introduced into the system by the Groups claim. Those Looker groups can be viewed on the Groups page of the Admin section of Looker. Groups can be used for setting content access controls and assigning user attributes.

Preferred Group Name / Roles / OpenID Connect Group Name: This set of fields lets you assign a custom group name and one or more roles that are assigned to the corresponding OpenID Connect group in Looker:

  1. Enter the OpenID Connect group name in the OpenID Connect Group Name field. OpenID Connect users who are included in the OpenID Connect group will be added to the mirrored group within Looker.

  2. Enter a custom name for the mirrored group in the Custom Name field. This is the name that will be displayed in the Groups page of the Admin section of Looker.

  3. In the field to the right of the Custom Name field, select one or more Looker roles that will be assigned to each user in the group.

  4. Click + to add additional sets of fields to configure additional mirrored groups. If you have multiple groups configured and want to remove the configuration for a group, click X next to that group’s set of fields.

Editing a mirrored group previously configured in this screen changes the configuration of the group while leaving the group intact. For example, you could change the custom name of a group, which would change how the group appears in Looker’s Groups page but would leave the roles assigned and group members the same. Changing the OpenID Connect Group Name would maintain the group name and roles, but members of the group would be reassigned based on the users who are members of the external OpenID Connect group that has the new OpenID Connect group ID. If you delete a group in this page, that group will no longer be mirrored in Looker and its members will no longer have the roles in Looker assigned to them through that group.

Any edits made to a mirrored group will be applied to users of that group when they next log in to Looker.

Advanced Role Management

If you have enabled the Mirror OpenID Connect Groups switch, Looker displays these settings. The options in this section determine how much flexibility Looker admins have when configuring Looker groups and users who have been mirrored from OpenID Connect.

For example, if you want your Looker group and user configuration to strictly match your OpenID Connect configuration, turn on these options. When all of the first three options are enabled, Looker admins cannot modify membership of mirrored groups and can only assign roles to users through OpenID Connect mirrored groups.

If you want to have more flexibility to further customize your groups within Looker, turn off these options. Your Looker groups will still mirror your OpenID Connect configuration, but you will be able to do additional group and user management within Looker, such as adding OpenID Connect users to Looker-specific groups or assigning Looker roles directly to OpenID Connect users.

For new Looker instances, or instances that have no previously configured mirrored groups, these options are off by default.

For existing Looker instances that currently have configured mirrored groups, these options are on by default.

Turning on more restrictive settings will cause users to lose group membership or assigned roles that were configured in Looker directly. This occurs the next time those users log in to Looker.

The Advanced Role Management section contains these options:

Prevent Individual OpenID Connect Users from Receiving Direct Roles: Turning this option on prevents Looker admins from assigning Looker roles directly to OpenID Connect users. OpenID Connect users will receive roles only through their group memberships. If OpenID Connect users are allowed membership in native (not mirrored) Looker groups, they can still inherit their roles both from mirrored OpenID Connect groups and from native Looker groups. Any OpenID Connect users who were previously assigned roles directly will have those roles removed when they next log in.

If this option is off, Looker admins can assign Looker roles directly to OpenID Connect users as if they are users who were configured natively in Looker.

Prevent Direct Membership in non-OpenID Connect Groups: Turning this option on prevents Looker admins from adding OpenID Connect users directly to native Looker groups. If mirrored OpenID Connect groups are allowed to be members of native Looker groups, OpenID Connect users may retain membership in any parent Looker groups. Any OpenID Connect users who were previously assigned to native Looker groups will be removed from those groups when they next log in.

If this option is off, Looker admins can add OpenID Connect users directly to native Looker groups.

Prevent Role Inheritance from non-OpenID Connect Groups: Turning this option on prevents members of mirrored OpenID Connect groups from inheriting roles from native Looker groups. Any OpenID Connect users who previously inherited roles from a parent Looker group will lose those roles when they next log in.

If this option is off, mirrored OpenID Connect groups or OpenID Connect users who are added as a member of a native Looker group will inherit the roles assigned to the parent Looker group.

Auth Requires Role: If this option is on, OpenID Connect users are required to have a role assigned. Any OpenID Connect users who do not have a role assigned will not be able to log in to Looker at all.

If this option is off, OpenID Connect users can authenticate to Looker even if they have no role assigned. A user with no assigned role will not be able to see any data or take any action in Looker, but they will be able to log in to Looker.

Configuring Migration Options

As explained in this section, Looker recommends that you enable Alternate Login and provide a merging strategy for existing users.

Alternate Login for Specified Users

Looker email/password logins are always disabled for regular users when OpenID Connect authentication is enabled. The Alternate Login for Specified Users option enables alternate email-based login using /login/email for admins and for specified users with the login_special_email permission.

Turning this on is useful as a fallback during OpenID Connect setup should OpenID Connect configuration problems occur later, or if you need to support some users who do not have accounts in your OpenID Connect directory.

To enable alternate logins using the Looker API, see the Enabling the Alternate Login Option Help Center article.

Merge Users Using

Merge a first-time OpenID Connect login to an existing user account by one or more of the specified methods here. Options are Looker Email/Password, Google, LDAP, and SAML.

If you have multiple authentication systems in place, you can specify more than one system to merge by in this field. Looker will look up users from the systems listed in the order that they are specified. For example, assume you created some users using Looker email/assword, then you enabled LDAP, and now you want to use OpenID Connect. In the example above, Looker would merge by email/password first and then LDAP.

When a user logs in for the first time with OpenID Connect, this option will connect the user to their existing account by finding the account with a matching email address. If there is no existing account for the user, a new user account will be created.

Testing User Authentication

While specifying this configuration, click Test OpenID Connect Authentication to test your OpenID Connect configuration.

Read the results of the test carefully, as some parts of the test can succeed even if others fail.

Tests will redirect out to the endpoints and will open a new browser tab. The tab displays:

You can use this test to verify the information received from the various endpoints is correct, and to troubleshoot any errors.

Tips:

Save and Apply Settings

Be sure to first test your configuration and read the test results carefully to verify that all parts of the test succeeded. Saving incorrect OpenID Connect configuration information could lock you and others out of Looker.

Once you are done entering your information, and the tests are all passing, check I have confirmed the configuration above and want to enable applying it globally and click Update Settings to save.

Top