Auth : Manage User Authentication Configuration

Get LDAP Configuration

GET /api/3.0/ldap_config
ldap_config()

Implementation Notes

Get the LDAP configuration.

Looker can be optionally configured to authenticate users against an Active Directory or other LDAP directory server. LDAP setup requires coordination with an administrator of that directory server.

Only Looker administrators can read and update the LDAP configuration.

Configuring LDAP impacts authentication for all users. This configuration should be done carefully.

Looker maintains a single LDAP configuration. It can be read and updated. Updates only succeed if the new state will be valid (in the sense that all required fields are populated); it is up to you to ensure that the configuration is appropriate and correct.

LDAP is enabled or disabled for Looker using the enabled field.

Looker will never return an auth_password field. That value can be set, but never retrieved.

See the Looker LDAP docs for additional information.

Response Class

LDAPConfig {
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
auth_password (string): (Write-Only) Password for the LDAP account used to access the LDAP server,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in LDAP if set to true,
auth_username (string): Distinguished name of LDAP account used to access the LDAP server,
connection_host (string): LDAP server hostname,
connection_port (string): LDAP host port,
connection_tls (boolean): Use Transport Layer Security,
connection_tls_no_verify (boolean): Do not verify peer when using TLS,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via LDAP,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via LDAP,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via LDAP,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via LDAP,
enabled (boolean): Enable/Disable LDAP authentication for the server,
force_no_page (boolean): Don't attempt to do LDAP search result paging (RFC 2696) even if the LDAP server claims to support it.,
groups (Array[LDAPGroupRead], read-only): (Read-only) Array of mappings between LDAP Groups and Looker Roles,
groups_base_dn (string): Base dn for finding groups in LDAP searches,
groups_finder_type (string): Identifier for a strategy for how Looker will search for groups in the LDAP server,
groups_member_attribute (string): LDAP Group attribute that signifies the members of the groups. Most commonly 'member',
groups_objectclasses (string): Optional comma-separated list of supported LDAP objectclass for groups when doing groups searches,
groups_user_attribute (string): LDAP Group attribute that signifies the user in a group. Most commonly 'dn',
groups_with_role_ids (Array[LDAPGroupWrite]): (Read/Write) Array of mappings between LDAP Groups and arrays of Looker Role ids,
has_auth_password (boolean, read-only): (Read-only) Has the password been set for the LDAP account used to access the LDAP server,
merge_new_users_by_email (boolean): Merge first-time ldap login to existing user account by email addresses. When a user logs in for the first time via ldap this option will connect this user into their existing account by finding the account with a matching email address. Otherwise a new user account will be created for the user.,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
set_roles_from_groups (boolean): Set user roles in Looker based on groups from LDAP,
test_ldap_password (string): (Write-Only) Test LDAP user password. For ldap tests only.,
test_ldap_user (string): (Write-Only) Test LDAP user login id. For ldap tests only.,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
user_attribute_map_ldap_id (string): Name of user record attributes used to indicate unique record id,
user_attributes (Array[LDAPUserAttributeRead], read-only): (Read-only) Array of mappings between LDAP User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[LDAPUserAttributeWrite]): (Read/Write) Array of mappings between LDAP User Attributes and arrays of Looker User Attribute ids,
user_bind_base_dn (string): Distinguished name of LDAP node used as the base for user searches,
user_custom_filter (string): (Optional) Custom RFC-2254 filter clause for use in finding user during login. Combined via 'and' with the other generated filter clauses.,
user_id_attribute_names (string): Name(s) of user record attributes used for matching user login id (comma separated list),
user_objectclass (string): (Optional) Name of user record objectclass used for finding user during login id,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
Group {
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group,
can (object, read-only): Operations the current user is able to perform on this object
}
Role {
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role,
can (object, read-only): Operations the current user is able to perform on this object
}
PermissionSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
ModelSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
LDAPGroupRead {
name (string, read-only): Name of group in LDAP,
roles (Array[Role], read-only): Looker Roles,
url (string, read-only): Link to ldap config
}
LDAPGroupWrite {
name (string): Name of group in LDAP,
role_ids (Array[long]): Looker Role Ids,
url (string, read-only): Link to ldap config
}
LDAPUserAttributeRead {
name (string, read-only): Name of User Attribute in LDAP,
required (boolean, read-only): Required to be in LDAP assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes,
url (string, read-only): Link to ldap config
}
UserAttribute {
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.,
can (object, read-only): Operations the current user is able to perform on this object
}
LDAPUserAttributeWrite {
name (string): Name of User Attribute in LDAP,
required (boolean): Required to be in LDAP assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
url (string, read-only): Link to ldap config
}

Parameters

  None

Response Messages

HTTP Status Code Reason Response Model
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
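
A review of the settings this endpoint returns, written as an added example (not Looker's own code): it checks an LDAPConfig document for the options above that weaken transport security or widen who receives access on first login. The rule set, the severity labels, the reading of `all_access` as an unrestricted permission set, and the sample document are assumptions made for this illustration.

```python
import json

# Constructed sample shaped like the LDAPConfig response class above (not real data).
SAMPLE_CONFIG = json.loads("""
{
  "enabled": true,
  "connection_host": "ldap.example.com",
  "connection_port": "636",
  "connection_tls": true,
  "connection_tls_no_verify": true,
  "auth_username": "cn=looker-svc,ou=service,dc=example,dc=com",
  "has_auth_password": true,
  "auth_requires_role": false,
  "merge_new_users_by_email": true,
  "alternate_email_login_allowed": true,
  "default_new_user_roles": [
    {"id": 2, "name": "Admin",
     "permission_set": {"id": 1, "name": "Admin", "all_access": true}}
  ],
  "groups": [
    {"name": "bi-analysts", "roles": [{"id": 5, "name": "Viewer"}]}
  ]
}
""")

SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


def _all_access_roles(roles):
    """Names of roles whose permission_set reports all_access."""
    return [r.get("name") for r in roles or []
            if (r.get("permission_set") or {}).get("all_access")]


def audit_ldap_config(cfg):
    """Return (severity, field, message) findings, most severe first."""
    findings = []

    def add(severity, field, message):
        findings.append((severity, field, message))

    # Write-only secrets are never returned by the API, so finding one means
    # this document is a saved request body with a credential in it.
    for secret in ("auth_password", "test_ldap_password"):
        if secret in cfg:
            add("high", secret,
                "write-only secret present; this is a request body, not a response")

    if not cfg.get("connection_tls"):
        add("high", "connection_tls",
            "LDAP traffic, including bind credentials, is sent without TLS")
    elif cfg.get("connection_tls_no_verify"):
        add("high", "connection_tls_no_verify",
            "TLS peer is not verified, so the directory server is unauthenticated")

    if cfg.get("auth_username") and not cfg.get("has_auth_password"):
        add("medium", "has_auth_password",
            "bind DN is set but no bind password is stored")

    default_roles = cfg.get("default_new_user_roles") or []
    for name in _all_access_roles(default_roles):
        add("high", "default_new_user_roles",
            f"all-access role {name!r} is granted on first LDAP login")
    if default_roles and not cfg.get("auth_requires_role"):
        add("medium", "auth_requires_role",
            "users with no role found in LDAP can still log in "
            "and receive the default roles")

    # Informational: which directory groups confer unrestricted roles.
    for group in cfg.get("groups") or []:
        for name in _all_access_roles(group.get("roles")):
            add("info", "groups",
                f"LDAP group {group.get('name')!r} maps to all-access role {name!r}")

    if cfg.get("merge_new_users_by_email"):
        add("medium", "merge_new_users_by_email",
            "first LDAP login attaches to an existing account by email match; "
            "the directory's email attribute decides which account")

    if cfg.get("enabled") and not cfg.get("alternate_email_login_allowed"):
        add("info", "alternate_email_login_allowed",
            "no '/login/email' fallback if the LDAP configuration breaks")

    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


if __name__ == "__main__":
    for severity, field, message in audit_ldap_config(SAMPLE_CONFIG):
        print(f"[{severity:6}] {field}: {message}")
```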

Update LDAP Configuration

PATCH /api/3.0/ldap_config
update_ldap_config(body)

Implementation Notes

Update the LDAP configuration.

Configuring LDAP impacts authentication for all users. This configuration should be done carefully.

Only Looker administrators can read and update the LDAP configuration.

LDAP is enabled or disabled for Looker using the enabled field.

It is highly recommended that any LDAP setting changes be tested using the APIs below before being set globally.

See the Looker LDAP docs for additional information.

Response Class

LDAPConfig {
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
auth_password (string): (Write-Only) Password for the LDAP account used to access the LDAP server,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in LDAP if set to true,
auth_username (string): Distinguished name of LDAP account used to access the LDAP server,
connection_host (string): LDAP server hostname,
connection_port (string): LDAP host port,
connection_tls (boolean): Use Transport Layer Security,
connection_tls_no_verify (boolean): Do not verify peer when using TLS,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via LDAP,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via LDAP,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via LDAP,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via LDAP,
enabled (boolean): Enable/Disable LDAP authentication for the server,
force_no_page (boolean): Don't attempt to do LDAP search result paging (RFC 2696) even if the LDAP server claims to support it.,
groups (Array[LDAPGroupRead], read-only): (Read-only) Array of mappings between LDAP Groups and Looker Roles,
groups_base_dn (string): Base dn for finding groups in LDAP searches,
groups_finder_type (string): Identifier for a strategy for how Looker will search for groups in the LDAP server,
groups_member_attribute (string): LDAP Group attribute that signifies the members of the groups. Most commonly 'member',
groups_objectclasses (string): Optional comma-separated list of supported LDAP objectclass for groups when doing groups searches,
groups_user_attribute (string): LDAP Group attribute that signifies the user in a group. Most commonly 'dn',
groups_with_role_ids (Array[LDAPGroupWrite]): (Read/Write) Array of mappings between LDAP Groups and arrays of Looker Role ids,
has_auth_password (boolean, read-only): (Read-only) Has the password been set for the LDAP account used to access the LDAP server,
merge_new_users_by_email (boolean): Merge first-time ldap login to existing user account by email addresses. When a user logs in for the first time via ldap this option will connect this user into their existing account by finding the account with a matching email address. Otherwise a new user account will be created for the user.,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
set_roles_from_groups (boolean): Set user roles in Looker based on groups from LDAP,
test_ldap_password (string): (Write-Only) Test LDAP user password. For ldap tests only.,
test_ldap_user (string): (Write-Only) Test LDAP user login id. For ldap tests only.,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
user_attribute_map_ldap_id (string): Name of user record attributes used to indicate unique record id,
user_attributes (Array[LDAPUserAttributeRead], read-only): (Read-only) Array of mappings between LDAP User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[LDAPUserAttributeWrite]): (Read/Write) Array of mappings between LDAP User Attributes and arrays of Looker User Attribute ids,
user_bind_base_dn (string): Distinguished name of LDAP node used as the base for user searches,
user_custom_filter (string): (Optional) Custom RFC-2254 filter clause for use in finding user during login. Combined via 'and' with the other generated filter clauses.,
user_id_attribute_names (string): Name(s) of user record attributes used for matching user login id (comma separated list),
user_objectclass (string): (Optional) Name of user record objectclass used for finding user during login id,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
Group {
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group,
can (object, read-only): Operations the current user is able to perform on this object
}
Role {
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role,
can (object, read-only): Operations the current user is able to perform on this object
}
PermissionSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
ModelSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
LDAPGroupRead {
name (string, read-only): Name of group in LDAP,
roles (Array[Role], read-only): Looker Roles,
url (string, read-only): Link to ldap config
}
LDAPGroupWrite {
name (string): Name of group in LDAP,
role_ids (Array[long]): Looker Role Ids,
url (string, read-only): Link to ldap config
}
LDAPUserAttributeRead {
name (string, read-only): Name of User Attribute in LDAP,
required (boolean, read-only): Required to be in LDAP assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes,
url (string, read-only): Link to ldap config
}
UserAttribute {
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.,
can (object, read-only): Operations the current user is able to perform on this object
}
LDAPUserAttributeWrite {
name (string): Name of User Attribute in LDAP,
required (boolean): Required to be in LDAP assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
url (string, read-only): Link to ldap config
}

Parameters

Parameter Required? Description Parameter Type Data Type
body true LDAP Config body
LDAPConfig {
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
auth_password (string): (Write-Only) Password for the LDAP account used to access the LDAP server,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in LDAP if set to true,
auth_username (string): Distinguished name of LDAP account used to access the LDAP server,
connection_host (string): LDAP server hostname,
connection_port (string): LDAP host port,
connection_tls (boolean): Use Transport Layer Security,
connection_tls_no_verify (boolean): Do not verify peer when using TLS,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via LDAP,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via LDAP,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via LDAP,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via LDAP,
enabled (boolean): Enable/Disable LDAP authentication for the server,
force_no_page (boolean): Don't attempt to do LDAP search result paging (RFC 2696) even if the LDAP server claims to support it.,
groups (Array[LDAPGroupRead], read-only): (Read-only) Array of mappings between LDAP Groups and Looker Roles,
groups_base_dn (string): Base dn for finding groups in LDAP searches,
groups_finder_type (string): Identifier for a strategy for how Looker will search for groups in the LDAP server,
groups_member_attribute (string): LDAP Group attribute that signifies the members of the groups. Most commonly 'member',
groups_objectclasses (string): Optional comma-separated list of supported LDAP objectclass for groups when doing groups searches,
groups_user_attribute (string): LDAP Group attribute that signifies the user in a group. Most commonly 'dn',
groups_with_role_ids (Array[LDAPGroupWrite]): (Read/Write) Array of mappings between LDAP Groups and arrays of Looker Role ids,
has_auth_password (boolean, read-only): (Read-only) Has the password been set for the LDAP account used to access the LDAP server,
merge_new_users_by_email (boolean): Merge first-time ldap login to existing user account by email addresses. When a user logs in for the first time via ldap this option will connect this user into their existing account by finding the account with a matching email address. Otherwise a new user account will be created for the user.,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
set_roles_from_groups (boolean): Set user roles in Looker based on groups from LDAP,
test_ldap_password (string): (Write-Only) Test LDAP user password. For ldap tests only.,
test_ldap_user (string): (Write-Only) Test LDAP user login id. For ldap tests only.,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
user_attribute_map_ldap_id (string): Name of user record attributes used to indicate unique record id,
user_attributes (Array[LDAPUserAttributeRead], read-only): (Read-only) Array of mappings between LDAP User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[LDAPUserAttributeWrite]): (Read/Write) Array of mappings between LDAP User Attributes and arrays of Looker User Attribute ids,
user_bind_base_dn (string): Distinguished name of LDAP node used as the base for user searches,
user_custom_filter (string): (Optional) Custom RFC-2254 filter clause for use in finding user during login. Combined via 'and' with the other generated filter clauses.,
user_id_attribute_names (string): Name(s) of user record attributes used for matching user login id (comma separated list),
user_objectclass (string): (Optional) Name of user record objectclass used for finding user during login id,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
Group {
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group,
can (object, read-only): Operations the current user is able to perform on this object
}
Role {
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role,
can (object, read-only): Operations the current user is able to perform on this object
}
PermissionSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
ModelSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
LDAPGroupRead {
name (string, read-only): Name of group in LDAP,
roles (Array[Role], read-only): Looker Roles,
url (string, read-only): Link to ldap config
}
LDAPGroupWrite {
name (string): Name of group in LDAP,
role_ids (Array[long]): Looker Role Ids,
url (string, read-only): Link to ldap config
}
LDAPUserAttributeRead {
name (string, read-only): Name of User Attribute in LDAP,
required (boolean, read-only): Required to be in LDAP assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes,
url (string, read-only): Link to ldap config
}
UserAttribute {
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.,
can (object, read-only): Operations the current user is able to perform on this object
}
LDAPUserAttributeWrite {
name (string): Name of User Attribute in LDAP,
required (boolean): Required to be in LDAP assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
url (string, read-only): Link to ldap config
}

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
422 Validation Error
ValidationError {
message (string, read-only, required): Error details,
errors (Array[ValidationErrorDetail], read-only): Error detail array,
documentation_url (string, read-only, required): Documentation link
}
ValidationErrorDetail {
field (string, read-only): Field with error,
code (string, read-only): Error code,
message (string, read-only): Error info message,
documentation_url (string, read-only, required): Documentation link
}

Test LDAP Connection

PUT /api/3.0/ldap_config/test_connection
test_ldap_config_connection(body)

Implementation Notes

Test the connection settings for an LDAP configuration.

This tests that the connection is possible given a connection_host and connection_port.

connection_host and connection_port are required. connection_tls is optional.

Example:

{
  "connection_host": "ldap.example.com",
  "connection_port": "636",
  "connection_tls": true
}

No authentication to the LDAP server is attempted.

The active LDAP settings are not modified.

Response Class

LDAPConfigTestResult {
details (string, read-only): Additional details for error cases,
issues (Array[LDAPConfigTestIssue], read-only): Array of issues/considerations about the result,
message (string, read-only): Short human readable test about the result,
status (string, read-only): Test status code: always 'success' or 'error',
trace (string, read-only): A more detailed trace of incremental results during auth tests,
user (LDAPUser, read-only): User details from LDAP server for auth tests,
url (string, read-only): Link to ldap config,
can (object, read-only): Operations the current user is able to perform on this object
}
LDAPConfigTestIssue {
severity (string, read-only): Severity of the issue. Error or Warning,
message (string, read-only): Message describing the issue,
can (object, read-only): Operations the current user is able to perform on this object
}
LDAPUser {
all_emails (Array[string], read-only): Array of user's email addresses and aliases for use in migration,
attributes (object, read-only): Dictionary of user's attributes (name/value),
email (string, read-only): Primary email address,
first_name (string, read-only): First name,
groups (Array[string], read-only): Array of user's groups (group names only),
last_name (string, read-only): Last Name,
ldap_dn (string, read-only): LDAP's distinguished name for the user record,
ldap_id (string, read-only): LDAP's Unique ID for the user,
roles (Array[string], read-only): Array of user's roles (role names only),
url (string, read-only): Link to ldap config,
can (object, read-only): Operations the current user is able to perform on this object
}
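
One way to follow the "test before setting globally" recommendation with this endpoint, as an added example rather than Looker's own code: the desired settings are sent to test_connection first, and the PATCH to /api/3.0/ldap_config is issued only if the LDAPConfigTestResult is clean. The `send(method, path, body)` callable, the `FakeLooker` stand-in and its canned responses are hypothetical; the read-only and test-only field names are taken from the LDAPConfig model on this page.

```python
TEST_CONNECTION_PATH = "/api/3.0/ldap_config/test_connection"
CONFIG_PATH = "/api/3.0/ldap_config"

# Fields the LDAPConfig model marks read-only, plus the "For ldap tests only" pair.
READ_ONLY = {"default_new_user_groups", "default_new_user_roles", "groups",
             "has_auth_password", "modified_at", "modified_by",
             "user_attributes", "url", "can"}
TESTS_ONLY = {"test_ldap_user", "test_ldap_password"}


def connection_test_body(cfg):
    """Build the test_connection body; host and port are required, TLS optional."""
    missing = [k for k in ("connection_host", "connection_port") if not cfg.get(k)]
    if missing:
        raise ValueError("required for test_connection: " + ", ".join(missing))
    body = {"connection_host": cfg["connection_host"],
            "connection_port": str(cfg["connection_port"])}  # model types it as string
    if "connection_tls" in cfg:
        body["connection_tls"] = bool(cfg["connection_tls"])
    return body


def result_is_clean(result):
    """True when status is 'success' and no issue has severity Error."""
    if result.get("status") != "success":
        return False
    return not any(str(issue.get("severity", "")).lower() == "error"
                   for issue in result.get("issues") or [])


def patch_body(desired):
    """Drop read-only and test-only fields before updating the live config."""
    return {k: v for k, v in desired.items()
            if k not in READ_ONLY and k not in TESTS_ONLY}


def apply_if_connection_ok(desired, send):
    """Test first; PATCH only on a clean result. Returns (applied, response)."""
    result = send("PUT", TEST_CONNECTION_PATH, connection_test_body(desired))
    if not result_is_clean(result):
        return False, result
    return True, send("PATCH", CONFIG_PATH, patch_body(desired))


class FakeLooker:
    """Constructed stand-in for an authenticated API client; records every call."""

    def __init__(self, reachable_ports):
        self.calls = []
        self.reachable_ports = set(reachable_ports)

    def __call__(self, method, path, body):
        self.calls.append((method, path, body))
        if path == TEST_CONNECTION_PATH:
            if body["connection_port"] in self.reachable_ports:
                return {"status": "success", "message": "connected", "issues": []}
            return {"status": "error", "message": "connection failed",
                    "issues": [{"severity": "Error", "message": "cannot connect"}]}
        # Constructed PATCH response: the password is never echoed back.
        echoed = {k: v for k, v in body.items() if k != "auth_password"}
        echoed["has_auth_password"] = "auth_password" in body
        return echoed


if __name__ == "__main__":
    desired = {"connection_host": "ldap.example.com", "connection_port": "636",
               "connection_tls": True, "connection_tls_no_verify": False,
               "modified_at": "stale value copied from an earlier GET"}
    client = FakeLooker(reachable_ports={"636"})
    applied, response = apply_if_connection_ok(desired, client)
    print("applied:", applied)
    for method, path, body in client.calls:
        print(method, path, sorted(body))
```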

Parameters

Parameter Required? Description Parameter Type Data Type
body true LDAP Config body
LDAPConfig {
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
auth_password (string): (Write-Only) Password for the LDAP account used to access the LDAP server,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in LDAP if set to true,
auth_username (string): Distinguished name of LDAP account used to access the LDAP server,
connection_host (string): LDAP server hostname,
connection_port (string): LDAP host port,
connection_tls (boolean): Use Transport Layer Security,
connection_tls_no_verify (boolean): Do not verify peer when using TLS,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via LDAP,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via LDAP,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via LDAP,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via LDAP,
enabled (boolean): Enable/Disable LDAP authentication for the server,
force_no_page (boolean): Don't attempt to do LDAP search result paging (RFC 2696) even if the LDAP server claims to support it.,
groups (Array[LDAPGroupRead], read-only): (Read-only) Array of mappings between LDAP Groups and Looker Roles,
groups_base_dn (string): Base dn for finding groups in LDAP searches,
groups_finder_type (string): Identifier for a strategy for how Looker will search for groups in the LDAP server,
groups_member_attribute (string): LDAP Group attribute that signifies the members of the groups. Most commonly 'member',
groups_objectclasses (string): Optional comma-separated list of supported LDAP objectclass for groups when doing groups searches,
groups_user_attribute (string): LDAP Group attribute that signifies the user in a group. Most commonly 'dn',
groups_with_role_ids (Array[LDAPGroupWrite]): (Read/Write) Array of mappings between LDAP Groups and arrays of Looker Role ids,
has_auth_password (boolean, read-only): (Read-only) Has the password been set for the LDAP account used to access the LDAP server,
merge_new_users_by_email (boolean): Merge first-time ldap login to existing user account by email addresses. When a user logs in for the first time via ldap this option will connect this user into their existing account by finding the account with a matching email address. Otherwise a new user account will be created for the user.,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
set_roles_from_groups (boolean): Set user roles in Looker based on groups from LDAP,
test_ldap_password (string): (Write-Only) Test LDAP user password. For ldap tests only.,
test_ldap_user (string): (Write-Only) Test LDAP user login id. For ldap tests only.,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
user_attribute_map_ldap_id (string): Name of user record attributes used to indicate unique record id,
user_attributes (Array[LDAPUserAttributeRead], read-only): (Read-only) Array of mappings between LDAP User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[LDAPUserAttributeWrite]): (Read/Write) Array of mappings between LDAP User Attributes and arrays of Looker User Attribute ids,
user_bind_base_dn (string): Distinguished name of LDAP node used as the base for user searches,
user_custom_filter (string): (Optional) Custom RFC-2254 filter clause for use in finding user during login. Combined via 'and' with the other generated filter clauses.,
user_id_attribute_names (string): Name(s) of user record attributes used for matching user login id (comma separated list),
user_objectclass (string): (Optional) Name of user record objectclass used for finding user during login id,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
Group {
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group,
can (object, read-only): Operations the current user is able to perform on this object
}
Role {
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role,
can (object, read-only): Operations the current user is able to perform on this object
}
PermissionSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
ModelSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
LDAPGroupRead {
name (string, read-only): Name of group in LDAP,
roles (Array[Role], read-only): Looker Roles,
url (string, read-only): Link to ldap config
}
LDAPGroupWrite {
name (string): Name of group in LDAP,
role_ids (Array[long]): Looker Role Ids,
url (string, read-only): Link to ldap config
}
LDAPUserAttributeRead {
name (string, read-only): Name of User Attribute in LDAP,
required (boolean, read-only): Required to be in LDAP assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes,
url (string, read-only): Link to ldap config
}
UserAttribute {
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.,
can (object, read-only): Operations the current user is able to perform on this object
}
LDAPUserAttributeWrite {
name (string): Name of User Attribute in LDAP,
required (boolean): Required to be in LDAP assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
url (string, read-only): Link to ldap config
}

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
422 Validation Error
ValidationError {
message (string, read-only, required): Error details,
errors (Array[ValidationErrorDetail], read-only): Error detail array,
documentation_url (string, read-only, required): Documentation link
}
ValidationErrorDetail {
field (string, read-only): Field with error,
code (string, read-only): Error code,
message (string, read-only): Error info message,
documentation_url (string, read-only, required): Documentation link
}

Test LDAP Auth

PUT/api/3.0/ldap_config/test_auth
test_ldap_config_auth(body)

Implementation Notes

Test the connection authentication settings for an LDAP configuration.

This tests that the connection is possible and that a ‘server’ account to be used by Looker can authenticate to the LDAP server given connection and authentication information.

connection_host, connection_port, and auth_username are required. connection_tls and auth_password are optional.

Example:

{
  "connection_host": "ldap.example.com",
  "connection_port": "636",
  "connection_tls": true,
  "auth_username": "cn=looker,dc=example,dc=com",
  "auth_password": "secret"
}

Looker will never return an auth_password. If this request omits the auth_password field, then the auth_password value from the active config (if present) will be used for the test.

The active LDAP settings are not modified.
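The sketch below is an added example, not Looker's own code. It uses the field names documented above to mask the write-only secrets before a config is logged, flag transport and login settings worth reviewing, and build a test_auth body that leaves out auth_password so the stored value is used. The function names, the severity labels and the sample values beyond the page's example are assumptions.

```python
import copy

# Fields the page marks (Write-Only) that hold secrets.
SECRET_FIELDS = ("auth_password", "test_ldap_password")
# Fields the page lists as required for PUT /api/3.0/ldap_config/test_auth.
TEST_AUTH_REQUIRED = ("connection_host", "connection_port", "auth_username")


def redact(config):
    """Return a copy that is safe to log: secret values are masked."""
    safe = copy.deepcopy(config)
    for name in SECRET_FIELDS:
        if name in safe:
            safe[name] = "<redacted>"
    return safe


def audit(config):
    """Return (level, field, note) tuples for settings worth a second look.

    The levels "high" and "review" are labels chosen for this example.
    """
    findings = []
    if not config.get("connection_tls"):
        findings.append(("high", "connection_tls",
                         "connection to the LDAP server does not use TLS"))
    elif config.get("connection_tls_no_verify"):
        findings.append(("high", "connection_tls_no_verify",
                         "TLS is on but the peer is not verified"))
    if not config.get("auth_requires_role"):
        findings.append(("review", "auth_requires_role",
                         "users with no role found in LDAP are not blocked from login"))
    if config.get("alternate_email_login_allowed"):
        findings.append(("review", "alternate_email_login_allowed",
                         "'/login/email' stays available to admins and "
                         "'login_special_email' users"))
    if config.get("merge_new_users_by_email"):
        findings.append(("review", "merge_new_users_by_email",
                         "first LDAP login attaches to an existing account by "
                         "matching email address"))
    if config.get("default_new_user_role_ids"):
        findings.append(("review", "default_new_user_role_ids",
                         "every first-time LDAP user receives these roles"))
    return findings


def build_test_auth_body(config, include_password=False):
    """Build a test_auth body from only the fields the page names for it.

    auth_password is omitted by default, so the value stored in the active
    config (if present) is used and the caller never handles the secret.
    """
    missing = [f for f in TEST_AUTH_REQUIRED if not config.get(f)]
    if missing:
        raise ValueError("missing required field(s): " + ", ".join(missing))
    body = {f: config[f] for f in TEST_AUTH_REQUIRED}
    if "connection_tls" in config:
        body["connection_tls"] = config["connection_tls"]
    if include_password and "auth_password" in config:
        body["auth_password"] = config["auth_password"]
    return body


# Constructed sample: the page's example plus extra fields set for the audit.
SAMPLE = {
    "connection_host": "ldap.example.com",
    "connection_port": "636",
    "connection_tls": True,
    "connection_tls_no_verify": True,
    "auth_username": "cn=looker,dc=example,dc=com",
    "auth_password": "secret",
    "auth_requires_role": True,
    "merge_new_users_by_email": True,
}

if __name__ == "__main__":
    print("loggable config:", redact(SAMPLE))
    for level, field, note in audit(SAMPLE):
        print(f"[{level}] {field}: {note}")
    print("test_auth body:", build_test_auth_body(SAMPLE))
```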

Response Class

LDAPConfigTestResult {
details (string, read-only): Additional details for error cases,
issues (Array[LDAPConfigTestIssue], read-only): Array of issues/considerations about the result,
message (string, read-only): Short human readable test about the result,
status (string, read-only): Test status code: always 'success' or 'error',
trace (string, read-only): A more detailed trace of incremental results during auth tests,
user (LDAPUser, read-only): User details from LDAP server for auth tests,
url (string, read-only): Link to ldap config,
can (object, read-only): Operations the current user is able to perform on this object
}
LDAPConfigTestIssue {
severity (string, read-only): Severity of the issue. Error or Warning,
message (string, read-only): Message describing the issue,
can (object, read-only): Operations the current user is able to perform on this object
}
LDAPUser {
all_emails (Array[string], read-only): Array of user's email addresses and aliases for use in migration,
attributes (object, read-only): Dictionary of user's attributes (name/value),
email (string, read-only): Primary email address,
first_name (string, read-only): First name,
groups (Array[string], read-only): Array of user's groups (group names only),
last_name (string, read-only): Last Name,
ldap_dn (string, read-only): LDAP's distinguished name for the user record,
ldap_id (string, read-only): LDAP's Unique ID for the user,
roles (Array[string], read-only): Array of user's roles (role names only),
url (string, read-only): Link to ldap config,
can (object, read-only): Operations the current user is able to perform on this object
}

Parameters

Parameter Required? Description Parameter Type Data Type
body true LDAP Config body
LDAPConfig {
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
auth_password (string): (Write-Only) Password for the LDAP account used to access the LDAP server,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in LDAP if set to true,
auth_username (string): Distinguished name of LDAP account used to access the LDAP server,
connection_host (string): LDAP server hostname,
connection_port (string): LDAP host port,
connection_tls (boolean): Use Transport Layer Security,
connection_tls_no_verify (boolean): Do not verify peer when using TLS,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via LDAP,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via LDAP,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via LDAP,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via LDAP,
enabled (boolean): Enable/Disable LDAP authentication for the server,
force_no_page (boolean): Don't attempt to do LDAP search result paging (RFC 2696) even if the LDAP server claims to support it.,
groups (Array[LDAPGroupRead], read-only): (Read-only) Array of mappings between LDAP Groups and Looker Roles,
groups_base_dn (string): Base dn for finding groups in LDAP searches,
groups_finder_type (string): Identifier for a strategy for how Looker will search for groups in the LDAP server,
groups_member_attribute (string): LDAP Group attribute that signifies the members of the groups. Most commonly 'member',
groups_objectclasses (string): Optional comma-separated list of supported LDAP objectclass for groups when doing groups searches,
groups_user_attribute (string): LDAP Group attribute that signifies the user in a group. Most commonly 'dn',
groups_with_role_ids (Array[LDAPGroupWrite]): (Read/Write) Array of mappings between LDAP Groups and arrays of Looker Role ids,
has_auth_password (boolean, read-only): (Read-only) Has the password been set for the LDAP account used to access the LDAP server,
merge_new_users_by_email (boolean): Merge first-time ldap login to existing user account by email addresses. When a user logs in for the first time via ldap this option will connect this user into their existing account by finding the account with a matching email address. Otherwise a new user account will be created for the user.,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
set_roles_from_groups (boolean): Set user roles in Looker based on groups from LDAP,
test_ldap_password (string): (Write-Only) Test LDAP user password. For ldap tests only.,
test_ldap_user (string): (Write-Only) Test LDAP user login id. For ldap tests only.,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
user_attribute_map_ldap_id (string): Name of user record attributes used to indicate unique record id,
user_attributes (Array[LDAPUserAttributeRead], read-only): (Read-only) Array of mappings between LDAP User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[LDAPUserAttributeWrite]): (Read/Write) Array of mappings between LDAP User Attributes and arrays of Looker User Attribute ids,
user_bind_base_dn (string): Distinguished name of LDAP node used as the base for user searches,
user_custom_filter (string): (Optional) Custom RFC-2254 filter clause for use in finding user during login. Combined via 'and' with the other generated filter clauses.,
user_id_attribute_names (string): Name(s) of user record attributes used for matching user login id (comma separated list),
user_objectclass (string): (Optional) Name of user record objectclass used for finding user during login id,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
Group {
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group,
can (object, read-only): Operations the current user is able to perform on this object
}
Role {
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role,
can (object, read-only): Operations the current user is able to perform on this object
}
PermissionSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
ModelSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
LDAPGroupRead {
name (string, read-only): Name of group in LDAP,
roles (Array[Role], read-only): Looker Roles,
url (string, read-only): Link to ldap config
}
LDAPGroupWrite {
name (string): Name of group in LDAP,
role_ids (Array[long]): Looker Role Ids,
url (string, read-only): Link to ldap config
}
LDAPUserAttributeRead {
name (string, read-only): Name of User Attribute in LDAP,
required (boolean, read-only): Required to be in LDAP assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes,
url (string, read-only): Link to ldap config
}
UserAttribute {
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.,
can (object, read-only): Operations the current user is able to perform on this object
}
LDAPUserAttributeWrite {
name (string): Name of User Attribute in LDAP,
required (boolean): Required to be in LDAP assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
url (string, read-only): Link to ldap config
}

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
422 Validation Error
ValidationError {
message (string, read-only, required): Error details,
errors (Array[ValidationErrorDetail], read-only): Error detail array,
documentation_url (string, read-only, required): Documentation link
}
ValidationErrorDetail {
field (string, read-only): Field with error,
code (string, read-only): Error code,
message (string, read-only): Error info message,
documentation_url (string, read-only, required): Documentation link
}

Test LDAP User Info

PUT/api/3.0/ldap_config/test_user_info
test_ldap_config_user_info(body)

Implementation Notes

Test the user authentication settings for an LDAP configuration without authenticating the user.

This test will let you easily test the mapping for user properties and roles for any user without needing to authenticate as that user.

This test accepts a full LDAP configuration along with a username and attempts to find the full info for the user from the LDAP server without actually authenticating the user, so the user's password is not required. The configuration is validated before attempting to contact the server.

test_ldap_user is required.

The active LDAP settings are not modified.

Response Class

LDAPConfigTestResult {
details (string, read-only): Additional details for error cases,
issues (Array[LDAPConfigTestIssue], read-only): Array of issues/considerations about the result,
message (string, read-only): Short human readable test about the result,
status (string, read-only): Test status code: always 'success' or 'error',
trace (string, read-only): A more detailed trace of incremental results during auth tests,
user (LDAPUser, read-only): User details from LDAP server for auth tests,
url (string, read-only): Link to ldap config,
can (object, read-only): Operations the current user is able to perform on this object
}
LDAPConfigTestIssue {
severity (string, read-only): Severity of the issue. Error or Warning,
message (string, read-only): Message describing the issue,
can (object, read-only): Operations the current user is able to perform on this object
}
LDAPUser {
all_emails (Array[string], read-only): Array of user's email addresses and aliases for use in migration,
attributes (object, read-only): Dictionary of user's attributes (name/value),
email (string, read-only): Primary email address,
first_name (string, read-only): First name,
groups (Array[string], read-only): Array of user's groups (group names only),
last_name (string, read-only): Last Name,
ldap_dn (string, read-only): LDAP's distinguished name for the user record,
ldap_id (string, read-only): LDAP's Unique ID for the user,
roles (Array[string], read-only): Array of user's roles (role names only),
url (string, read-only): Link to ldap config,
can (object, read-only): Operations the current user is able to perform on this object
}

Parameters

Parameter Required? Description Parameter Type Data Type
body true LDAP Config body
LDAPConfig {
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
auth_password (string): (Write-Only) Password for the LDAP account used to access the LDAP server,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in LDAP if set to true,
auth_username (string): Distinguished name of LDAP account used to access the LDAP server,
connection_host (string): LDAP server hostname,
connection_port (string): LDAP host port,
connection_tls (boolean): Use Transport Layer Security,
connection_tls_no_verify (boolean): Do not verify peer when using TLS,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via LDAP,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via LDAP,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via LDAP,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via LDAP,
enabled (boolean): Enable/Disable LDAP authentication for the server,
force_no_page (boolean): Don't attempt to do LDAP search result paging (RFC 2696) even if the LDAP server claims to support it.,
groups (Array[LDAPGroupRead], read-only): (Read-only) Array of mappings between LDAP Groups and Looker Roles,
groups_base_dn (string): Base dn for finding groups in LDAP searches,
groups_finder_type (string): Identifier for a strategy for how Looker will search for groups in the LDAP server,
groups_member_attribute (string): LDAP Group attribute that signifies the members of the groups. Most commonly 'member',
groups_objectclasses (string): Optional comma-separated list of supported LDAP objectclass for groups when doing groups searches,
groups_user_attribute (string): LDAP Group attribute that signifies the user in a group. Most commonly 'dn',
groups_with_role_ids (Array[LDAPGroupWrite]): (Read/Write) Array of mappings between LDAP Groups and arrays of Looker Role ids,
has_auth_password (boolean, read-only): (Read-only) Has the password been set for the LDAP account used to access the LDAP server,
merge_new_users_by_email (boolean): Merge first-time ldap login to existing user account by email addresses. When a user logs in for the first time via ldap this option will connect this user into their existing account by finding the account with a matching email address. Otherwise a new user account will be created for the user.,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
set_roles_from_groups (boolean): Set user roles in Looker based on groups from LDAP,
test_ldap_password (string): (Write-Only) Test LDAP user password. For ldap tests only.,
test_ldap_user (string): (Write-Only) Test LDAP user login id. For ldap tests only.,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
user_attribute_map_ldap_id (string): Name of user record attributes used to indicate unique record id,
user_attributes (Array[LDAPUserAttributeRead], read-only): (Read-only) Array of mappings between LDAP User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[LDAPUserAttributeWrite]): (Read/Write) Array of mappings between LDAP User Attributes and arrays of Looker User Attribute ids,
user_bind_base_dn (string): Distinguished name of LDAP node used as the base for user searches,
user_custom_filter (string): (Optional) Custom RFC-2254 filter clause for use in finding user during login. Combined via 'and' with the other generated filter clauses.,
user_id_attribute_names (string): Name(s) of user record attributes used for matching user login id (comma separated list),
user_objectclass (string): (Optional) Name of user record objectclass used for finding user during login id,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
Group {
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group,
can (object, read-only): Operations the current user is able to perform on this object
}
Role {
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role,
can (object, read-only): Operations the current user is able to perform on this object
}
PermissionSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
ModelSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
LDAPGroupRead {
name (string, read-only): Name of group in LDAP,
roles (Array[Role], read-only): Looker Roles,
url (string, read-only): Link to ldap config
}
LDAPGroupWrite {
name (string): Name of group in LDAP,
role_ids (Array[long]): Looker Role Ids,
url (string, read-only): Link to ldap config
}
LDAPUserAttributeRead {
name (string, read-only): Name of User Attribute in LDAP,
required (boolean, read-only): Required to be in LDAP assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes,
url (string, read-only): Link to ldap config
}
UserAttribute {
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.,
can (object, read-only): Operations the current user is able to perform on this object
}
LDAPUserAttributeWrite {
name (string): Name of User Attribute in LDAP,
required (boolean): Required to be in LDAP assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
url (string, read-only): Link to ldap config
}

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
422 Validation Error
ValidationError {
message (string, read-only, required): Error details,
errors (Array[ValidationErrorDetail], read-only): Error detail array,
documentation_url (string, read-only, required): Documentation link
}
ValidationErrorDetail {
field (string, read-only): Field with error,
code (string, read-only): Error code,
message (string, read-only): Error info message,
documentation_url (string, read-only, required): Documentation link
}

Test LDAP User Auth

PUT/api/3.0/ldap_config/test_user_auth
test_ldap_config_user_auth(body)

Implementation Notes

Test the user authentication settings for an LDAP configuration.

This test accepts a full LDAP configuration along with a username/password pair and attempts to authenticate the user with the LDAP server. The configuration is validated before attempting the authentication.

Looker will never return an auth_password. If this request omits the auth_password field, then the auth_password value from the active config (if present) will be used for the test.

test_ldap_user and test_ldap_password are required.

The active LDAP settings are not modified.
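The following added example (not Looker's code) shows one way to review the LDAPConfigTestResult returned by test_user_info or test_user_auth before LDAP is enabled: it compares the roles the test user resolved to against the roles you expect and separates Error issues from Warning issues. The function name, the role names and the sample result are constructed assumptions; only the field names come from the response class on this page.

```python
def review_test_result(result, expected_roles, require_email=True):
    """Check an LDAPConfigTestResult-shaped dict against expected role mapping.

    Returns {"blocking": [...], "warnings": [...]}. An empty "blocking" list
    means the test user resolved exactly as expected.
    """
    report = {"blocking": [], "warnings": []}

    # status is always 'success' or 'error'; on error there is no user to inspect.
    if result.get("status") != "success":
        reason = result.get("message") or result.get("details") or "no message"
        report["blocking"].append("test failed: " + reason)
        return report

    # issues carry a severity of Error or Warning; compare case-insensitively.
    for issue in result.get("issues") or []:
        severity = (issue.get("severity") or "").lower()
        text = issue.get("message") or ""
        if severity == "error":
            report["blocking"].append("issue: " + text)
        else:
            report["warnings"].append(text)

    user = result.get("user") or {}
    resolved = set(user.get("roles") or [])
    expected = set(expected_roles)

    # Roles granted beyond what was expected are the least-privilege concern.
    extra = sorted(resolved - expected)
    if extra:
        report["blocking"].append("unexpected roles: " + ", ".join(extra))

    # Roles that did not resolve usually point at the group-to-role mapping.
    missing = sorted(expected - resolved)
    if missing:
        report["blocking"].append("missing roles: " + ", ".join(missing))

    if require_email and not user.get("email"):
        report["blocking"].append(
            "no email resolved; check user_attribute_map_email")
    return report


# Constructed sample result; role names, group name and messages are made up.
SAMPLE_RESULT = {
    "status": "success",
    "message": "constructed success message",
    "issues": [
        {"severity": "Warning", "message": "constructed warning text"},
    ],
    "user": {
        "email": "jdoe@example.com",
        "first_name": "J",
        "last_name": "Doe",
        "ldap_dn": "uid=jdoe,ou=people,dc=example,dc=com",
        "groups": ["analysts"],
        "roles": ["Admin", "Viewer"],
    },
}

if __name__ == "__main__":
    outcome = review_test_result(SAMPLE_RESULT, expected_roles=["Viewer"])
    for line in outcome["blocking"]:
        print("BLOCKING:", line)
    for line in outcome["warnings"]:
        print("warning:", line)
```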

Response Class

LDAPConfigTestResult {
details (string, read-only): Additional details for error cases,
issues (Array[LDAPConfigTestIssue], read-only): Array of issues/considerations about the result,
message (string, read-only): Short human readable test about the result,
status (string, read-only): Test status code: always 'success' or 'error',
trace (string, read-only): A more detailed trace of incremental results during auth tests,
user (LDAPUser, read-only): User details from LDAP server for auth tests,
url (string, read-only): Link to ldap config,
can (object, read-only): Operations the current user is able to perform on this object
}
LDAPConfigTestIssue {
severity (string, read-only): Severity of the issue. Error or Warning,
message (string, read-only): Message describing the issue,
can (object, read-only): Operations the current user is able to perform on this object
}
LDAPUser {
all_emails (Array[string], read-only): Array of user's email addresses and aliases for use in migration,
attributes (object, read-only): Dictionary of user's attributes (name/value),
email (string, read-only): Primary email address,
first_name (string, read-only): First name,
groups (Array[string], read-only): Array of user's groups (group names only),
last_name (string, read-only): Last Name,
ldap_dn (string, read-only): LDAP's distinguished name for the user record,
ldap_id (string, read-only): LDAP's Unique ID for the user,
roles (Array[string], read-only): Array of user's roles (role names only),
url (string, read-only): Link to ldap config,
can (object, read-only): Operations the current user is able to perform on this object
}

Parameters

Parameter Required? Description Parameter Type Data Type
body true LDAP Config body
LDAPConfig {
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
auth_password (string): (Write-Only) Password for the LDAP account used to access the LDAP server,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in LDAP if set to true,
auth_username (string): Distinguished name of LDAP account used to access the LDAP server,
connection_host (string): LDAP server hostname,
connection_port (string): LDAP host port,
connection_tls (boolean): Use Transport Layer Security,
connection_tls_no_verify (boolean): Do not verify peer when using TLS,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via LDAP,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via LDAP,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via LDAP,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via LDAP,
enabled (boolean): Enable/Disable LDAP authentication for the server,
force_no_page (boolean): Don't attempt to do LDAP search result paging (RFC 2696) even if the LDAP server claims to support it.,
groups (Array[LDAPGroupRead], read-only): (Read-only) Array of mappings between LDAP Groups and Looker Roles,
groups_base_dn (string): Base dn for finding groups in LDAP searches,
groups_finder_type (string): Identifier for a strategy for how Looker will search for groups in the LDAP server,
groups_member_attribute (string): LDAP Group attribute that signifies the members of the groups. Most commonly 'member',
groups_objectclasses (string): Optional comma-separated list of supported LDAP objectclass for groups when doing groups searches,
groups_user_attribute (string): LDAP Group attribute that signifies the user in a group. Most commonly 'dn',
groups_with_role_ids (Array[LDAPGroupWrite]): (Read/Write) Array of mappings between LDAP Groups and arrays of Looker Role ids,
has_auth_password (boolean, read-only): (Read-only) Has the password been set for the LDAP account used to access the LDAP server,
merge_new_users_by_email (boolean): Merge first-time ldap login to existing user account by email addresses. When a user logs in for the first time via ldap this option will connect this user into their existing account by finding the account with a matching email address. Otherwise a new user account will be created for the user.,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
set_roles_from_groups (boolean): Set user roles in Looker based on groups from LDAP,
test_ldap_password (string): (Write-Only) Test LDAP user password. For ldap tests only.,
test_ldap_user (string): (Write-Only) Test LDAP user login id. For ldap tests only.,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
user_attribute_map_ldap_id (string): Name of user record attributes used to indicate unique record id,
user_attributes (Array[LDAPUserAttributeRead], read-only): (Read-only) Array of mappings between LDAP User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[LDAPUserAttributeWrite]): (Read/Write) Array of mappings between LDAP User Attributes and arrays of Looker User Attribute ids,
user_bind_base_dn (string): Distinguished name of LDAP node used as the base for user searches,
user_custom_filter (string): (Optional) Custom RFC-2254 filter clause for use in finding user during login. Combined via 'and' with the other generated filter clauses.,
user_id_attribute_names (string): Name(s) of user record attributes used for matching user login id (comma separated list),
user_objectclass (string): (Optional) Name of user record objectclass used for finding user during login id,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
Group {
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group,
can (object, read-only): Operations the current user is able to perform on this object
}
Role {
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role,
can (object, read-only): Operations the current user is able to perform on this object
}
PermissionSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
ModelSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
LDAPGroupRead {
name (string, read-only): Name of group in LDAP,
roles (Array[Role], read-only): Looker Roles,
url (string, read-only): Link to ldap config
}
LDAPGroupWrite {
name (string): Name of group in LDAP,
role_ids (Array[long]): Looker Role Ids,
url (string, read-only): Link to ldap config
}
LDAPUserAttributeRead {
name (string, read-only): Name of User Attribute in LDAP,
required (boolean, read-only): Required to be in LDAP assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes,
url (string, read-only): Link to ldap config
}
UserAttribute {
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.,
can (object, read-only): Operations the current user is able to perform on this object
}
LDAPUserAttributeWrite {
name (string): Name of User Attribute in LDAP,
required (boolean): Required to be in LDAP assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
url (string, read-only): Link to ldap config
}

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
422 Validation Error
ValidationError {
message (string, read-only, required): Error details,
errors (Array[ValidationErrorDetail], read-only): Error detail array,
documentation_url (string, read-only, required): Documentation link
}
ValidationErrorDetail {
field (string, read-only): Field with error,
code (string, read-only): Error code,
message (string, read-only): Error info message,
documentation_url (string, read-only, required): Documentation link
}

Get OIDC Configuration beta

GET /api/3.0/oidc_config
oidc_config()

Implementation Notes

Get the OIDC configuration.

Looker can be optionally configured to authenticate users against an OpenID Connect (OIDC) authentication server. OIDC setup requires coordination with an administrator of that server.

Only Looker administrators can read and update the OIDC configuration.

Configuring OIDC impacts authentication for all users. This configuration should be done carefully.

Looker maintains a single OIDC configuration. It can be read and updated. Updates only succeed if the new state will be valid (in the sense that all required fields are populated); it is up to you to ensure that the configuration is appropriate and correct.

OIDC is enabled or disabled for Looker using the enabled field.

Response Class

OIDCConfig {
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
audience (string): OpenID Provider Audience,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in OIDC if set to true,
authorization_endpoint (string): OpenID Provider Authorization Url,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via OIDC,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via OIDC,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via OIDC,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via OIDC,
enabled (boolean): Enable/Disable OIDC authentication for the server,
groups (Array[OIDCGroupRead], read-only): (Read-only) Array of mappings between OIDC Groups and Looker Roles,
groups_attribute (string): Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values',
groups_with_role_ids (Array[OIDCGroupWrite]): (Read/Write) Array of mappings between OIDC Groups and arrays of Looker Role ids,
identifier (string): Relying Party Identifier (provided by OpenID Provider),
issuer (string): OpenID Provider Issuer,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
new_user_migration_types (string): Merge first-time oidc login to existing user account by email addresses. When a user logs in for the first time via oidc this option will connect this user into their existing account by finding the account with a matching email address by testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma-separated list of strings like 'email,ldap,google',
scopes (Array[string]): Array of scopes to request.,
secret (string): (Write-Only) Relying Party Secret (provided by OpenID Provider),
set_roles_from_groups (boolean): Set user roles in Looker based on groups from OIDC,
test_slug (string, read-only): Slug to identify configurations that are created in order to run an OIDC config test,
token_endpoint (string): OpenID Provider Token Url,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
user_attributes (Array[OIDCUserAttributeRead], read-only): (Read-only) Array of mappings between OIDC User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[OIDCUserAttributeWrite]): (Read/Write) Array of mappings between OIDC User Attributes and arrays of Looker User Attribute ids,
userinfo_endpoint (string): OpenID Provider User Information Url,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
Group {
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group,
can (object, read-only): Operations the current user is able to perform on this object
}
Role {
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role,
can (object, read-only): Operations the current user is able to perform on this object
}
PermissionSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
ModelSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
OIDCGroupRead {
name (string, read-only): Name of group in OIDC,
roles (Array[Role], read-only): Looker Roles
}
OIDCGroupWrite {
name (string): Name of group in OIDC,
role_ids (Array[long]): Looker Role Ids,
can (object, read-only): Operations the current user is able to perform on this object
}
OIDCUserAttributeRead {
name (string, read-only): Name of User Attribute in OIDC,
required (boolean, read-only): Required to be in OIDC assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes
}
UserAttribute {
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.,
can (object, read-only): Operations the current user is able to perform on this object
}
OIDCUserAttributeWrite {
name (string): Name of User Attribute in OIDC,
required (boolean): Required to be in OIDC assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
can (object, read-only): Operations the current user is able to perform on this object
}

Parameters

  None

Response Messages

HTTP Status Code Reason Response Model
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}

Update OIDC Configuration beta

PATCH /api/3.0/oidc_config
update_oidc_config(body)

Implementation Notes

Update the OIDC configuration.

Configuring OIDC impacts authentication for all users. This configuration should be done carefully.

Only Looker administrators can read and update the OIDC configuration.

OIDC is enabled or disabled for Looker using the enabled field.

It is highly recommended that any OIDC setting changes be tested using the APIs below before being set globally.
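An added example, not part of the Looker documentation: a local review of an OIDCConfig update body before it is sent to this endpoint, using only field names from the schema in this section. The function names and both sample bodies are hypothetical and constructed; the requirement that `scopes` contain `openid` comes from the OpenID Connect specification, and the role-mapping warning is an inference from the field descriptions.

```python
from urllib.parse import urlsplit

URL_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "userinfo_endpoint")


def _https_problem(value):
    """Reason a non-empty value is not a usable https URL, else None."""
    if not value:
        return None  # empty fields are left to Looker's required-field validation
    parts = urlsplit(value)
    if parts.scheme != "https":
        return "does not use https"
    if not parts.hostname:
        return "has no host"
    if parts.username or parts.password:
        return "embeds credentials"
    return None


def review_oidc_update(body):
    """Return (severity, field, message) findings for an OIDCConfig update body."""
    findings = []
    for field in URL_FIELDS:
        problem = _https_problem(body.get(field))
        if problem:
            findings.append(("error", field, f"{field} {problem}"))
    issuer = body.get("issuer") or ""
    if "?" in issuer or "#" in issuer:
        findings.append(("error", "issuer", "issuer carries a query or fragment"))
    if "openid" not in (body.get("scopes") or []):
        findings.append(("error", "scopes", "scopes lacks 'openid'"))
    if body.get("enabled"):
        if not body.get("alternate_email_login_allowed"):
            findings.append(("warning", "alternate_email_login_allowed",
                             "no fallback login if this OIDC config is wrong"))
        mapped = [g for g in body.get("groups_with_role_ids") or [] if g.get("role_ids")]
        # Inference from the field descriptions, not documented behaviour.
        if body.get("auth_requires_role") and not mapped:
            findings.append(("warning", "auth_requires_role",
                             "no OIDC group maps to a role, so logins may be refused"))
    merge = [t.strip() for t in (body.get("new_user_migration_types") or "").split(",")
             if t.strip()]
    if merge:
        findings.append(("warning", "new_user_migration_types",
                         "first logins merge into existing accounts by email ("
                         + ",".join(merge) + "); confirm the provider asserts "
                         "only verified addresses"))
    return findings


def safe_to_apply(body):
    """True when the review produced no error-level finding."""
    return not any(sev == "error" for sev, _, _ in review_oidc_update(body))


# Constructed sample bodies: a weak configuration beside a corrected one.
WEAK = {
    "enabled": True, "issuer": "http://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/authorize",
    "token_endpoint": "http://idp.example.test/token", "userinfo_endpoint": "",
    "scopes": ["email", "profile"], "auth_requires_role": True,
    "groups_with_role_ids": [{"name": "analysts", "role_ids": []}],
    "new_user_migration_types": "email,ldap",
    "alternate_email_login_allowed": False,
}
CORRECTED = {
    "enabled": True, "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/authorize",
    "token_endpoint": "https://idp.example.test/token",
    "userinfo_endpoint": "https://idp.example.test/userinfo",
    "scopes": ["openid", "email", "profile"], "auth_requires_role": True,
    "groups_with_role_ids": [{"name": "analysts", "role_ids": [3]}],
    "new_user_migration_types": "", "alternate_email_login_allowed": True,
}

if __name__ == "__main__":
    for name, body in (("WEAK", WEAK), ("CORRECTED", CORRECTED)):
        print(name, "safe_to_apply =", safe_to_apply(body))
        for finding in review_oidc_update(body):
            print("  ", finding)
```
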

Response Class

OIDCConfig {
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
audience (string): OpenID Provider Audience,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in OIDC if set to true,
authorization_endpoint (string): OpenID Provider Authorization Url,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via OIDC,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via OIDC,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via OIDC,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via OIDC,
enabled (boolean): Enable/Disable OIDC authentication for the server,
groups (Array[OIDCGroupRead], read-only): (Read-only) Array of mappings between OIDC Groups and Looker Roles,
groups_attribute (string): Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values',
groups_with_role_ids (Array[OIDCGroupWrite]): (Read/Write) Array of mappings between OIDC Groups and arrays of Looker Role ids,
identifier (string): Relying Party Identifier (provided by OpenID Provider),
issuer (string): OpenID Provider Issuer,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
new_user_migration_types (string): Merge first-time oidc login to existing user account by email addresses. When a user logs in for the first time via oidc this option will connect this user into their existing account by finding the account with a matching email address by testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma-separated list of strings like 'email,ldap,google',
scopes (Array[string]): Array of scopes to request.,
secret (string): (Write-Only) Relying Party Secret (provided by OpenID Provider),
set_roles_from_groups (boolean): Set user roles in Looker based on groups from OIDC,
test_slug (string, read-only): Slug to identify configurations that are created in order to run an OIDC config test,
token_endpoint (string): OpenID Provider Token Url,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
user_attributes (Array[OIDCUserAttributeRead], read-only): (Read-only) Array of mappings between OIDC User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[OIDCUserAttributeWrite]): (Read/Write) Array of mappings between OIDC User Attributes and arrays of Looker User Attribute ids,
userinfo_endpoint (string): OpenID Provider User Information Url,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
Group {
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group,
can (object, read-only): Operations the current user is able to perform on this object
}
Role {
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role,
can (object, read-only): Operations the current user is able to perform on this object
}
PermissionSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
ModelSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
OIDCGroupRead {
name (string, read-only): Name of group in OIDC,
roles (Array[Role], read-only): Looker Roles
}
OIDCGroupWrite {
name (string): Name of group in OIDC,
role_ids (Array[long]): Looker Role Ids,
can (object, read-only): Operations the current user is able to perform on this object
}
OIDCUserAttributeRead {
name (string, read-only): Name of User Attribute in OIDC,
required (boolean, read-only): Required to be in OIDC assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes
}
UserAttribute {
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.,
can (object, read-only): Operations the current user is able to perform on this object
}
OIDCUserAttributeWrite {
name (string): Name of User Attribute in OIDC,
required (boolean): Required to be in OIDC assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
can (object, read-only): Operations the current user is able to perform on this object
}

Parameters

Parameter Required? Description Parameter Type Data Type
body true OIDC Config body
OIDCConfig {
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
audience (string): OpenID Provider Audience,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in OIDC if set to true,
authorization_endpoint (string): OpenID Provider Authorization Url,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via OIDC,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via OIDC,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via OIDC,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via OIDC,
enabled (boolean): Enable/Disable OIDC authentication for the server,
groups (Array[OIDCGroupRead], read-only): (Read-only) Array of mappings between OIDC Groups and Looker Roles,
groups_attribute (string): Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values',
groups_with_role_ids (Array[OIDCGroupWrite]): (Read/Write) Array of mappings between OIDC Groups and arrays of Looker Role ids,
identifier (string): Relying Party Identifier (provided by OpenID Provider),
issuer (string): OpenID Provider Issuer,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
new_user_migration_types (string): Merge first-time oidc login to existing user account by email addresses. When a user logs in for the first time via oidc this option will connect this user into their existing account by finding the account with a matching email address by testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma-separated list of strings like 'email,ldap,google',
scopes (Array[string]): Array of scopes to request.,
secret (string): (Write-Only) Relying Party Secret (provided by OpenID Provider),
set_roles_from_groups (boolean): Set user roles in Looker based on groups from OIDC,
test_slug (string, read-only): Slug to identify configurations that are created in order to run an OIDC config test,
token_endpoint (string): OpenID Provider Token Url,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
user_attributes (Array[OIDCUserAttributeRead], read-only): (Read-only) Array of mappings between OIDC User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[OIDCUserAttributeWrite]): (Read/Write) Array of mappings between OIDC User Attributes and arrays of Looker User Attribute ids,
userinfo_endpoint (string): OpenID Provider User Information Url,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
Group {
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group,
can (object, read-only): Operations the current user is able to perform on this object
}
Role {
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role,
can (object, read-only): Operations the current user is able to perform on this object
}
PermissionSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
ModelSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
OIDCGroupRead {
name (string, read-only): Name of group in OIDC,
roles (Array[Role], read-only): Looker Roles
}
OIDCGroupWrite {
name (string): Name of group in OIDC,
role_ids (Array[long]): Looker Role Ids,
can (object, read-only): Operations the current user is able to perform on this object
}
OIDCUserAttributeRead {
name (string, read-only): Name of User Attribute in OIDC,
required (boolean, read-only): Required to be in OIDC assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes
}
UserAttribute {
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.,
can (object, read-only): Operations the current user is able to perform on this object
}
OIDCUserAttributeWrite {
name (string): Name of User Attribute in OIDC,
required (boolean): Required to be in OIDC assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
can (object, read-only): Operations the current user is able to perform on this object
}

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
422 Validation Error
ValidationError {
message (string, read-only, required): Error details,
errors (Array[ValidationErrorDetail], read-only): Error detail array,
documentation_url (string, read-only, required): Documentation link
}
ValidationErrorDetail {
field (string, read-only): Field with error,
code (string, read-only): Error code,
message (string, read-only): Error info message,
documentation_url (string, read-only, required): Documentation link
}

Get OIDC Test Configuration beta

GET/api/3.0/oidc_test_configs/{test_slug}
oidc_test_config(test_slug)

Implementation Notes

Get an OIDC test configuration by test_slug.

Response Class

OIDCConfig {
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
audience (string): OpenID Provider Audience,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in OIDC if set to true,
authorization_endpoint (string): OpenID Provider Authorization Url,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via OIDC,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via OIDC,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via OIDC,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via OIDC,
enabled (boolean): Enable/Disable OIDC authentication for the server,
groups (Array[OIDCGroupRead], read-only): (Read-only) Array of mappings between OIDC Groups and Looker Roles,
groups_attribute (string): Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values',
groups_with_role_ids (Array[OIDCGroupWrite]): (Read/Write) Array of mappings between OIDC Groups and arrays of Looker Role ids,
identifier (string): Relying Party Identifier (provided by OpenID Provider),
issuer (string): OpenID Provider Issuer,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
new_user_migration_types (string): Merge first-time oidc login to existing user account by email addresses. When a user logs in for the first time via oidc this option will connect this user into their existing account by finding the account with a matching email address by testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma-separated list of strings like 'email,ldap,google',
scopes (Array[string]): Array of scopes to request.,
secret (string): (Write-Only) Relying Party Secret (provided by OpenID Provider),
set_roles_from_groups (boolean): Set user roles in Looker based on groups from OIDC,
test_slug (string, read-only): Slug to identify configurations that are created in order to run an OIDC config test,
token_endpoint (string): OpenID Provider Token Url,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
user_attributes (Array[OIDCUserAttributeRead], read-only): (Read-only) Array of mappings between OIDC User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[OIDCUserAttributeWrite]): (Read/Write) Array of mappings between OIDC User Attributes and arrays of Looker User Attribute ids,
userinfo_endpoint (string): OpenID Provider User Information Url,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
Group {
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group,
can (object, read-only): Operations the current user is able to perform on this object
}
Role {
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role,
can (object, read-only): Operations the current user is able to perform on this object
}
PermissionSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
ModelSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
OIDCGroupRead {
name (string, read-only): Name of group in OIDC,
roles (Array[Role], read-only): Looker Roles
}
OIDCGroupWrite {
name (string): Name of group in OIDC,
role_ids (Array[long]): Looker Role Ids,
can (object, read-only): Operations the current user is able to perform on this object
}
OIDCUserAttributeRead {
name (string, read-only): Name of User Attribute in OIDC,
required (boolean, read-only): Required to be in OIDC assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes
}
UserAttribute {
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.,
can (object, read-only): Operations the current user is able to perform on this object
}
OIDCUserAttributeWrite {
name (string): Name of User Attribute in OIDC,
required (boolean): Required to be in OIDC assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
can (object, read-only): Operations the current user is able to perform on this object
}

Parameters

Parameter Required? Description Parameter Type Data Type
test_slug true Slug of test config string string

Response Messages

HTTP Status Code Reason Response Model
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}

Delete OIDC Test Configuration beta

DELETE/api/3.0/oidc_test_configs/{test_slug}
delete_oidc_test_config(test_slug)

Implementation Notes

Delete an OIDC test configuration.

Response Class

  None

Parameters

Parameter Required? Description Parameter Type Data Type
test_slug true Slug of test config string string

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
204 Test config successfully deleted. string

Create OIDC Test Configuration beta

POST/api/3.0/oidc_test_configs
create_oidc_test_config(body)

Implementation Notes

Create an OIDC test configuration.

Response Class

OIDCConfig {
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
audience (string): OpenID Provider Audience,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in OIDC if set to true,
authorization_endpoint (string): OpenID Provider Authorization Url,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via OIDC,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via OIDC,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via OIDC,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via OIDC,
enabled (boolean): Enable/Disable OIDC authentication for the server,
groups (Array[OIDCGroupRead], read-only): (Read-only) Array of mappings between OIDC Groups and Looker Roles,
groups_attribute (string): Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values',
groups_with_role_ids (Array[OIDCGroupWrite]): (Read/Write) Array of mappings between OIDC Groups and arrays of Looker Role ids,
identifier (string): Relying Party Identifier (provided by OpenID Provider),
issuer (string): OpenID Provider Issuer,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
new_user_migration_types (string): Merge first-time oidc login to existing user account by email addresses. When a user logs in for the first time via oidc this option will connect this user into their existing account by finding the account with a matching email address by testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma-separated list of strings like 'email,ldap,google',
scopes (Array[string]): Array of scopes to request.,
secret (string): (Write-Only) Relying Party Secret (provided by OpenID Provider),
set_roles_from_groups (boolean): Set user roles in Looker based on groups from OIDC,
test_slug (string, read-only): Slug to identify configurations that are created in order to run an OIDC config test,
token_endpoint (string): OpenID Provider Token Url,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
user_attributes (Array[OIDCUserAttributeRead], read-only): (Read-only) Array of mappings between OIDC User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[OIDCUserAttributeWrite]): (Read/Write) Array of mappings between OIDC User Attributes and arrays of Looker User Attribute ids,
userinfo_endpoint (string): OpenID Provider User Information Url,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
Group {
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group,
can (object, read-only): Operations the current user is able to perform on this object
}
Role {
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role,
can (object, read-only): Operations the current user is able to perform on this object
}
PermissionSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
ModelSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
OIDCGroupRead {
name (string, read-only): Name of group in OIDC,
roles (Array[Role], read-only): Looker Roles
}
OIDCGroupWrite {
name (string): Name of group in OIDC,
role_ids (Array[long]): Looker Role Ids,
can (object, read-only): Operations the current user is able to perform on this object
}
OIDCUserAttributeRead {
name (string, read-only): Name of User Attribute in OIDC,
required (boolean, read-only): Required to be in OIDC assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes
}
UserAttribute {
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.,
can (object, read-only): Operations the current user is able to perform on this object
}
OIDCUserAttributeWrite {
name (string): Name of User Attribute in OIDC,
required (boolean): Required to be in OIDC assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
can (object, read-only): Operations the current user is able to perform on this object
}

Parameters

Parameter Required? Description Parameter Type Data Type
body true OIDC test config body
OIDCConfig {
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
audience (string): OpenID Provider Audience,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in OIDC if set to true,
authorization_endpoint (string): OpenID Provider Authorization Url,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via OIDC,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via OIDC,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via OIDC,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via OIDC,
enabled (boolean): Enable/Disable OIDC authentication for the server,
groups (Array[OIDCGroupRead], read-only): (Read-only) Array of mappings between OIDC Groups and Looker Roles,
groups_attribute (string): Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values',
groups_with_role_ids (Array[OIDCGroupWrite]): (Read/Write) Array of mappings between OIDC Groups and arrays of Looker Role ids,
identifier (string): Relying Party Identifier (provided by OpenID Provider),
issuer (string): OpenID Provider Issuer,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
new_user_migration_types (string): Merge first-time oidc login to existing user account by email addresses. When a user logs in for the first time via oidc this option will connect this user into their existing account by finding the account with a matching email address by testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma-separated list of strings like 'email,ldap,google',
scopes (Array[string]): Array of scopes to request.,
secret (string): (Write-Only) Relying Party Secret (provided by OpenID Provider),
set_roles_from_groups (boolean): Set user roles in Looker based on groups from OIDC,
test_slug (string, read-only): Slug to identify configurations that are created in order to run an OIDC config test,
token_endpoint (string): OpenID Provider Token Url,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
user_attributes (Array[OIDCUserAttributeRead], read-only): (Read-only) Array of mappings between OIDC User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[OIDCUserAttributeWrite]): (Read/Write) Array of mappings between OIDC User Attributes and arrays of Looker User Attribute ids,
userinfo_endpoint (string): OpenID Provider User Information Url,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
Group {
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group,
can (object, read-only): Operations the current user is able to perform on this object
}
Role {
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role,
can (object, read-only): Operations the current user is able to perform on this object
}
PermissionSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
ModelSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
OIDCGroupRead {
name (string, read-only): Name of group in OIDC,
roles (Array[Role], read-only): Looker Roles
}
OIDCGroupWrite {
name (string): Name of group in OIDC,
role_ids (Array[long]): Looker Role Ids,
can (object, read-only): Operations the current user is able to perform on this object
}
OIDCUserAttributeRead {
name (string, read-only): Name of User Attribute in OIDC,
required (boolean, read-only): Required to be in OIDC assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes
}
UserAttribute {
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.,
can (object, read-only): Operations the current user is able to perform on this object
}
OIDCUserAttributeWrite {
name (string): Name of User Attribute in OIDC,
required (boolean): Required to be in OIDC assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
can (object, read-only): Operations the current user is able to perform on this object
}

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
422 Validation Error
ValidationError {
message (string, read-only, required): Error details,
errors (Array[ValidationErrorDetail], read-only): Error detail array,
documentation_url (string, read-only, required): Documentation link
}
ValidationErrorDetail {
field (string, read-only): Field with error,
code (string, read-only): Error code,
message (string, read-only): Error info message,
documentation_url (string, read-only, required): Documentation link
}

Get SAML Configuration

GET/api/3.0/saml_config
saml_config()

Implementation Notes

Get the SAML configuration.

Looker can be optionally configured to authenticate users against a SAML authentication server. SAML setup requires coordination with an administrator of that server.

Only Looker administrators can read and update the SAML configuration.

Configuring SAML impacts authentication for all users. This configuration should be done carefully.

Looker maintains a single SAML configuration. It can be read and updated. Updates only succeed if the new state will be valid (in the sense that all required fields are populated); it is up to you to ensure that the configuration is appropriate and correct.

SAML is enabled or disabled for Looker using the enabled field.

Response Class

SamlConfig {
enabled (boolean): Enable/Disable Saml authentication for the server,
idp_cert (string): Identity Provider Certificate (provided by IdP),
idp_url (string): Identity Provider Url (provided by IdP),
idp_issuer (string): Identity Provider Issuer (provided by IdP),
idp_audience (string): Identity Provider Audience (set in IdP config). Optional in Looker. Set this only if you want Looker to validate the audience value returned by the IdP.,
allowed_clock_drift (long): Count of seconds of clock drift to allow when validating timestamps of assertions.,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
new_user_migration_types (string): Merge first-time saml login to existing user account by email addresses. When a user logs in for the first time via saml this option will connect this user into their existing account by finding the account with a matching email address by testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma-separated list of strings like 'email,ldap,google',
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
test_slug (string, read-only): Slug to identify configurations that are created in order to run a Saml config test,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via Saml,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via Saml,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via Saml,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via Saml,
set_roles_from_groups (boolean): Set user roles in Looker based on groups from Saml,
groups_attribute (string): Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values',
groups (Array[SamlGroupRead], read-only): (Read-only) Array of mappings between Saml Groups and Looker Roles,
groups_with_role_ids (Array[SamlGroupWrite]): (Read/Write) Array of mappings between Saml Groups and arrays of Looker Role ids,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in Saml if set to true,
user_attributes (Array[SamlUserAttributeRead], read-only): (Read-only) Array of mappings between Saml User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[SamlUserAttributeWrite]): (Read/Write) Array of mappings between Saml User Attributes and arrays of Looker User Attribute ids,
groups_finder_type (string): Identifier for a strategy for how Looker will find groups in the SAML response. One of ['grouped_attribute_values', 'individual_attributes'],
groups_member_value (string): Value for group attribute used to indicate membership. Used when 'groups_finder_type' is set to 'individual_attributes',
bypass_login_page (boolean): Bypass the login page when user authentication is required. Redirect to IdP immediately instead.,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
Role {
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role,
can (object, read-only): Operations the current user is able to perform on this object
}
PermissionSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
ModelSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
Group {
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group,
can (object, read-only): Operations the current user is able to perform on this object
}
SamlGroupRead {
name (string, read-only): Name of group in Saml,
roles (Array[Role], read-only): Looker Roles,
url (string, read-only): Link to saml config
}
SamlGroupWrite {
name (string): Name of group in Saml,
role_ids (Array[long]): Looker Role Ids,
url (string, read-only): Link to saml config
}
SamlUserAttributeRead {
name (string, read-only): Name of User Attribute in Saml,
required (boolean, read-only): Required to be in Saml assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes,
url (string, read-only): Link to saml config
}
UserAttribute {
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.,
can (object, read-only): Operations the current user is able to perform on this object
}
SamlUserAttributeWrite {
name (string): Name of User Attribute in Saml,
required (boolean): Required to be in Saml assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
url (string, read-only): Link to saml config
}

Parameters

  None

Response Messages

HTTP Status Code Reason Response Model
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}

Update SAML Configuration

PATCH /api/3.0/saml_config
update_saml_config(body)

Implementation Notes

Update the SAML configuration.

Configuring SAML impacts authentication for all users. This configuration should be done carefully.

Only Looker administrators can read and update the SAML configuration.

SAML is enabled or disabled for Looker using the enabled field.

It is highly recommended that any SAML setting changes be tested using the APIs below before being set globally.

Response Class

SamlConfig {
enabled (boolean): Enable/Disable Saml authentication for the server,
idp_cert (string): Identity Provider Certificate (provided by IdP),
idp_url (string): Identity Provider Url (provided by IdP),
idp_issuer (string): Identity Provider Issuer (provided by IdP),
idp_audience (string): Identity Provider Audience (set in IdP config). Optional in Looker. Set this only if you want Looker to validate the audience value returned by the IdP.,
allowed_clock_drift (long): Count of seconds of clock drift to allow when validating timestamps of assertions.,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
new_user_migration_types (string): Merge first-time saml login to existing user account by email addresses. When a user logs in for the first time via saml this option will connect this user into their existing account by finding the account with a matching email address by testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma separated list of string like 'email,ldap,google',
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
test_slug (string, read-only): Slug to identify configurations that are created in order to run a Saml config test,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via Saml,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via Saml,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via Saml,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via Saml,
set_roles_from_groups (boolean): Set user roles in Looker based on groups from Saml,
groups_attribute (string): Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values',
groups (Array[SamlGroupRead], read-only): (Read-only) Array of mappings between Saml Groups and Looker Roles,
groups_with_role_ids (Array[SamlGroupWrite]): (Read/Write) Array of mappings between Saml Groups and arrays of Looker Role ids,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in Saml if set to true,
user_attributes (Array[SamlUserAttributeRead], read-only): (Read-only) Array of mappings between Saml User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[SamlUserAttributeWrite]): (Read/Write) Array of mappings between Saml User Attributes and arrays of Looker User Attribute ids,
groups_finder_type (string): Identifier for a strategy for how Looker will find groups in the SAML response. One of ['grouped_attribute_values', 'individual_attributes'],
groups_member_value (string): Value for group attribute used to indicate membership. Used when 'groups_finder_type' is set to 'individual_attributes',
bypass_login_page (boolean): Bypass the login page when user authentication is required. Redirect to IdP immediately instead.,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
Role {
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role,
can (object, read-only): Operations the current user is able to perform on this object
}
PermissionSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
ModelSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
Group {
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group,
can (object, read-only): Operations the current user is able to perform on this object
}
SamlGroupRead {
name (string, read-only): Name of group in Saml,
roles (Array[Role], read-only): Looker Roles,
url (string, read-only): Link to saml config
}
SamlGroupWrite {
name (string): Name of group in Saml,
role_ids (Array[long]): Looker Role Ids,
url (string, read-only): Link to saml config
}
SamlUserAttributeRead {
name (string, read-only): Name of User Attribute in Saml,
required (boolean, read-only): Required to be in Saml assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes,
url (string, read-only): Link to saml config
}
UserAttribute {
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.,
can (object, read-only): Operations the current user is able to perform on this object
}
SamlUserAttributeWrite {
name (string): Name of User Attribute in Saml,
required (boolean): Required to be in Saml assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
url (string, read-only): Link to saml config
}

Parameters

Parameter Required? Description Parameter Type Data Type
body true SAML Config body
SamlConfig {
enabled (boolean): Enable/Disable Saml authentication for the server,
idp_cert (string): Identity Provider Certificate (provided by IdP),
idp_url (string): Identity Provider Url (provided by IdP),
idp_issuer (string): Identity Provider Issuer (provided by IdP),
idp_audience (string): Identity Provider Audience (set in IdP config). Optional in Looker. Set this only if you want Looker to validate the audience value returned by the IdP.,
allowed_clock_drift (long): Count of seconds of clock drift to allow when validating timestamps of assertions.,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
new_user_migration_types (string): Merge first-time saml login to existing user account by email addresses. When a user logs in for the first time via saml this option will connect this user into their existing account by finding the account with a matching email address by testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma separated list of string like 'email,ldap,google',
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
test_slug (string, read-only): Slug to identify configurations that are created in order to run a Saml config test,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via Saml,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via Saml,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via Saml,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via Saml,
set_roles_from_groups (boolean): Set user roles in Looker based on groups from Saml,
groups_attribute (string): Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values',
groups (Array[SamlGroupRead], read-only): (Read-only) Array of mappings between Saml Groups and Looker Roles,
groups_with_role_ids (Array[SamlGroupWrite]): (Read/Write) Array of mappings between Saml Groups and arrays of Looker Role ids,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in Saml if set to true,
user_attributes (Array[SamlUserAttributeRead], read-only): (Read-only) Array of mappings between Saml User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[SamlUserAttributeWrite]): (Read/Write) Array of mappings between Saml User Attributes and arrays of Looker User Attribute ids,
groups_finder_type (string): Identifier for a strategy for how Looker will find groups in the SAML response. One of ['grouped_attribute_values', 'individual_attributes'],
groups_member_value (string): Value for group attribute used to indicate membership. Used when 'groups_finder_type' is set to 'individual_attributes',
bypass_login_page (boolean): Bypass the login page when user authentication is required. Redirect to IdP immediately instead.,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
Role {
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role,
can (object, read-only): Operations the current user is able to perform on this object
}
PermissionSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
ModelSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
Group {
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group,
can (object, read-only): Operations the current user is able to perform on this object
}
SamlGroupRead {
name (string, read-only): Name of group in Saml,
roles (Array[Role], read-only): Looker Roles,
url (string, read-only): Link to saml config
}
SamlGroupWrite {
name (string): Name of group in Saml,
role_ids (Array[long]): Looker Role Ids,
url (string, read-only): Link to saml config
}
SamlUserAttributeRead {
name (string, read-only): Name of User Attribute in Saml,
required (boolean, read-only): Required to be in Saml assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes,
url (string, read-only): Link to saml config
}
UserAttribute {
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.,
can (object, read-only): Operations the current user is able to perform on this object
}
SamlUserAttributeWrite {
name (string): Name of User Attribute in Saml,
required (boolean): Required to be in Saml assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
url (string, read-only): Link to saml config
}

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
422 Validation Error
ValidationError {
message (string, read-only, required): Error details,
errors (Array[ValidationErrorDetail], read-only): Error detail array,
documentation_url (string, read-only, required): Documentation link
}
ValidationErrorDetail {
field (string, read-only): Field with error,
code (string, read-only): Error code,
message (string, read-only): Error info message,
documentation_url (string, read-only, required): Documentation link
}
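
A pre-flight check for a SamlConfig body before it is sent to update_saml_config, added here as an example and not part of Looker's API or SDK. It assumes the body holds the complete intended state, that idp_cert, idp_url and idp_issuer are needed when enabled is true, and that 300 seconds is a local review threshold for clock drift; the sample body is constructed.

```python
# Fields the SamlConfig schema marks read-only; they are dropped from the body.
READ_ONLY_FIELDS = {
    "test_slug", "modified_at", "modified_by", "default_new_user_roles",
    "default_new_user_groups", "groups", "user_attributes", "url", "can",
}
# Strategies listed for groups_finder_type and the field each one uses.
FINDER_FIELD = {
    "grouped_attribute_values": "groups_attribute",
    "individual_attributes": "groups_member_value",
}
# Assumption: needed for a working SAML login when enabled is true.
ASSUMED_REQUIRED_WHEN_ENABLED = ("idp_cert", "idp_url", "idp_issuer")
# Assumption: local review threshold in seconds, not a Looker limit.
MAX_CLOCK_DRIFT_SECONDS = 300


def prepare_saml_patch(body):
    """Return (clean_body, findings); each finding is (severity, field, message)."""
    clean = {k: v for k, v in body.items() if k not in READ_ONLY_FIELDS}
    findings = []

    def add(severity, field, message):
        findings.append((severity, field, message))

    for field in sorted(READ_ONLY_FIELDS & set(body)):
        add("info", field, "read-only field removed from the request body")

    if clean.get("enabled"):
        for field in ASSUMED_REQUIRED_WHEN_ENABLED:
            if not clean.get(field):
                add("error", field, "empty while enabled is true")
        if not clean.get("alternate_email_login_allowed"):
            add("warn", "alternate_email_login_allowed",
                "no '/login/email' fallback if this SAML config turns out wrong")

    if not clean.get("idp_audience"):
        add("warn", "idp_audience", "unset, so the audience value is not validated")

    drift = clean.get("allowed_clock_drift")
    if isinstance(drift, int) and drift > MAX_CLOCK_DRIFT_SECONDS:
        add("warn", "allowed_clock_drift",
            f"{drift}s widens the window in which assertion timestamps are accepted")

    migration = clean.get("new_user_migration_types")
    if migration:
        if any(i == "" or i != i.strip() for i in migration.split(",")):
            add("warn", "new_user_migration_types",
                "expected a comma separated list such as 'email,ldap,google'")
        add("info", "new_user_migration_types",
            "first SAML login is merged into an existing account by email address")

    finder = clean.get("groups_finder_type")
    if finder is not None and finder not in FINDER_FIELD:
        add("error", "groups_finder_type", f"must be one of {sorted(FINDER_FIELD)}")
    elif clean.get("set_roles_from_groups"):
        if finder is None:
            add("warn", "groups_finder_type",
                "set_roles_from_groups is true but no strategy is set")
        elif not clean.get(FINDER_FIELD[finder]):
            add("error", FINDER_FIELD[finder],
                f"empty, but used when groups_finder_type is '{finder}'")

    mapped = any(g.get("role_ids") for g in clean.get("groups_with_role_ids") or [])
    if clean.get("auth_requires_role"):
        if not mapped:
            add("warn", "auth_requires_role",
                "no Saml group maps to a role, so no role can be found for any user")
    elif clean.get("default_new_user_role_ids"):
        add("warn", "default_new_user_role_ids",
            "applied to every new user on first SAML login; auth_requires_role is false")
    return clean, findings


# Constructed sample body (hosts, group names and ids are placeholders).
SAMPLE_BODY = {
    "enabled": True,
    "idp_cert": "-----BEGIN CERTIFICATE-----PLACEHOLDER-----END CERTIFICATE-----",
    "idp_url": "https://idp.example.com/sso",
    "idp_issuer": "https://idp.example.com/",
    "idp_audience": "",
    "allowed_clock_drift": 900,
    "new_user_migration_types": "email, ldap",
    "alternate_email_login_allowed": False,
    "set_roles_from_groups": True,
    "groups_finder_type": "individual_attributes",
    "groups_member_value": "",
    "groups_with_role_ids": [{"name": "analysts", "role_ids": []}],
    "auth_requires_role": True,
    "default_new_user_role_ids": [2],
    "modified_at": "2020-01-01T00:00:00Z",
    "url": "https://looker.example.com/api/3.0/saml_config",
}

if __name__ == "__main__":
    for severity, field, message in prepare_saml_patch(SAMPLE_BODY)[1]:
        print(f"{severity:5} {field}: {message}")
```

Run the same check on the body passed to create_saml_test_config, so a configuration is reviewed before it is tested and again before it is set globally.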

Get SAML Test Configuration

GET /api/3.0/saml_test_configs/{test_slug}
saml_test_config(test_slug)

Implementation Notes

Get a SAML test configuration by test_slug.

Response Class

SamlConfig {
enabled (boolean): Enable/Disable Saml authentication for the server,
idp_cert (string): Identity Provider Certificate (provided by IdP),
idp_url (string): Identity Provider Url (provided by IdP),
idp_issuer (string): Identity Provider Issuer (provided by IdP),
idp_audience (string): Identity Provider Audience (set in IdP config). Optional in Looker. Set this only if you want Looker to validate the audience value returned by the IdP.,
allowed_clock_drift (long): Count of seconds of clock drift to allow when validating timestamps of assertions.,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
new_user_migration_types (string): Merge first-time saml login to existing user account by email addresses. When a user logs in for the first time via saml this option will connect this user into their existing account by finding the account with a matching email address by testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma separated list of string like 'email,ldap,google',
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
test_slug (string, read-only): Slug to identify configurations that are created in order to run a Saml config test,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via Saml,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via Saml,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via Saml,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via Saml,
set_roles_from_groups (boolean): Set user roles in Looker based on groups from Saml,
groups_attribute (string): Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values',
groups (Array[SamlGroupRead], read-only): (Read-only) Array of mappings between Saml Groups and Looker Roles,
groups_with_role_ids (Array[SamlGroupWrite]): (Read/Write) Array of mappings between Saml Groups and arrays of Looker Role ids,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in Saml if set to true,
user_attributes (Array[SamlUserAttributeRead], read-only): (Read-only) Array of mappings between Saml User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[SamlUserAttributeWrite]): (Read/Write) Array of mappings between Saml User Attributes and arrays of Looker User Attribute ids,
groups_finder_type (string): Identifier for a strategy for how Looker will find groups in the SAML response. One of ['grouped_attribute_values', 'individual_attributes'],
groups_member_value (string): Value for group attribute used to indicate membership. Used when 'groups_finder_type' is set to 'individual_attributes',
bypass_login_page (boolean): Bypass the login page when user authentication is required. Redirect to IdP immediately instead.,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
Role {
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role,
can (object, read-only): Operations the current user is able to perform on this object
}
PermissionSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
ModelSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
Group {
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group,
can (object, read-only): Operations the current user is able to perform on this object
}
SamlGroupRead {
name (string, read-only): Name of group in Saml,
roles (Array[Role], read-only): Looker Roles,
url (string, read-only): Link to saml config
}
SamlGroupWrite {
name (string): Name of group in Saml,
role_ids (Array[long]): Looker Role Ids,
url (string, read-only): Link to saml config
}
SamlUserAttributeRead {
name (string, read-only): Name of User Attribute in Saml,
required (boolean, read-only): Required to be in Saml assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes,
url (string, read-only): Link to saml config
}
UserAttribute {
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.,
can (object, read-only): Operations the current user is able to perform on this object
}
SamlUserAttributeWrite {
name (string): Name of User Attribute in Saml,
required (boolean): Required to be in Saml assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
url (string, read-only): Link to saml config
}

Parameters

Parameter Required? Description Parameter Type Data Type
test_slug true Slug of test config string string

Response Messages

HTTP Status Code Reason Response Model
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}

Delete SAML Test Configuration

DELETE /api/3.0/saml_test_configs/{test_slug}
delete_saml_test_config(test_slug)

Implementation Notes

Delete a SAML test configuration.

Response Class

  None

Parameters

Parameter Required? Description Parameter Type Data Type
test_slug true Slug of test config string string

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
204 Test config successfully deleted. string

Create SAML Test Configuration

POST /api/3.0/saml_test_configs
create_saml_test_config(body)

Implementation Notes

Create a SAML test configuration.

Response Class

SamlConfig {
enabled (boolean): Enable/Disable Saml authentication for the server,
idp_cert (string): Identity Provider Certificate (provided by IdP),
idp_url (string): Identity Provider Url (provided by IdP),
idp_issuer (string): Identity Provider Issuer (provided by IdP),
idp_audience (string): Identity Provider Audience (set in IdP config). Optional in Looker. Set this only if you want Looker to validate the audience value returned by the IdP.,
allowed_clock_drift (long): Count of seconds of clock drift to allow when validating timestamps of assertions.,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
new_user_migration_types (string): Merge first-time saml login to existing user account by email addresses. When a user logs in for the first time via saml this option will connect this user into their existing account by finding the account with a matching email address by testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma separated list of string like 'email,ldap,google',
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
test_slug (string, read-only): Slug to identify configurations that are created in order to run a Saml config test,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via Saml,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via Saml,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via Saml,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via Saml,
set_roles_from_groups (boolean): Set user roles in Looker based on groups from Saml,
groups_attribute (string): Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values',
groups (Array[SamlGroupRead], read-only): (Read-only) Array of mappings between Saml Groups and Looker Roles,
groups_with_role_ids (Array[SamlGroupWrite]): (Read/Write) Array of mappings between Saml Groups and arrays of Looker Role ids,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in Saml if set to true,
user_attributes (Array[SamlUserAttributeRead], read-only): (Read-only) Array of mappings between Saml User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[SamlUserAttributeWrite]): (Read/Write) Array of mappings between Saml User Attributes and arrays of Looker User Attribute ids,
groups_finder_type (string): Identifier for a strategy for how Looker will find groups in the SAML response. One of ['grouped_attribute_values', 'individual_attributes'],
groups_member_value (string): Value for group attribute used to indicate membership. Used when 'groups_finder_type' is set to 'individual_attributes',
bypass_login_page (boolean): Bypass the login page when user authentication is required. Redirect to IdP immediately instead.,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
Role {
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role,
can (object, read-only): Operations the current user is able to perform on this object
}
PermissionSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
ModelSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
Group {
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group,
can (object, read-only): Operations the current user is able to perform on this object
}
SamlGroupRead {
name (string, read-only): Name of group in Saml,
roles (Array[Role], read-only): Looker Roles,
url (string, read-only): Link to saml config
}
SamlGroupWrite {
name (string): Name of group in Saml,
role_ids (Array[long]): Looker Role Ids,
url (string, read-only): Link to saml config
}
SamlUserAttributeRead {
name (string, read-only): Name of User Attribute in Saml,
required (boolean, read-only): Required to be in Saml assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes,
url (string, read-only): Link to saml config
}
UserAttribute {
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.,
can (object, read-only): Operations the current user is able to perform on this object
}
SamlUserAttributeWrite {
name (string): Name of User Attribute in Saml,
required (boolean): Required to be in Saml assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
url (string, read-only): Link to saml config
}

Parameters

Parameter | Required? | Description | Parameter Type | Data Type
body | true | SAML test config | body | SamlConfig
SamlConfig {
enabled (boolean): Enable/Disable Saml authentication for the server,
idp_cert (string): Identity Provider Certificate (provided by IdP),
idp_url (string): Identity Provider Url (provided by IdP),
idp_issuer (string): Identity Provider Issuer (provided by IdP),
idp_audience (string): Identity Provider Audience (set in IdP config). Optional in Looker. Set this only if you want Looker to validate the audience value returned by the IdP.,
allowed_clock_drift (long): Count of seconds of clock drift to allow when validating timestamps of assertions.,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
new_user_migration_types (string): Merge first-time saml login to existing user account by email addresses. When a user logs in for the first time via saml this option will connect this user into their existing account by finding the account with a matching email address by testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma separated list of string like 'email,ldap,google',
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
test_slug (string, read-only): Slug to identify configurations that are created in order to run a Saml config test,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via Saml,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via Saml,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via Saml,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via Saml,
set_roles_from_groups (boolean): Set user roles in Looker based on groups from Saml,
groups_attribute (string): Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values',
groups (Array[SamlGroupRead], read-only): (Read-only) Array of mappings between Saml Groups and Looker Roles,
groups_with_role_ids (Array[SamlGroupWrite]): (Read/Write) Array of mappings between Saml Groups and arrays of Looker Role ids,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in Saml if set to true,
user_attributes (Array[SamlUserAttributeRead], read-only): (Read-only) Array of mappings between Saml User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[SamlUserAttributeWrite]): (Read/Write) Array of mappings between Saml User Attributes and arrays of Looker User Attribute ids,
groups_finder_type (string): Identifier for a strategy for how Looker will find groups in the SAML response. One of ['grouped_attribute_values', 'individual_attributes'],
groups_member_value (string): Value for group attribute used to indicate membership. Used when 'groups_finder_type' is set to 'individual_attributes',
bypass_login_page (boolean): Bypass the login page when user authentication is required. Redirect to IdP immediately instead.,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
Role {
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role,
can (object, read-only): Operations the current user is able to perform on this object
}
PermissionSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
ModelSet {
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item,
can (object, read-only): Operations the current user is able to perform on this object
}
Group {
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group,
can (object, read-only): Operations the current user is able to perform on this object
}
SamlGroupRead {
name (string, read-only): Name of group in Saml,
roles (Array[Role], read-only): Looker Roles,
url (string, read-only): Link to saml config
}
SamlGroupWrite {
name (string): Name of group in Saml,
role_ids (Array[long]): Looker Role Ids,
url (string, read-only): Link to saml config
}
SamlUserAttributeRead {
name (string, read-only): Name of User Attribute in Saml,
required (boolean, read-only): Required to be in Saml assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes,
url (string, read-only): Link to saml config
}
UserAttribute {
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.,
can (object, read-only): Operations the current user is able to perform on this object
}
SamlUserAttributeWrite {
name (string): Name of User Attribute in Saml,
required (boolean): Required to be in Saml assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
url (string, read-only): Link to saml config
}

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
422 Validation Error
ValidationError {
message (string, read-only, required): Error details,
errors (Array[ValidationErrorDetail], read-only): Error detail array,
documentation_url (string, read-only, required): Documentation link
}
ValidationErrorDetail {
field (string, read-only): Field with error,
code (string, read-only): Error code,
message (string, read-only): Error info message,
documentation_url (string, read-only, required): Documentation link
}

Parse SAML IdP XML

POST /api/3.0/parse_saml_idp_metadata
parse_saml_idp_metadata(body)

Implementation Notes

Parse the given XML as a SAML IdP metadata document and return the result.

Response Class

SamlMetadataParseResult {
idp_issuer (string, read-only): Identity Provider Issuer,
idp_url (string, read-only): Identity Provider Url,
idp_cert (string, read-only): Identity Provider Certificate,
can (object, read-only): Operations the current user is able to perform on this object
}

Parameters

Parameter | Required? | Description | Parameter Type | Data Type
body | true | SAML IdP metadata XML | body | string

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}

Parse SAML IdP Url

POST /api/3.0/fetch_and_parse_saml_idp_metadata
fetch_and_parse_saml_idp_metadata(body)

Implementation Notes

Fetch the given URL, parse the response as a SAML IdP metadata document, and return the result.

Note that the URL must be public, or at least at a location that the Looker instance can fetch without any special authentication.

Response Class

SamlMetadataParseResult {
idp_issuer (string, read-only): Identity Provider Issuer,
idp_url (string, read-only): Identity Provider Url,
idp_cert (string, read-only): Identity Provider Certificate,
can (object, read-only): Operations the current user is able to perform on this object
}

Parameters

Parameter | Required? | Description | Parameter Type | Data Type
body | true | SAML IdP metadata public URL | body | string

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}