Auth : Manage User Authentication Configuration

Create SSO Embed Url beta

POST /api/3.1/embed/sso_url
create_sso_embed_url(body)

Implementation Notes

Create SSO Embed URL.

Creates an SSO embed URL and cryptographically signs it with an embed secret. This signed URL can then be used to instantiate a Looker embed session in a PBL web application. Do not make any modifications to this URL - any change may invalidate the signature and cause the URL to fail to load a Looker embed session.

A signed SSO embed URL can only be used once. After it has been used to request a page from the Looker server, the URL is invalid. Future requests using the same URL will fail. This is to prevent ‘replay attacks’.

The target_url property must be a complete URL of a Looker UI page - scheme, hostname, path and query params. To load a dashboard with id 56 and with a filter of Date=1 years, the Looker URL would look like https://myname.looker.com/dashboards/56?Date=1%20years. The best way to obtain this target_url is to navigate to the desired Looker page in your web browser, copy the URL shown in the browser address bar and paste it into the target_url property as a quoted string value in this API request.

Permissions for the embed user are defined by the groups in which the embed user is a member (group_ids property) and the lists of models and permissions assigned to the embed user. At a minimum, you must provide values for either the group_ids property, or both the models and permissions properties. These properties are additive; an embed user can be a member of certain groups AND be granted access to models and permissions.

The embed user’s access is the union of permissions granted by the group_ids, models, and permissions properties.

This function does not strictly require all group_ids, user attribute names, or model names to exist at the moment the SSO embed url is created. Unknown group_id, user attribute names or model names will be passed through to the output URL. To diagnose potential problems with an SSO embed URL, you can copy the signed URL into the Embed URI Validator text box in <your looker instance>/admin/embed.

The secret_id parameter is optional. If specified, its value must be the id of an active secret defined in the Looker instance. If not specified, the URL will be signed using the newest active secret defined in the Looker instance.

Security Note

Protect this signed URL as you would an access token or password credentials - do not write it to disk, do not pass it to a third party, and only pass it through a secure HTTPS encrypted transport.

Response Class

EmbedSsoUrl {
url (string, read-only): The signed embed URL. Any modification to this string will invalidate the signature and make the URL unusable.
}

Parameters

Parameter | Required? | Description | Parameter Type | Data Type
body | true | SSO parameters | body | EmbedSsoUrlParams
EmbedSsoUrlParams {
target_url (string, required): The complete URL of the Looker UI page to display in the embed context. For example, to display the dashboard with id 34, target_url would look like: https://mycompany.looker.com:9999/dashboards/34. target_url MUST contain a scheme (HTTPS), domain name, and URL path. Port must be included if it is required to reach the Looker server from browser clients. If the Looker instance is behind a load balancer or other proxy, target_url must be the public-facing domain name and port required to reach the Looker instance, not the actual internal network machine name of the Looker instance.,
session_length (long): Number of seconds the SSO embed session will be valid after the embed session is started. Defaults to 300 seconds. Maximum session length accepted is 2592000 seconds (30 days).,
external_user_id (string): A value from an external system that uniquely identifies the embed user. Since the user_ids of Looker embed users may change with every embed session, external_user_id provides a way to assign a known, stable user identifier across multiple embed sessions.,
force_logout_login (boolean): When true, the embed session will purge any residual Looker login state (such as in browser cookies) before creating a new login state with the given embed user info. Defaults to true.,
first_name (string): First name of the embed user. Defaults to 'Embed' if not specified,
last_name (string): Last name of the embed user. Defaults to 'User' if not specified,
user_timezone (string): Sets the user timezone for the embed user session, if the User Specific Timezones setting is enabled in the Looker admin settings. A value of null forces the embed user to use the Looker Application Default Timezone. You MUST omit this property from the request if the User Specific Timezones setting is disabled. Timezone values are validated against the IANA Timezone standard and can be seen in the Application Time Zone dropdown list on the Looker General Settings admin page.,
permissions (Array[string]): List of Looker permission names to grant to the embed user. Requested permissions will be filtered to permissions allowed for embed sessions.,
models (Array[string]): List of model names that the embed user may access,
group_ids (Array[long]): List of Looker group ids in which to enroll the embed user,
external_group_id (long): A unique value identifying an embed-exclusive group. Multiple embed users using the same external_group_id value will be able to share Looker content with each other. Content and embed users associated with the external_group_id will not be accessible to normal Looker users or embed users not associated with this external_group_id.,
user_attributes (object): A dictionary of name-value pairs associating a Looker user attribute name with a value.,
secret_id (long): Id of the embed secret to use to sign this SSO url. If specified, the value must be an id of a valid (active) secret defined in the Looker instance. If not specified, the URL will be signed with the newest active embed secret defined in the Looker instance.
}
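
A pre-flight check for the request body, applying the rules stated above before anything is sent to POST /api/3.1/embed/sso_url, plus a log-safe form of the returned URL in line with the Security Note. This is an added example, not Looker's code: the function names, the allowed_hosts allowlist and the lower bound on session_length are assumptions made for illustration.

```python
from urllib.parse import urlsplit

MAX_SESSION_LENGTH = 2592000  # seconds (30 days), the documented maximum
DEFAULT_SESSION_LENGTH = 300  # seconds, the documented default


def validate_embed_sso_params(body, allowed_hosts=None):
    """Check an EmbedSsoUrlParams dict; return [(field, message)], empty if OK.

    allowed_hosts is a hypothetical caller-side allowlist of public Looker
    host names. It is a local hardening check, not part of the Looker API.
    """
    errors = []

    # target_url must be a complete URL: https scheme, host name and path.
    target = body.get("target_url")
    if not isinstance(target, str) or not target:
        errors.append(("target_url", "required"))
    else:
        try:
            parts = urlsplit(target)
        except ValueError:
            parts = None
            errors.append(("target_url", "not a parseable URL"))
        if parts is not None:
            if parts.scheme != "https":
                errors.append(("target_url", "scheme must be https"))
            if not parts.hostname:
                # Also catches a single slash after the scheme ("https:/host/...").
                errors.append(("target_url", "host name is missing"))
            elif allowed_hosts is not None and parts.hostname not in allowed_hosts:
                errors.append(("target_url", "unexpected host " + parts.hostname))
            if parts.path in ("", "/"):
                errors.append(("target_url", "path of a Looker UI page is missing"))

    # session_length: optional, defaults to 300, capped at 30 days.
    length = body.get("session_length", DEFAULT_SESSION_LENGTH)
    if isinstance(length, bool) or not isinstance(length, int):
        errors.append(("session_length", "must be an integer number of seconds"))
    elif length > MAX_SESSION_LENGTH:
        errors.append(("session_length", "exceeds 2592000 seconds (30 days)"))
    elif length <= 0:
        # Lower bound is a local sanity check; the page documents only the maximum.
        errors.append(("session_length", "must be positive"))

    # Access must come from group_ids, or from models AND permissions together.
    has_groups = bool(body.get("group_ids"))
    has_models_and_permissions = bool(body.get("models")) and bool(body.get("permissions"))
    if not (has_groups or has_models_and_permissions):
        errors.append(("permissions", "give group_ids, or both models and permissions"))

    return errors


def redact_signed_url(signed_url):
    """Log-safe form of a signed embed URL: scheme and host only."""
    parts = urlsplit(signed_url)
    return "%s://%s/<redacted>" % (parts.scheme, parts.hostname)
```
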

Response Messages

HTTP Status Code | Reason | Response Model
400 | Bad Request | Error
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 | Not Found | Error
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
422 | Validation Error | ValidationError
ValidationError {
message (string, read-only, required): Error details,
errors (Array[ValidationErrorDetail], read-only): Error detail array,
documentation_url (string, read-only, required): Documentation link
}
ValidationErrorDetail {
field (string, read-only): Field with error,
code (string, read-only): Error code,
message (string, read-only): Error info message,
documentation_url (string, read-only, required): Documentation link
}

Get LDAP Configuration

GET /api/3.1/ldap_config
ldap_config()

Implementation Notes

Get the LDAP configuration.

Looker can be optionally configured to authenticate users against an Active Directory or other LDAP directory server. LDAP setup requires coordination with an administrator of that directory server.

Only Looker administrators can read and update the LDAP configuration.

Configuring LDAP impacts authentication for all users. This configuration should be done carefully.

Looker maintains a single LDAP configuration. It can be read and updated. Updates only succeed if the new state will be valid (in the sense that all required fields are populated); it is up to you to ensure that the configuration is appropriate and correct.

LDAP is enabled or disabled for Looker using the enabled field.

Looker will never return an auth_password field. That value can be set, but never retrieved.

See the Looker LDAP docs for additional information.

Response Class

LDAPConfig {
can (object, read-only): Operations the current user is able to perform on this object,
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
auth_password (string): (Write-Only) Password for the LDAP account used to access the LDAP server,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in LDAP if set to true,
auth_username (string): Distinguished name of LDAP account used to access the LDAP server,
connection_host (string): LDAP server hostname,
connection_port (string): LDAP host port,
connection_tls (boolean): Use Transport Layer Security,
connection_tls_no_verify (boolean): Do not verify peer when using TLS,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via LDAP,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via LDAP,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via LDAP,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via LDAP,
enabled (boolean): Enable/Disable LDAP authentication for the server,
force_no_page (boolean): Don't attempt to do LDAP search result paging (RFC 2696) even if the LDAP server claims to support it.,
groups (Array[LDAPGroupRead], read-only): (Read-only) Array of mappings between LDAP Groups and Looker Roles,
groups_base_dn (string): Base dn for finding groups in LDAP searches,
groups_finder_type (string): Identifier for a strategy for how Looker will search for groups in the LDAP server,
groups_member_attribute (string): LDAP Group attribute that signifies the members of the groups. Most commonly 'member',
groups_objectclasses (string): Optional comma-separated list of supported LDAP objectclass for groups when doing groups searches,
groups_user_attribute (string): LDAP Group attribute that signifies the user in a group. Most commonly 'dn',
groups_with_role_ids (Array[LDAPGroupWrite]): (Read/Write) Array of mappings between LDAP Groups and arrays of Looker Role ids,
has_auth_password (boolean, read-only): (Read-only) Has the password been set for the LDAP account used to access the LDAP server,
merge_new_users_by_email (boolean): Merge first-time ldap login to existing user account by email addresses. When a user logs in for the first time via ldap this option will connect this user into their existing account by finding the account with a matching email address. Otherwise a new user account will be created for the user.,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
set_roles_from_groups (boolean): Set user roles in Looker based on groups from LDAP,
test_ldap_password (string): (Write-Only) Test LDAP user password. For ldap tests only.,
test_ldap_user (string): (Write-Only) Test LDAP user login id. For ldap tests only.,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
user_attribute_map_ldap_id (string): Name of user record attributes used to indicate unique record id,
user_attributes (Array[LDAPUserAttributeRead], read-only): (Read-only) Array of mappings between LDAP User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[LDAPUserAttributeWrite]): (Read/Write) Array of mappings between LDAP User Attributes and arrays of Looker User Attribute ids,
user_bind_base_dn (string): Distinguished name of LDAP node used as the base for user searches,
user_custom_filter (string): (Optional) Custom RFC-2254 filter clause for use in finding user during login. Combined via 'and' with the other generated filter clauses.,
user_id_attribute_names (string): Name(s) of user record attributes used for matching user login id (comma separated list),
user_objectclass (string): (Optional) Name of user record objectclass used for finding user during login id,
url (string, read-only): Link to get this item
}
Group {
can (object, read-only): Operations the current user is able to perform on this object,
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group
}
Role {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role
}
PermissionSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item
}
ModelSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item
}
LDAPGroupRead {
name (string, read-only): Name of group in LDAP,
roles (Array[Role], read-only): Looker Roles,
url (string, read-only): Link to ldap config
}
LDAPGroupWrite {
name (string): Name of group in LDAP,
role_ids (Array[long]): Looker Role Ids,
url (string, read-only): Link to ldap config
}
LDAPUserAttributeRead {
name (string, read-only): Name of User Attribute in LDAP,
required (boolean, read-only): Required to be in LDAP assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes,
url (string, read-only): Link to ldap config
}
UserAttribute {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
is_permanent (boolean, read-only): Attribute is permanent and cannot be deleted,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.
}
LDAPUserAttributeWrite {
name (string): Name of User Attribute in LDAP,
required (boolean): Required to be in LDAP assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
url (string, read-only): Link to ldap config
}
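
A review pass over an LDAPConfig document, flagging the settings in the model above that affect how strongly logins are protected. This is an added example, not Looker's code: the function name, the severity labels and the sample configuration are constructed for illustration, and the input is assumed to be the JSON from GET /api/3.1/ldap_config or a stored request body, already parsed into a dict.

```python
SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}

# Constructed sample, shaped like an LDAPConfig response.
SAMPLE_CONFIG = {
    "enabled": True,
    "connection_host": "ldap.example.internal",
    "connection_port": "389",
    "connection_tls": True,
    "connection_tls_no_verify": True,
    "auth_username": "cn=looker,ou=svc,dc=example,dc=com",
    "has_auth_password": True,
    "auth_requires_role": False,
    "merge_new_users_by_email": True,
    "alternate_email_login_allowed": False,
    "default_new_user_roles": [{"id": 2, "name": "Viewer"}],
}


def audit_ldap_config(cfg):
    """Return [(severity, field, message)] for an LDAPConfig dict, worst first."""
    findings = []

    # auth_password and test_ldap_password are write-only and never returned by
    # the API, so a value here means the dict is a stored request body.
    for secret in ("auth_password", "test_ldap_password"):
        if cfg.get(secret):
            findings.append(("high", secret, "write-only secret kept in a stored config"))

    if not cfg.get("enabled"):
        return findings  # remaining checks only matter while LDAP logins are on

    if not cfg.get("connection_tls"):
        findings.append(("high", "connection_tls",
                         "connection to the LDAP server does not use TLS"))
    elif cfg.get("connection_tls_no_verify"):
        findings.append(("high", "connection_tls_no_verify",
                         "TLS peer is not verified, so the server is not authenticated"))

    if cfg.get("auth_username") and not cfg.get("has_auth_password"):
        findings.append(("medium", "has_auth_password",
                         "bind account is named but no password is set"))

    if not cfg.get("auth_requires_role"):
        findings.append(("medium", "auth_requires_role",
                         "users with no role found in LDAP can still log in"))

    if cfg.get("merge_new_users_by_email"):
        findings.append(("medium", "merge_new_users_by_email",
                         "first LDAP login is attached to an existing account by email match"))

    if cfg.get("alternate_email_login_allowed"):
        findings.append(("info", "alternate_email_login_allowed",
                         "/login/email fallback is open to admins and login_special_email users"))

    default_roles = [r.get("name") for r in cfg.get("default_new_user_roles") or []]
    if default_roles:
        findings.append(("info", "default_new_user_roles",
                         "every first-time LDAP user receives: " + ", ".join(map(str, default_roles))))

    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


if __name__ == "__main__":
    for severity, field, message in audit_ldap_config(SAMPLE_CONFIG):
        print("%-6s %-30s %s" % (severity, field, message))
```
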

Parameters

  None

Response Messages

HTTP Status Code | Reason | Response Model
404 | Not Found | Error
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}

Update LDAP Configuration

PATCH /api/3.1/ldap_config
update_ldap_config(body)

Implementation Notes

Update the LDAP configuration.

Configuring LDAP impacts authentication for all users. This configuration should be done carefully.

Only Looker administrators can read and update the LDAP configuration.

LDAP is enabled or disabled for Looker using the enabled field.

It is highly recommended that any LDAP setting changes be tested using the APIs below before being set globally.

See the Looker LDAP docs for additional information.

Response Class

LDAPConfig {
can (object, read-only): Operations the current user is able to perform on this object,
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
auth_password (string): (Write-Only) Password for the LDAP account used to access the LDAP server,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in LDAP if set to true,
auth_username (string): Distinguished name of LDAP account used to access the LDAP server,
connection_host (string): LDAP server hostname,
connection_port (string): LDAP host port,
connection_tls (boolean): Use Transport Layer Security,
connection_tls_no_verify (boolean): Do not verify peer when using TLS,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via LDAP,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via LDAP,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via LDAP,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via LDAP,
enabled (boolean): Enable/Disable LDAP authentication for the server,
force_no_page (boolean): Don't attempt to do LDAP search result paging (RFC 2696) even if the LDAP server claims to support it.,
groups (Array[LDAPGroupRead], read-only): (Read-only) Array of mappings between LDAP Groups and Looker Roles,
groups_base_dn (string): Base dn for finding groups in LDAP searches,
groups_finder_type (string): Identifier for a strategy for how Looker will search for groups in the LDAP server,
groups_member_attribute (string): LDAP Group attribute that signifies the members of the groups. Most commonly 'member',
groups_objectclasses (string): Optional comma-separated list of supported LDAP objectclass for groups when doing groups searches,
groups_user_attribute (string): LDAP Group attribute that signifies the user in a group. Most commonly 'dn',
groups_with_role_ids (Array[LDAPGroupWrite]): (Read/Write) Array of mappings between LDAP Groups and arrays of Looker Role ids,
has_auth_password (boolean, read-only): (Read-only) Has the password been set for the LDAP account used to access the LDAP server,
merge_new_users_by_email (boolean): Merge first-time ldap login to existing user account by email addresses. When a user logs in for the first time via ldap this option will connect this user into their existing account by finding the account with a matching email address. Otherwise a new user account will be created for the user.,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
set_roles_from_groups (boolean): Set user roles in Looker based on groups from LDAP,
test_ldap_password (string): (Write-Only) Test LDAP user password. For ldap tests only.,
test_ldap_user (string): (Write-Only) Test LDAP user login id. For ldap tests only.,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
user_attribute_map_ldap_id (string): Name of user record attributes used to indicate unique record id,
user_attributes (Array[LDAPUserAttributeRead], read-only): (Read-only) Array of mappings between LDAP User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[LDAPUserAttributeWrite]): (Read/Write) Array of mappings between LDAP User Attributes and arrays of Looker User Attribute ids,
user_bind_base_dn (string): Distinguished name of LDAP node used as the base for user searches,
user_custom_filter (string): (Optional) Custom RFC-2254 filter clause for use in finding user during login. Combined via 'and' with the other generated filter clauses.,
user_id_attribute_names (string): Name(s) of user record attributes used for matching user login id (comma separated list),
user_objectclass (string): (Optional) Name of user record objectclass used for finding user during login id,
url (string, read-only): Link to get this item
}
Group {
can (object, read-only): Operations the current user is able to perform on this object,
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group
}
Role {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role
}
PermissionSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item
}
ModelSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item
}
LDAPGroupRead {
name (string, read-only): Name of group in LDAP,
roles (Array[Role], read-only): Looker Roles,
url (string, read-only): Link to ldap config
}
LDAPGroupWrite {
name (string): Name of group in LDAP,
role_ids (Array[long]): Looker Role Ids,
url (string, read-only): Link to ldap config
}
LDAPUserAttributeRead {
name (string, read-only): Name of User Attribute in LDAP,
required (boolean, read-only): Required to be in LDAP assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes,
url (string, read-only): Link to ldap config
}
UserAttribute {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
is_permanent (boolean, read-only): Attribute is permanent and cannot be deleted,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.
}
LDAPUserAttributeWrite {
name (string): Name of User Attribute in LDAP,
required (boolean): Required to be in LDAP assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
url (string, read-only): Link to ldap config
}

Parameters

Parameter | Required? | Description | Parameter Type | Data Type
body | true | LDAP Config | body | LDAPConfig
LDAPConfig {
can (object, read-only): Operations the current user is able to perform on this object,
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
auth_password (string): (Write-Only) Password for the LDAP account used to access the LDAP server,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in LDAP if set to true,
auth_username (string): Distinguished name of LDAP account used to access the LDAP server,
connection_host (string): LDAP server hostname,
connection_port (string): LDAP host port,
connection_tls (boolean): Use Transport Layer Security,
connection_tls_no_verify (boolean): Do not verify peer when using TLS,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via LDAP,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via LDAP,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via LDAP,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via LDAP,
enabled (boolean): Enable/Disable LDAP authentication for the server,
force_no_page (boolean): Don't attempt to do LDAP search result paging (RFC 2696) even if the LDAP server claims to support it.,
groups (Array[LDAPGroupRead], read-only): (Read-only) Array of mappings between LDAP Groups and Looker Roles,
groups_base_dn (string): Base dn for finding groups in LDAP searches,
groups_finder_type (string): Identifier for a strategy for how Looker will search for groups in the LDAP server,
groups_member_attribute (string): LDAP Group attribute that signifies the members of the groups. Most commonly 'member',
groups_objectclasses (string): Optional comma-separated list of supported LDAP objectclass for groups when doing groups searches,
groups_user_attribute (string): LDAP Group attribute that signifies the user in a group. Most commonly 'dn',
groups_with_role_ids (Array[LDAPGroupWrite]): (Read/Write) Array of mappings between LDAP Groups and arrays of Looker Role ids,
has_auth_password (boolean, read-only): (Read-only) Has the password been set for the LDAP account used to access the LDAP server,
merge_new_users_by_email (boolean): Merge first-time ldap login to existing user account by email addresses. When a user logs in for the first time via ldap this option will connect this user into their existing account by finding the account with a matching email address. Otherwise a new user account will be created for the user.,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
set_roles_from_groups (boolean): Set user roles in Looker based on groups from LDAP,
test_ldap_password (string): (Write-Only) Test LDAP user password. For ldap tests only.,
test_ldap_user (string): (Write-Only) Test LDAP user login id. For ldap tests only.,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
user_attribute_map_ldap_id (string): Name of user record attributes used to indicate unique record id,
user_attributes (Array[LDAPUserAttributeRead], read-only): (Read-only) Array of mappings between LDAP User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[LDAPUserAttributeWrite]): (Read/Write) Array of mappings between LDAP User Attributes and arrays of Looker User Attribute ids,
user_bind_base_dn (string): Distinguished name of LDAP node used as the base for user searches,
user_custom_filter (string): (Optional) Custom RFC-2254 filter clause for use in finding user during login. Combined via 'and' with the other generated filter clauses.,
user_id_attribute_names (string): Name(s) of user record attributes used for matching user login id (comma separated list),
user_objectclass (string): (Optional) Name of user record objectclass used for finding user during login id,
url (string, read-only): Link to get this item
}
Group {
can (object, read-only): Operations the current user is able to perform on this object,
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group
}
Role {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role
}
PermissionSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item
}
ModelSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item
}
LDAPGroupRead {
name (string, read-only): Name of group in LDAP,
roles (Array[Role], read-only): Looker Roles,
url (string, read-only): Link to ldap config
}
LDAPGroupWrite {
name (string): Name of group in LDAP,
role_ids (Array[long]): Looker Role Ids,
url (string, read-only): Link to ldap config
}
LDAPUserAttributeRead {
name (string, read-only): Name of User Attribute in LDAP,
required (boolean, read-only): Required to be in LDAP assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes,
url (string, read-only): Link to ldap config
}
UserAttribute {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
is_permanent (boolean, read-only): Attribute is permanent and cannot be deleted,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.
}
LDAPUserAttributeWrite {
name (string): Name of User Attribute in LDAP,
required (boolean): Required to be in LDAP assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
url (string, read-only): Link to ldap config
}

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
422 Validation Error
ValidationError {
message (string, read-only, required): Error details,
errors (Array[ValidationErrorDetail], read-only): Error detail array,
documentation_url (string, read-only, required): Documentation link
}
ValidationErrorDetail {
field (string, read-only): Field with error,
code (string, read-only): Error code,
message (string, read-only): Error info message,
documentation_url (string, read-only, required): Documentation link
}

Test LDAP Connection

PUT/api/3.1/ldap_config/test_connection
test_ldap_config_connection(body)

Implementation Notes

Test the connection settings for an LDAP configuration.

This tests that the connection is possible given a connection_host and connection_port.

connection_host and connection_port are required. connection_tls is optional.

Example:

{
  "connection_host": "ldap.example.com",
  "connection_port": "636",
  "connection_tls": true
}

No authentication to the LDAP server is attempted.

The active LDAP settings are not modified.

Response Class

LDAPConfigTestResult {
details (string, read-only): Additional details for error cases,
issues (Array[LDAPConfigTestIssue], read-only): Array of issues/considerations about the result,
message (string, read-only): Short human readable test about the result,
status (string, read-only): Test status code: always 'success' or 'error',
trace (string, read-only): A more detailed trace of incremental results during auth tests,
user (LDAPUser, read-only): User details from LDAP server for auth tests,
url (string, read-only): Link to ldap config
}
LDAPConfigTestIssue {
severity (string, read-only): Severity of the issue. Error or Warning,
message (string, read-only): Message describing the issue,
can (object, read-only): Operations the current user is able to perform on this object
}
LDAPUser {
all_emails (Array[string], read-only): Array of user's email addresses and aliases for use in migration,
attributes (object, read-only): Dictionary of user's attributes (name/value),
email (string, read-only): Primary email address,
first_name (string, read-only): First name,
groups (Array[string], read-only): Array of user's groups (group names only),
last_name (string, read-only): Last Name,
ldap_dn (string, read-only): LDAP's distinguished name for the user record,
ldap_id (string, read-only): LDAP's Unique ID for the user,
roles (Array[string], read-only): Array of user's roles (role names only),
can (object, read-only): Operations the current user is able to perform on this object,
url (string, read-only): Link to ldap config
}

Parameters

Parameter: body
Required?: true
Description: LDAP Config
Parameter Type: body
Data Type: LDAPConfig (model below)
LDAPConfig {
can (object, read-only): Operations the current user is able to perform on this object,
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
auth_password (string): (Write-Only) Password for the LDAP account used to access the LDAP server,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in LDAP if set to true,
auth_username (string): Distinguished name of LDAP account used to access the LDAP server,
connection_host (string): LDAP server hostname,
connection_port (string): LDAP host port,
connection_tls (boolean): Use Transport Layer Security,
connection_tls_no_verify (boolean): Do not verify peer when using TLS,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via LDAP,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via LDAP,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via LDAP,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via LDAP,
enabled (boolean): Enable/Disable LDAP authentication for the server,
force_no_page (boolean): Don't attempt to do LDAP search result paging (RFC 2696) even if the LDAP server claims to support it.,
groups (Array[LDAPGroupRead], read-only): (Read-only) Array of mappings between LDAP Groups and Looker Roles,
groups_base_dn (string): Base dn for finding groups in LDAP searches,
groups_finder_type (string): Identifier for a strategy for how Looker will search for groups in the LDAP server,
groups_member_attribute (string): LDAP Group attribute that signifies the members of the groups. Most commonly 'member',
groups_objectclasses (string): Optional comma-separated list of supported LDAP objectclass for groups when doing groups searches,
groups_user_attribute (string): LDAP Group attribute that signifies the user in a group. Most commonly 'dn',
groups_with_role_ids (Array[LDAPGroupWrite]): (Read/Write) Array of mappings between LDAP Groups and arrays of Looker Role ids,
has_auth_password (boolean, read-only): (Read-only) Has the password been set for the LDAP account used to access the LDAP server,
merge_new_users_by_email (boolean): Merge first-time ldap login to existing user account by email addresses. When a user logs in for the first time via ldap this option will connect this user into their existing account by finding the account with a matching email address. Otherwise a new user account will be created for the user.,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
set_roles_from_groups (boolean): Set user roles in Looker based on groups from LDAP,
test_ldap_password (string): (Write-Only) Test LDAP user password. For ldap tests only.,
test_ldap_user (string): (Write-Only) Test LDAP user login id. For ldap tests only.,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
user_attribute_map_ldap_id (string): Name of user record attributes used to indicate unique record id,
user_attributes (Array[LDAPUserAttributeRead], read-only): (Read-only) Array of mappings between LDAP User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[LDAPUserAttributeWrite]): (Read/Write) Array of mappings between LDAP User Attributes and arrays of Looker User Attribute ids,
user_bind_base_dn (string): Distinguished name of LDAP node used as the base for user searches,
user_custom_filter (string): (Optional) Custom RFC-2254 filter clause for use in finding user during login. Combined via 'and' with the other generated filter clauses.,
user_id_attribute_names (string): Name(s) of user record attributes used for matching user login id (comma separated list),
user_objectclass (string): (Optional) Name of user record objectclass used for finding user during login id,
url (string, read-only): Link to get this item
}
Group {
can (object, read-only): Operations the current user is able to perform on this object,
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group
}
Role {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role
}
PermissionSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item
}
ModelSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item
}
LDAPGroupRead {
name (string, read-only): Name of group in LDAP,
roles (Array[Role], read-only): Looker Roles,
url (string, read-only): Link to ldap config
}
LDAPGroupWrite {
name (string): Name of group in LDAP,
role_ids (Array[long]): Looker Role Ids,
url (string, read-only): Link to ldap config
}
LDAPUserAttributeRead {
name (string, read-only): Name of User Attribute in LDAP,
required (boolean, read-only): Required to be in LDAP assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes,
url (string, read-only): Link to ldap config
}
UserAttribute {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
is_permanent (boolean, read-only): Attribute is permanent and cannot be deleted,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.
}
LDAPUserAttributeWrite {
name (string): Name of User Attribute in LDAP,
required (boolean): Required to be in LDAP assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
url (string, read-only): Link to ldap config
}

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
422 Validation Error
ValidationError {
message (string, read-only, required): Error details,
errors (Array[ValidationErrorDetail], read-only): Error detail array,
documentation_url (string, read-only, required): Documentation link
}
ValidationErrorDetail {
field (string, read-only): Field with error,
code (string, read-only): Error code,
message (string, read-only): Error info message,
documentation_url (string, read-only, required): Documentation link
}

Test LDAP Auth

PUT/api/3.1/ldap_config/test_auth
test_ldap_config_auth(body)

Implementation Notes

Test the connection authentication settings for an LDAP configuration.

This tests that the connection is possible and that a ‘server’ account to be used by Looker can authenticate to the LDAP server given connection and authentication information.

connection_host, connection_port, and auth_username are required. connection_tls and auth_password are optional.

Example:

{
  "connection_host": "ldap.example.com",
  "connection_port": "636",
  "connection_tls": true,
  "auth_username": "cn=looker,dc=example,dc=com",
  "auth_password": "secret"
}

Looker will never return an auth_password. If this request omits the auth_password field, then the auth_password value from the active config (if present) will be used for the test.

The active LDAP settings are not modified.

Response Class

LDAPConfigTestResult {
details (string, read-only): Additional details for error cases,
issues (Array[LDAPConfigTestIssue], read-only): Array of issues/considerations about the result,
message (string, read-only): Short human readable test about the result,
status (string, read-only): Test status code: always 'success' or 'error',
trace (string, read-only): A more detailed trace of incremental results during auth tests,
user (LDAPUser, read-only): User details from LDAP server for auth tests,
url (string, read-only): Link to ldap config
}
LDAPConfigTestIssue {
severity (string, read-only): Severity of the issue. Error or Warning,
message (string, read-only): Message describing the issue,
can (object, read-only): Operations the current user is able to perform on this object
}
LDAPUser {
all_emails (Array[string], read-only): Array of user's email addresses and aliases for use in migration,
attributes (object, read-only): Dictionary of user's attributes (name/value),
email (string, read-only): Primary email address,
first_name (string, read-only): First name,
groups (Array[string], read-only): Array of user's groups (group names only),
last_name (string, read-only): Last Name,
ldap_dn (string, read-only): LDAP's distinguished name for the user record,
ldap_id (string, read-only): LDAP's Unique ID for the user,
roles (Array[string], read-only): Array of user's roles (role names only),
can (object, read-only): Operations the current user is able to perform on this object,
url (string, read-only): Link to ldap config
}

Parameters

Parameter: body
Required?: true
Description: LDAP Config
Parameter Type: body
Data Type: LDAPConfig (model below)
LDAPConfig {
can (object, read-only): Operations the current user is able to perform on this object,
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
auth_password (string): (Write-Only) Password for the LDAP account used to access the LDAP server,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in LDAP if set to true,
auth_username (string): Distinguished name of LDAP account used to access the LDAP server,
connection_host (string): LDAP server hostname,
connection_port (string): LDAP host port,
connection_tls (boolean): Use Transport Layer Security,
connection_tls_no_verify (boolean): Do not verify peer when using TLS,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via LDAP,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via LDAP,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via LDAP,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via LDAP,
enabled (boolean): Enable/Disable LDAP authentication for the server,
force_no_page (boolean): Don't attempt to do LDAP search result paging (RFC 2696) even if the LDAP server claims to support it.,
groups (Array[LDAPGroupRead], read-only): (Read-only) Array of mappings between LDAP Groups and Looker Roles,
groups_base_dn (string): Base dn for finding groups in LDAP searches,
groups_finder_type (string): Identifier for a strategy for how Looker will search for groups in the LDAP server,
groups_member_attribute (string): LDAP Group attribute that signifies the members of the groups. Most commonly 'member',
groups_objectclasses (string): Optional comma-separated list of supported LDAP objectclass for groups when doing groups searches,
groups_user_attribute (string): LDAP Group attribute that signifies the user in a group. Most commonly 'dn',
groups_with_role_ids (Array[LDAPGroupWrite]): (Read/Write) Array of mappings between LDAP Groups and arrays of Looker Role ids,
has_auth_password (boolean, read-only): (Read-only) Has the password been set for the LDAP account used to access the LDAP server,
merge_new_users_by_email (boolean): Merge first-time ldap login to existing user account by email addresses. When a user logs in for the first time via ldap this option will connect this user into their existing account by finding the account with a matching email address. Otherwise a new user account will be created for the user.,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
set_roles_from_groups (boolean): Set user roles in Looker based on groups from LDAP,
test_ldap_password (string): (Write-Only) Test LDAP user password. For ldap tests only.,
test_ldap_user (string): (Write-Only) Test LDAP user login id. For ldap tests only.,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
user_attribute_map_ldap_id (string): Name of user record attributes used to indicate unique record id,
user_attributes (Array[LDAPUserAttributeRead], read-only): (Read-only) Array of mappings between LDAP User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[LDAPUserAttributeWrite]): (Read/Write) Array of mappings between LDAP User Attributes and arrays of Looker User Attribute ids,
user_bind_base_dn (string): Distinguished name of LDAP node used as the base for user searches,
user_custom_filter (string): (Optional) Custom RFC-2254 filter clause for use in finding user during login. Combined via 'and' with the other generated filter clauses.,
user_id_attribute_names (string): Name(s) of user record attributes used for matching user login id (comma separated list),
user_objectclass (string): (Optional) Name of user record objectclass used for finding user during login id,
url (string, read-only): Link to get this item
}
Group {
can (object, read-only): Operations the current user is able to perform on this object,
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group
}
Role {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role
}
PermissionSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item
}
ModelSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item
}
LDAPGroupRead {
name (string, read-only): Name of group in LDAP,
roles (Array[Role], read-only): Looker Roles,
url (string, read-only): Link to ldap config
}
LDAPGroupWrite {
name (string): Name of group in LDAP,
role_ids (Array[long]): Looker Role Ids,
url (string, read-only): Link to ldap config
}
LDAPUserAttributeRead {
name (string, read-only): Name of User Attribute in LDAP,
required (boolean, read-only): Required to be in LDAP assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes,
url (string, read-only): Link to ldap config
}
UserAttribute {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
is_permanent (boolean, read-only): Attribute is permanent and cannot be deleted,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.
}
LDAPUserAttributeWrite {
name (string): Name of User Attribute in LDAP,
required (boolean): Required to be in LDAP assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
url (string, read-only): Link to ldap config
}

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
422 Validation Error
ValidationError {
message (string, read-only, required): Error details,
errors (Array[ValidationErrorDetail], read-only): Error detail array,
documentation_url (string, read-only, required): Documentation link
}
ValidationErrorDetail {
field (string, read-only): Field with error,
code (string, read-only): Error code,
message (string, read-only): Error info message,
documentation_url (string, read-only, required): Documentation link
}

Test LDAP User Info

PUT/api/3.1/ldap_config/test_user_info
test_ldap_config_user_info(body)

Implementation Notes

Test the user authentication settings for an LDAP configuration without authenticating the user.

This test will let you easily test the mapping for user properties and roles for any user without needing to authenticate as that user.

This test accepts a full LDAP configuration along with a username and attempts to find the full info for the user from the LDAP server without actually authenticating the user, so the user's password is not required. The configuration is validated before attempting to contact the server.

test_ldap_user is required.

The active LDAP settings are not modified.
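The three test endpoints above have different required fields and share the same TLS and write-only password settings. The following Python code is an added example, not part of the Looker documentation or SDK: it checks a request body before it is sent, masks the write-only secrets for logging, and reduces an LDAPConfigTestResult to a pass/fail. The function names, the "error"/"warning"/"info" severities and the sample dictionaries are assumptions made for this example; field names and required-field rules come from this page.

```python
import copy

# Required fields per test endpoint, taken from the Implementation Notes on this page.
REQUIRED = {
    "test_connection": ("connection_host", "connection_port"),
    "test_auth": ("connection_host", "connection_port", "auth_username"),
    "test_user_info": ("test_ldap_user",),
}
# LDAPConfig fields the schema marks (Write-Only) that hold passwords: never log them.
WRITE_ONLY_SECRETS = ("auth_password", "test_ldap_password")
# LDAPConfig fields the schema marks read-only: they do not belong in a request body.
READ_ONLY = ("can", "default_new_user_groups", "default_new_user_roles", "groups",
             "has_auth_password", "modified_at", "modified_by", "user_attributes", "url")

# Constructed sample: the test_auth example body shown on this page.
AUTH_BODY = {
    "connection_host": "ldap.example.com",
    "connection_port": "636",
    "connection_tls": True,
    "auth_username": "cn=looker,dc=example,dc=com",
    "auth_password": "secret",
}
# Constructed sample of an LDAPConfigTestResult with one Error and one Warning issue.
SAMPLE_RESULT = {
    "status": "error",
    "message": "constructed sample message",
    "issues": [
        {"severity": "Error", "message": "constructed: bind failed"},
        {"severity": "Warning", "message": "constructed: no groups found"},
    ],
}


def redact(body):
    """Return a deep copy of body with write-only secrets masked, safe to log."""
    safe = copy.deepcopy(body)
    for field in WRITE_ONLY_SECRETS:
        if field in safe:
            safe[field] = "<redacted>"
    return safe


def check_body(test_name, body):
    """Return (severity, message) findings for a body bound for ldap_config/<test_name>."""
    findings = []
    for field in REQUIRED[test_name]:
        if body.get(field) in (None, ""):
            findings.append(("error", f"{field} is required for {test_name}"))
    for field in READ_ONLY:
        if field in body:
            findings.append(("info", f"{field} is read-only in the schema; strip it"))
    if "connection_port" in body and not isinstance(body["connection_port"], str):
        findings.append(("warning", 'connection_port is typed string in the schema, e.g. "636"'))
    if body.get("connection_tls") is not True:
        findings.append(("warning", "connection_tls is not true: LDAP traffic, "
                                    "including any bind password, is not encrypted"))
    elif body.get("connection_tls_no_verify") is True:
        findings.append(("warning", "connection_tls_no_verify is true: "
                                    "the LDAP server's certificate is not verified"))
    if test_name == "test_auth" and "auth_password" not in body:
        findings.append(("info", "auth_password omitted: the active config's "
                                 "stored password (if present) is used"))
    return findings


def summarize_result(result):
    """Reduce an LDAPConfigTestResult to (passed, [messages of Error-severity issues])."""
    errors = [issue.get("message", "") for issue in (result.get("issues") or [])
              if str(issue.get("severity", "")).lower() == "error"]
    passed = result.get("status") == "success" and not errors
    return passed, errors


if __name__ == "__main__":
    print("body to log:", redact(AUTH_BODY))
    for severity, message in check_body("test_auth", AUTH_BODY):
        print(severity, message)
    print(summarize_result(SAMPLE_RESULT))
```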

Response Class

LDAPConfigTestResult {
details (string, read-only): Additional details for error cases,
issues (Array[LDAPConfigTestIssue], read-only): Array of issues/considerations about the result,
message (string, read-only): Short human readable test about the result,
status (string, read-only): Test status code: always 'success' or 'error',
trace (string, read-only): A more detailed trace of incremental results during auth tests,
user (LDAPUser, read-only): User details from LDAP server for auth tests,
url (string, read-only): Link to ldap config
}
LDAPConfigTestIssue {
severity (string, read-only): Severity of the issue. Error or Warning,
message (string, read-only): Message describing the issue,
can (object, read-only): Operations the current user is able to perform on this object
}
LDAPUser {
all_emails (Array[string], read-only): Array of user's email addresses and aliases for use in migration,
attributes (object, read-only): Dictionary of user's attributes (name/value),
email (string, read-only): Primary email address,
first_name (string, read-only): First name,
groups (Array[string], read-only): Array of user's groups (group names only),
last_name (string, read-only): Last Name,
ldap_dn (string, read-only): LDAP's distinguished name for the user record,
ldap_id (string, read-only): LDAP's Unique ID for the user,
roles (Array[string], read-only): Array of user's roles (role names only),
can (object, read-only): Operations the current user is able to perform on this object,
url (string, read-only): Link to ldap config
}

Parameters

Parameter: body
Required?: true
Description: LDAP Config
Parameter Type: body
Data Type: LDAPConfig (model below)
LDAPConfig {
can (object, read-only): Operations the current user is able to perform on this object,
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
auth_password (string): (Write-Only) Password for the LDAP account used to access the LDAP server,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in LDAP if set to true,
auth_username (string): Distinguished name of LDAP account used to access the LDAP server,
connection_host (string): LDAP server hostname,
connection_port (string): LDAP host port,
connection_tls (boolean): Use Transport Layer Security,
connection_tls_no_verify (boolean): Do not verify peer when using TLS,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via LDAP,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via LDAP,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via LDAP,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via LDAP,
enabled (boolean): Enable/Disable LDAP authentication for the server,
force_no_page (boolean): Don't attempt to do LDAP search result paging (RFC 2696) even if the LDAP server claims to support it.,
groups (Array[LDAPGroupRead], read-only): (Read-only) Array of mappings between LDAP Groups and Looker Roles,
groups_base_dn (string): Base dn for finding groups in LDAP searches,
groups_finder_type (string): Identifier for a strategy for how Looker will search for groups in the LDAP server,
groups_member_attribute (string): LDAP Group attribute that signifies the members of the groups. Most commonly 'member',
groups_objectclasses (string): Optional comma-separated list of supported LDAP objectclass for groups when doing groups searches,
groups_user_attribute (string): LDAP Group attribute that signifies the user in a group. Most commonly 'dn',
groups_with_role_ids (Array[LDAPGroupWrite]): (Read/Write) Array of mappings between LDAP Groups and arrays of Looker Role ids,
has_auth_password (boolean, read-only): (Read-only) Has the password been set for the LDAP account used to access the LDAP server,
merge_new_users_by_email (boolean): Merge first-time ldap login to existing user account by email addresses. When a user logs in for the first time via ldap this option will connect this user into their existing account by finding the account with a matching email address. Otherwise a new user account will be created for the user.,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
set_roles_from_groups (boolean): Set user roles in Looker based on groups from LDAP,
test_ldap_password (string): (Write-Only) Test LDAP user password. For ldap tests only.,
test_ldap_user (string): (Write-Only) Test LDAP user login id. For ldap tests only.,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
user_attribute_map_ldap_id (string): Name of user record attributes used to indicate unique record id,
user_attributes (Array[LDAPUserAttributeRead], read-only): (Read-only) Array of mappings between LDAP User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[LDAPUserAttributeWrite]): (Read/Write) Array of mappings between LDAP User Attributes and arrays of Looker User Attribute ids,
user_bind_base_dn (string): Distinguished name of LDAP node used as the base for user searches,
user_custom_filter (string): (Optional) Custom RFC-2254 filter clause for use in finding user during login. Combined via 'and' with the other generated filter clauses.,
user_id_attribute_names (string): Name(s) of user record attributes used for matching user login id (comma separated list),
user_objectclass (string): (Optional) Name of user record objectclass used for finding user during login id,
url (string, read-only): Link to get this item
}
Group {
can (object, read-only): Operations the current user is able to perform on this object,
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group
}
Role {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role
}
PermissionSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item
}
ModelSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item
}
LDAPGroupRead {
name (string, read-only): Name of group in LDAP,
roles (Array[Role], read-only): Looker Roles,
url (string, read-only): Link to ldap config
}
LDAPGroupWrite {
name (string): Name of group in LDAP,
role_ids (Array[long]): Looker Role Ids,
url (string, read-only): Link to ldap config
}
LDAPUserAttributeRead {
name (string, read-only): Name of User Attribute in LDAP,
required (boolean, read-only): Required to be in LDAP assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes,
url (string, read-only): Link to ldap config
}
UserAttribute {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
is_permanent (boolean, read-only): Attribute is permanent and cannot be deleted,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.
}
LDAPUserAttributeWrite {
name (string): Name of User Attribute in LDAP,
required (boolean): Required to be in LDAP assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
url (string, read-only): Link to ldap config
}

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
422 Validation Error
ValidationError {
message (string, read-only, required): Error details,
errors (Array[ValidationErrorDetail], read-only): Error detail array,
documentation_url (string, read-only, required): Documentation link
}
ValidationErrorDetail {
field (string, read-only): Field with error,
code (string, read-only): Error code,
message (string, read-only): Error info message,
documentation_url (string, read-only, required): Documentation link
}

Test LDAP User Auth

PUT/api/3.1/ldap_config/test_user_auth
test_ldap_config_user_auth(body)

Implementation Notes

Test the user authentication settings for an LDAP configuration.

This test accepts a full LDAP configuration along with a username/password pair and attempts to authenticate the user with the LDAP server. The configuration is validated before attempting the authentication.

Looker will never return an auth_password. If this request omits the auth_password field, then the auth_password value from the active config (if present) will be used for the test.

test_ldap_user and test_ldap_password are required.

The active LDAP settings are not modified.
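An added example, not Looker code: a pre-flight review of the request body for this endpoint, a log-safe copy of that body, and a reduction of the returned LDAPConfigTestResult to a pass/fail decision. Field names come from the LDAPConfig and LDAPConfigTestResult models on this page; the function names, severity labels and sample values are this example's own.

```python
# Added example (not Looker code). Field names are taken from the LDAPConfig and
# LDAPConfigTestResult models on this page; everything else is hypothetical.

WRITE_ONLY_SECRETS = ("auth_password", "test_ldap_password")


def review_ldap_test_body(body):
    """Return a list of (severity, field, message) findings for the body."""
    findings = []

    # The page states that both test credentials are required.
    for field in ("test_ldap_user", "test_ldap_password"):
        if not body.get(field):
            findings.append(("error", field, "required for test_user_auth"))

    # Transport: the bind password and the test password go to the LDAP server.
    if not body.get("connection_tls"):
        findings.append(("error", "connection_tls",
                         "TLS is off; LDAP credentials are unprotected in transit"))
    elif body.get("connection_tls_no_verify"):
        findings.append(("error", "connection_tls_no_verify",
                         "peer is not verified; TLS gives no server authentication"))

    # Omitting auth_password is legal: the active config's value is used instead.
    if "auth_password" not in body:
        findings.append(("info", "auth_password",
                         "omitted; the active config's auth_password will be used"))

    # Provisioning settings that widen who gets an account or a role.
    if body.get("merge_new_users_by_email"):
        findings.append(("warning", "merge_new_users_by_email",
                         "first LDAP login attaches to an existing account by email"))
    if not body.get("auth_requires_role") and body.get("default_new_user_role_ids"):
        findings.append(("warning", "auth_requires_role",
                         "users with no role in LDAP still log in with default roles"))
    return findings


def redact_for_log(body):
    """Copy the body with write-only secrets masked, for audit logging."""
    return {k: ("<redacted>" if k in WRITE_ONLY_SECRETS and v else v)
            for k, v in body.items()}


def summarize_test_result(result):
    """Reduce an LDAPConfigTestResult dict to ok / errors / warnings."""
    errors, warnings = [], []
    if result.get("status") != "success":  # page: always 'success' or 'error'
        errors.append(result.get("message") or "status is not 'success'")
    for issue in result.get("issues") or []:
        is_error = str(issue.get("severity", "")).lower() == "error"
        (errors if is_error else warnings).append(issue.get("message", ""))
    user = result.get("user") or {}
    if not errors and not user.get("roles"):
        warnings.append("user authenticated but resolved to no Looker roles")
    return {"ok": not errors, "errors": errors, "warnings": warnings}


# Constructed sample input; host names, DNs and credentials are placeholders.
SAMPLE_BODY = {
    "connection_host": "ldap.example.internal",
    "connection_port": "636",
    "connection_tls": True,
    "connection_tls_no_verify": True,
    "auth_username": "cn=looker-svc,ou=service,dc=example,dc=internal",
    "merge_new_users_by_email": True,
    "auth_requires_role": False,
    "default_new_user_role_ids": [2],
    "test_ldap_user": "jdoe",
    "test_ldap_password": "constructed-not-a-real-password",
}
# Constructed sample response in the shape of LDAPConfigTestResult.
SAMPLE_RESULT = {
    "status": "success",
    "message": "constructed sample",
    "issues": [{"severity": "Warning", "message": "constructed warning"}],
    "user": {"email": "jdoe@example.internal", "groups": ["analysts"], "roles": []},
}

if __name__ == "__main__":
    for finding in review_ldap_test_body(SAMPLE_BODY):
        print(finding)
    print(redact_for_log(SAMPLE_BODY))
    print(summarize_test_result(SAMPLE_RESULT))
```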

Response Class

LDAPConfigTestResult {
details (string, read-only): Additional details for error cases,
issues (Array[LDAPConfigTestIssue], read-only): Array of issues/considerations about the result,
message (string, read-only): Short human readable text about the result,
status (string, read-only): Test status code: always 'success' or 'error',
trace (string, read-only): A more detailed trace of incremental results during auth tests,
user (LDAPUser, read-only): User details from LDAP server for auth tests,
url (string, read-only): Link to ldap config
}
LDAPConfigTestIssue {
severity (string, read-only): Severity of the issue. Error or Warning,
message (string, read-only): Message describing the issue,
can (object, read-only): Operations the current user is able to perform on this object
}
LDAPUser {
all_emails (Array[string], read-only): Array of user's email addresses and aliases for use in migration,
attributes (object, read-only): Dictionary of user's attributes (name/value),
email (string, read-only): Primary email address,
first_name (string, read-only): First name,
groups (Array[string], read-only): Array of user's groups (group names only),
last_name (string, read-only): Last Name,
ldap_dn (string, read-only): LDAP's distinguished name for the user record,
ldap_id (string, read-only): LDAP's Unique ID for the user,
roles (Array[string], read-only): Array of user's roles (role names only),
can (object, read-only): Operations the current user is able to perform on this object,
url (string, read-only): Link to ldap config
}

Parameters

Parameter Required? Description Parameter Type Data Type
body true LDAP Config body
LDAPConfig {
can (object, read-only): Operations the current user is able to perform on this object,
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
auth_password (string): (Write-Only) Password for the LDAP account used to access the LDAP server,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in LDAP if set to true,
auth_username (string): Distinguished name of LDAP account used to access the LDAP server,
connection_host (string): LDAP server hostname,
connection_port (string): LDAP host port,
connection_tls (boolean): Use Transport Layer Security,
connection_tls_no_verify (boolean): Do not verify peer when using TLS,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via LDAP,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via LDAP,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via LDAP,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via LDAP,
enabled (boolean): Enable/Disable LDAP authentication for the server,
force_no_page (boolean): Don't attempt to do LDAP search result paging (RFC 2696) even if the LDAP server claims to support it.,
groups (Array[LDAPGroupRead], read-only): (Read-only) Array of mappings between LDAP Groups and Looker Roles,
groups_base_dn (string): Base dn for finding groups in LDAP searches,
groups_finder_type (string): Identifier for a strategy for how Looker will search for groups in the LDAP server,
groups_member_attribute (string): LDAP Group attribute that signifies the members of the groups. Most commonly 'member',
groups_objectclasses (string): Optional comma-separated list of supported LDAP objectclass for groups when doing groups searches,
groups_user_attribute (string): LDAP Group attribute that signifies the user in a group. Most commonly 'dn',
groups_with_role_ids (Array[LDAPGroupWrite]): (Read/Write) Array of mappings between LDAP Groups and arrays of Looker Role ids,
has_auth_password (boolean, read-only): (Read-only) Has the password been set for the LDAP account used to access the LDAP server,
merge_new_users_by_email (boolean): Merge first-time ldap login to existing user account by email addresses. When a user logs in for the first time via ldap this option will connect this user into their existing account by finding the account with a matching email address. Otherwise a new user account will be created for the user.,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
set_roles_from_groups (boolean): Set user roles in Looker based on groups from LDAP,
test_ldap_password (string): (Write-Only) Test LDAP user password. For ldap tests only.,
test_ldap_user (string): (Write-Only) Test LDAP user login id. For ldap tests only.,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
user_attribute_map_ldap_id (string): Name of user record attributes used to indicate unique record id,
user_attributes (Array[LDAPUserAttributeRead], read-only): (Read-only) Array of mappings between LDAP User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[LDAPUserAttributeWrite]): (Read/Write) Array of mappings between LDAP User Attributes and arrays of Looker User Attribute ids,
user_bind_base_dn (string): Distinguished name of LDAP node used as the base for user searches,
user_custom_filter (string): (Optional) Custom RFC-2254 filter clause for use in finding user during login. Combined via 'and' with the other generated filter clauses.,
user_id_attribute_names (string): Name(s) of user record attributes used for matching user login id (comma separated list),
user_objectclass (string): (Optional) Name of user record objectclass used for finding user during login id,
url (string, read-only): Link to get this item
}
Group {
can (object, read-only): Operations the current user is able to perform on this object,
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group
}
Role {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role
}
PermissionSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item
}
ModelSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item
}
LDAPGroupRead {
name (string, read-only): Name of group in LDAP,
roles (Array[Role], read-only): Looker Roles,
url (string, read-only): Link to ldap config
}
LDAPGroupWrite {
name (string): Name of group in LDAP,
role_ids (Array[long]): Looker Role Ids,
url (string, read-only): Link to ldap config
}
LDAPUserAttributeRead {
name (string, read-only): Name of User Attribute in LDAP,
required (boolean, read-only): Required to be in LDAP assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes,
url (string, read-only): Link to ldap config
}
UserAttribute {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
is_permanent (boolean, read-only): Attribute is permanent and cannot be deleted,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.
}
LDAPUserAttributeWrite {
name (string): Name of User Attribute in LDAP,
required (boolean): Required to be in LDAP assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
url (string, read-only): Link to ldap config
}

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
422 Validation Error
ValidationError {
message (string, read-only, required): Error details,
errors (Array[ValidationErrorDetail], read-only): Error detail array,
documentation_url (string, read-only, required): Documentation link
}
ValidationErrorDetail {
field (string, read-only): Field with error,
code (string, read-only): Error code,
message (string, read-only): Error info message,
documentation_url (string, read-only, required): Documentation link
}

Get OIDC Configuration beta

GET/api/3.1/oidc_config
oidc_config()

Implementation Notes

Get the OIDC configuration.

Looker can be optionally configured to authenticate users against an OpenID Connect (OIDC) authentication server. OIDC setup requires coordination with an administrator of that server.

Only Looker administrators can read and update the OIDC configuration.

Configuring OIDC impacts authentication for all users. This configuration should be done carefully.

Looker maintains a single OIDC configuration. It can be read and updated. Updates only succeed if the new state will be valid (in the sense that all required fields are populated); it is up to you to ensure that the configuration is appropriate and correct.

OIDC is enabled or disabled for Looker using the enabled field.

Response Class

OIDCConfig {
can (object, read-only): Operations the current user is able to perform on this object,
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
audience (string): OpenID Provider Audience,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in OIDC if set to true,
authorization_endpoint (string): OpenID Provider Authorization Url,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via OIDC,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via OIDC,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via OIDC,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via OIDC,
enabled (boolean): Enable/Disable OIDC authentication for the server,
groups (Array[OIDCGroupRead], read-only): (Read-only) Array of mappings between OIDC Groups and Looker Roles,
groups_attribute (string): Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values',
groups_with_role_ids (Array[OIDCGroupWrite]): (Read/Write) Array of mappings between OIDC Groups and arrays of Looker Role ids,
identifier (string): Relying Party Identifier (provided by OpenID Provider),
issuer (string): OpenID Provider Issuer,
modified_at (date-time, read-only): When this config was last modified,
modified_by (long, read-only): User id of user who last modified this config,
new_user_migration_types (string): Merge first-time oidc login to existing user account by email addresses. When a user logs in for the first time via oidc this option will connect this user into their existing account by finding the account with a matching email address by testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma separated list of string like 'email,ldap,google',
scopes (Array[string]): Array of scopes to request.,
secret (string): (Write-Only) Relying Party Secret (provided by OpenID Provider),
set_roles_from_groups (boolean): Set user roles in Looker based on groups from OIDC,
test_slug (string, read-only): Slug to identify configurations that are created in order to run an OIDC config test,
token_endpoint (string): OpenID Provider Token Url,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
user_attributes (Array[OIDCUserAttributeRead], read-only): (Read-only) Array of mappings between OIDC User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[OIDCUserAttributeWrite]): (Read/Write) Array of mappings between OIDC User Attributes and arrays of Looker User Attribute ids,
userinfo_endpoint (string): OpenID Provider User Information Url,
url (string, read-only): Link to get this item
}
Group {
can (object, read-only): Operations the current user is able to perform on this object,
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group
}
Role {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role
}
PermissionSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item
}
ModelSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item
}
OIDCGroupRead {
name (string, read-only): Name of group in OIDC,
roles (Array[Role], read-only): Looker Roles
}
OIDCGroupWrite {
name (string): Name of group in OIDC,
role_ids (Array[long]): Looker Role Ids,
can (object, read-only): Operations the current user is able to perform on this object
}
OIDCUserAttributeRead {
name (string, read-only): Name of User Attribute in OIDC,
required (boolean, read-only): Required to be in OIDC assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes
}
UserAttribute {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
is_permanent (boolean, read-only): Attribute is permanent and cannot be deleted,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.
}
OIDCUserAttributeWrite {
name (string): Name of User Attribute in OIDC,
required (boolean): Required to be in OIDC assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
can (object, read-only): Operations the current user is able to perform on this object
}

Parameters

  None

Response Messages

HTTP Status Code Reason Response Model
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}

Update OIDC Configuration beta

PATCH/api/3.1/oidc_config
update_oidc_config(body)

Implementation Notes

Update the OIDC configuration.

Configuring OIDC impacts authentication for all users. This configuration should be done carefully.

Only Looker administrators can read and update the OIDC configuration.

OIDC is enabled or disabled for Looker using the enabled field.

It is highly recommended that any OIDC setting changes be tested using the APIs below before being set globally.
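An added example, not Looker code: a change review that compares the OIDCConfig read from the server with the one about to be sent, drops the fields this page marks read-only, lists what actually changes, and flags settings worth a second look before the update applies to all users. The checks, function name and sample values are this example's own and are not validation that Looker performs.

```python
# Added example (not Looker code). Field names are taken from the OIDCConfig
# model on this page; the checks themselves are this example's assumptions.
from urllib.parse import urlparse

# Fields marked read-only in the OIDCConfig model; they do not belong in an update.
READ_ONLY = {"can", "default_new_user_groups", "default_new_user_roles", "groups",
             "modified_at", "modified_by", "test_slug", "user_attributes", "url"}
URL_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint",
              "userinfo_endpoint")


def review_oidc_change(current, desired):
    """Return (body, changed, findings) for a proposed update_oidc_config call.

    current -- OIDCConfig dict as read back from the server
    desired -- OIDCConfig dict the administrator wants to apply
    """
    body = {k: v for k, v in desired.items() if k not in READ_ONLY}
    # 'secret' is write-only, so it is never present in `current`:
    # any supplied value counts as a change.
    changed = sorted(k for k, v in body.items()
                     if k == "secret" or current.get(k) != v)
    findings = []

    # OpenID Connect endpoints carry codes, tokens and the client secret.
    for field in URL_FIELDS:
        value = body.get(field)
        if value:
            parts = urlparse(value)
            if parts.scheme != "https" or not parts.hostname:
                findings.append(("error", field, "must be an absolute https URL"))

    # An authentication request without the 'openid' scope is not an OIDC request.
    if "scopes" in body and "openid" not in (body["scopes"] or []):
        findings.append(("error", "scopes", "'openid' scope is missing"))

    # The page requires a comma separated list such as 'email,ldap,google'.
    types = body.get("new_user_migration_types")
    if types:
        if any(not item.strip() for item in types.split(",")):
            findings.append(("error", "new_user_migration_types",
                             "empty item in comma separated list"))
        else:
            findings.append(("warning", "new_user_migration_types",
                             "first OIDC login merges into accounts matched by email"))

    # The page recommends testing setting changes before they apply globally.
    if body.get("enabled") and set(changed) - {"enabled"}:
        findings.append(("warning", "enabled",
                         "settings change while OIDC is enabled; test them first"))
    # The page describes '/login/email' as the fallback when the config is wrong.
    if body.get("enabled") and not body.get("alternate_email_login_allowed"):
        findings.append(("warning", "alternate_email_login_allowed",
                         "no email login fallback for admins if OIDC login fails"))
    return body, changed, findings


# Constructed sample configs; the identity provider host is a placeholder.
CURRENT = {
    "enabled": False,
    "alternate_email_login_allowed": True,
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "userinfo_endpoint": "https://idp.example.com/userinfo",
    "scopes": ["openid", "email"],
    "modified_by": 1,
}
DESIRED = dict(CURRENT, enabled=True, alternate_email_login_allowed=False,
               token_endpoint="http://idp.example.com/token",
               scopes=["email", "profile"], secret="constructed-placeholder",
               new_user_migration_types="email,,ldap")

if __name__ == "__main__":
    body, changed, findings = review_oidc_change(CURRENT, DESIRED)
    print("changed:", changed)
    for finding in findings:
        print(finding)
```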

Response Class

OIDCConfig {
can (object, read-only): Operations the current user is able to perform on this object,
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
audience (string): OpenID Provider Audience,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in OIDC if set to true,
authorization_endpoint (string): OpenID Provider Authorization Url,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via OIDC,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via OIDC,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via OIDC,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via OIDC,
enabled (boolean): Enable/Disable OIDC authentication for the server,
groups (Array[OIDCGroupRead], read-only): (Read-only) Array of mappings between OIDC Groups and Looker Roles,
groups_attribute (string): Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values',
groups_with_role_ids (Array[OIDCGroupWrite]): (Read/Write) Array of mappings between OIDC Groups and arrays of Looker Role ids,
identifier (string): Relying Party Identifier (provided by OpenID Provider),
issuer (string): OpenID Provider Issuer,
modified_at (date-time, read-only): When this config was last modified,
modified_by (long, read-only): User id of user who last modified this config,
new_user_migration_types (string): Merge first-time oidc login to existing user account by email addresses. When a user logs in for the first time via oidc this option will connect this user into their existing account by finding the account with a matching email address by testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma separated list of string like 'email,ldap,google',
scopes (Array[string]): Array of scopes to request.,
secret (string): (Write-Only) Relying Party Secret (provided by OpenID Provider),
set_roles_from_groups (boolean): Set user roles in Looker based on groups from OIDC,
test_slug (string, read-only): Slug to identify configurations that are created in order to run an OIDC config test,
token_endpoint (string): OpenID Provider Token Url,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
user_attributes (Array[OIDCUserAttributeRead], read-only): (Read-only) Array of mappings between OIDC User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[OIDCUserAttributeWrite]): (Read/Write) Array of mappings between OIDC User Attributes and arrays of Looker User Attribute ids,
userinfo_endpoint (string): OpenID Provider User Information Url,
url (string, read-only): Link to get this item
}
Group {
can (object, read-only): Operations the current user is able to perform on this object,
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group
}
Role {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role
}
PermissionSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item
}
ModelSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item
}
OIDCGroupRead {
name (string, read-only): Name of group in OIDC,
roles (Array[Role], read-only): Looker Roles
}
OIDCGroupWrite {
name (string): Name of group in OIDC,
role_ids (Array[long]): Looker Role Ids,
can (object, read-only): Operations the current user is able to perform on this object
}
OIDCUserAttributeRead {
name (string, read-only): Name of User Attribute in OIDC,
required (boolean, read-only): Required to be in OIDC assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes
}
UserAttribute {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
is_permanent (boolean, read-only): Attribute is permanent and cannot be deleted,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.
}
OIDCUserAttributeWrite {
name (string): Name of User Attribute in OIDC,
required (boolean): Required to be in OIDC assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
can (object, read-only): Operations the current user is able to perform on this object
}

Parameters

Parameter Required? Description Parameter Type Data Type
body true OIDC Config body
OIDCConfig {
can (object, read-only): Operations the current user is able to perform on this object,
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during LDAP setup, if LDAP config problems occur later, or if you need to support some users who are not in your LDAP directory. Looker email/password logins are always disabled for regular users when LDAP is enabled,
audience (string): OpenID Provider Audience,
auth_requires_role (boolean): If set to true, users will not be allowed to log in at all unless a role for them is found in OIDC,
authorization_endpoint (string): OpenID Provider Authorization Url,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they log in via OIDC,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they log in via OIDC,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they log in via OIDC,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they log in via OIDC,
enabled (boolean): Enable/Disable OIDC authentication for the server,
groups (Array[OIDCGroupRead], read-only): (Read-only) Array of mappings between OIDC Groups and Looker Roles,
groups_attribute (string): Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values',
groups_with_role_ids (Array[OIDCGroupWrite]): (Read/Write) Array of mappings between OIDC Groups and arrays of Looker Role ids,
identifier (string): Relying Party Identifier (provided by OpenID Provider),
issuer (string): OpenID Provider Issuer,
modified_at (date-time, read-only): When this config was last modified,
modified_by (long, read-only): User id of user who last modified this config,
new_user_migration_types (string): Merge first-time OIDC login to existing user account by email address. When a user logs in for the first time via OIDC, this option connects the user to their existing account by finding the account with a matching email address, testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma-separated list of strings like 'email,ldap,google',
scopes (Array[string]): Array of scopes to request,
secret (string): (Write-Only) Relying Party Secret (provided by OpenID Provider),
set_roles_from_groups (boolean): Set user roles in Looker based on groups from OIDC,
test_slug (string, read-only): Slug to identify configurations that are created in order to run an OIDC config test,
token_endpoint (string): OpenID Provider Token Url,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
user_attributes (Array[OIDCUserAttributeRead], read-only): (Read-only) Array of mappings between OIDC User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[OIDCUserAttributeWrite]): (Read/Write) Array of mappings between OIDC User Attributes and arrays of Looker User Attribute ids,
userinfo_endpoint (string): OpenID Provider User Information Url,
url (string, read-only): Link to get this item
}
Group {
can (object, read-only): Operations the current user is able to perform on this object,
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group
}
Role {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role
}
PermissionSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item
}
ModelSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item
}
OIDCGroupRead {
name (string, read-only): Name of group in OIDC,
roles (Array[Role], read-only): Looker Roles
}
OIDCGroupWrite {
name (string): Name of group in OIDC,
role_ids (Array[long]): Looker Role Ids,
can (object, read-only): Operations the current user is able to perform on this object
}
OIDCUserAttributeRead {
name (string, read-only): Name of User Attribute in OIDC,
required (boolean, read-only): Required to be in OIDC assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes
}
UserAttribute {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
is_permanent (boolean, read-only): Attribute is permanent and cannot be deleted,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.
}
OIDCUserAttributeWrite {
name (string): Name of User Attribute in OIDC,
required (boolean): Required to be in OIDC assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
can (object, read-only): Operations the current user is able to perform on this object
}

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
422 Validation Error
ValidationError {
message (string, read-only, required): Error details,
errors (Array[ValidationErrorDetail], read-only): Error detail array,
documentation_url (string, read-only, required): Documentation link
}
ValidationErrorDetail {
field (string, read-only): Field with error,
code (string, read-only): Error code,
message (string, read-only): Error info message,
documentation_url (string, read-only, required): Documentation link
}

Get OIDC Test Configuration beta

GET /api/3.1/oidc_test_configs/{test_slug}
oidc_test_config(test_slug)

Implementation Notes

Get an OIDC test configuration by test_slug.

Response Class

OIDCConfig {
can (object, read-only): Operations the current user is able to perform on this object,
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during LDAP setup, if LDAP config problems occur later, or if you need to support some users who are not in your LDAP directory. Looker email/password logins are always disabled for regular users when LDAP is enabled,
audience (string): OpenID Provider Audience,
auth_requires_role (boolean): If set to true, users will not be allowed to log in at all unless a role for them is found in OIDC,
authorization_endpoint (string): OpenID Provider Authorization Url,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they log in via OIDC,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they log in via OIDC,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they log in via OIDC,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they log in via OIDC,
enabled (boolean): Enable/Disable OIDC authentication for the server,
groups (Array[OIDCGroupRead], read-only): (Read-only) Array of mappings between OIDC Groups and Looker Roles,
groups_attribute (string): Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values',
groups_with_role_ids (Array[OIDCGroupWrite]): (Read/Write) Array of mappings between OIDC Groups and arrays of Looker Role ids,
identifier (string): Relying Party Identifier (provided by OpenID Provider),
issuer (string): OpenID Provider Issuer,
modified_at (date-time, read-only): When this config was last modified,
modified_by (long, read-only): User id of user who last modified this config,
new_user_migration_types (string): Merge first-time OIDC login to existing user account by email address. When a user logs in for the first time via OIDC, this option connects the user to their existing account by finding the account with a matching email address, testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma-separated list of strings like 'email,ldap,google',
scopes (Array[string]): Array of scopes to request,
secret (string): (Write-Only) Relying Party Secret (provided by OpenID Provider),
set_roles_from_groups (boolean): Set user roles in Looker based on groups from OIDC,
test_slug (string, read-only): Slug to identify configurations that are created in order to run an OIDC config test,
token_endpoint (string): OpenID Provider Token Url,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
user_attributes (Array[OIDCUserAttributeRead], read-only): (Read-only) Array of mappings between OIDC User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[OIDCUserAttributeWrite]): (Read/Write) Array of mappings between OIDC User Attributes and arrays of Looker User Attribute ids,
userinfo_endpoint (string): OpenID Provider User Information Url,
url (string, read-only): Link to get this item
}
Group {
can (object, read-only): Operations the current user is able to perform on this object,
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group
}
Role {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role
}
PermissionSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item
}
ModelSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item
}
OIDCGroupRead {
name (string, read-only): Name of group in OIDC,
roles (Array[Role], read-only): Looker Roles
}
OIDCGroupWrite {
name (string): Name of group in OIDC,
role_ids (Array[long]): Looker Role Ids,
can (object, read-only): Operations the current user is able to perform on this object
}
OIDCUserAttributeRead {
name (string, read-only): Name of User Attribute in OIDC,
required (boolean, read-only): Required to be in OIDC assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes
}
UserAttribute {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
is_permanent (boolean, read-only): Attribute is permanent and cannot be deleted,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.
}
OIDCUserAttributeWrite {
name (string): Name of User Attribute in OIDC,
required (boolean): Required to be in OIDC assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
can (object, read-only): Operations the current user is able to perform on this object
}

Parameters

Parameter Required? Description Parameter Type Data Type
test_slug true Slug of test config string string

Response Messages

HTTP Status Code Reason Response Model
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}

Delete OIDC Test Configuration beta

DELETE /api/3.1/oidc_test_configs/{test_slug}
delete_oidc_test_config(test_slug)

Implementation Notes

Delete an OIDC test configuration.

Response Class

  None

Parameters

Parameter Required? Description Parameter Type Data Type
test_slug true Slug of test config string string

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
204 Test config successfully deleted. string

Create OIDC Test Configuration beta

POST /api/3.1/oidc_test_configs
create_oidc_test_config(body)

Implementation Notes

Create an OIDC test configuration.

Response Class

OIDCConfig {
can (object, read-only): Operations the current user is able to perform on this object,
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during LDAP setup, if LDAP config problems occur later, or if you need to support some users who are not in your LDAP directory. Looker email/password logins are always disabled for regular users when LDAP is enabled,
audience (string): OpenID Provider Audience,
auth_requires_role (boolean): If set to true, users will not be allowed to log in at all unless a role for them is found in OIDC,
authorization_endpoint (string): OpenID Provider Authorization Url,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they log in via OIDC,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they log in via OIDC,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they log in via OIDC,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they log in via OIDC,
enabled (boolean): Enable/Disable OIDC authentication for the server,
groups (Array[OIDCGroupRead], read-only): (Read-only) Array of mappings between OIDC Groups and Looker Roles,
groups_attribute (string): Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values',
groups_with_role_ids (Array[OIDCGroupWrite]): (Read/Write) Array of mappings between OIDC Groups and arrays of Looker Role ids,
identifier (string): Relying Party Identifier (provided by OpenID Provider),
issuer (string): OpenID Provider Issuer,
modified_at (date-time, read-only): When this config was last modified,
modified_by (long, read-only): User id of user who last modified this config,
new_user_migration_types (string): Merge first-time OIDC login to existing user account by email address. When a user logs in for the first time via OIDC, this option connects the user to their existing account by finding the account with a matching email address, testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma-separated list of strings like 'email,ldap,google',
scopes (Array[string]): Array of scopes to request,
secret (string): (Write-Only) Relying Party Secret (provided by OpenID Provider),
set_roles_from_groups (boolean): Set user roles in Looker based on groups from OIDC,
test_slug (string, read-only): Slug to identify configurations that are created in order to run an OIDC config test,
token_endpoint (string): OpenID Provider Token Url,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
user_attributes (Array[OIDCUserAttributeRead], read-only): (Read-only) Array of mappings between OIDC User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[OIDCUserAttributeWrite]): (Read/Write) Array of mappings between OIDC User Attributes and arrays of Looker User Attribute ids,
userinfo_endpoint (string): OpenID Provider User Information Url,
url (string, read-only): Link to get this item
}
Group {
can (object, read-only): Operations the current user is able to perform on this object,
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group
}
Role {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role
}
PermissionSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item
}
ModelSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item
}
OIDCGroupRead {
name (string, read-only): Name of group in OIDC,
roles (Array[Role], read-only): Looker Roles
}
OIDCGroupWrite {
name (string): Name of group in OIDC,
role_ids (Array[long]): Looker Role Ids,
can (object, read-only): Operations the current user is able to perform on this object
}
OIDCUserAttributeRead {
name (string, read-only): Name of User Attribute in OIDC,
required (boolean, read-only): Required to be in OIDC assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes
}
UserAttribute {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
is_permanent (boolean, read-only): Attribute is permanent and cannot be deleted,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.
}
OIDCUserAttributeWrite {
name (string): Name of User Attribute in OIDC,
required (boolean): Required to be in OIDC assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
can (object, read-only): Operations the current user is able to perform on this object
}

Parameters

Parameter Required? Description Parameter Type Data Type
body true OIDC test config body
OIDCConfig {
can (object, read-only): Operations the current user is able to perform on this object,
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during LDAP setup, if LDAP config problems occur later, or if you need to support some users who are not in your LDAP directory. Looker email/password logins are always disabled for regular users when LDAP is enabled,
audience (string): OpenID Provider Audience,
auth_requires_role (boolean): If set to true, users will not be allowed to log in at all unless a role for them is found in OIDC,
authorization_endpoint (string): OpenID Provider Authorization Url,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they log in via OIDC,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they log in via OIDC,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they log in via OIDC,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they log in via OIDC,
enabled (boolean): Enable/Disable OIDC authentication for the server,
groups (Array[OIDCGroupRead], read-only): (Read-only) Array of mappings between OIDC Groups and Looker Roles,
groups_attribute (string): Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values',
groups_with_role_ids (Array[OIDCGroupWrite]): (Read/Write) Array of mappings between OIDC Groups and arrays of Looker Role ids,
identifier (string): Relying Party Identifier (provided by OpenID Provider),
issuer (string): OpenID Provider Issuer,
modified_at (date-time, read-only): When this config was last modified,
modified_by (long, read-only): User id of user who last modified this config,
new_user_migration_types (string): Merge first-time OIDC login to existing user account by email address. When a user logs in for the first time via OIDC, this option connects the user to their existing account by finding the account with a matching email address, testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma-separated list of strings like 'email,ldap,google',
scopes (Array[string]): Array of scopes to request,
secret (string): (Write-Only) Relying Party Secret (provided by OpenID Provider),
set_roles_from_groups (boolean): Set user roles in Looker based on groups from OIDC,
test_slug (string, read-only): Slug to identify configurations that are created in order to run an OIDC config test,
token_endpoint (string): OpenID Provider Token Url,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
user_attributes (Array[OIDCUserAttributeRead], read-only): (Read-only) Array of mappings between OIDC User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[OIDCUserAttributeWrite]): (Read/Write) Array of mappings between OIDC User Attributes and arrays of Looker User Attribute ids,
userinfo_endpoint (string): OpenID Provider User Information Url,
url (string, read-only): Link to get this item
}
Group {
can (object, read-only): Operations the current user is able to perform on this object,
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group
}
Role {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role
}
PermissionSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item
}
ModelSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item
}
OIDCGroupRead {
name (string, read-only): Name of group in OIDC,
roles (Array[Role], read-only): Looker Roles
}
OIDCGroupWrite {
name (string): Name of group in OIDC,
role_ids (Array[long]): Looker Role Ids,
can (object, read-only): Operations the current user is able to perform on this object
}
OIDCUserAttributeRead {
name (string, read-only): Name of User Attribute in OIDC,
required (boolean, read-only): Required to be in OIDC assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes
}
UserAttribute {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
is_permanent (boolean, read-only): Attribute is permanent and cannot be deleted,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.
}
OIDCUserAttributeWrite {
name (string): Name of User Attribute in OIDC,
required (boolean): Required to be in OIDC assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
can (object, read-only): Operations the current user is able to perform on this object
}

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
422 Validation Error
ValidationError {
message (string, read-only, required): Error details,
errors (Array[ValidationErrorDetail], read-only): Error detail array,
documentation_url (string, read-only, required): Documentation link
}
ValidationErrorDetail {
field (string, read-only): Field with error,
code (string, read-only): Error code,
message (string, read-only): Error info message,
documentation_url (string, read-only, required): Documentation link
}

Get Password Config beta

GET /api/3.1/password_config
password_config()

Implementation Notes

Get password config.

Response Class

PasswordConfig {
can (object, read-only): Operations the current user is able to perform on this object,
min_length (long): Minimum number of characters required for a new password. Must be between 7 and 100,
require_numeric (boolean): Require at least one numeric character,
require_upperlower (boolean): Require at least one uppercase and one lowercase letter,
require_special (boolean): Require at least one special character
}

Parameters

  None

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}

Update Password Config beta

PATCH /api/3.1/password_config
update_password_config(body)

Implementation Notes

Update password config.

Response Class

PasswordConfig {
can (object, read-only): Operations the current user is able to perform on this object,
min_length (long): Minimum number of characters required for a new password. Must be between 7 and 100,
require_numeric (boolean): Require at least one numeric character,
require_upperlower (boolean): Require at least one uppercase and one lowercase letter,
require_special (boolean): Require at least one special character
}

Parameters

Parameter Required? Description Parameter Type Data Type
body true Password Config body
PasswordConfig {
can (object, read-only): Operations the current user is able to perform on this object,
min_length (long): Minimum number of characters required for a new password. Must be between 7 and 100,
require_numeric (boolean): Require at least one numeric character,
require_upperlower (boolean): Require at least one uppercase and one lowercase letter,
require_special (boolean): Require at least one special character
}

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
422 Validation Error
ValidationError {
message (string, read-only, required): Error details,
errors (Array[ValidationErrorDetail], read-only): Error detail array,
documentation_url (string, read-only, required): Documentation link
}
ValidationErrorDetail {
field (string, read-only): Field with error,
code (string, read-only): Error code,
message (string, read-only): Error info message,
documentation_url (string, read-only, required): Documentation link
}

Force password reset beta

PUT /api/3.1/password_config/force_password_reset_at_next_login_for_all_users
force_password_reset_at_next_login_for_all_users()

Implementation Notes

Force all credentials_email users to reset their login passwords upon their next login.

Response Class

  string

Parameters

  None

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
422 Validation Error
ValidationError {
message (string, read-only, required): Error details,
errors (Array[ValidationErrorDetail], read-only): Error detail array,
documentation_url (string, read-only, required): Documentation link
}
ValidationErrorDetail {
field (string, read-only): Field with error,
code (string, read-only): Error code,
message (string, read-only): Error info message,
documentation_url (string, read-only, required): Documentation link
}

Get SAML Configuration

GET /api/3.1/saml_config
saml_config()

Implementation Notes

Get the SAML configuration.

Looker can be optionally configured to authenticate users against a SAML authentication server. SAML setup requires coordination with an administrator of that server.

Only Looker administrators can read and update the SAML configuration.

Configuring SAML impacts authentication for all users. This configuration should be done carefully.

Looker maintains a single SAML configuration. It can be read and updated. Updates only succeed if the new state will be valid (in the sense that all required fields are populated); it is up to you to ensure that the configuration is appropriate and correct.

SAML is enabled or disabled for Looker using the enabled field.

Response Class

SamlConfig {
can (object, read-only): Operations the current user is able to perform on this object,
enabled (boolean): Enable/Disable Saml authentication for the server,
idp_cert (string): Identity Provider Certificate (provided by IdP),
idp_url (string): Identity Provider Url (provided by IdP),
idp_issuer (string): Identity Provider Issuer (provided by IdP),
idp_audience (string): Identity Provider Audience (set in IdP config). Optional in Looker. Set this only if you want Looker to validate the audience value returned by the IdP.,
allowed_clock_drift (long): Count of seconds of clock drift to allow when validating timestamps of assertions.,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
new_user_migration_types (string): Merge first-time saml login to existing user account by email addresses. When a user logs in for the first time via saml this option will connect this user into their existing account by finding the account with a matching email address by testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma separated list of string like 'email,ldap,google',
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
test_slug (string, read-only): Slug to identify configurations that are created in order to run a Saml config test,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via Saml,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via Saml,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via Saml,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via Saml,
set_roles_from_groups (boolean): Set user roles in Looker based on groups from Saml,
groups_attribute (string): Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values',
groups (Array[SamlGroupRead], read-only): (Read-only) Array of mappings between Saml Groups and Looker Roles,
groups_with_role_ids (Array[SamlGroupWrite]): (Read/Write) Array of mappings between Saml Groups and arrays of Looker Role ids,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in Saml if set to true,
user_attributes (Array[SamlUserAttributeRead], read-only): (Read-only) Array of mappings between Saml User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[SamlUserAttributeWrite]): (Read/Write) Array of mappings between Saml User Attributes and arrays of Looker User Attribute ids,
groups_finder_type (string): Identifier for a strategy for how Looker will find groups in the SAML response. One of ['grouped_attribute_values', 'individual_attributes'],
groups_member_value (string): Value for group attribute used to indicate membership. Used when 'groups_finder_type' is set to 'individual_attributes',
bypass_login_page (boolean): Bypass the login page when user authentication is required. Redirect to IdP immediately instead.,
url (string, read-only): Link to get this item
}
Role {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role
}
PermissionSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item
}
ModelSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item
}
Group {
can (object, read-only): Operations the current user is able to perform on this object,
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group
}
SamlGroupRead {
name (string, read-only): Name of group in Saml,
roles (Array[Role], read-only): Looker Roles,
url (string, read-only): Link to saml config
}
SamlGroupWrite {
name (string): Name of group in Saml,
role_ids (Array[long]): Looker Role Ids,
url (string, read-only): Link to saml config
}
SamlUserAttributeRead {
name (string, read-only): Name of User Attribute in Saml,
required (boolean, read-only): Required to be in Saml assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes,
url (string, read-only): Link to saml config
}
UserAttribute {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
is_permanent (boolean, read-only): Attribute is permanent and cannot be deleted,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.
}
SamlUserAttributeWrite {
name (string): Name of User Attribute in Saml,
required (boolean): Required to be in Saml assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
url (string, read-only): Link to saml config
}

Parameters

  None

Response Messages

HTTP Status Code Reason Response Model
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}

Update SAML Configuration

PATCH /api/3.1/saml_config
update_saml_config(body)

Implementation Notes

Update the SAML configuration.

Configuring SAML impacts authentication for all users. This configuration should be done carefully.

Only Looker administrators can read and update the SAML configuration.

SAML is enabled or disabled for Looker using the enabled field.

It is highly recommended that any SAML setting changes be tested using the APIs below before being set globally.

Response Class

SamlConfig {
can (object, read-only): Operations the current user is able to perform on this object,
enabled (boolean): Enable/Disable Saml authentication for the server,
idp_cert (string): Identity Provider Certificate (provided by IdP),
idp_url (string): Identity Provider Url (provided by IdP),
idp_issuer (string): Identity Provider Issuer (provided by IdP),
idp_audience (string): Identity Provider Audience (set in IdP config). Optional in Looker. Set this only if you want Looker to validate the audience value returned by the IdP.,
allowed_clock_drift (long): Count of seconds of clock drift to allow when validating timestamps of assertions.,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
new_user_migration_types (string): Merge first-time saml login to existing user account by email addresses. When a user logs in for the first time via saml this option will connect this user into their existing account by finding the account with a matching email address by testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma separated list of string like 'email,ldap,google',
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
test_slug (string, read-only): Slug to identify configurations that are created in order to run a Saml config test,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via Saml,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via Saml,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via Saml,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via Saml,
set_roles_from_groups (boolean): Set user roles in Looker based on groups from Saml,
groups_attribute (string): Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values',
groups (Array[SamlGroupRead], read-only): (Read-only) Array of mappings between Saml Groups and Looker Roles,
groups_with_role_ids (Array[SamlGroupWrite]): (Read/Write) Array of mappings between Saml Groups and arrays of Looker Role ids,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in Saml if set to true,
user_attributes (Array[SamlUserAttributeRead], read-only): (Read-only) Array of mappings between Saml User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[SamlUserAttributeWrite]): (Read/Write) Array of mappings between Saml User Attributes and arrays of Looker User Attribute ids,
groups_finder_type (string): Identifier for a strategy for how Looker will find groups in the SAML response. One of ['grouped_attribute_values', 'individual_attributes'],
groups_member_value (string): Value for group attribute used to indicate membership. Used when 'groups_finder_type' is set to 'individual_attributes',
bypass_login_page (boolean): Bypass the login page when user authentication is required. Redirect to IdP immediately instead.,
url (string, read-only): Link to get this item
}
Role {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role
}
PermissionSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item
}
ModelSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item
}
Group {
can (object, read-only): Operations the current user is able to perform on this object,
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group
}
SamlGroupRead {
name (string, read-only): Name of group in Saml,
roles (Array[Role], read-only): Looker Roles,
url (string, read-only): Link to saml config
}
SamlGroupWrite {
name (string): Name of group in Saml,
role_ids (Array[long]): Looker Role Ids,
url (string, read-only): Link to saml config
}
SamlUserAttributeRead {
name (string, read-only): Name of User Attribute in Saml,
required (boolean, read-only): Required to be in Saml assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes,
url (string, read-only): Link to saml config
}
UserAttribute {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
is_permanent (boolean, read-only): Attribute is permanent and cannot be deleted,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.
}
SamlUserAttributeWrite {
name (string): Name of User Attribute in Saml,
required (boolean): Required to be in Saml assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
url (string, read-only): Link to saml config
}

Parameters

Parameter Required? Description Parameter Type Data Type
body true SAML Config body
SamlConfig {
can (object, read-only): Operations the current user is able to perform on this object,
enabled (boolean): Enable/Disable Saml authentication for the server,
idp_cert (string): Identity Provider Certificate (provided by IdP),
idp_url (string): Identity Provider Url (provided by IdP),
idp_issuer (string): Identity Provider Issuer (provided by IdP),
idp_audience (string): Identity Provider Audience (set in IdP config). Optional in Looker. Set this only if you want Looker to validate the audience value returned by the IdP.,
allowed_clock_drift (long): Count of seconds of clock drift to allow when validating timestamps of assertions.,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
new_user_migration_types (string): Merge first-time saml login to existing user account by email addresses. When a user logs in for the first time via saml this option will connect this user into their existing account by finding the account with a matching email address by testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma separated list of string like 'email,ldap,google',
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
test_slug (string, read-only): Slug to identify configurations that are created in order to run a Saml config test,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via Saml,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via Saml,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via Saml,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via Saml,
set_roles_from_groups (boolean): Set user roles in Looker based on groups from Saml,
groups_attribute (string): Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values',
groups (Array[SamlGroupRead], read-only): (Read-only) Array of mappings between Saml Groups and Looker Roles,
groups_with_role_ids (Array[SamlGroupWrite]): (Read/Write) Array of mappings between Saml Groups and arrays of Looker Role ids,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in Saml if set to true,
user_attributes (Array[SamlUserAttributeRead], read-only): (Read-only) Array of mappings between Saml User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[SamlUserAttributeWrite]): (Read/Write) Array of mappings between Saml User Attributes and arrays of Looker User Attribute ids,
groups_finder_type (string): Identifier for a strategy for how Looker will find groups in the SAML response. One of ['grouped_attribute_values', 'individual_attributes'],
groups_member_value (string): Value for group attribute used to indicate membership. Used when 'groups_finder_type' is set to 'individual_attributes',
bypass_login_page (boolean): Bypass the login page when user authentication is required. Redirect to IdP immediately instead.,
url (string, read-only): Link to get this item
}
Role {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role
}
PermissionSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item
}
ModelSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item
}
Group {
can (object, read-only): Operations the current user is able to perform on this object,
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group
}
SamlGroupRead {
name (string, read-only): Name of group in Saml,
roles (Array[Role], read-only): Looker Roles,
url (string, read-only): Link to saml config
}
SamlGroupWrite {
name (string): Name of group in Saml,
role_ids (Array[long]): Looker Role Ids,
url (string, read-only): Link to saml config
}
SamlUserAttributeRead {
name (string, read-only): Name of User Attribute in Saml,
required (boolean, read-only): Required to be in Saml assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes,
url (string, read-only): Link to saml config
}
UserAttribute {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
is_permanent (boolean, read-only): Attribute is permanent and cannot be deleted,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.
}
SamlUserAttributeWrite {
name (string): Name of User Attribute in Saml,
required (boolean): Required to be in Saml assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
url (string, read-only): Link to saml config
}

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
422 Validation Error
ValidationError {
message (string, read-only, required): Error details,
errors (Array[ValidationErrorDetail], read-only): Error detail array,
documentation_url (string, read-only, required): Documentation link
}
ValidationErrorDetail {
field (string, read-only): Field with error,
code (string, read-only): Error code,
message (string, read-only): Error info message,
documentation_url (string, read-only, required): Documentation link
}
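
The SamlConfig field descriptions above imply several checks worth running on a proposed change before it is sent to update_saml_config. The following is an added example, not Looker's own code: the function name, the severity labels, the 300-second drift ceiling, the treatment of idp_cert, idp_url and idp_issuer as the minimum for an enabled configuration, and the assumption that PATCH leaves omitted fields unchanged are this example's own, and the sample data is constructed.

```python
"""Review a proposed SamlConfig change before PATCH /api/3.1/saml_config."""

# Fields the SamlConfig schema marks read-only; never send them back.
READ_ONLY_FIELDS = frozenset({
    "can", "test_slug", "modified_at", "modified_by",
    "default_new_user_roles", "default_new_user_groups",
    "groups", "user_attributes", "url",
})
# groups_finder_type value -> the field its description says is used with it.
FINDER_COMPANION = {
    "grouped_attribute_values": "groups_attribute",
    "individual_attributes": "groups_member_value",
}
# Assumption: treated here as the minimum needed before enabling SAML.
IDP_FIELDS = ("idp_cert", "idp_url", "idp_issuer")
# Assumption: a local policy ceiling, not a Looker limit.
MAX_CLOCK_DRIFT_SECONDS = 300


def _blank(value):
    return value is None or not str(value).strip()


def review_saml_change(current, change, max_drift=MAX_CLOCK_DRIFT_SECONDS):
    """Return (patch_body, findings) for a proposed change.

    current:  SamlConfig as returned by GET /api/3.1/saml_config
    change:   fields the administrator wants to set
    findings: list of (severity, field, message) tuples
    """
    findings, patch_body = [], {}
    for field, value in change.items():
        if field in READ_ONLY_FIELDS:
            findings.append(("info", field, "read-only, dropped from PATCH body"))
        else:
            patch_body[field] = value

    # Review the resulting state (assumes PATCH leaves omitted fields unchanged).
    state = {k: v for k, v in current.items() if k not in READ_ONLY_FIELDS}
    state.update(patch_body)

    if state.get("enabled"):
        for field in IDP_FIELDS:
            if _blank(state.get(field)):
                findings.append(("error", field, "blank while enabled is true"))
    if _blank(state.get("idp_audience")):
        findings.append(("warn", "idp_audience",
                         "unset: audience value returned by the IdP is not validated"))
    drift = state.get("allowed_clock_drift") or 0
    if drift > max_drift:
        findings.append(("warn", "allowed_clock_drift",
                         f"{drift}s exceeds the {max_drift}s policy ceiling"))
    raw_types = state.get("new_user_migration_types") or ""
    merge_types = [t.strip() for t in raw_types.split(",") if t.strip()]
    if merge_types:
        findings.append(("warn", "new_user_migration_types",
                         "first SAML login merges into existing accounts by "
                         "email match: " + ",".join(merge_types)))
    if state.get("alternate_email_login_allowed"):
        findings.append(("info", "alternate_email_login_allowed",
                         "/login/email stays open to admins and "
                         "login_special_email users"))
    finder = state.get("groups_finder_type")
    if not _blank(finder):
        companion = FINDER_COMPANION.get(finder)
        if companion is None:
            findings.append(("error", "groups_finder_type",
                             f"unknown value {finder!r}"))
        elif _blank(state.get(companion)):
            findings.append(("error", companion,
                             f"blank but used when groups_finder_type={finder}"))
    if state.get("auth_requires_role") and not state.get("groups_with_role_ids"):
        findings.append(("warn", "auth_requires_role",
                         "no SAML group is mapped to a role, so no login "
                         "would find one"))
    return patch_body, findings


# Constructed sample data, not taken from a real instance.
SAMPLE_CURRENT = {
    "enabled": False, "idp_cert": "",
    "idp_url": "https://idp.example.test/sso",
    "idp_issuer": "https://idp.example.test/",
    "idp_audience": None, "allowed_clock_drift": 60,
    "new_user_migration_types": None,
    "alternate_email_login_allowed": True, "auth_requires_role": False,
    "groups_finder_type": "grouped_attribute_values", "groups_attribute": "",
    "groups_with_role_ids": [], "modified_by": "1",
}
SAMPLE_CHANGE = {
    "enabled": True, "allowed_clock_drift": 900,
    "new_user_migration_types": "email, ldap",
    "auth_requires_role": True, "modified_by": "42",
}

if __name__ == "__main__":
    body, results = review_saml_change(SAMPLE_CURRENT, SAMPLE_CHANGE)
    for severity, field, message in results:
        print(f"{severity:5} {field}: {message}")
```

Findings with severity "error" are the ones this example would treat as blocking; the rest are prompts for a human decision before the change is applied.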

Get SAML Test Configuration

GET /api/3.1/saml_test_configs/{test_slug}
saml_test_config(test_slug)

Implementation Notes

Get a SAML test configuration by test_slug.

Response Class

SamlConfig {
can (object, read-only): Operations the current user is able to perform on this object,
enabled (boolean): Enable/Disable Saml authentication for the server,
idp_cert (string): Identity Provider Certificate (provided by IdP),
idp_url (string): Identity Provider Url (provided by IdP),
idp_issuer (string): Identity Provider Issuer (provided by IdP),
idp_audience (string): Identity Provider Audience (set in IdP config). Optional in Looker. Set this only if you want Looker to validate the audience value returned by the IdP.,
allowed_clock_drift (long): Count of seconds of clock drift to allow when validating timestamps of assertions.,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
new_user_migration_types (string): Merge first-time saml login to existing user account by email addresses. When a user logs in for the first time via saml this option will connect this user into their existing account by finding the account with a matching email address by testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma separated list of string like 'email,ldap,google',
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
test_slug (string, read-only): Slug to identify configurations that are created in order to run a Saml config test,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via Saml,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via Saml,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via Saml,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via Saml,
set_roles_from_groups (boolean): Set user roles in Looker based on groups from Saml,
groups_attribute (string): Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values',
groups (Array[SamlGroupRead], read-only): (Read-only) Array of mappings between Saml Groups and Looker Roles,
groups_with_role_ids (Array[SamlGroupWrite]): (Read/Write) Array of mappings between Saml Groups and arrays of Looker Role ids,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in Saml if set to true,
user_attributes (Array[SamlUserAttributeRead], read-only): (Read-only) Array of mappings between Saml User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[SamlUserAttributeWrite]): (Read/Write) Array of mappings between Saml User Attributes and arrays of Looker User Attribute ids,
groups_finder_type (string): Identifier for a strategy for how Looker will find groups in the SAML response. One of ['grouped_attribute_values', 'individual_attributes'],
groups_member_value (string): Value for group attribute used to indicate membership. Used when 'groups_finder_type' is set to 'individual_attributes',
bypass_login_page (boolean): Bypass the login page when user authentication is required. Redirect to IdP immediately instead.,
url (string, read-only): Link to get this item
}
Role {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role
}
PermissionSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item
}
ModelSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item
}
Group {
can (object, read-only): Operations the current user is able to perform on this object,
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group
}
SamlGroupRead {
name (string, read-only): Name of group in Saml,
roles (Array[Role], read-only): Looker Roles,
url (string, read-only): Link to saml config
}
SamlGroupWrite {
name (string): Name of group in Saml,
role_ids (Array[long]): Looker Role Ids,
url (string, read-only): Link to saml config
}
SamlUserAttributeRead {
name (string, read-only): Name of User Attribute in Saml,
required (boolean, read-only): Required to be in Saml assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes,
url (string, read-only): Link to saml config
}
UserAttribute {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
is_permanent (boolean, read-only): Attribute is permanent and cannot be deleted,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.
}
SamlUserAttributeWrite {
name (string): Name of User Attribute in Saml,
required (boolean): Required to be in Saml assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
url (string, read-only): Link to saml config
}

Parameters

Parameter Required? Description Parameter Type Data Type
test_slug true Slug of test config string string

Response Messages

HTTP Status Code Reason Response Model
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}

Delete SAML Test Configuration

DELETE/api/3.1/saml_test_configs/{test_slug}
delete_saml_test_config(test_slug)

Implementation Notes

Delete a SAML test configuration.

Response Class

  None

Parameters

Parameter Required? Description Parameter Type Data Type
test_slug true Slug of test config string string

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
204 Test config successfully deleted. string

Create SAML Test Configuration

POST/api/3.1/saml_test_configs
create_saml_test_config(body)

Implementation Notes

Create a SAML test configuration.

Response Class

SamlConfig {
can (object, read-only): Operations the current user is able to perform on this object,
enabled (boolean): Enable/Disable Saml authentication for the server,
idp_cert (string): Identity Provider Certificate (provided by IdP),
idp_url (string): Identity Provider Url (provided by IdP),
idp_issuer (string): Identity Provider Issuer (provided by IdP),
idp_audience (string): Identity Provider Audience (set in IdP config). Optional in Looker. Set this only if you want Looker to validate the audience value returned by the IdP.,
allowed_clock_drift (long): Count of seconds of clock drift to allow when validating timestamps of assertions.,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
new_user_migration_types (string): Merge first-time saml login to existing user account by email addresses. When a user logs in for the first time via saml this option will connect this user into their existing account by finding the account with a matching email address by testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma-separated list of strings like 'email,ldap,google',
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
test_slug (string, read-only): Slug to identify configurations that are created in order to run a Saml config test,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via Saml,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via Saml,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via Saml,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via Saml,
set_roles_from_groups (boolean): Set user roles in Looker based on groups from Saml,
groups_attribute (string): Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values',
groups (Array[SamlGroupRead], read-only): (Read-only) Array of mappings between Saml Groups and Looker Roles,
groups_with_role_ids (Array[SamlGroupWrite]): (Read/Write) Array of mappings between Saml Groups and arrays of Looker Role ids,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in Saml if set to true,
user_attributes (Array[SamlUserAttributeRead], read-only): (Read-only) Array of mappings between Saml User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[SamlUserAttributeWrite]): (Read/Write) Array of mappings between Saml User Attributes and arrays of Looker User Attribute ids,
groups_finder_type (string): Identifier for a strategy for how Looker will find groups in the SAML response. One of ['grouped_attribute_values', 'individual_attributes'],
groups_member_value (string): Value for group attribute used to indicate membership. Used when 'groups_finder_type' is set to 'individual_attributes',
bypass_login_page (boolean): Bypass the login page when user authentication is required. Redirect to IdP immediately instead.,
url (string, read-only): Link to get this item
}
Role {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role
}
PermissionSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item
}
ModelSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item
}
Group {
can (object, read-only): Operations the current user is able to perform on this object,
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group
}
SamlGroupRead {
name (string, read-only): Name of group in Saml,
roles (Array[Role], read-only): Looker Roles,
url (string, read-only): Link to saml config
}
SamlGroupWrite {
name (string): Name of group in Saml,
role_ids (Array[long]): Looker Role Ids,
url (string, read-only): Link to saml config
}
SamlUserAttributeRead {
name (string, read-only): Name of User Attribute in Saml,
required (boolean, read-only): Required to be in Saml assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes,
url (string, read-only): Link to saml config
}
UserAttribute {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
is_permanent (boolean, read-only): Attribute is permanent and cannot be deleted,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.
}
SamlUserAttributeWrite {
name (string): Name of User Attribute in Saml,
required (boolean): Required to be in Saml assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
url (string, read-only): Link to saml config
}

Parameters

Parameter Required? Description Parameter Type Data Type
body true SAML test config body
SamlConfig {
can (object, read-only): Operations the current user is able to perform on this object,
enabled (boolean): Enable/Disable Saml authentication for the server,
idp_cert (string): Identity Provider Certificate (provided by IdP),
idp_url (string): Identity Provider Url (provided by IdP),
idp_issuer (string): Identity Provider Issuer (provided by IdP),
idp_audience (string): Identity Provider Audience (set in IdP config). Optional in Looker. Set this only if you want Looker to validate the audience value returned by the IdP.,
allowed_clock_drift (long): Count of seconds of clock drift to allow when validating timestamps of assertions.,
user_attribute_map_email (string): Name of user record attributes used to indicate email address field,
user_attribute_map_first_name (string): Name of user record attributes used to indicate first name,
user_attribute_map_last_name (string): Name of user record attributes used to indicate last name,
new_user_migration_types (string): Merge first-time saml login to existing user account by email addresses. When a user logs in for the first time via saml this option will connect this user into their existing account by finding the account with a matching email address by testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma-separated list of strings like 'email,ldap,google',
alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.,
test_slug (string, read-only): Slug to identify configurations that are created in order to run a Saml config test,
modified_at (string, read-only): When this config was last modified,
modified_by (string, read-only): User id of user who last modified this config,
default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via Saml,
default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via Saml,
default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via Saml,
default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via Saml,
set_roles_from_groups (boolean): Set user roles in Looker based on groups from Saml,
groups_attribute (string): Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values',
groups (Array[SamlGroupRead], read-only): (Read-only) Array of mappings between Saml Groups and Looker Roles,
groups_with_role_ids (Array[SamlGroupWrite]): (Read/Write) Array of mappings between Saml Groups and arrays of Looker Role ids,
auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in Saml if set to true,
user_attributes (Array[SamlUserAttributeRead], read-only): (Read-only) Array of mappings between Saml User Attributes and Looker User Attributes,
user_attributes_with_ids (Array[SamlUserAttributeWrite]): (Read/Write) Array of mappings between Saml User Attributes and arrays of Looker User Attribute ids,
groups_finder_type (string): Identifier for a strategy for how Looker will find groups in the SAML response. One of ['grouped_attribute_values', 'individual_attributes'],
groups_member_value (string): Value for group attribute used to indicate membership. Used when 'groups_finder_type' is set to 'individual_attributes',
bypass_login_page (boolean): Bypass the login page when user authentication is required. Redirect to IdP immediately instead.,
url (string, read-only): Link to get this item
}
Role {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of Role,
permission_set (PermissionSet, read-only): (Read only) Permission set,
permission_set_id (long): (Write-Only) Id of permission set,
model_set (ModelSet, read-only): (Read only) Model set,
model_set_id (long): (Write-Only) Id of model set,
url (string, read-only): Link to get this item,
users_url (string, read-only): Link to get list of users with this role
}
PermissionSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
name (string): Name of PermissionSet,
permissions (Array[string]),
url (string, read-only): Link to get this item
}
ModelSet {
can (object, read-only): Operations the current user is able to perform on this object,
all_access (boolean, read-only),
built_in (boolean, read-only),
id (long, read-only): Unique Id,
models (Array[string]),
name (string): Name of ModelSet,
url (string, read-only): Link to get this item
}
Group {
can (object, read-only): Operations the current user is able to perform on this object,
can_add_to_content_metadata (boolean): Group can be used in content access controls,
contains_current_user (boolean, read-only): Currently logged in user is group member,
external_group_id (string, read-only): External Id group if embed group,
externally_managed (boolean, read-only): Group membership controlled outside of Looker,
id (long, read-only): Unique Id,
include_by_default (boolean, read-only): New users are added to this group by default,
name (string): Name of group,
user_count (long, read-only): Number of users included in this group
}
SamlGroupRead {
name (string, read-only): Name of group in Saml,
roles (Array[Role], read-only): Looker Roles,
url (string, read-only): Link to saml config
}
SamlGroupWrite {
name (string): Name of group in Saml,
role_ids (Array[long]): Looker Role Ids,
url (string, read-only): Link to saml config
}
SamlUserAttributeRead {
name (string, read-only): Name of User Attribute in Saml,
required (boolean, read-only): Required to be in Saml assertion for login to be allowed to succeed,
user_attributes (Array[UserAttribute], read-only): Looker User Attributes,
url (string, read-only): Link to saml config
}
UserAttribute {
can (object, read-only): Operations the current user is able to perform on this object,
id (long, read-only): Unique Id,
name (string): Name of user attribute,
label (string): Human-friendly label for user attribute,
type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"),
default_value (string): Default value for when no value is set on the user,
is_system (boolean, read-only): Attribute is a system default,
is_permanent (boolean, read-only): Attribute is permanent and cannot be deleted,
value_is_hidden (boolean): If true, users will not be able to view values of this attribute,
user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters,
user_can_edit (boolean): Users can change the value of this attribute for themselves,
hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.
}
SamlUserAttributeWrite {
name (string): Name of User Attribute in Saml,
required (boolean): Required to be in Saml assertion for login to be allowed to succeed,
user_attribute_ids (Array[long]): Looker User Attribute Ids,
url (string, read-only): Link to saml config
}
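
A pre-flight review of a SamlConfig body before it is sent to create_saml_test_config, as an added example that is not part of the Looker documentation or SDK. Field names come from the schema above; review_saml_config, the severity labels, the 300-second drift ceiling and the sample values are assumptions of this example.

```python
# Added example: reviews a SamlConfig dict before it is posted as a test config.
# Field names are taken from the SamlConfig schema; the severities and the
# drift ceiling are this example's own policy, not Looker behaviour.

# Fields the schema marks read-only; they are dropped from the request body.
READ_ONLY_FIELDS = frozenset({
    "can", "test_slug", "modified_at", "modified_by",
    "default_new_user_roles", "default_new_user_groups",
    "groups", "user_attributes", "url",
})

# groups_finder_type value -> the field the schema says that strategy uses.
FINDER_DEPENDENCY = {
    "grouped_attribute_values": "groups_attribute",
    "individual_attributes": "groups_member_value",
}

MAX_DRIFT_SECONDS = 300  # assumption: local policy ceiling, not a Looker limit

# Constructed sample, shaped like a config read back from the API.
SAMPLE_CONFIG = {
    "can": {},
    "test_slug": "constructed-slug",
    "enabled": True,
    "idp_url": "https://idp.example.test/sso",
    "idp_issuer": "https://idp.example.test/metadata",
    "idp_audience": "",
    "allowed_clock_drift": 900,
    "new_user_migration_types": "email,ldap",
    "alternate_email_login_allowed": True,
    "set_roles_from_groups": True,
    "groups_finder_type": "individual_attributes",
    "groups_member_value": "",
    "auth_requires_role": False,
    "url": "https://looker.example.test/api/3.1/saml_test_configs/constructed-slug",
}


def review_saml_config(config):
    """Return (body, findings) for a SamlConfig dict.

    body     -- copy of config without the schema's read-only fields
    findings -- list of (severity, field, message), severity "error" or "review"
    """
    body = {k: v for k, v in config.items() if k not in READ_ONLY_FIELDS}
    findings = []

    # The group lookup strategy must be a documented value and its
    # companion field must be filled in.
    finder = body.get("groups_finder_type")
    if finder is not None:
        needed = FINDER_DEPENDENCY.get(finder)
        if needed is None:
            findings.append(("error", "groups_finder_type",
                             f"unknown strategy {finder!r}"))
        elif not body.get(needed):
            findings.append(("error", needed,
                             f"empty, but used when groups_finder_type is {finder!r}"))

    # Clock drift widens the window in which an assertion timestamp is accepted.
    drift = body.get("allowed_clock_drift")
    if drift is not None:
        if isinstance(drift, bool) or not isinstance(drift, int) or drift < 0:
            findings.append(("error", "allowed_clock_drift",
                             "must be a non-negative count of seconds"))
        elif drift > MAX_DRIFT_SECONDS:
            findings.append(("review", "allowed_clock_drift",
                             f"{drift}s exceeds the {MAX_DRIFT_SECONDS}s policy ceiling"))

    if not body.get("idp_audience"):
        findings.append(("review", "idp_audience",
                         "unset: the audience value returned by the IdP is not validated"))

    # Account merging on first SAML login keys on the email address.
    migration = body.get("new_user_migration_types")
    if migration:
        types = [t.strip() for t in migration.split(",")]
        if not all(types):
            findings.append(("error", "new_user_migration_types",
                             "comma-separated list contains an empty entry"))
        else:
            findings.append(("review", "new_user_migration_types",
                             "first SAML login merges into existing accounts by "
                             "email for: " + ", ".join(types)))

    if body.get("alternate_email_login_allowed"):
        findings.append(("review", "alternate_email_login_allowed",
                         "'/login/email' stays available to admins and users "
                         "with the 'login_special_email' permission"))

    if not body.get("auth_requires_role"):
        findings.append(("review", "auth_requires_role",
                         "not set: login is not blocked when no role is found in SAML"))

    return body, findings
```

Send the body only when no finding has severity "error"; the "review" findings are the settings worth a second look before the test configuration is promoted.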

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
422 Validation Error
ValidationError {
message (string, read-only, required): Error details,
errors (Array[ValidationErrorDetail], read-only): Error detail array,
documentation_url (string, read-only, required): Documentation link
}
ValidationErrorDetail {
field (string, read-only): Field with error,
code (string, read-only): Error code,
message (string, read-only): Error info message,
documentation_url (string, read-only, required): Documentation link
}

Parse SAML IdP XML

POST/api/3.1/parse_saml_idp_metadata
parse_saml_idp_metadata(body)

Implementation Notes

Parse the given xml as a SAML IdP metadata document and return the result.

Response Class

SamlMetadataParseResult {
can (object, read-only): Operations the current user is able to perform on this object,
idp_issuer (string, read-only): Identity Provider Issuer,
idp_url (string, read-only): Identity Provider Url,
idp_cert (string, read-only): Identity Provider Certificate
}
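
To check what an IdP metadata document contains before handing it to this endpoint, the three SamlMetadataParseResult fields can be extracted locally. The following is an added example, not Looker's parser: parse_idp_metadata, the preference for the HTTP-Redirect binding, the https-only rule, the DTD rejection and the cert_sha256 field are assumptions of this example, and the sample metadata and certificate bytes are constructed.

```python
import base64
import binascii
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder bytes standing in for a DER-encoded certificate.
FAKE_CERT_DER = b"constructed placeholder, not a real X.509 certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()

# Constructed sample metadata; the certificate text is wrapped across lines
# the way real metadata files usually are.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="https://idp.example.test/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>AAAA</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {FAKE_CERT_B64[:20]}
        {FAKE_CERT_B64[20:]}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{BINDING_POST}" Location="https://idp.example.test/sso/post"/>
    <md:SingleSignOnService Binding="{BINDING_REDIRECT}" Location="https://idp.example.test/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


class MetadataError(ValueError):
    """Raised when the document cannot be used as IdP metadata."""


def parse_idp_metadata(xml_text):
    """Return idp_issuer, idp_url and idp_cert plus a SHA-256 of the cert bytes."""
    # Metadata needs no DTD; refusing one avoids entity-expansion tricks.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise MetadataError("DTD or entity declarations are not accepted")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise MetadataError(f"not well-formed XML: {exc}") from exc

    # The root is either one EntityDescriptor or an EntitiesDescriptor wrapper.
    entity_tag = f"{{{NS['md']}}}EntityDescriptor"
    entities = [root] if root.tag == entity_tag else root.findall(".//md:EntityDescriptor", NS)
    idps = [e for e in entities if e.find("md:IDPSSODescriptor", NS) is not None]
    if len(idps) != 1:
        raise MetadataError(f"expected exactly one IdP entity, found {len(idps)}")
    entity = idps[0]
    sso = entity.find("md:IDPSSODescriptor", NS)

    issuer = entity.get("entityID")
    if not issuer:
        raise MetadataError("EntityDescriptor has no entityID")

    # Assumption of this example: prefer HTTP-Redirect, fall back to HTTP-POST.
    endpoints = {s.get("Binding"): s.get("Location")
                 for s in sso.findall("md:SingleSignOnService", NS)}
    url = endpoints.get(BINDING_REDIRECT) or endpoints.get(BINDING_POST)
    if not url:
        raise MetadataError("no SingleSignOnService with a supported binding")
    if not url.lower().startswith("https://"):
        raise MetadataError(f"SSO endpoint is not https: {url}")

    # Only keys marked for signing (or with no 'use') can verify assertions.
    certs = []
    for key in sso.findall("md:KeyDescriptor", NS):
        if key.get("use") in (None, "signing"):
            node = key.find(".//ds:X509Certificate", NS)
            if node is not None and node.text:
                certs.append("".join(node.text.split()))
    if not certs:
        raise MetadataError("no signing certificate in IDPSSODescriptor")
    try:
        der = base64.b64decode(certs[0], validate=True)
    except binascii.Error as exc:
        raise MetadataError(f"certificate is not valid base64: {exc}") from exc

    return {
        "idp_issuer": issuer,
        "idp_url": url,
        "idp_cert": certs[0],
        # Fingerprint to compare with the value the IdP operator publishes.
        "cert_sha256": hashlib.sha256(der).hexdigest(),
    }
```

Comparing cert_sha256 with a fingerprint obtained from the IdP operator over a separate channel confirms that the certificate about to be stored in idp_cert is the one the IdP actually signs with.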

Parameters

Parameter Required? Description Parameter Type Data Type
body true SAML IdP metadata xml body string

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}

Parse SAML IdP Url

POST/api/3.1/fetch_and_parse_saml_idp_metadata
fetch_and_parse_saml_idp_metadata(body)

Implementation Notes

Fetch the given url and parse it as a SAML IdP metadata document and return the result.

Note that this requires that the url be public or at least at a location where the Looker instance can fetch it without requiring any special authentication.

Response Class

SamlMetadataParseResult {
can (object, read-only): Operations the current user is able to perform on this object,
idp_issuer (string, read-only): Identity Provider Issuer,
idp_url (string, read-only): Identity Provider Url,
idp_cert (string, read-only): Identity Provider Certificate
}

Parameters

Parameter Required? Description Parameter Type Data Type
body true SAML IdP metadata public url body string

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}

Get Session Config beta

GET/api/3.1/session_config
session_config()

Implementation Notes

Get session config.

Response Class

SessionConfig {
can (object, read-only): Operations the current user is able to perform on this object,
allow_persistent_sessions (boolean): Allow users to have persistent sessions when they login,
session_minutes (long): Number of minutes for user sessions. Must be between 5 and 43200,
unlimited_sessions_per_user (boolean): Allow users to have an unbounded number of concurrent sessions (otherwise, users will be limited to only one session at a time).,
use_inactivity_based_logout (boolean): Enforce session logout for sessions that are inactive for 15 minutes.,
track_session_location (boolean): Track location of session when user logs in.
}

Parameters

  None

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}

Update Session Config beta

PATCH/api/3.1/session_config
update_session_config(body)

Implementation Notes

Update session config.

Response Class

SessionConfig {
can (object, read-only): Operations the current user is able to perform on this object,
allow_persistent_sessions (boolean): Allow users to have persistent sessions when they login,
session_minutes (long): Number of minutes for user sessions. Must be between 5 and 43200,
unlimited_sessions_per_user (boolean): Allow users to have an unbounded number of concurrent sessions (otherwise, users will be limited to only one session at a time).,
use_inactivity_based_logout (boolean): Enforce session logout for sessions that are inactive for 15 minutes.,
track_session_location (boolean): Track location of session when user logs in.
}

Parameters

Parameter Required? Description Parameter Type Data Type
body true Session Config body
SessionConfig {
can (object, read-only): Operations the current user is able to perform on this object,
allow_persistent_sessions (boolean): Allow users to have persistent sessions when they login,
session_minutes (long): Number of minutes for user sessions. Must be between 5 and 43200,
unlimited_sessions_per_user (boolean): Allow users to have an unbounded number of concurrent sessions (otherwise, users will be limited to only one session at a time).,
use_inactivity_based_logout (boolean): Enforce session logout for sessions that are inactive for 15 minutes.,
track_session_location (boolean): Track location of session when user logs in.
}

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
422 Validation Error
ValidationError {
message (string, read-only, required): Error details,
errors (Array[ValidationErrorDetail], read-only): Error detail array,
documentation_url (string, read-only, required): Documentation link
}
ValidationErrorDetail {
field (string, read-only): Field with error,
code (string, read-only): Error code,
message (string, read-only): Error info message,
documentation_url (string, read-only, required): Documentation link
}

Get All User Login Lockouts beta

GET/api/3.1/user_login_lockouts
all_user_login_lockouts(fields)

Implementation Notes

Get currently locked-out users.

Response Class

  array

Parameters

Parameter Required? Description Parameter Type Data Type
fields false Include only these fields in the response string string

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}

Search User Login Lockouts beta

GET/api/3.1/user_login_lockouts/search
search_user_login_lockouts(fields, page, per_page, sorts, auth_type, full_name, email, remote_id, filter_or)

Implementation Notes

Search currently locked-out users.

Response Class

  array

Parameters

Parameter Required? Description Parameter Type Data Type
fields false Include only these fields in the response string string
page false Return only page N of paginated results integer int64
per_page false Return N rows of data per page integer int64
sorts false Fields to sort by. string string
auth_type false Auth type user is locked out for (email, ldap, totp, api) string string
full_name false Match name string string
email false Match email string string
remote_id false Match remote LDAP ID string string
filter_or false Combine given search criteria in a boolean OR expression boolean boolean

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}

Delete User Login Lockout beta

DELETE/api/3.1/user_login_lockout/{key}
delete_user_login_lockout(key)

Implementation Notes

Removes login lockout for the associated user.

Response Class

  None

Parameters

Parameter Required? Description Parameter Type Data Type
key true The key associated with the locked user string string

Response Messages

HTTP Status Code Reason Response Model
400 Bad Request
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
404 Not Found
Error {
message (string, read-only, required): Error details,
documentation_url (string, read-only, required): Documentation link
}
204 Successfully deleted. string