How to Configure SAML 2.0 for Looker


Supported Features

The Okta/Looker SAML integration currently supports the following features:

Configuration Steps

  1. Log in to Looker as Administrator.

  2. Navigate to Admin > SAML Authentication

  3. Select Enabled.


  4. In the SAM Auth Settings section:

    1. Copy and paste the following Admin > SAML Authentication into the corresponding field:

      You can either use this metadata:

      Sign in to Okta Admin app to have this variable generated for you.

      Or this URL:

      Sign into the Okta Admin dashboard to generate this value.

    2. Click the Load button.


    3. A IdP Metadata loaded message appears. The IdP URL, IdP Issuer, and IdP Certificate files should be filled.

    4. Leave the IdP Audience (Optional) field empty.


  5. In the User Attribute Settings section:

    1. Email Attr: Enter Email.

    2. FName Attr: Enter FirstName.

    3. LName Attr: Enter LastName.


  6. In the Role Settings section:

    1. If you don’t need to set roles from groups, select Default New User Roles from the dropdown list.


    2. If you need to set roles from groups:

      • Set the Set Roles from Groups switch to ON.

      • Groups Attribute: Enter Groups.

      • Set the Auth Requires Role switch to ON.

      • In the Group To Role Pairings Section:

        • You need to enter a group name that will be sent and then select a corresponding role in Looker.

          For example: You can create LookerAdmin and LookerUser groups in OKTA for your Looker users. Then select Admin Role for the LookerAdmin group, and User Role for the LookerUser group in Looker.


        • In OKTA, select the Sign On tab for the Looker app, then click Edit.

        • Select your preferred Group filter from the dropdown list (the Regex rule with the value ".*" in order to send *all* groups to the Looker instance we used in our example).

        • Click Save.


  7. In the Test User Authentication (values are not saved) section:

    1. Click the Test SAML Authentication button.


    2. A new window with Server response successfully validated message should appear.

    3. Close the new window.

  8. In the Migration Options section: Select the appropiate options.

  9. Click Update Settings.


  10. Done!


The following SAML attributes are supported:

SP-initiated SSO