Looker is a Data Analytics and Visualization product recently acquired by Google. Looker’s capabilities include Modern BI & Analytics, Integrated Insights, Data-driven Workflows and Custom Applications.
Okta is a popular Identity Management Provider that has single-sign-on integrations with a wide range of applications including Looker.
We wanted to implement the integration of Looker with a Single-Sign-On (SSO) solution using Okta. However we also wanted to make sure that we are able to pass on user attributes from Okta to Looker for the purpose of filtering row and column data based on the user profile. This way administrators can restrict user’s access to data on Looker using the Identity Provider (Okta).
We created a custom application on Okta and enabled SAML integration. We deliberately did not use the Out-of-Box Looker integration as it does not pass custom user attributes during single-sign-on.
Before you begin – SAML configuration is restricted on Looker and must be enabled by Looker/Google Customer Support. Once enabled, you can begin configuring the application on Okta.
SAML Settings with user attributes. We use the SAML callback URL from Looker for the single sign-on URL
Looker SAML Integration
On Looker you have to enter the IDP metadata URL to auto-populate the values for the SAML integration attributes and add the custom user attribute that we wish to integrate from Okta.
Clicking on “Test the SAML Authentication” will display the user profile attributes being passed by the Okta if this has been configured correctly.
Once we are able to see the custom attribute “company_code” passed correctly from Okta we can proceed to configure our LookML views on Looker.
LookML for the Filtered View
We edited a LookML view dimension (column) that displays filtered average High values only if the dashboard viewer’s company code is “SPRINGML-SF”.
On the dashboard, since my user profile has the company code value as “SPRINGMLGOOGL” instead of the expected “SPRINGML-SF” we see the “Insufficient COMPANY CODE Permissions” on the restricted column as specified in the view LookML.
Looker’s SAML integration with Okta makes it very easy to create and maintain a powerful centralized authorization mechanism where administrators can control user access to Looker assets from the identity provider.