Coming Soon! We’re launching a new sub-community within the Google Cloud Community dedicated to cloud security: The Google Cloud Security Community. In preparation for the launch, this site will be in read only mode from 22 September 12am PST - 23 September 7pm PST

Set Looker Roles from IdP Groups

Knowledge Drop

Last tested: Jul 24, 2020

You can set Looker roles based on the groups in your IdP. If you already have users split up into working groups in the IdP, this is a great option as it means you don't have to set new users up in Looker directly. It can also be helpful for ensuring all users in the same team in your organization has the same abilities in Looker without having to use the Looker UI. If the IdP is already used for such things with other applications, it saves a lot of admin oversight.

The specifics of how Looker does this can be a bit confusing, though. First off, if you have group to role pairings turned on, then you won't be able to make lasting changes to a user's role from inside of Looker when using the default advanced settings options - each time they re-authenticate, their role will be re-mapped based on what is found in the IdP. Second, this process uses shadow groups in order to map groups to roles.

When this option is enabled, the admin can specify each external group to be shadowed in the authentication section of the admin panel. Unlike regular groups, roles for shadow groups can only be set in the authentication section and are not editable in the “Users” or “Roles” sections. 

Shadow groups are created automatically in Looker and have names that look like 'shadowing saml config group xx'. You can map these to readable names as of 7.6. They may appear to the end user to be duplicate groups that cannot be deleted or modified in Looker. These groups are created to ensure other, existing Looker groups aren't modified in the mapping process. Their purpose is to fit the groups in the IdP into the Looker permissioning framework.

When group to role mapping is enabled with default advanced settings, you won't be able to add users to Looker groups in a lasting way - that is, every time they re-authenticate, they'll be kicked out of that group. Instead, you can add the shadow group the users are in to the Looker group, which will persist upon re-authentication.

As of Looker 6.14 these groups will be dropped once they have been empty for 31 days. More on that behavior here.

This content is subject to limited support.                

Version history
Last update:
‎06-14-2021 05:59 PM
Updated by: