Looker SSO User Attribute Integration with Okta

Looker is a Data Analytics and Visualization product recently acquired by Google. Looker’s capabilities include Modern BI & Analytics, Integrated Insights, Data-driven Workflows and Custom Applications.

Okta is a popular Identity Management Provider that has single-sign-on integrations with a wide range of applications including Looker. 

The Problem

We wanted to integrate Looker with a Single-Sign-On (SSO) solution using Okta. We also wanted to pass user attributes from Okta to Looker so that row and column data can be filtered based on the user profile. This way, administrators can restrict users’ access to data in Looker from the Identity Provider (Okta).

The Solution

We created a custom application on Okta and enabled SAML integration. We deliberately did not use the Out-of-Box Looker integration as it does not pass custom user attributes during single-sign-on.

Before you begin – SAML configuration is restricted on Looker and must be enabled by Looker/Google Customer Support. Once enabled, you can begin configuring the application on Okta.

Okta Application

 

Figure: SAML Settings with user attributes. We use the SAML callback URL from Looker as the single sign-on URL.


Looker SAML Integration

In Looker, enter the IdP metadata URL to auto-populate the values for the SAML integration attributes, then add the custom user attribute that you want to integrate from Okta.

Figures: Test SAML Authentication; Attribute Pairing; Looker SAML Authentication

Clicking on “Test the SAML Authentication” will display the user profile attributes being passed by Okta if the integration has been configured correctly.

Figure: SAML Authentication Test Result

Once we are able to see the custom attribute “company_code” passed correctly from Okta we can proceed to configure our LookML views on Looker.

LookML for the Filtered View

We edited a LookML view dimension (column) that displays filtered average High values only if the dashboard viewer’s company code is “SPRINGML-SF”.

Figure: LookML for the filtered view

On the dashboard, since my user profile has the company code value “SPRINGMLGOOGL” instead of the expected “SPRINGML-SF”, we see the “Insufficient COMPANY CODE Permissions” message in the restricted column, as specified in the view LookML.
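
A sketch of a view that behaves as described above, added here as an example and not the LookML from the original post. The view, table and column names (stock_prices, analytics.stock_prices, symbol, avg_high) and the BigQuery-style cast are assumptions; company_code, “SPRINGML-SF” and the message text come from the post.

```lookml
# Added example, not the original post's LookML.
# Hypothetical names: stock_prices, analytics.stock_prices, symbol, avg_high.
# company_code is the user attribute paired from Okta in the SAML settings.
view: stock_prices {
  sql_table_name: analytics.stock_prices ;;

  dimension: symbol {
    type: string
    sql: ${TABLE}.symbol ;;
  }

  # Column-level restriction. Liquid evaluates the viewer's user attribute
  # when Looker generates the query, so only one branch is sent to the
  # database and the attribute value itself is never spliced into the SQL.
  # The comparison is an exact string match: any other company_code value
  # falls through to the message.
  # The cast keeps the column a string in both branches; CAST(... AS STRING)
  # is BigQuery syntax (assumed) and differs in other dialects.
  dimension: average_high_restricted {
    label: "Average High"
    type: string
    sql:
      {% if _user_attributes['company_code'] == 'SPRINGML-SF' %}
        CAST(${TABLE}.avg_high AS STRING)
      {% else %}
        'Insufficient COMPANY CODE Permissions'
      {% endif %} ;;
  }
}
```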

Conclusion

 Looker’s SAML integration with Okta makes it very easy to create and maintain a powerful centralized authorization mechanism where administrators can control user access to Looker assets from the identity provider.
