Looker can authenticate users using one of several authentication server types, such as LDAP, SAML, or Google OAuth. Enabling any of these authentication methods will disable other authentication systems, such as email/password.
Admins can give users an alternate login option that uses their email address if the user or users have either an Admin role or login_special_email
permissions.
How do I give an account alternate login credentials?
Implementing the alternate login option configures a user's account user_id
to accept the user's email credentials when they log in to the Looker instance. Admins can use either the Looker API to make a POST request or the Looker API SDK in the programming language of the admin's choice. Both options require a few prerequisite steps:
- On the authentication page of the Admin panel, enable authentication by choosing the Enabled option.
- Under Migration Options, enable the Alternate Login for Specified Users switch.
- The user or users must have either an Admin role or
login_special_email
permissions.
Making a POST Request to the Looker API
Because of its manual nature, this is a better method to use when you have a limited number of users for whom you want to set up the alternate login option.
This example uses a curl command to make a POST request to the create_user_credentials_email
API endpoint using a temporary access token:
- To generate the temporary token (
ACCESS_TOKEN
), follow the steps on the API Authentication documentation page in the Authentication without a SDK section. - Using this temporary token in the authorization header, send a POST request to the Looker API using the user's
user_id
, and include their email in the body of the request.curl -H "Authorization: token ACCESS_TOKEN" -H 'Content-Type: application/json' -X POST -d '{ "email": "example_name@example_email.com" }' https://<instance_name<.api.looker.com/api/3.1/users/{user_id}/credentials_email
- On the Users page of the Admin section, find the user account and click Edit.
- Click the Send reset link button. This will send an email to the email address you specified in your POST request.
To use the alternate login method, when the user logs in to Looker, they will need to click the Alternate Login link below the Authenticate button and then enter their name and email address. They can still authenticate using their SAML, LDAP, or OAuth credentials through the Authenticate button.
Using the Looker API SDK
Rather than going through the manual steps of making requests directly to the Looker API, you can instead use a Looker-provided SDK to interact with the API in a programming language of your choice. After you have imported the Looker API SDK and established a client connection, follow these steps:
- Use the
create_user_credentials_email(user_id, body)
function, inserting theuser_id
andbody
as specified in the Looker API documentation. You can follow a similar example from this Looker Community topic about automatically provisioning users with the Looker API. - Once the user accounts have been updated using the SDK method, on the Users page of the Admin section, find the user account and click Edit.
- Click the Send reset link button. This will send an email to the email address you specified in your POST request.
To use the alternate login method, when the user logs in to Looker, they will need to click the Alternate Login link below the Authenticate button and then enter their name and email address. They can still authenticate using their SAML, LDAP, or OAuth credentials through the Authenticate button.