Create SSO Embed Url
Implementation Notes
Create SSO Embed URL.
Creates an SSO embed URL and cryptographically signs it with an embed secret. This signed URL can then be used to instantiate a Looker embed session in a PBL web application. Do not make any modifications to this URL - any change may invalidate the signature and cause the URL to fail to load a Looker embed session.
A signed SSO embed URL can only be used once. After it has been used to request a page from the Looker server, the URL is invalid. Future requests using the same URL will fail. This is to prevent ‘replay attacks’.
The target_url property must be a complete URL of a Looker UI page - scheme, hostname, path and query params.
To load a dashboard with id 56 and with a filter of Date=1 years, the Looker URL would look like https://myname.looker.com/dashboards/56?Date=1%20years.
The best way to obtain this target_url is to navigate to the desired Looker page in your web browser, copy the URL shown in the browser address bar and paste it into the target_url property as a quoted string value in this API request.
Permissions for the embed user are defined by the groups in which the embed user is a member (group_ids property) and the lists of models and permissions assigned to the embed user. At a minimum, you must provide values for either the group_ids property, or both the models and permissions properties. These properties are additive; an embed user can be a member of certain groups AND be granted access to models and permissions.
The embed user’s access is the union of permissions granted by the group_ids, models, and permissions properties.
This function does not strictly require all group_ids, user attribute names, or model names to exist at the moment the SSO embed URL is created. Unknown group_id, user attribute names or model names will be passed through to the output URL.
To diagnose potential problems with an SSO embed URL, you can copy the signed URL into the Embed URI Validator text box in <your looker instance>/admin/embed.
The secret_id parameter is optional. If specified, its value must be the id of an active secret defined in the Looker instance. If not specified, the URL will be signed using the newest active secret defined in the Looker instance.
Security Note
Protect this signed URL as you would an access token or password credentials - do not write it to disk, do not pass it to a third party, and only pass it through a secure HTTPS encrypted transport.
Response Class
Parameters
Parameter | Required? | Description | Parameter Type | Data Type |
---|---|---|---|---|
body | true | SSO parameters | body |
EmbedSsoParams {
target_url (string, required): The complete URL of the Looker UI page to display in the embed context. For example, to display the dashboard with id 34, target_url would look like: https://mycompany.looker.com:9999/dashboards/34 . target_url MUST contain a scheme (HTTPS), domain name, and URL path. Port must be included if it is required to reach the Looker server from browser clients. If the Looker instance is behind a load balancer or other proxy, target_url must be the public-facing domain name and port required to reach the Looker instance, not the actual internal network machine name of the Looker instance.
session_length (long): Number of seconds the SSO embed session will be valid after the embed session is started. Defaults to 300 seconds. Maximum session length accepted is 2592000 seconds (30 days).
force_logout_login (boolean): When true, the embed session will purge any residual Looker login state (such as in browser cookies) before creating a new login state with the given embed user info. Defaults to true.
external_user_id (string): A value from an external system that uniquely identifies the embed user. Since the user_ids of Looker embed users may change with every embed session, external_user_id provides a way to assign a known, stable user identifier across multiple embed sessions.
first_name (string): First name of the embed user. Defaults to 'Embed' if not specified
last_name (string): Last name of the embed user. Defaults to 'User' if not specified
user_timezone (string): Sets the user timezone for the embed user session, if the User Specific Timezones setting is enabled in the Looker admin settings. A value of null forces the embed user to use the Looker Application Default Timezone. You MUST omit this property from the request if the User Specific Timezones setting is disabled. Timezone values are validated against the IANA Timezone standard and can be seen in the Application Time Zone dropdown list on the Looker General Settings admin page.
permissions (Array[string]): List of Looker permission names to grant to the embed user. Requested permissions will be filtered to permissions allowed for embed sessions.
models (Array[string]): List of model names that the embed user may access
group_ids (Array[long]): List of Looker group ids in which to enroll the embed user
external_group_id (string): A unique value identifying an embed-exclusive group. Multiple embed users using the same external_group_id value will be able to share Looker content with each other. Content and embed users associated with the external_group_id will not be accessible to normal Looker users or embed users not associated with this external_group_id.
user_attributes (object): A dictionary of name-value pairs associating a Looker user attribute name with a value.
secret_id (long): Id of the embed secret to use to sign this SSO url. If specified, the value must be an id of a valid (active) secret defined in the Looker instance. If not specified, the URL will be signed with the newest active embed secret defined in the Looker instance.
}
|
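A pre-flight check for the request body, as an added example (not Looker's own code): it enforces the rules stated above for target_url, session_length and the group_ids / models / permissions minimum before the body is sent for signing. The function names, the expected_host pin, the lower bound of 1 second and the log_safe helper are assumptions of this example.

```python
from urllib.parse import urlsplit

MAX_SESSION_LENGTH = 2592000  # seconds (30 days), maximum stated for session_length
DEFAULT_SESSION_LENGTH = 300  # seconds, default stated for session_length


class EmbedParamsError(ValueError):
    """The request body would break a rule stated in the endpoint notes."""


def check_target_url(target_url, expected_host):
    """Require scheme (HTTPS), hostname and URL path, as the description demands."""
    parts = urlsplit(target_url)
    if parts.scheme != "https":
        raise EmbedParamsError("target_url must use the https scheme")
    if not parts.hostname:
        raise EmbedParamsError("target_url must contain a hostname")
    # Assumption (local policy, not an API rule): only request signatures
    # for pages on our own public-facing Looker host.
    if parts.hostname.lower() != expected_host.lower():
        raise EmbedParamsError("target_url host does not match the expected Looker host")
    if not parts.path:
        raise EmbedParamsError("target_url must contain a URL path")
    return target_url


def build_embed_sso_params(target_url, expected_host, *, group_ids=None,
                           models=None, permissions=None,
                           session_length=DEFAULT_SESSION_LENGTH,
                           external_user_id=None, user_attributes=None):
    """Return an EmbedSsoParams body, or raise EmbedParamsError."""
    body = {"target_url": check_target_url(target_url, expected_host)}

    # Minimum grant: either group_ids, or both models and permissions.
    if not group_ids and not (models and permissions):
        raise EmbedParamsError("provide group_ids, or both models and permissions")

    if isinstance(session_length, bool) or not isinstance(session_length, int):
        raise EmbedParamsError("session_length must be an integer number of seconds")
    # The lower bound of 1 is an assumption; the page states only the maximum.
    if not 0 < session_length <= MAX_SESSION_LENGTH:
        raise EmbedParamsError("session_length must be between 1 and 2592000 seconds")
    body["session_length"] = session_length

    # The three grants are additive, so pass through every one that was given.
    for key, value in (("group_ids", group_ids), ("models", models),
                       ("permissions", permissions)):
        if value:
            body[key] = list(value)
    if external_user_id is not None:
        body["external_user_id"] = str(external_user_id)
    if user_attributes:
        body["user_attributes"] = dict(user_attributes)
    return body


def log_safe(signed_url):
    """Form of a signed URL that can be logged: the host only, nothing signed."""
    host = urlsplit(signed_url).hostname or "unknown-host"
    return f"https://{host}/[signed embed URL redacted]"


if __name__ == "__main__":
    # Constructed sample values; the model and permission names are placeholders.
    print(build_embed_sso_params(
        "https://myname.looker.com/dashboards/56?Date=1%20years",
        "myname.looker.com",
        models=["sales"],
        permissions=["access_data", "see_user_dashboards"],
        external_user_id="user-4242",
    ))
```
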
Response Messages
HTTP Status Code | Reason | Response Model |
---|---|---|
400 | Bad Request |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
404 | Not Found |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
409 | Resource Already Exists |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
422 | Validation Error |
ValidationError {
message (string, read-only, required): Error details, errors (Array[ValidationErrorDetail], read-only): Error detail array, documentation_url (string, read-only, required): Documentation link }
ValidationErrorDetail { field (string, read-only): Field with error, code (string, read-only): Error code, message (string, read-only): Error info message, documentation_url (string, read-only, required): Documentation link }
|
429 | Too Many Requests |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
Get LDAP Configuration
Implementation Notes
Get the LDAP configuration.
Looker can be optionally configured to authenticate users against an Active Directory or other LDAP directory server. LDAP setup requires coordination with an administrator of that directory server.
Only Looker administrators can read and update the LDAP configuration.
Configuring LDAP impacts authentication for all users. This configuration should be done carefully.
Looker maintains a single LDAP configuration. It can be read and updated. Updates only succeed if the new state will be valid (in the sense that all required fields are populated); it is up to you to ensure that the configuration is appropriate and correct.
LDAP is enabled or disabled for Looker using the enabled field.
Looker will never return an auth_password field. That value can be set, but never retrieved.
See the Looker LDAP docs for additional information.
Response Class
Group {
Role {
PermissionSet {
ModelSet {
LDAPGroupRead {
LDAPGroupWrite {
LDAPUserAttributeRead {
UserAttribute {
LDAPUserAttributeWrite {
Parameters
None
Response Messages
HTTP Status Code | Reason | Response Model |
---|---|---|
404 | Not Found |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
Update LDAP Configuration
Implementation Notes
Update the LDAP configuration.
Configuring LDAP impacts authentication for all users. This configuration should be done carefully.
Only Looker administrators can read and update the LDAP configuration.
LDAP is enabled or disabled for Looker using the enabled field.
It is highly recommended that any LDAP setting changes be tested using the APIs below before being set globally.
See the Looker LDAP docs for additional information.
Response Class
Group {
Role {
PermissionSet {
ModelSet {
LDAPGroupRead {
LDAPGroupWrite {
LDAPUserAttributeRead {
UserAttribute {
LDAPUserAttributeWrite {
Parameters
Parameter | Required? | Description | Parameter Type | Data Type |
---|---|---|---|---|
body | true | LDAP Config | body |
LDAPConfig {
can (object, read-only): Operations the current user is able to perform on this object, alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled., auth_password (string): (Write-Only) Password for the LDAP account used to access the LDAP server, auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in LDAP if set to true, auth_username (string): Distinguished name of LDAP account used to access the LDAP server, connection_host (string): LDAP server hostname, connection_port (string): LDAP host port, connection_tls (boolean): Use Transport Layer Security, connection_tls_no_verify (boolean): Do not verify peer when using TLS, default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via LDAP, default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via LDAP, default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via LDAP, default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via LDAP, enabled (boolean): Enable/Disable LDAP authentication for the server, force_no_page (boolean): Don't attempt to do LDAP search result paging (RFC 2696) even if the LDAP server claims to support it., groups (Array[LDAPGroupRead], read-only): (Read-only) Array of mappings between LDAP Groups and Looker Roles, groups_base_dn (string): Base dn for finding groups in LDAP searches, 
groups_finder_type (string): Identifier for a strategy for how Looker will search for groups in the LDAP server, groups_member_attribute (string): LDAP Group attribute that signifies the members of the groups. Most commonly 'member', groups_objectclasses (string): Optional comma-separated list of supported LDAP objectclass for groups when doing groups searches, groups_user_attribute (string): LDAP Group attribute that signifies the user in a group. Most commonly 'dn', groups_with_role_ids (Array[LDAPGroupWrite]): (Read/Write) Array of mappings between LDAP Groups and arrays of Looker Role ids, has_auth_password (boolean, read-only): (Read-only) Has the password been set for the LDAP account used to access the LDAP server, merge_new_users_by_email (boolean): Merge first-time ldap login to existing user account by email addresses. When a user logs in for the first time via ldap this option will connect this user into their existing account by finding the account with a matching email address. Otherwise a new user account will be created for the user., modified_at (string, read-only): When this config was last modified, modified_by (string, read-only): User id of user who last modified this config, set_roles_from_groups (boolean): Set user roles in Looker based on groups from LDAP, test_ldap_password (string): (Write-Only) Test LDAP user password. For ldap tests only., test_ldap_user (string): (Write-Only) Test LDAP user login id. 
For ldap tests only., user_attribute_map_email (string): Name of user record attributes used to indicate email address field, user_attribute_map_first_name (string): Name of user record attributes used to indicate first name, user_attribute_map_last_name (string): Name of user record attributes used to indicate last name, user_attribute_map_ldap_id (string): Name of user record attributes used to indicate unique record id, user_attributes (Array[LDAPUserAttributeRead], read-only): (Read-only) Array of mappings between LDAP User Attributes and Looker User Attributes, user_attributes_with_ids (Array[LDAPUserAttributeWrite]): (Read/Write) Array of mappings between LDAP User Attributes and arrays of Looker User Attribute ids, user_bind_base_dn (string): Distinguished name of LDAP node used as the base for user searches, user_custom_filter (string): (Optional) Custom RFC-2254 filter clause for use in finding user during login. Combined via 'and' with the other generated filter clauses., user_id_attribute_names (string): Name(s) of user record attributes used for matching user login id (comma separated list), user_objectclass (string): (Optional) Name of user record objectclass used for finding user during login id, allow_normal_group_membership (boolean): Allow LDAP auth'd users to be members of non-reflected Looker groups. 
If 'false', user will be removed from non-reflected groups on login., allow_roles_from_normal_groups (boolean): LDAP auth'd users will be able to inherit roles from non-reflected Looker groups., allow_direct_roles (boolean): Allows roles to be directly assigned to LDAP auth'd users., url (string, read-only): Link to get this item }Group { can (object, read-only): Operations the current user is able to perform on this object, can_add_to_content_metadata (boolean): Group can be used in content access controls, contains_current_user (boolean, read-only): Currently logged in user is group member, external_group_id (string, read-only): External Id group if embed group, externally_managed (boolean, read-only): Group membership controlled outside of Looker, id (long, read-only): Unique Id, include_by_default (boolean, read-only): New users are added to this group by default, name (string): Name of group, user_count (long, read-only): Number of users included in this group }Role { can (object, read-only): Operations the current user is able to perform on this object, id (long, read-only): Unique Id, name (string): Name of Role, permission_set (PermissionSet, read-only): (Read only) Permission set, permission_set_id (long): (Write-Only) Id of permission set, model_set (ModelSet, read-only): (Read only) Model set, model_set_id (long): (Write-Only) Id of model set, url (string, read-only): Link to get this item, users_url (string, read-only): Link to get list of users with this role }PermissionSet { can (object, read-only): Operations the current user is able to perform on this object, all_access (boolean, read-only), built_in (boolean, read-only), id (long, read-only): Unique Id, name (string): Name of PermissionSet, permissions (Array[string]), url (string, read-only): Link to get this item }ModelSet { can (object, read-only): Operations the current user is able to perform on this object, all_access (boolean, read-only), built_in (boolean, read-only), id (long, read-only): 
Unique Id, models (Array[string]), name (string): Name of ModelSet, url (string, read-only): Link to get this item }LDAPGroupRead { id (long, read-only): Unique Id, looker_group_id (long, read-only): Unique Id of group in Looker, looker_group_name (string, read-only): Name of group in Looker, name (string, read-only): Name of group in LDAP, roles (Array[Role], read-only): Looker Roles, url (string, read-only): Link to ldap config }LDAPGroupWrite { id (long): Unique Id, looker_group_id (long, read-only): Unique Id of group in Looker, looker_group_name (string): Name of group in Looker, name (string): Name of group in LDAP, role_ids (Array[long]): Looker Role Ids, url (string, read-only): Link to ldap config }LDAPUserAttributeRead { name (string, read-only): Name of User Attribute in LDAP, required (boolean, read-only): Required to be in LDAP assertion for login to be allowed to succeed, user_attributes (Array[UserAttribute], read-only): Looker User Attributes, url (string, read-only): Link to ldap config }UserAttribute { can (object, read-only): Operations the current user is able to perform on this object, id (long, read-only): Unique Id, name (string): Name of user attribute, label (string): Human-friendly label for user attribute, type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"), default_value (string): Default value for when no value is set on the user, is_system (boolean, read-only): Attribute is a system default, is_permanent (boolean, read-only): Attribute is permanent and cannot be deleted, value_is_hidden (boolean): If true, users will not be able to view values of this attribute, user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters, user_can_edit (boolean): Users can change the value of this attribute for themselves, hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited. 
}LDAPUserAttributeWrite { name (string): Name of User Attribute in LDAP, required (boolean): Required to be in LDAP assertion for login to be allowed to succeed, user_attribute_ids (Array[long]): Looker User Attribute Ids, url (string, read-only): Link to ldap config }
|
Response Messages
HTTP Status Code | Reason | Response Model |
---|---|---|
400 | Bad Request |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
404 | Not Found |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
422 | Validation Error |
ValidationError {
message (string, read-only, required): Error details, errors (Array[ValidationErrorDetail], read-only): Error detail array, documentation_url (string, read-only, required): Documentation link }
ValidationErrorDetail { field (string, read-only): Field with error, code (string, read-only): Error code, message (string, read-only): Error info message, documentation_url (string, read-only, required): Documentation link }
|
Test LDAP Connection
Implementation Notes
Test the connection settings for an LDAP configuration.
This tests that the connection is possible given a connection_host and connection_port.
connection_host and connection_port are required. connection_tls is optional.
Example:
{
  "connection_host": "ldap.example.com",
  "connection_port": "636",
  "connection_tls": true
}
No authentication to the LDAP server is attempted.
The active LDAP settings are not modified.
Response Class
LDAPConfigTestIssue {
LDAPUser {
Parameters
Parameter | Required? | Description | Parameter Type | Data Type |
---|---|---|---|---|
body | true | LDAP Config | body |
LDAPConfig {
can (object, read-only): Operations the current user is able to perform on this object, alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled., auth_password (string): (Write-Only) Password for the LDAP account used to access the LDAP server, auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in LDAP if set to true, auth_username (string): Distinguished name of LDAP account used to access the LDAP server, connection_host (string): LDAP server hostname, connection_port (string): LDAP host port, connection_tls (boolean): Use Transport Layer Security, connection_tls_no_verify (boolean): Do not verify peer when using TLS, default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via LDAP, default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via LDAP, default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via LDAP, default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via LDAP, enabled (boolean): Enable/Disable LDAP authentication for the server, force_no_page (boolean): Don't attempt to do LDAP search result paging (RFC 2696) even if the LDAP server claims to support it., groups (Array[LDAPGroupRead], read-only): (Read-only) Array of mappings between LDAP Groups and Looker Roles, groups_base_dn (string): Base dn for finding groups in LDAP searches, 
groups_finder_type (string): Identifier for a strategy for how Looker will search for groups in the LDAP server, groups_member_attribute (string): LDAP Group attribute that signifies the members of the groups. Most commonly 'member', groups_objectclasses (string): Optional comma-separated list of supported LDAP objectclass for groups when doing groups searches, groups_user_attribute (string): LDAP Group attribute that signifies the user in a group. Most commonly 'dn', groups_with_role_ids (Array[LDAPGroupWrite]): (Read/Write) Array of mappings between LDAP Groups and arrays of Looker Role ids, has_auth_password (boolean, read-only): (Read-only) Has the password been set for the LDAP account used to access the LDAP server, merge_new_users_by_email (boolean): Merge first-time ldap login to existing user account by email addresses. When a user logs in for the first time via ldap this option will connect this user into their existing account by finding the account with a matching email address. Otherwise a new user account will be created for the user., modified_at (string, read-only): When this config was last modified, modified_by (string, read-only): User id of user who last modified this config, set_roles_from_groups (boolean): Set user roles in Looker based on groups from LDAP, test_ldap_password (string): (Write-Only) Test LDAP user password. For ldap tests only., test_ldap_user (string): (Write-Only) Test LDAP user login id. 
For ldap tests only., user_attribute_map_email (string): Name of user record attributes used to indicate email address field, user_attribute_map_first_name (string): Name of user record attributes used to indicate first name, user_attribute_map_last_name (string): Name of user record attributes used to indicate last name, user_attribute_map_ldap_id (string): Name of user record attributes used to indicate unique record id, user_attributes (Array[LDAPUserAttributeRead], read-only): (Read-only) Array of mappings between LDAP User Attributes and Looker User Attributes, user_attributes_with_ids (Array[LDAPUserAttributeWrite]): (Read/Write) Array of mappings between LDAP User Attributes and arrays of Looker User Attribute ids, user_bind_base_dn (string): Distinguished name of LDAP node used as the base for user searches, user_custom_filter (string): (Optional) Custom RFC-2254 filter clause for use in finding user during login. Combined via 'and' with the other generated filter clauses., user_id_attribute_names (string): Name(s) of user record attributes used for matching user login id (comma separated list), user_objectclass (string): (Optional) Name of user record objectclass used for finding user during login id, allow_normal_group_membership (boolean): Allow LDAP auth'd users to be members of non-reflected Looker groups. 
If 'false', user will be removed from non-reflected groups on login., allow_roles_from_normal_groups (boolean): LDAP auth'd users will be able to inherit roles from non-reflected Looker groups., allow_direct_roles (boolean): Allows roles to be directly assigned to LDAP auth'd users., url (string, read-only): Link to get this item }Group { can (object, read-only): Operations the current user is able to perform on this object, can_add_to_content_metadata (boolean): Group can be used in content access controls, contains_current_user (boolean, read-only): Currently logged in user is group member, external_group_id (string, read-only): External Id group if embed group, externally_managed (boolean, read-only): Group membership controlled outside of Looker, id (long, read-only): Unique Id, include_by_default (boolean, read-only): New users are added to this group by default, name (string): Name of group, user_count (long, read-only): Number of users included in this group }Role { can (object, read-only): Operations the current user is able to perform on this object, id (long, read-only): Unique Id, name (string): Name of Role, permission_set (PermissionSet, read-only): (Read only) Permission set, permission_set_id (long): (Write-Only) Id of permission set, model_set (ModelSet, read-only): (Read only) Model set, model_set_id (long): (Write-Only) Id of model set, url (string, read-only): Link to get this item, users_url (string, read-only): Link to get list of users with this role }PermissionSet { can (object, read-only): Operations the current user is able to perform on this object, all_access (boolean, read-only), built_in (boolean, read-only), id (long, read-only): Unique Id, name (string): Name of PermissionSet, permissions (Array[string]), url (string, read-only): Link to get this item }ModelSet { can (object, read-only): Operations the current user is able to perform on this object, all_access (boolean, read-only), built_in (boolean, read-only), id (long, read-only): 
Unique Id, models (Array[string]), name (string): Name of ModelSet, url (string, read-only): Link to get this item }LDAPGroupRead { id (long, read-only): Unique Id, looker_group_id (long, read-only): Unique Id of group in Looker, looker_group_name (string, read-only): Name of group in Looker, name (string, read-only): Name of group in LDAP, roles (Array[Role], read-only): Looker Roles, url (string, read-only): Link to ldap config }LDAPGroupWrite { id (long): Unique Id, looker_group_id (long, read-only): Unique Id of group in Looker, looker_group_name (string): Name of group in Looker, name (string): Name of group in LDAP, role_ids (Array[long]): Looker Role Ids, url (string, read-only): Link to ldap config }LDAPUserAttributeRead { name (string, read-only): Name of User Attribute in LDAP, required (boolean, read-only): Required to be in LDAP assertion for login to be allowed to succeed, user_attributes (Array[UserAttribute], read-only): Looker User Attributes, url (string, read-only): Link to ldap config }UserAttribute { can (object, read-only): Operations the current user is able to perform on this object, id (long, read-only): Unique Id, name (string): Name of user attribute, label (string): Human-friendly label for user attribute, type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"), default_value (string): Default value for when no value is set on the user, is_system (boolean, read-only): Attribute is a system default, is_permanent (boolean, read-only): Attribute is permanent and cannot be deleted, value_is_hidden (boolean): If true, users will not be able to view values of this attribute, user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters, user_can_edit (boolean): Users can change the value of this attribute for themselves, hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited. 
}LDAPUserAttributeWrite { name (string): Name of User Attribute in LDAP, required (boolean): Required to be in LDAP assertion for login to be allowed to succeed, user_attribute_ids (Array[long]): Looker User Attribute Ids, url (string, read-only): Link to ldap config }
|
Response Messages
HTTP Status Code | Reason | Response Model |
---|---|---|
400 | Bad Request |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
404 | Not Found |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
422 | Validation Error |
ValidationError {
message (string, read-only, required): Error details, errors (Array[ValidationErrorDetail], read-only): Error detail array, documentation_url (string, read-only, required): Documentation link }
ValidationErrorDetail { field (string, read-only): Field with error, code (string, read-only): Error code, message (string, read-only): Error info message, documentation_url (string, read-only, required): Documentation link }
|
Test LDAP Auth
Implementation Notes
Test the connection authentication settings for an LDAP configuration.
This tests that the connection is possible and that a ‘server’ account to be used by Looker can authenticate to the LDAP server given connection and authentication information.
connection_host, connection_port, and auth_username are required. connection_tls and auth_password are optional.
Example:
{
  "connection_host": "ldap.example.com",
  "connection_port": "636",
  "connection_tls": true,
  "auth_username": "cn=looker,dc=example,dc=com",
  "auth_password": "secret"
}
Looker will never return an auth_password. If this request omits the auth_password field, then the auth_password value from the active config (if present) will be used for the test.
The active LDAP settings are not modified.
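One way to follow the test-before-update advice, as an added example (not Looker's own code): it derives the Test LDAP Connection and Test LDAP Auth bodies from a proposed LDAPConfig using the required and optional fields listed for each test, flags settings whose descriptions on this page imply a weaker login posture, and redacts the write-only secrets for logging. Function names and finding texts are assumptions of this example; the sample values are constructed.

```python
import copy

# Fields the LDAPConfig model marks as write-only secrets.
WRITE_ONLY_SECRETS = ("auth_password", "test_ldap_password")


def _subset(config, required, optional):
    """Copy only the fields a test endpoint documents; fail on missing ones."""
    missing = [k for k in required if not config.get(k)]
    if missing:
        raise ValueError("missing required field(s): " + ", ".join(missing))
    body = {k: config[k] for k in required}
    body.update({k: config[k] for k in optional if k in config})
    return body


def connection_test_body(config):
    """Body for Test LDAP Connection: host and port required, TLS optional."""
    return _subset(config, ("connection_host", "connection_port"),
                   ("connection_tls",))


def auth_test_body(config):
    """Body for Test LDAP Auth: adds auth_username (required) and auth_password."""
    return _subset(config,
                   ("connection_host", "connection_port", "auth_username"),
                   ("connection_tls", "auth_password"))


def audit(config):
    """Review notes derived from the field descriptions (example wording)."""
    findings = []
    if not config.get("connection_tls"):
        findings.append("connection_tls is off: LDAP traffic, including the "
                        "auth_username bind, is not protected by TLS")
    elif config.get("connection_tls_no_verify"):
        findings.append("connection_tls_no_verify is on: the LDAP server "
                        "certificate is not verified")
    if not config.get("auth_requires_role") and config.get("default_new_user_role_ids"):
        findings.append("auth_requires_role is off with default_new_user_role_ids "
                        "set: users with no role found in LDAP can log in and "
                        "receive the default roles")
    if config.get("merge_new_users_by_email"):
        findings.append("merge_new_users_by_email is on: first-time LDAP logins "
                        "attach to existing accounts with a matching email")
    return findings


def redact(config):
    """Copy of a config or test body with write-only secrets masked for logs."""
    safe = copy.deepcopy(config)
    for key in WRITE_ONLY_SECRETS:
        if key in safe:
            safe[key] = "[redacted]"
    return safe


def preflight(config):
    """Everything to review and send before updating the active configuration."""
    auth_body = auth_test_body(config)
    return {
        "findings": audit(config),
        "connection_test": connection_test_body(config),
        "auth_test": auth_body,
        # Without auth_password the test uses the password of the ACTIVE
        # config, so it does not exercise a newly proposed password.
        "auth_test_uses_stored_password": "auth_password" not in auth_body,
    }


if __name__ == "__main__":
    # Constructed proposal, reusing the sample values from this page.
    proposed = {
        "connection_host": "ldap.example.com",
        "connection_port": "636",
        "connection_tls": True,
        "connection_tls_no_verify": True,
        "auth_username": "cn=looker,dc=example,dc=com",
        "auth_password": "secret",
        "auth_requires_role": False,
        "default_new_user_role_ids": [2],
    }
    plan = preflight(proposed)
    for finding in plan["findings"]:
        print("REVIEW:", finding)
    print("connection test body:", plan["connection_test"])
    print("auth test body:", redact(plan["auth_test"]))
```
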
Response Class
LDAPConfigTestIssue {
LDAPUser {
Parameters
Parameter | Required? | Description | Parameter Type | Data Type |
---|---|---|---|---|
body | true | LDAP Config | body |
LDAPConfig {
can (object, read-only): Operations the current user is able to perform on this object, alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled., auth_password (string): (Write-Only) Password for the LDAP account used to access the LDAP server, auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in LDAP if set to true, auth_username (string): Distinguished name of LDAP account used to access the LDAP server, connection_host (string): LDAP server hostname, connection_port (string): LDAP host port, connection_tls (boolean): Use Transport Layer Security, connection_tls_no_verify (boolean): Do not verify peer when using TLS, default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via LDAP, default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via LDAP, default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via LDAP, default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via LDAP, enabled (boolean): Enable/Disable LDAP authentication for the server, force_no_page (boolean): Don't attempt to do LDAP search result paging (RFC 2696) even if the LDAP server claims to support it., groups (Array[LDAPGroupRead], read-only): (Read-only) Array of mappings between LDAP Groups and Looker Roles, groups_base_dn (string): Base dn for finding groups in LDAP searches, 
groups_finder_type (string): Identifier for a strategy for how Looker will search for groups in the LDAP server, groups_member_attribute (string): LDAP Group attribute that signifies the members of the groups. Most commonly 'member', groups_objectclasses (string): Optional comma-separated list of supported LDAP objectclass for groups when doing groups searches, groups_user_attribute (string): LDAP Group attribute that signifies the user in a group. Most commonly 'dn', groups_with_role_ids (Array[LDAPGroupWrite]): (Read/Write) Array of mappings between LDAP Groups and arrays of Looker Role ids, has_auth_password (boolean, read-only): (Read-only) Has the password been set for the LDAP account used to access the LDAP server, merge_new_users_by_email (boolean): Merge first-time ldap login to existing user account by email addresses. When a user logs in for the first time via ldap this option will connect this user into their existing account by finding the account with a matching email address. Otherwise a new user account will be created for the user., modified_at (string, read-only): When this config was last modified, modified_by (string, read-only): User id of user who last modified this config, set_roles_from_groups (boolean): Set user roles in Looker based on groups from LDAP, test_ldap_password (string): (Write-Only) Test LDAP user password. For ldap tests only., test_ldap_user (string): (Write-Only) Test LDAP user login id. 
For ldap tests only., user_attribute_map_email (string): Name of user record attributes used to indicate email address field, user_attribute_map_first_name (string): Name of user record attributes used to indicate first name, user_attribute_map_last_name (string): Name of user record attributes used to indicate last name, user_attribute_map_ldap_id (string): Name of user record attributes used to indicate unique record id, user_attributes (Array[LDAPUserAttributeRead], read-only): (Read-only) Array of mappings between LDAP User Attributes and Looker User Attributes, user_attributes_with_ids (Array[LDAPUserAttributeWrite]): (Read/Write) Array of mappings between LDAP User Attributes and arrays of Looker User Attribute ids, user_bind_base_dn (string): Distinguished name of LDAP node used as the base for user searches, user_custom_filter (string): (Optional) Custom RFC-2254 filter clause for use in finding user during login. Combined via 'and' with the other generated filter clauses., user_id_attribute_names (string): Name(s) of user record attributes used for matching user login id (comma separated list), user_objectclass (string): (Optional) Name of user record objectclass used for finding user during login id, allow_normal_group_membership (boolean): Allow LDAP auth'd users to be members of non-reflected Looker groups. 
If 'false', user will be removed from non-reflected groups on login., allow_roles_from_normal_groups (boolean): LDAP auth'd users will be able to inherit roles from non-reflected Looker groups., allow_direct_roles (boolean): Allows roles to be directly assigned to LDAP auth'd users., url (string, read-only): Link to get this item }Group { can (object, read-only): Operations the current user is able to perform on this object, can_add_to_content_metadata (boolean): Group can be used in content access controls, contains_current_user (boolean, read-only): Currently logged in user is group member, external_group_id (string, read-only): External Id group if embed group, externally_managed (boolean, read-only): Group membership controlled outside of Looker, id (long, read-only): Unique Id, include_by_default (boolean, read-only): New users are added to this group by default, name (string): Name of group, user_count (long, read-only): Number of users included in this group }Role { can (object, read-only): Operations the current user is able to perform on this object, id (long, read-only): Unique Id, name (string): Name of Role, permission_set (PermissionSet, read-only): (Read only) Permission set, permission_set_id (long): (Write-Only) Id of permission set, model_set (ModelSet, read-only): (Read only) Model set, model_set_id (long): (Write-Only) Id of model set, url (string, read-only): Link to get this item, users_url (string, read-only): Link to get list of users with this role }PermissionSet { can (object, read-only): Operations the current user is able to perform on this object, all_access (boolean, read-only), built_in (boolean, read-only), id (long, read-only): Unique Id, name (string): Name of PermissionSet, permissions (Array[string]), url (string, read-only): Link to get this item }ModelSet { can (object, read-only): Operations the current user is able to perform on this object, all_access (boolean, read-only), built_in (boolean, read-only), id (long, read-only): 
Unique Id, models (Array[string]), name (string): Name of ModelSet, url (string, read-only): Link to get this item }LDAPGroupRead { id (long, read-only): Unique Id, looker_group_id (long, read-only): Unique Id of group in Looker, looker_group_name (string, read-only): Name of group in Looker, name (string, read-only): Name of group in LDAP, roles (Array[Role], read-only): Looker Roles, url (string, read-only): Link to ldap config }LDAPGroupWrite { id (long): Unique Id, looker_group_id (long, read-only): Unique Id of group in Looker, looker_group_name (string): Name of group in Looker, name (string): Name of group in LDAP, role_ids (Array[long]): Looker Role Ids, url (string, read-only): Link to ldap config }LDAPUserAttributeRead { name (string, read-only): Name of User Attribute in LDAP, required (boolean, read-only): Required to be in LDAP assertion for login to be allowed to succeed, user_attributes (Array[UserAttribute], read-only): Looker User Attributes, url (string, read-only): Link to ldap config }UserAttribute { can (object, read-only): Operations the current user is able to perform on this object, id (long, read-only): Unique Id, name (string): Name of user attribute, label (string): Human-friendly label for user attribute, type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"), default_value (string): Default value for when no value is set on the user, is_system (boolean, read-only): Attribute is a system default, is_permanent (boolean, read-only): Attribute is permanent and cannot be deleted, value_is_hidden (boolean): If true, users will not be able to view values of this attribute, user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters, user_can_edit (boolean): Users can change the value of this attribute for themselves, hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited. 
}LDAPUserAttributeWrite { name (string): Name of User Attribute in LDAP, required (boolean): Required to be in LDAP assertion for login to be allowed to succeed, user_attribute_ids (Array[long]): Looker User Attribute Ids, url (string, read-only): Link to ldap config }
|
Response Messages
HTTP Status Code | Reason | Response Model |
---|---|---|
400 | Bad Request | Error { message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link } |
404 | Not Found | Error { message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link } |
422 | Validation Error | ValidationError { message (string, read-only, required): Error details, errors (Array[ValidationErrorDetail], read-only): Error detail array, documentation_url (string, read-only, required): Documentation link } ValidationErrorDetail { field (string, read-only): Field with error, code (string, read-only): Error code, message (string, read-only): Error info message, documentation_url (string, read-only, required): Documentation link } |
Test LDAP User Info
Implementation Notes
Test the user authentication settings for an LDAP configuration without authenticating the user.
This test will let you easily test the mapping for user properties and roles for any user without needing to authenticate as that user.
This test accepts a full LDAP configuration along with a username and attempts to find the full info for the user from the LDAP server without actually authenticating the user, so the user's password is not required. The configuration is validated before attempting to contact the server.
test_ldap_user is required.
The active LDAP settings are not modified.
Response Class
LDAPConfigTestIssue {
LDAPUser {
Parameters
Parameter | Required? | Description | Parameter Type | Data Type |
---|---|---|---|---|
body | true | LDAP Config | body |
LDAPConfig {
can (object, read-only): Operations the current user is able to perform on this object, alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled., auth_password (string): (Write-Only) Password for the LDAP account used to access the LDAP server, auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in LDAP if set to true, auth_username (string): Distinguished name of LDAP account used to access the LDAP server, connection_host (string): LDAP server hostname, connection_port (string): LDAP host port, connection_tls (boolean): Use Transport Layer Security, connection_tls_no_verify (boolean): Do not verify peer when using TLS, default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via LDAP, default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via LDAP, default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via LDAP, default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via LDAP, enabled (boolean): Enable/Disable LDAP authentication for the server, force_no_page (boolean): Don't attempt to do LDAP search result paging (RFC 2696) even if the LDAP server claims to support it., groups (Array[LDAPGroupRead], read-only): (Read-only) Array of mappings between LDAP Groups and Looker Roles, groups_base_dn (string): Base dn for finding groups in LDAP searches, 
groups_finder_type (string): Identifier for a strategy for how Looker will search for groups in the LDAP server, groups_member_attribute (string): LDAP Group attribute that signifies the members of the groups. Most commonly 'member', groups_objectclasses (string): Optional comma-separated list of supported LDAP objectclass for groups when doing groups searches, groups_user_attribute (string): LDAP Group attribute that signifies the user in a group. Most commonly 'dn', groups_with_role_ids (Array[LDAPGroupWrite]): (Read/Write) Array of mappings between LDAP Groups and arrays of Looker Role ids, has_auth_password (boolean, read-only): (Read-only) Has the password been set for the LDAP account used to access the LDAP server, merge_new_users_by_email (boolean): Merge first-time ldap login to existing user account by email addresses. When a user logs in for the first time via ldap this option will connect this user into their existing account by finding the account with a matching email address. Otherwise a new user account will be created for the user., modified_at (string, read-only): When this config was last modified, modified_by (string, read-only): User id of user who last modified this config, set_roles_from_groups (boolean): Set user roles in Looker based on groups from LDAP, test_ldap_password (string): (Write-Only) Test LDAP user password. For ldap tests only., test_ldap_user (string): (Write-Only) Test LDAP user login id. 
For ldap tests only., user_attribute_map_email (string): Name of user record attributes used to indicate email address field, user_attribute_map_first_name (string): Name of user record attributes used to indicate first name, user_attribute_map_last_name (string): Name of user record attributes used to indicate last name, user_attribute_map_ldap_id (string): Name of user record attributes used to indicate unique record id, user_attributes (Array[LDAPUserAttributeRead], read-only): (Read-only) Array of mappings between LDAP User Attributes and Looker User Attributes, user_attributes_with_ids (Array[LDAPUserAttributeWrite]): (Read/Write) Array of mappings between LDAP User Attributes and arrays of Looker User Attribute ids, user_bind_base_dn (string): Distinguished name of LDAP node used as the base for user searches, user_custom_filter (string): (Optional) Custom RFC-2254 filter clause for use in finding user during login. Combined via 'and' with the other generated filter clauses., user_id_attribute_names (string): Name(s) of user record attributes used for matching user login id (comma separated list), user_objectclass (string): (Optional) Name of user record objectclass used for finding user during login id, allow_normal_group_membership (boolean): Allow LDAP auth'd users to be members of non-reflected Looker groups. 
If 'false', user will be removed from non-reflected groups on login., allow_roles_from_normal_groups (boolean): LDAP auth'd users will be able to inherit roles from non-reflected Looker groups., allow_direct_roles (boolean): Allows roles to be directly assigned to LDAP auth'd users., url (string, read-only): Link to get this item }Group { can (object, read-only): Operations the current user is able to perform on this object, can_add_to_content_metadata (boolean): Group can be used in content access controls, contains_current_user (boolean, read-only): Currently logged in user is group member, external_group_id (string, read-only): External Id group if embed group, externally_managed (boolean, read-only): Group membership controlled outside of Looker, id (long, read-only): Unique Id, include_by_default (boolean, read-only): New users are added to this group by default, name (string): Name of group, user_count (long, read-only): Number of users included in this group }Role { can (object, read-only): Operations the current user is able to perform on this object, id (long, read-only): Unique Id, name (string): Name of Role, permission_set (PermissionSet, read-only): (Read only) Permission set, permission_set_id (long): (Write-Only) Id of permission set, model_set (ModelSet, read-only): (Read only) Model set, model_set_id (long): (Write-Only) Id of model set, url (string, read-only): Link to get this item, users_url (string, read-only): Link to get list of users with this role }PermissionSet { can (object, read-only): Operations the current user is able to perform on this object, all_access (boolean, read-only), built_in (boolean, read-only), id (long, read-only): Unique Id, name (string): Name of PermissionSet, permissions (Array[string]), url (string, read-only): Link to get this item }ModelSet { can (object, read-only): Operations the current user is able to perform on this object, all_access (boolean, read-only), built_in (boolean, read-only), id (long, read-only): 
Unique Id, models (Array[string]), name (string): Name of ModelSet, url (string, read-only): Link to get this item }LDAPGroupRead { id (long, read-only): Unique Id, looker_group_id (long, read-only): Unique Id of group in Looker, looker_group_name (string, read-only): Name of group in Looker, name (string, read-only): Name of group in LDAP, roles (Array[Role], read-only): Looker Roles, url (string, read-only): Link to ldap config }LDAPGroupWrite { id (long): Unique Id, looker_group_id (long, read-only): Unique Id of group in Looker, looker_group_name (string): Name of group in Looker, name (string): Name of group in LDAP, role_ids (Array[long]): Looker Role Ids, url (string, read-only): Link to ldap config }LDAPUserAttributeRead { name (string, read-only): Name of User Attribute in LDAP, required (boolean, read-only): Required to be in LDAP assertion for login to be allowed to succeed, user_attributes (Array[UserAttribute], read-only): Looker User Attributes, url (string, read-only): Link to ldap config }UserAttribute { can (object, read-only): Operations the current user is able to perform on this object, id (long, read-only): Unique Id, name (string): Name of user attribute, label (string): Human-friendly label for user attribute, type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"), default_value (string): Default value for when no value is set on the user, is_system (boolean, read-only): Attribute is a system default, is_permanent (boolean, read-only): Attribute is permanent and cannot be deleted, value_is_hidden (boolean): If true, users will not be able to view values of this attribute, user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters, user_can_edit (boolean): Users can change the value of this attribute for themselves, hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited. 
}LDAPUserAttributeWrite { name (string): Name of User Attribute in LDAP, required (boolean): Required to be in LDAP assertion for login to be allowed to succeed, user_attribute_ids (Array[long]): Looker User Attribute Ids, url (string, read-only): Link to ldap config }
|
Response Messages
HTTP Status Code | Reason | Response Model |
---|---|---|
400 | Bad Request | Error { message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link } |
404 | Not Found | Error { message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link } |
422 | Validation Error | ValidationError { message (string, read-only, required): Error details, errors (Array[ValidationErrorDetail], read-only): Error detail array, documentation_url (string, read-only, required): Documentation link } ValidationErrorDetail { field (string, read-only): Field with error, code (string, read-only): Error code, message (string, read-only): Error info message, documentation_url (string, read-only, required): Documentation link } |
Test LDAP User Auth
Implementation Notes
Test the user authentication settings for an LDAP configuration.
This test accepts a full LDAP configuration along with a username/password pair and attempts to authenticate the user with the LDAP server. The configuration is validated before attempting the authentication.
Looker will never return an auth_password. If this request omits the auth_password field, then the auth_password value from the active config (if present) will be used for the test.
test_ldap_user and test_ldap_password are required.
The active LDAP settings are not modified.
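The two LDAP test calls described above take the same LDAPConfig body but require different test fields. The sketch below is an added example, not Looker's own code: it builds that body from a previously fetched config, drops the fields the schema marks read-only, and reports transport settings worth fixing before a real password is sent. The function names and the sample config are hypothetical and constructed for illustration, and no HTTP request is made.

```python
import copy

# Fields the LDAPConfig schema on this page marks read-only.
READ_ONLY_FIELDS = frozenset({
    "can", "default_new_user_groups", "default_new_user_roles", "groups",
    "has_auth_password", "modified_at", "modified_by", "user_attributes", "url",
})

# Required test fields, as stated in the two Implementation Notes sections.
REQUIRED_BY_TEST = {
    "user_info": ("test_ldap_user",),
    "user_auth": ("test_ldap_user", "test_ldap_password"),
}

SECRET_FIELDS = ("auth_password", "test_ldap_password")

# Constructed sample of a config as it might be read back (no auth_password,
# because Looker never returns it). All values are placeholders.
SAMPLE_FETCHED_CONFIG = {
    "enabled": True,
    "connection_host": "ldap.example.test",
    "connection_port": "636",
    "connection_tls": True,
    "connection_tls_no_verify": True,
    "auth_username": "cn=looker,ou=svc,dc=example,dc=test",
    "has_auth_password": True,
    "user_bind_base_dn": "ou=people,dc=example,dc=test",
    "user_id_attribute_names": "uid",
    "modified_at": "2020-01-01T00:00:00Z",
    "modified_by": "1",
    "url": "https://looker.example.test/placeholder",
}


def build_test_body(fetched_config, test_kind, test_user,
                    test_password=None, auth_password=None):
    """Return a request body for the 'user_info' or 'user_auth' LDAP test."""
    if test_kind not in REQUIRED_BY_TEST:
        raise ValueError(f"unknown test kind: {test_kind!r}")
    body = {k: copy.deepcopy(v) for k, v in fetched_config.items()
            if k not in READ_ONLY_FIELDS}
    # Drop any stale secrets or test identity left over from a reused dict.
    for field in SECRET_FIELDS + ("test_ldap_user",):
        body.pop(field, None)
    body["test_ldap_user"] = test_user
    if test_kind == "user_auth":
        body["test_ldap_password"] = test_password
    # The info test needs no user password, so none is ever included for it.
    if auth_password is not None:
        body["auth_password"] = auth_password
    # Otherwise the key is omitted; for the auth test the page says the
    # active config's auth_password (if present) is then used.
    missing = [f for f in REQUIRED_BY_TEST[test_kind] if not body.get(f)]
    if missing:
        raise ValueError(f"{test_kind} test requires: {', '.join(missing)}")
    return body


def review_test_body(body, fetched_config):
    """List settings to fix before sending a body that carries credentials."""
    findings = []
    if not body.get("connection_tls"):
        findings.append("connection_tls is not enabled: the test connection "
                        "to the LDAP server is not protected by TLS")
    elif body.get("connection_tls_no_verify"):
        findings.append("connection_tls_no_verify is set: the LDAP server's "
                        "certificate is not verified")
    if "auth_password" not in body and not fetched_config.get("has_auth_password"):
        findings.append("no auth_password in the request and has_auth_password "
                        "is false: there is no stored password to fall back on")
    return findings


def redact(body):
    """Copy of the body that is safe to write to logs."""
    return {k: ("***" if k in SECRET_FIELDS else v) for k, v in body.items()}


if __name__ == "__main__":
    auth_body = build_test_body(SAMPLE_FETCHED_CONFIG, "user_auth",
                                "jdoe", "constructed-password")
    print(redact(auth_body))
    for finding in review_test_body(auth_body, SAMPLE_FETCHED_CONFIG):
        print("FINDING:", finding)
```
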
Response Class
LDAPConfigTestIssue {
LDAPUser {
Parameters
Parameter | Required? | Description | Parameter Type | Data Type |
---|---|---|---|---|
body | true | LDAP Config | body |
LDAPConfig {
can (object, read-only): Operations the current user is able to perform on this object, alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled., auth_password (string): (Write-Only) Password for the LDAP account used to access the LDAP server, auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in LDAP if set to true, auth_username (string): Distinguished name of LDAP account used to access the LDAP server, connection_host (string): LDAP server hostname, connection_port (string): LDAP host port, connection_tls (boolean): Use Transport Layer Security, connection_tls_no_verify (boolean): Do not verify peer when using TLS, default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via LDAP, default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via LDAP, default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via LDAP, default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via LDAP, enabled (boolean): Enable/Disable LDAP authentication for the server, force_no_page (boolean): Don't attempt to do LDAP search result paging (RFC 2696) even if the LDAP server claims to support it., groups (Array[LDAPGroupRead], read-only): (Read-only) Array of mappings between LDAP Groups and Looker Roles, groups_base_dn (string): Base dn for finding groups in LDAP searches, 
groups_finder_type (string): Identifier for a strategy for how Looker will search for groups in the LDAP server, groups_member_attribute (string): LDAP Group attribute that signifies the members of the groups. Most commonly 'member', groups_objectclasses (string): Optional comma-separated list of supported LDAP objectclass for groups when doing groups searches, groups_user_attribute (string): LDAP Group attribute that signifies the user in a group. Most commonly 'dn', groups_with_role_ids (Array[LDAPGroupWrite]): (Read/Write) Array of mappings between LDAP Groups and arrays of Looker Role ids, has_auth_password (boolean, read-only): (Read-only) Has the password been set for the LDAP account used to access the LDAP server, merge_new_users_by_email (boolean): Merge first-time ldap login to existing user account by email addresses. When a user logs in for the first time via ldap this option will connect this user into their existing account by finding the account with a matching email address. Otherwise a new user account will be created for the user., modified_at (string, read-only): When this config was last modified, modified_by (string, read-only): User id of user who last modified this config, set_roles_from_groups (boolean): Set user roles in Looker based on groups from LDAP, test_ldap_password (string): (Write-Only) Test LDAP user password. For ldap tests only., test_ldap_user (string): (Write-Only) Test LDAP user login id. 
For ldap tests only., user_attribute_map_email (string): Name of user record attributes used to indicate email address field, user_attribute_map_first_name (string): Name of user record attributes used to indicate first name, user_attribute_map_last_name (string): Name of user record attributes used to indicate last name, user_attribute_map_ldap_id (string): Name of user record attributes used to indicate unique record id, user_attributes (Array[LDAPUserAttributeRead], read-only): (Read-only) Array of mappings between LDAP User Attributes and Looker User Attributes, user_attributes_with_ids (Array[LDAPUserAttributeWrite]): (Read/Write) Array of mappings between LDAP User Attributes and arrays of Looker User Attribute ids, user_bind_base_dn (string): Distinguished name of LDAP node used as the base for user searches, user_custom_filter (string): (Optional) Custom RFC-2254 filter clause for use in finding user during login. Combined via 'and' with the other generated filter clauses., user_id_attribute_names (string): Name(s) of user record attributes used for matching user login id (comma separated list), user_objectclass (string): (Optional) Name of user record objectclass used for finding user during login id, allow_normal_group_membership (boolean): Allow LDAP auth'd users to be members of non-reflected Looker groups. 
If 'false', user will be removed from non-reflected groups on login., allow_roles_from_normal_groups (boolean): LDAP auth'd users will be able to inherit roles from non-reflected Looker groups., allow_direct_roles (boolean): Allows roles to be directly assigned to LDAP auth'd users., url (string, read-only): Link to get this item }Group { can (object, read-only): Operations the current user is able to perform on this object, can_add_to_content_metadata (boolean): Group can be used in content access controls, contains_current_user (boolean, read-only): Currently logged in user is group member, external_group_id (string, read-only): External Id group if embed group, externally_managed (boolean, read-only): Group membership controlled outside of Looker, id (long, read-only): Unique Id, include_by_default (boolean, read-only): New users are added to this group by default, name (string): Name of group, user_count (long, read-only): Number of users included in this group }Role { can (object, read-only): Operations the current user is able to perform on this object, id (long, read-only): Unique Id, name (string): Name of Role, permission_set (PermissionSet, read-only): (Read only) Permission set, permission_set_id (long): (Write-Only) Id of permission set, model_set (ModelSet, read-only): (Read only) Model set, model_set_id (long): (Write-Only) Id of model set, url (string, read-only): Link to get this item, users_url (string, read-only): Link to get list of users with this role }PermissionSet { can (object, read-only): Operations the current user is able to perform on this object, all_access (boolean, read-only), built_in (boolean, read-only), id (long, read-only): Unique Id, name (string): Name of PermissionSet, permissions (Array[string]), url (string, read-only): Link to get this item }ModelSet { can (object, read-only): Operations the current user is able to perform on this object, all_access (boolean, read-only), built_in (boolean, read-only), id (long, read-only): 
Unique Id, models (Array[string]), name (string): Name of ModelSet, url (string, read-only): Link to get this item }LDAPGroupRead { id (long, read-only): Unique Id, looker_group_id (long, read-only): Unique Id of group in Looker, looker_group_name (string, read-only): Name of group in Looker, name (string, read-only): Name of group in LDAP, roles (Array[Role], read-only): Looker Roles, url (string, read-only): Link to ldap config }LDAPGroupWrite { id (long): Unique Id, looker_group_id (long, read-only): Unique Id of group in Looker, looker_group_name (string): Name of group in Looker, name (string): Name of group in LDAP, role_ids (Array[long]): Looker Role Ids, url (string, read-only): Link to ldap config }LDAPUserAttributeRead { name (string, read-only): Name of User Attribute in LDAP, required (boolean, read-only): Required to be in LDAP assertion for login to be allowed to succeed, user_attributes (Array[UserAttribute], read-only): Looker User Attributes, url (string, read-only): Link to ldap config }UserAttribute { can (object, read-only): Operations the current user is able to perform on this object, id (long, read-only): Unique Id, name (string): Name of user attribute, label (string): Human-friendly label for user attribute, type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"), default_value (string): Default value for when no value is set on the user, is_system (boolean, read-only): Attribute is a system default, is_permanent (boolean, read-only): Attribute is permanent and cannot be deleted, value_is_hidden (boolean): If true, users will not be able to view values of this attribute, user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters, user_can_edit (boolean): Users can change the value of this attribute for themselves, hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited. 
}LDAPUserAttributeWrite { name (string): Name of User Attribute in LDAP, required (boolean): Required to be in LDAP assertion for login to be allowed to succeed, user_attribute_ids (Array[long]): Looker User Attribute Ids, url (string, read-only): Link to ldap config }
|
Response Messages
HTTP Status Code | Reason | Response Model |
---|---|---|
400 | Bad Request | Error { message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link } |
404 | Not Found | Error { message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link } |
422 | Validation Error | ValidationError { message (string, read-only, required): Error details, errors (Array[ValidationErrorDetail], read-only): Error detail array, documentation_url (string, read-only, required): Documentation link } ValidationErrorDetail { field (string, read-only): Field with error, code (string, read-only): Error code, message (string, read-only): Error info message, documentation_url (string, read-only, required): Documentation link } |
Get OIDC Configuration
Implementation Notes
Get the OIDC configuration.
Looker can be optionally configured to authenticate users against an OpenID Connect (OIDC) authentication server. OIDC setup requires coordination with an administrator of that server.
Only Looker administrators can read and update the OIDC configuration.
Configuring OIDC impacts authentication for all users. This configuration should be done carefully.
Looker maintains a single OIDC configuration. It can be read and updated. Updates only succeed if the new state will be valid (in the sense that all required fields are populated); it is up to you to ensure that the configuration is appropriate and correct.
OIDC is enabled or disabled for Looker using the enabled field.
Response Class
Group {
Role {
PermissionSet {
ModelSet {
OIDCGroupRead {
OIDCGroupWrite {
OIDCUserAttributeRead {
UserAttribute {
OIDCUserAttributeWrite {
Parameters
None
Response Messages
HTTP Status Code | Reason | Response Model |
---|---|---|
404 | Not Found | Error { message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link } |
Update OIDC Configuration
Implementation Notes
Update the OIDC configuration.
Configuring OIDC impacts authentication for all users. This configuration should be done carefully.
Only Looker administrators can read and update the OIDC configuration.
OIDC is enabled or disabled for Looker using the enabled field.
It is highly recommended that any OIDC setting changes be tested using the APIs below before being set globally.
Response Class
Group {
Role {
PermissionSet {
ModelSet {
OIDCGroupRead {
OIDCGroupWrite {
OIDCUserAttributeRead {
UserAttribute {
OIDCUserAttributeWrite {
Parameters
Parameter | Required? | Description | Parameter Type | Data Type |
---|---|---|---|---|
body | true | OIDC Config | body | OIDCConfig |
OIDCConfig {
  can (object, read-only): Operations the current user is able to perform on this object
  alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.
  audience (string): OpenID Provider Audience
  auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in OIDC if set to true
  authorization_endpoint (string): OpenID Provider Authorization Url
  default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via OIDC
  default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via OIDC
  default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via OIDC
  default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via OIDC
  enabled (boolean): Enable/Disable OIDC authentication for the server
  groups (Array[OIDCGroupRead], read-only): (Read-only) Array of mappings between OIDC Groups and Looker Roles
  groups_attribute (string): Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values'
  groups_with_role_ids (Array[OIDCGroupWrite]): (Read/Write) Array of mappings between OIDC Groups and arrays of Looker Role ids
  identifier (string): Relying Party Identifier (provided by OpenID Provider)
  issuer (string): OpenID Provider Issuer
  modified_at (date-time, read-only): When this config was last modified
  modified_by (long, read-only): User id of user who last modified this config
  new_user_migration_types (string): Merge first-time oidc login to existing user account by email addresses. When a user logs in for the first time via oidc this option will connect this user into their existing account by finding the account with a matching email address by testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma separated list of string like 'email,ldap,google'
  scopes (Array[string]): Array of scopes to request.
  secret (string): (Write-Only) Relying Party Secret (provided by OpenID Provider)
  set_roles_from_groups (boolean): Set user roles in Looker based on groups from OIDC
  test_slug (string, read-only): Slug to identify configurations that are created in order to run a OIDC config test
  token_endpoint (string): OpenID Provider Token Url
  user_attribute_map_email (string): Name of user record attributes used to indicate email address field
  user_attribute_map_first_name (string): Name of user record attributes used to indicate first name
  user_attribute_map_last_name (string): Name of user record attributes used to indicate last name
  user_attributes (Array[OIDCUserAttributeRead], read-only): (Read-only) Array of mappings between OIDC User Attributes and Looker User Attributes
  user_attributes_with_ids (Array[OIDCUserAttributeWrite]): (Read/Write) Array of mappings between OIDC User Attributes and arrays of Looker User Attribute ids
  userinfo_endpoint (string): OpenID Provider User Information Url
  allow_normal_group_membership (boolean): Allow OIDC auth'd users to be members of non-reflected Looker groups. If 'false', user will be removed from non-reflected groups on login.
  allow_roles_from_normal_groups (boolean): OIDC auth'd users will inherit roles from non-reflected Looker groups.
  allow_direct_roles (boolean): Allows roles to be directly assigned to OIDC auth'd users.
  url (string, read-only): Link to get this item
}
Group {
  can (object, read-only): Operations the current user is able to perform on this object
  can_add_to_content_metadata (boolean): Group can be used in content access controls
  contains_current_user (boolean, read-only): Currently logged in user is group member
  external_group_id (string, read-only): External Id group if embed group
  externally_managed (boolean, read-only): Group membership controlled outside of Looker
  id (long, read-only): Unique Id
  include_by_default (boolean, read-only): New users are added to this group by default
  name (string): Name of group
  user_count (long, read-only): Number of users included in this group
}
Role {
  can (object, read-only): Operations the current user is able to perform on this object
  id (long, read-only): Unique Id
  name (string): Name of Role
  permission_set (PermissionSet, read-only): (Read only) Permission set
  permission_set_id (long): (Write-Only) Id of permission set
  model_set (ModelSet, read-only): (Read only) Model set
  model_set_id (long): (Write-Only) Id of model set
  url (string, read-only): Link to get this item
  users_url (string, read-only): Link to get list of users with this role
}
PermissionSet {
  can (object, read-only): Operations the current user is able to perform on this object
  all_access (boolean, read-only)
  built_in (boolean, read-only)
  id (long, read-only): Unique Id
  name (string): Name of PermissionSet
  permissions (Array[string])
  url (string, read-only): Link to get this item
}
ModelSet {
  can (object, read-only): Operations the current user is able to perform on this object
  all_access (boolean, read-only)
  built_in (boolean, read-only)
  id (long, read-only): Unique Id
  models (Array[string])
  name (string): Name of ModelSet
  url (string, read-only): Link to get this item
}
OIDCGroupRead {
  id (long, read-only): Unique Id
  looker_group_id (long, read-only): Unique Id of group in Looker
  looker_group_name (string, read-only): Name of group in Looker
  name (string, read-only): Name of group in OIDC
  roles (Array[Role], read-only): Looker Roles
}
OIDCGroupWrite {
  id (long): Unique Id
  looker_group_id (long, read-only): Unique Id of group in Looker
  looker_group_name (string): Name of group in Looker
  name (string): Name of group in OIDC
  role_ids (Array[long]): Looker Role Ids
  can (object, read-only): Operations the current user is able to perform on this object
}
OIDCUserAttributeRead {
  name (string, read-only): Name of User Attribute in OIDC
  required (boolean, read-only): Required to be in OIDC assertion for login to be allowed to succeed
  user_attributes (Array[UserAttribute], read-only): Looker User Attributes
}
UserAttribute {
  can (object, read-only): Operations the current user is able to perform on this object
  id (long, read-only): Unique Id
  name (string): Name of user attribute
  label (string): Human-friendly label for user attribute
  type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode")
  default_value (string): Default value for when no value is set on the user
  is_system (boolean, read-only): Attribute is a system default
  is_permanent (boolean, read-only): Attribute is permanent and cannot be deleted
  value_is_hidden (boolean): If true, users will not be able to view values of this attribute
  user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters
  user_can_edit (boolean): Users can change the value of this attribute for themselves
  hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.
}
OIDCUserAttributeWrite {
  name (string): Name of User Attribute in OIDC
  required (boolean): Required to be in OIDC assertion for login to be allowed to succeed
  user_attribute_ids (Array[long]): Looker User Attribute Ids
  can (object, read-only): Operations the current user is able to perform on this object
}
Response Messages
HTTP Status Code | Reason | Response Model |
---|---|---|
400 | Bad Request | Error { message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link } |
404 | Not Found | Error { message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link } |
422 | Validation Error | ValidationError { message (string, read-only, required): Error details, errors (Array[ValidationErrorDetail], read-only): Error detail array, documentation_url (string, read-only, required): Documentation link } ValidationErrorDetail { field (string, read-only): Field with error, code (string, read-only): Error code, message (string, read-only): Error info message, documentation_url (string, read-only, required): Documentation link } |
Get OIDC Test Configuration
Implementation Notes
Get an OIDC test configuration by test_slug.
Response Class
Group, Role, PermissionSet, ModelSet, OIDCGroupRead, OIDCGroupWrite, OIDCUserAttributeRead, UserAttribute, OIDCUserAttributeWrite
Parameters
Parameter | Required? | Description | Parameter Type | Data Type |
---|---|---|---|---|
test_slug | true | Slug of test config | string | string |
Response Messages
HTTP Status Code | Reason | Response Model |
---|---|---|
404 | Not Found | Error { message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link } |
Delete OIDC Test Configuration
Implementation Notes
Delete an OIDC test configuration.
Response Class
None
Parameters
Parameter | Required? | Description | Parameter Type | Data Type |
---|---|---|---|---|
test_slug | true | Slug of test config | string | string |
Response Messages
HTTP Status Code | Reason | Response Model |
---|---|---|
400 | Bad Request | Error { message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link } |
404 | Not Found | Error { message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link } |
204 | Test config successfully deleted. | string |
Create OIDC Test Configuration
Implementation Notes
Create an OIDC test configuration.
Response Class
Group, Role, PermissionSet, ModelSet, OIDCGroupRead, OIDCGroupWrite, OIDCUserAttributeRead, UserAttribute, OIDCUserAttributeWrite
Parameters
Parameter | Required? | Description | Parameter Type | Data Type |
---|---|---|---|---|
body | true | OIDC test config | body | OIDCConfig |
Response Messages
HTTP Status Code | Reason | Response Model |
---|---|---|
400 | Bad Request | Error { message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link } |
404 | Not Found | Error { message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link } |
422 | Validation Error | ValidationError { message (string, read-only, required): Error details, errors (Array[ValidationErrorDetail], read-only): Error detail array, documentation_url (string, read-only, required): Documentation link } ValidationErrorDetail { field (string, read-only): Field with error, code (string, read-only): Error code, message (string, read-only): Error info message, documentation_url (string, read-only, required): Documentation link } |
Get Password Config
Implementation Notes
Get password config.
Response Class
Parameters
None
Response Messages
HTTP Status Code | Reason | Response Model |
---|---|---|
400 | Bad Request | Error { message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link } |
404 | Not Found | Error { message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link } |
Update Password Config
Implementation Notes
Update password config.
Response Class
Parameters
Parameter | Required? | Description | Parameter Type | Data Type |
---|---|---|---|---|
body | true | Password Config | body | PasswordConfig |
PasswordConfig {
  can (object, read-only): Operations the current user is able to perform on this object
  min_length (long): Minimum number of characters required for a new password. Must be between 7 and 100
  require_numeric (boolean): Require at least one numeric character
  require_upperlower (boolean): Require at least one uppercase and one lowercase letter
  require_special (boolean): Require at least one special character
}
Response Messages
HTTP Status Code | Reason | Response Model |
---|---|---|
400 | Bad Request | Error { message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link } |
404 | Not Found | Error { message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link } |
422 | Validation Error | ValidationError { message (string, read-only, required): Error details, errors (Array[ValidationErrorDetail], read-only): Error detail array, documentation_url (string, read-only, required): Documentation link } ValidationErrorDetail { field (string, read-only): Field with error, code (string, read-only): Error code, message (string, read-only): Error info message, documentation_url (string, read-only, required): Documentation link } |
429 | Too Many Requests | Error { message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link } |
Force password reset
Implementation Notes
Force all credentials_email users to reset their login passwords upon their next login.
Response Class
string
Parameters
None
Response Messages
HTTP Status Code | Reason | Response Model |
---|---|---|
400 | Bad Request | Error { message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link } |
404 | Not Found | Error { message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link } |
422 | Validation Error | ValidationError { message (string, read-only, required): Error details, errors (Array[ValidationErrorDetail], read-only): Error detail array, documentation_url (string, read-only, required): Documentation link } ValidationErrorDetail { field (string, read-only): Field with error, code (string, read-only): Error code, message (string, read-only): Error info message, documentation_url (string, read-only, required): Documentation link } |
429 | Too Many Requests | Error { message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link } |
Get SAML Configuration
Implementation Notes
Get the SAML configuration.
Looker can be optionally configured to authenticate users against a SAML authentication server. SAML setup requires coordination with an administrator of that server.
Only Looker administrators can read and update the SAML configuration.
Configuring SAML impacts authentication for all users. This configuration should be done carefully.
Looker maintains a single SAML configuration. It can be read and updated. Updates only succeed if the new state will be valid (in the sense that all required fields are populated); it is up to you to ensure that the configuration is appropriate and correct.
SAML is enabled or disabled for Looker using the enabled field.
Response Class
Role, PermissionSet, ModelSet, Group, SamlGroupRead, SamlGroupWrite, SamlUserAttributeRead, UserAttribute, SamlUserAttributeWrite
Parameters
None
Response Messages
HTTP Status Code | Reason | Response Model |
---|---|---|
404 | Not Found | Error { message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link } |
Update SAML Configuration
Implementation Notes
Update the SAML configuration.
Configuring SAML impacts authentication for all users. This configuration should be done carefully.
Only Looker administrators can read and update the SAML configuration.
SAML is enabled or disabled for Looker using the enabled field.
It is highly recommended that any SAML setting changes be tested using the APIs below before being set globally.
Response Class
Role, PermissionSet, ModelSet, Group, SamlGroupRead, SamlGroupWrite, SamlUserAttributeRead, UserAttribute, SamlUserAttributeWrite
Parameters
Parameter | Required? | Description | Parameter Type | Data Type |
---|---|---|---|---|
body | true | SAML Config | body | SamlConfig |
SamlConfig {
  can (object, read-only): Operations the current user is able to perform on this object
  enabled (boolean): Enable/Disable Saml authentication for the server
  idp_cert (string): Identity Provider Certificate (provided by IdP)
  idp_url (string): Identity Provider Url (provided by IdP)
  idp_issuer (string): Identity Provider Issuer (provided by IdP)
  idp_audience (string): Identity Provider Audience (set in IdP config). Optional in Looker. Set this only if you want Looker to validate the audience value returned by the IdP.
  allowed_clock_drift (long): Count of seconds of clock drift to allow when validating timestamps of assertions.
  user_attribute_map_email (string): Name of user record attributes used to indicate email address field
  user_attribute_map_first_name (string): Name of user record attributes used to indicate first name
  user_attribute_map_last_name (string): Name of user record attributes used to indicate last name
  new_user_migration_types (string): Merge first-time saml login to existing user account by email addresses. When a user logs in for the first time via saml this option will connect this user into their existing account by finding the account with a matching email address by testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma separated list of string like 'email,ldap,google'
  alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.
  test_slug (string, read-only): Slug to identify configurations that are created in order to run a Saml config test
  modified_at (string, read-only): When this config was last modified
  modified_by (string, read-only): User id of user who last modified this config
  default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via Saml
  default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via Saml
  default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via Saml
  default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via Saml
  set_roles_from_groups (boolean): Set user roles in Looker based on groups from Saml
  groups_attribute (string): Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values'
  groups (Array[SamlGroupRead], read-only): (Read-only) Array of mappings between Saml Groups and Looker Roles
  groups_with_role_ids (Array[SamlGroupWrite]): (Read/Write) Array of mappings between Saml Groups and arrays of Looker Role ids
  auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in Saml if set to true
  user_attributes (Array[SamlUserAttributeRead], read-only): (Read-only) Array of mappings between Saml User Attributes and Looker User Attributes
  user_attributes_with_ids (Array[SamlUserAttributeWrite]): (Read/Write) Array of mappings between Saml User Attributes and arrays of Looker User Attribute ids
  groups_finder_type (string): Identifier for a strategy for how Looker will find groups in the SAML response. One of ['grouped_attribute_values', 'individual_attributes']
  groups_member_value (string): Value for group attribute used to indicate membership. Used when 'groups_finder_type' is set to 'individual_attributes'
  bypass_login_page (boolean): Bypass the login page when user authentication is required. Redirect to IdP immediately instead.
  allow_normal_group_membership (boolean): Allow SAML auth'd users to be members of non-reflected Looker groups. If 'false', user will be removed from non-reflected groups on login.
  allow_roles_from_normal_groups (boolean): SAML auth'd users will inherit roles from non-reflected Looker groups.
  allow_direct_roles (boolean): Allows roles to be directly assigned to SAML auth'd users.
  url (string, read-only): Link to get this item
}
Role {
  can (object, read-only): Operations the current user is able to perform on this object
  id (long, read-only): Unique Id
  name (string): Name of Role
  permission_set (PermissionSet, read-only): (Read only) Permission set
  permission_set_id (long): (Write-Only) Id of permission set
  model_set (ModelSet, read-only): (Read only) Model set
  model_set_id (long): (Write-Only) Id of model set
  url (string, read-only): Link to get this item
  users_url (string, read-only): Link to get list of users with this role
}
PermissionSet {
  can (object, read-only): Operations the current user is able to perform on this object
  all_access (boolean, read-only)
  built_in (boolean, read-only)
  id (long, read-only): Unique Id
  name (string): Name of PermissionSet
  permissions (Array[string])
  url (string, read-only): Link to get this item
}
ModelSet {
  can (object, read-only): Operations the current user is able to perform on this object
  all_access (boolean, read-only)
  built_in (boolean, read-only)
  id (long, read-only): Unique Id
  models (Array[string])
  name (string): Name of ModelSet
  url (string, read-only): Link to get this item
}
Group {
  can (object, read-only): Operations the current user is able to perform on this object
  can_add_to_content_metadata (boolean): Group can be used in content access controls
  contains_current_user (boolean, read-only): Currently logged in user is group member
  external_group_id (string, read-only): External Id group if embed group
  externally_managed (boolean, read-only): Group membership controlled outside of Looker
  id (long, read-only): Unique Id
  include_by_default (boolean, read-only): New users are added to this group by default
  name (string): Name of group
  user_count (long, read-only): Number of users included in this group
}
SamlGroupRead {
  id (long, read-only): Unique Id
  looker_group_id (long, read-only): Unique Id of group in Looker
  looker_group_name (string, read-only): Name of group in Looker
  name (string, read-only): Name of group in Saml
  roles (Array[Role], read-only): Looker Roles
  url (string, read-only): Link to saml config
}
SamlGroupWrite {
  id (long): Unique Id
  looker_group_id (long, read-only): Unique Id of group in Looker
  looker_group_name (string): Name of group in Looker
  name (string): Name of group in Saml
  role_ids (Array[long]): Looker Role Ids
  url (string, read-only): Link to saml config
}
SamlUserAttributeRead {
  name (string, read-only): Name of User Attribute in Saml
  required (boolean, read-only): Required to be in Saml assertion for login to be allowed to succeed
  user_attributes (Array[UserAttribute], read-only): Looker User Attributes
  url (string, read-only): Link to saml config
}
UserAttribute {
  can (object, read-only): Operations the current user is able to perform on this object
  id (long, read-only): Unique Id
  name (string): Name of user attribute
  label (string): Human-friendly label for user attribute
  type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode")
  default_value (string): Default value for when no value is set on the user
  is_system (boolean, read-only): Attribute is a system default
  is_permanent (boolean, read-only): Attribute is permanent and cannot be deleted
  value_is_hidden (boolean): If true, users will not be able to view values of this attribute
  user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters
  user_can_edit (boolean): Users can change the value of this attribute for themselves
  hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited.
}
SamlUserAttributeWrite {
  name (string): Name of User Attribute in Saml
  required (boolean): Required to be in Saml assertion for login to be allowed to succeed
  user_attribute_ids (Array[long]): Looker User Attribute Ids
  url (string, read-only): Link to saml config
}
Response Messages
HTTP Status Code | Reason | Response Model |
---|---|---|
400 | Bad Request | Error { message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link } |
404 | Not Found | Error { message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link } |
422 | Validation Error | ValidationError { message (string, read-only, required): Error details, errors (Array[ValidationErrorDetail], read-only): Error detail array, documentation_url (string, read-only, required): Documentation link } ValidationErrorDetail { field (string, read-only): Field with error, code (string, read-only): Error code, message (string, read-only): Error info message, documentation_url (string, read-only, required): Documentation link } |
Get SAML Test Configuration
Implementation Notes
Get a SAML test configuration by test_slug.
Response Class
Role {
PermissionSet {
ModelSet {
Group {
SamlGroupRead {
SamlGroupWrite {
SamlUserAttributeRead {
UserAttribute {
SamlUserAttributeWrite {
Parameters
Parameter | Required? | Description | Parameter Type | Data Type |
---|---|---|---|---|
test_slug | true | Slug of test config | string | string |
Response Messages
HTTP Status Code | Reason | Response Model |
---|---|---|
404 | Not Found |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
Delete SAML Test Configuration
Implementation Notes
Delete a SAML test configuration.
Response Class
None
Parameters
Parameter | Required? | Description | Parameter Type | Data Type |
---|---|---|---|---|
test_slug | true | Slug of test config | string | string |
Response Messages
HTTP Status Code | Reason | Response Model |
---|---|---|
400 | Bad Request |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
404 | Not Found |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
204 | Test config successfully deleted. | string |
Create SAML Test Configuration
Implementation Notes
Create a SAML test configuration.
Response Class
Role {
PermissionSet {
ModelSet {
Group {
SamlGroupRead {
SamlGroupWrite {
SamlUserAttributeRead {
UserAttribute {
SamlUserAttributeWrite {
Parameters
Parameter | Required? | Description | Parameter Type | Data Type |
---|---|---|---|---|
body | true | SAML test config | body |
SamlConfig { can (object, read-only): Operations the current user is able to perform on this object, enabled (boolean): Enable/Disable Saml authentication for the server, idp_cert (string): Identity Provider Certificate (provided by IdP), idp_url (string): Identity Provider Url (provided by IdP), idp_issuer (string): Identity Provider Issuer (provided by IdP), idp_audience (string): Identity Provider Audience (set in IdP config). Optional in Looker. Set this only if you want Looker to validate the audience value returned by the IdP., allowed_clock_drift (long): Count of seconds of clock drift to allow when validating timestamps of assertions., user_attribute_map_email (string): Name of user record attributes used to indicate email address field, user_attribute_map_first_name (string): Name of user record attributes used to indicate first name, user_attribute_map_last_name (string): Name of user record attributes used to indicate last name, new_user_migration_types (string): Merge first-time saml login to existing user account by email addresses. When a user logs in for the first time via saml this option will connect this user into their existing account by finding the account with a matching email address by testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma separated list of string like 'email,ldap,google', alternate_email_login_allowed (boolean): Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled., test_slug (string, read-only): Slug to identify configurations that are created in order to run a Saml config test, modified_at (string, read-only): When this config was last modified, modified_by (string, read-only): User id of user who last modified this config, default_new_user_roles (Array[Role], read-only): (Read-only) Roles that will be applied to new users the first time they login via Saml, default_new_user_groups (Array[Group], read-only): (Read-only) Groups that will be applied to new users the first time they login via Saml, default_new_user_role_ids (Array[long]): (Write-Only) Array of ids of roles that will be applied to new users the first time they login via Saml, default_new_user_group_ids (Array[long]): (Write-Only) Array of ids of groups that will be applied to new users the first time they login via Saml, set_roles_from_groups (boolean): Set user roles in Looker based on groups from Saml, groups_attribute (string): Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values', groups (Array[SamlGroupRead], read-only): (Read-only) Array of mappings between Saml Groups and Looker Roles, groups_with_role_ids (Array[SamlGroupWrite]): (Read/Write) Array of mappings between Saml Groups and arrays of Looker Role ids, auth_requires_role (boolean): Users will not be allowed to login at all unless a role for them is found in Saml if set to true, user_attributes (Array[SamlUserAttributeRead], read-only): (Read-only) Array of mappings between Saml User Attributes and Looker User Attributes, user_attributes_with_ids (Array[SamlUserAttributeWrite]): (Read/Write) Array of mappings between Saml User Attributes and arrays of Looker User Attribute ids, groups_finder_type (string): Identifier for a strategy for how Looker will find groups in the SAML response. One of ['grouped_attribute_values', 'individual_attributes'], groups_member_value (string): Value for group attribute used to indicate membership. Used when 'groups_finder_type' is set to 'individual_attributes', bypass_login_page (boolean): Bypass the login page when user authentication is required. Redirect to IdP immediately instead., allow_normal_group_membership (boolean): Allow SAML auth'd users to be members of non-reflected Looker groups. If 'false', user will be removed from non-reflected groups on login., allow_roles_from_normal_groups (boolean): SAML auth'd users will inherit roles from non-reflected Looker groups., allow_direct_roles (boolean): Allows roles to be directly assigned to SAML auth'd users., url (string, read-only): Link to get this item }
Role { can (object, read-only): Operations the current user is able to perform on this object, id (long, read-only): Unique Id, name (string): Name of Role, permission_set (PermissionSet, read-only): (Read only) Permission set, permission_set_id (long): (Write-Only) Id of permission set, model_set (ModelSet, read-only): (Read only) Model set, model_set_id (long): (Write-Only) Id of model set, url (string, read-only): Link to get this item, users_url (string, read-only): Link to get list of users with this role }
PermissionSet { can (object, read-only): Operations the current user is able to perform on this object, all_access (boolean, read-only), built_in (boolean, read-only), id (long, read-only): Unique Id, name (string): Name of PermissionSet, permissions (Array[string]), url (string, read-only): Link to get this item }
ModelSet { can (object, read-only): Operations the current user is able to perform on this object, all_access (boolean, read-only), built_in (boolean, read-only), id (long, read-only): Unique Id, models (Array[string]), name (string): Name of ModelSet, url (string, read-only): Link to get this item }
Group { can (object, read-only): Operations the current user is able to perform on this object, can_add_to_content_metadata (boolean): Group can be used in content access controls, contains_current_user (boolean, read-only): Currently logged in user is group member, external_group_id (string, read-only): External Id group if embed group, externally_managed (boolean, read-only): Group membership controlled outside of Looker, id (long, read-only): Unique Id, include_by_default (boolean, read-only): New users are added to this group by default, name (string): Name of group, user_count (long, read-only): Number of users included in this group }
SamlGroupRead { id (long, read-only): Unique Id, looker_group_id (long, read-only): Unique Id of group in Looker, looker_group_name (string, read-only): Name of group in Looker, name (string, read-only): Name of group in Saml, roles (Array[Role], read-only): Looker Roles, url (string, read-only): Link to saml config }
SamlGroupWrite { id (long): Unique Id, looker_group_id (long, read-only): Unique Id of group in Looker, looker_group_name (string): Name of group in Looker, name (string): Name of group in Saml, role_ids (Array[long]): Looker Role Ids, url (string, read-only): Link to saml config }
SamlUserAttributeRead { name (string, read-only): Name of User Attribute in Saml, required (boolean, read-only): Required to be in Saml assertion for login to be allowed to succeed, user_attributes (Array[UserAttribute], read-only): Looker User Attributes, url (string, read-only): Link to saml config }
UserAttribute { can (object, read-only): Operations the current user is able to perform on this object, id (long, read-only): Unique Id, name (string): Name of user attribute, label (string): Human-friendly label for user attribute, type (string): Type of user attribute ("string", "number", "datetime", "yesno", "zipcode"), default_value (string): Default value for when no value is set on the user, is_system (boolean, read-only): Attribute is a system default, is_permanent (boolean, read-only): Attribute is permanent and cannot be deleted, value_is_hidden (boolean): If true, users will not be able to view values of this attribute, user_can_view (boolean): Non-admin users can see the values of their attributes and use them in filters, user_can_edit (boolean): Users can change the value of this attribute for themselves, hidden_value_domain_whitelist (string): Destinations to which a hidden attribute may be sent. Once set, cannot be edited. }
SamlUserAttributeWrite { name (string): Name of User Attribute in Saml, required (boolean): Required to be in Saml assertion for login to be allowed to succeed, user_attribute_ids (Array[long]): Looker User Attribute Ids, url (string, read-only): Link to saml config }
|
Response Messages
HTTP Status Code | Reason | Response Model |
---|---|---|
400 | Bad Request |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
404 | Not Found |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
422 | Validation Error |
ValidationError { message (string, read-only, required): Error details, errors (Array[ValidationErrorDetail], read-only): Error detail array, documentation_url (string, read-only, required): Documentation link }
ValidationErrorDetail { field (string, read-only): Field with error, code (string, read-only): Error code, message (string, read-only): Error info message, documentation_url (string, read-only, required): Documentation link }
|
Parse SAML IdP XML
Implementation Notes
Parse the given xml as a SAML IdP metadata document and return the result.
Response Class
Parameters
Parameter | Required? | Description | Parameter Type | Data Type |
---|---|---|---|---|
body | true | SAML IdP metadata xml | body | string |
Response Messages
HTTP Status Code | Reason | Response Model |
---|---|---|
400 | Bad Request |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
404 | Not Found |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
Parse SAML IdP Url
Implementation Notes
Fetch the given url and parse it as a SAML IdP metadata document and return the result.
Note that this requires that the url be public or at least at a location where the Looker instance can fetch it without requiring any special authentication.
Response Class
Parameters
Parameter | Required? | Description | Parameter Type | Data Type |
---|---|---|---|---|
body | true | SAML IdP metadata public url | body | string |
Response Messages
HTTP Status Code | Reason | Response Model |
---|---|---|
400 | Bad Request |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
404 | Not Found |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
Get Session Config
Implementation Notes
Get session config.
Response Class
Parameters
None
Response Messages
HTTP Status Code | Reason | Response Model |
---|---|---|
400 | Bad Request |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
404 | Not Found |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
Update Session Config
Implementation Notes
Update session config.
Response Class
Parameters
Parameter | Required? | Description | Parameter Type | Data Type |
---|---|---|---|---|
body | true | Session Config | body |
SessionConfig {
can (object, read-only): Operations the current user is able to perform on this object, allow_persistent_sessions (boolean): Allow users to have persistent sessions when they login, session_minutes (long): Number of minutes for user sessions. Must be between 5 and 43200, unlimited_sessions_per_user (boolean): Allow users to have an unbounded number of concurrent sessions (otherwise, users will be limited to only one session at a time)., use_inactivity_based_logout (boolean): Enforce session logout for sessions that are inactive for 15 minutes., track_session_location (boolean): Track location of session when user logs in. }
|
Response Messages
HTTP Status Code | Reason | Response Model |
---|---|---|
400 | Bad Request |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
404 | Not Found |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
422 | Validation Error |
ValidationError { message (string, read-only, required): Error details, errors (Array[ValidationErrorDetail], read-only): Error detail array, documentation_url (string, read-only, required): Documentation link }
ValidationErrorDetail { field (string, read-only): Field with error, code (string, read-only): Error code, message (string, read-only): Error info message, documentation_url (string, read-only, required): Documentation link }
|
429 | Too Many Requests |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
Get All User Login Lockouts
Implementation Notes
Get currently locked-out users.
Response Class
array
Parameters
Parameter | Required? | Description | Parameter Type | Data Type |
---|---|---|---|---|
fields | false | Include only these fields in the response | string | string |
Response Messages
HTTP Status Code | Reason | Response Model |
---|---|---|
400 | Bad Request |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
404 | Not Found |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
Search User Login Lockouts
Implementation Notes
Search currently locked-out users.
Response Class
array
Parameters
Parameter | Required? | Description | Parameter Type | Data Type |
---|---|---|---|---|
fields | false | Include only these fields in the response | string | string |
page | false | Return only page N of paginated results | integer | int64 |
per_page | false | Return N rows of data per page | integer | int64 |
sorts | false | Fields to sort by. | string | string |
auth_type | false | Auth type user is locked out for (email, ldap, totp, api) | string | string |
full_name | false | Match name | string | string |
email | false | Match email | string | string |
remote_id | false | Match remote LDAP ID | string | string |
filter_or | false | Combine given search criteria in a boolean OR expression | boolean | boolean |
Response Messages
HTTP Status Code | Reason | Response Model |
---|---|---|
400 | Bad Request |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
404 | Not Found |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
Delete User Login Lockout
Implementation Notes
Removes login lockout for the associated user.
Response Class
None
Parameters
Parameter | Required? | Description | Parameter Type | Data Type |
---|---|---|---|---|
key | true | The key associated with the locked user | string | string |
Response Messages
HTTP Status Code | Reason | Response Model |
---|---|---|
400 | Bad Request |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
404 | Not Found |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
429 | Too Many Requests |
Error {
message (string, read-only, required): Error details, documentation_url (string, read-only, required): Documentation link }
|
204 | Successfully deleted. | string |