Getting started with Looker

Best Practices

Documentation

Community

Training

Certification

Articles in this section

See more

Does revoking a user on the idP side affect the user in Looker? (Community)

Avatar
Looker Support
Follow

View the original community article here

Last tested: June 2021

No. Looker doesn't automatically keep track of whether the user has been revoked on the SAML/LDAP/OIDC/Google side. There is a request to Force all users to log out or Automatically recognize new SAML groups if mapping gets updated that you can add your vote through our feedback system.

So the user will just stay logged in??

Yes. Any users logged in will stay logged in for the remainder of their session (up to 30 days). Of course, once they log out of Looker or otherwise end their Looker session they won't be able to log back in. They will not be deleted or disabled by the Looker system.

Can I force the user to log out?

You can disable the user via the UI, which logs them out.

A robust workaround would be an API script that:

  1. Watches the IdP for when a user is revoked.

  2. Finds the Looker user corresponding to the IdP user, and their current session ID(s).

  3. Kill sessions for that user.

  4. Disables that user.

This content is subject to limited support.