View the original community article here
Last Tested: Jun 17, 2019
All SSO embed parameters can be found here!
nonce
is a value that identifies this request (16 character hexadecimal string). It shouldn’t be re-used (it’s a single sign-on) and should come from by a secure random number generator.time
is a timestamp to identify when the session begins.session_length
is how long a user should be authenticated (in seconds). Pick something reasonable (no more than 30 days)external_user_id
is Looker instance user ID of the user being authenticated - customers should be using a unique identifier for their users. This is how Looker maps SSO uri’s to actual Looker users. This is not the user id in Looker and can be a string.permissions
should be a grouping of Looker permissions, comma separated list of single quoted elementsmodels
is a group of models your user will have access to. Make sure they’re spelled correctly and in quotes.group_ids
: This is a list of the actual id of groups in Looker. You may leave this empty if you want to use the default for the instance, which isAll Users with Access to Shared Spaces
.external_group_id
: A unique identifier for the group the user belongs to in the application that is embedding Looker, if desired. Users who have permission to save content, and share an external group ID, will be able to save and edit content in a shared Looker Space called “Group”.user_attributes
: The list of user attributes the user should have, if any. Contains a list of user attribute names followed by the user attribute value. In JSON, ex: { "vendor_id" : 17, "company" : "acme"}access_filters:
this parameter is required, but it can contain an empty hash. As of Looker 3.10 that is our suggestion; user attributes are a superior way to achieve the same result.first_name
will be the first name of your authenticated Looker user, as displayed in Looker - if left blank, will retain the value from the last request, or be “Embed” if no first name has ever been set.last_name
will be the last name of your authenticated Looker user, as displayed in Looker - If left blank, will retain the value from the last request, or be “Embed” if no last name has ever been set.user_timezone
works if user-specific time zones are enabled, then you can set or update the user timezone hereforce_logout_login:
Either true or false. This only applies if a normal Looker user is logged into Looker already. In general, it is recommended to keep this set to true to avoid confusion arising from using an existing session instead of applying the parameters specified in the URL.signature
will be generated by your code. It is used by Looker to verify that the secret used to sign the request is valid and that the parameters that are present in the request are identical to those that were signed when the signature was generated.This content is subject to limited support.