Stay organized with collections
Save and categorize content based on your preferences.
Version 4.0.25.14 (latest)
Datatype
Description
(object)
object
can
lock
object
Operations the current user is able to perform on this object
enabled
boolean
Enable/Disable Saml authentication for the server
idp_cert
string
Identity Provider Certificate (provided by IdP)
idp_url
string
Identity Provider Url (provided by IdP)
idp_issuer
string
Identity Provider Issuer (provided by IdP)
idp_audience
string
Identity Provider Audience (set in IdP config). Optional in Looker. Set this only if you want Looker to validate the audience value returned by the IdP.
allowed_clock_drift
integer
Count of seconds of clock drift to allow when validating timestamps of assertions.
user_attribute_map_email
string
Name of user record attributes used to indicate email address field
user_attribute_map_first_name
string
Name of user record attributes used to indicate first name
user_attribute_map_last_name
string
Name of user record attributes used to indicate last name
new_user_migration_types
string
Merge first-time saml login to existing user account by email addresses. When a user logs in for the first time via saml this option will connect this user into their existing account by finding the account with a matching email address by testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma separated list of string like 'email,ldap,google'
alternate_email_login_allowed
boolean
Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.
test_slug
lock
string
Slug to identify configurations that are created in order to run a Saml config test
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-20 UTC."],[],[],null,["# SamlConfig\n\nVersion 4.0.25.14 (latest) \nDatatype \nDescription \n(object) \nobject \ncan \n*lock* \nobject \nOperations the current user is able to perform on this object \nenabled \nboolean \nEnable/Disable Saml authentication for the server \nidp_cert \nstring \nIdentity Provider Certificate (provided by IdP) \nidp_url \nstring \nIdentity Provider Url (provided by IdP) \nidp_issuer \nstring \nIdentity Provider Issuer (provided by IdP) \nidp_audience \nstring \nIdentity Provider Audience (set in IdP config). Optional in Looker. Set this only if you want Looker to validate the audience value returned by the IdP. \nallowed_clock_drift \ninteger \nCount of seconds of clock drift to allow when validating timestamps of assertions. \nuser_attribute_map_email \nstring \nName of user record attributes used to indicate email address field \nuser_attribute_map_first_name \nstring \nName of user record attributes used to indicate first name \nuser_attribute_map_last_name \nstring \nName of user record attributes used to indicate last name \nnew_user_migration_types \nstring \nMerge first-time saml login to existing user account by email addresses. When a user logs in for the first time via saml this option will connect this user into their existing account by finding the account with a matching email address by testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma separated list of string like 'email,ldap,google' \nalternate_email_login_allowed \nboolean \nAllow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled. \ntest_slug \n*lock* \nstring \nSlug to identify configurations that are created in order to run a Saml config test \nmodified_at \n*lock* \nstring \nWhen this config was last modified \nmodified_by \n*lock* \nstring \nUser id of user who last modified this config \ndefault_new_user_roles \n[Role](/looker/docs/reference/looker-api/latest/types/Role)\\[\\] \nExpand Role definition... \ncan \n*lock* \nobject \nOperations the current user is able to perform on this object \nid \n*lock* \nstring \nUnique Id \nname \nstring \nName of Role \npermission_set \n*lock* \n[PermissionSet](/looker/docs/reference/looker-api/latest/types/PermissionSet) \n(Read only) Permission set\nExpand PermissionSet definition... \ncan \n*lock* \nobject \nOperations the current user is able to perform on this object \nall_access \n*lock* \nboolean \nbuilt_in \n*lock* \nboolean \nid \n*lock* \nstring \nUnique Id \nname \nstring \nName of PermissionSet \npermissions \nstring\\[\\] \nurl \n*lock* \nstring \nLink to get this item \npermission_set_id \nstring \n(Write-Only) Id of permission set \nmodel_set \n*lock* \n[ModelSet](/looker/docs/reference/looker-api/latest/types/ModelSet) \n(Read only) Model set\nExpand ModelSet definition... \ncan \n*lock* \nobject \nOperations the current user is able to perform on this object \nall_access \n*lock* \nboolean \nbuilt_in \n*lock* \nboolean \nid \n*lock* \nstring \nUnique Id \nmodels \nstring\\[\\] \nname \nstring \nName of ModelSet \nurl \n*lock* \nstring \nLink to get this item \nmodel_set_id \nstring \n(Write-Only) Id of model set \nurl \n*lock* \nstring \nLink to get this item \nusers_url \n*lock* \nstring \nLink to get list of users with this role \ndefault_new_user_groups \n[Group](/looker/docs/reference/looker-api/latest/types/Group)\\[\\] \nExpand Group definition... \ncan \n*lock* \nobject \nOperations the current user is able to perform on this object \ncan_add_to_content_metadata \nboolean \nGroup can be used in content access controls \ncontains_current_user \n*lock* \nboolean \nCurrently logged in user is group member \nexternal_group_id \n*lock* \nstring \nExternal Id group if embed group \nexternally_managed \n*lock* \nboolean \nGroup membership controlled outside of Looker \nid \n*lock* \nstring \nUnique Id \ninclude_by_default \n*lock* \nboolean \nNew users are added to this group by default \nname \nstring \nName of group \nuser_count \n*lock* \ninteger \nNumber of users included in this group \ndefault_new_user_role_ids \nstring\\[\\] \ndefault_new_user_group_ids \nstring\\[\\] \nset_roles_from_groups \nboolean \nSet user roles in Looker based on groups from Saml \ngroups_attribute \nstring \nName of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values' \ngroups \n[SamlGroupRead](/looker/docs/reference/looker-api/latest/types/SamlGroupRead)\\[\\] \nExpand SamlGroupRead definition... \nid \n*lock* \nstring \nUnique Id \nlooker_group_id \n*lock* \nstring \nUnique Id of group in Looker \nlooker_group_name \n*lock* \nstring \nName of group in Looker \nname \n*lock* \nstring \nName of group in Saml \nroles \n[Role](/looker/docs/reference/looker-api/latest/types/Role)\\[\\] \nExpand Role definition... \ncan \n*lock* \nobject \nOperations the current user is able to perform on this object \nid \n*lock* \nstring \nUnique Id \nname \nstring \nName of Role \npermission_set \n*lock* \n[PermissionSet](/looker/docs/reference/looker-api/latest/types/PermissionSet) \n(Read only) Permission set \npermission_set_id \nstring \n(Write-Only) Id of permission set \nmodel_set \n*lock* \n[ModelSet](/looker/docs/reference/looker-api/latest/types/ModelSet) \n(Read only) Model set \nmodel_set_id \nstring \n(Write-Only) Id of model set \nurl \n*lock* \nstring \nLink to get this item \nusers_url \n*lock* \nstring \nLink to get list of users with this role \nurl \n*lock* \nstring \nLink to saml config \ngroups_with_role_ids \n[SamlGroupWrite](/looker/docs/reference/looker-api/latest/types/SamlGroupWrite)\\[\\] \nExpand SamlGroupWrite definition... \nid \nstring \nUnique Id \nlooker_group_id \n*lock* \nstring \nUnique Id of group in Looker \nlooker_group_name \nstring \nName of group in Looker \nname \nstring \nName of group in Saml \nrole_ids \nstring\\[\\] \nurl \n*lock* \nstring \nLink to saml config \nauth_requires_role \nboolean \nUsers will not be allowed to login at all unless a role for them is found in Saml if set to true \nuser_attributes \n[SamlUserAttributeRead](/looker/docs/reference/looker-api/latest/types/SamlUserAttributeRead)\\[\\] \nExpand SamlUserAttributeRead definition... \nname \n*lock* \nstring \nName of User Attribute in Saml \nrequired \n*lock* \nboolean \nRequired to be in Saml assertion for login to be allowed to succeed \nuser_attributes \n[UserAttribute](/looker/docs/reference/looker-api/latest/types/UserAttribute)\\[\\] \nExpand UserAttribute definition... \ncan \n*lock* \nobject \nOperations the current user is able to perform on this object \nid \n*lock* \nstring \nUnique Id \nname \nstring \nName of user attribute \nlabel \nstring \nHuman-friendly label for user attribute \ntype \nstring \nType of user attribute (\"string\", \"number\", \"datetime\", \"yesno\", \"zipcode\", \"advanced_filter_string\", \"advanced_filter_number\") \ndefault_value \nstring \nDefault value for when no value is set on the user \nis_system \n*lock* \nboolean \nAttribute is a system default \nis_permanent \n*lock* \nboolean \nAttribute is permanent and cannot be deleted \nvalue_is_hidden \nboolean \nIf true, users will not be able to view values of this attribute \nuser_can_view \nboolean \nNon-admin users can see the values of their attributes and use them in filters \nuser_can_edit \nboolean \nUsers can change the value of this attribute for themselves \nhidden_value_domain_whitelist \nstring \nDestinations to which a hidden attribute may be sent. Once set, cannot be edited. \nurl \n*lock* \nstring \nLink to saml config \nuser_attributes_with_ids \n[SamlUserAttributeWrite](/looker/docs/reference/looker-api/latest/types/SamlUserAttributeWrite)\\[\\] \nExpand SamlUserAttributeWrite definition... \nname \nstring \nName of User Attribute in Saml \nrequired \nboolean \nRequired to be in Saml assertion for login to be allowed to succeed \nuser_attribute_ids \nstring\\[\\] \nurl \n*lock* \nstring \nLink to saml config \ngroups_finder_type \nstring \nIdentifier for a strategy for how Looker will find groups in the SAML response. One of \\['grouped_attribute_values', 'individual_attributes'\\] \ngroups_member_value \nstring \nValue for group attribute used to indicate membership. Used when 'groups_finder_type' is set to 'individual_attributes' \nbypass_login_page \nboolean \nBypass the login page when user authentication is required. Redirect to IdP immediately instead. \nallow_normal_group_membership \nboolean \nAllow SAML auth'd users to be members of non-reflected Looker groups. If 'false', user will be removed from non-reflected groups on login. \nallow_roles_from_normal_groups \nboolean \nSAML auth'd users will inherit roles from non-reflected Looker groups. \nallow_direct_roles \nboolean \nAllows roles to be directly assigned to SAML auth'd users. \nurl \n*lock* \nstring \nLink to get this item\n\nRelated Methods\n---------------\n\n- [Auth/saml_config](../methods/Auth/saml_config \"Auth/saml_config\")\n- [Auth/update_saml_config](../methods/Auth/update_saml_config \"Auth/update_saml_config\")\n- [Auth/saml_test_config](../methods/Auth/saml_test_config \"Auth/saml_test_config\")\n- [Auth/create_saml_test_config](../methods/Auth/create_saml_test_config \"Auth/create_saml_test_config\")"]]
