
AndrasJ.16274 (Customer) asked a question.
Hi,
We are handling access to Looker via OKTA groups.
If a developer needs access to Looker, we add them via OKTA. OKTA groups are mirrored in Looker, and users are granted access almost immediately.
However, when we remove a user from OKTA (leaving the company, the team etc.) this change is not reflected in Looker, and the user still retains access there. We have to manually remove the user, once from the OKTA group and then from Looker.
Is there a way to ensure removing a user from the OKTA group is reflected in Looker?
Thanks!

Hi @AndrasJ.16274 (Customer), thank you for reaching out to the Okta Community!
I'm not familiar with the Looker app, but as far as I can see in the Okta Integrations Network catalog, it has two listings - one that just supports SWA/SAML and a custom Provisioning integration.
Without Provisioning support, automated downstream user deactivation might not be an option. Ideally you would have to check with the Service Provider to discuss support for this use case, but if you have an account with us, you can open a case (SuperAdmin/Case Admin permissions required) to review your Okta side configuration together with the Support Team to confirm capabilities and options.
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!
@AndrasJ.16274 (Customer) - Based on your description it sounds like you need to leverage Event Hooks to monitor for when changes (add/remove) happen to a specific group and take additional actions that are not available as part of your current provisioning process.
So assuming your current remediation process can be completed via API calls (You would want to test this ahead of time using something like cURL or Postman) you could leverage Okta Workflows (or build your own program to be the recipient of Event Hooks payloads) to perform additional processing when a user is removed/added from a specific group.
See Event Hook Filtering: https://developer.okta.com/docs/guides/event-hook-filtering/main/
This isn't an uncommon type of use case and it would look something like this:
Workflow -> Event Hook created to monitor for user removed from group. Filter is configured for the id of the specific group so only removals from that specific group would trigger the event hook.
Destination of Okta Workflows (API Endpoint). This would receive the Event Hook payload which triggers an execution of processing. Workflows could then be configured to perform your current manual remediation steps via API calls to Okta (or the third party) to finish the offboarding.
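A sketch of the "build your own program" option from the reply above, added here as an example and not code from any poster or from Okta: a framework-neutral receiver that answers Okta's one-time verification challenge, checks the secret header configured on the hook, and picks out users removed from one group. The secret, the group id and the `deprovision` callback (standing in for the existing manual Looker removal step) are assumptions.

```python
import hmac
import json

# Assumptions (not from the thread): the shared secret and group id below are
# constructed placeholders configured on the Event Hook by the administrator.
HOOK_SECRET = "example-shared-secret"
LOOKER_GROUP_ID = "00gEXAMPLEGROUPID"
REMOVE_EVENT = "group.user_membership.remove"


def removed_users(payload, group_id):
    """Return (okta_user_id, login) for each user removed from group_id."""
    found = []
    for event in payload.get("data", {}).get("events", []):
        if event.get("eventType") != REMOVE_EVENT:
            continue
        targets = event.get("target") or []
        groups = {t.get("id") for t in targets if t.get("type") == "UserGroup"}
        if group_id not in groups:
            continue  # removal from some other group: ignore it
        found += [(t.get("id"), t.get("alternateId"))
                  for t in targets if t.get("type") == "User"]
    return found


def handle_request(method, headers, body, deprovision):
    """Return (http_status, response_dict); deprovision is a hypothetical callback."""
    headers = {k.lower(): v for k, v in headers.items()}
    # Constant-time check of the secret header, so arbitrary callers cannot trigger removals.
    supplied = headers.get("authorization", "").encode()
    if not hmac.compare_digest(supplied, HOOK_SECRET.encode()):
        return 401, {"error": "unauthorized"}
    if method == "GET":
        # One-time verification: echo Okta's challenge header back as JSON.
        challenge = headers.get("x-okta-verification-challenge")
        if challenge is None:
            return 400, {"error": "missing challenge"}
        return 200, {"verification": challenge}
    try:
        payload = json.loads(body)
    except (TypeError, ValueError):
        payload = None
    if not isinstance(payload, dict):
        return 400, {"error": "invalid JSON"}
    users = removed_users(payload, LOOKER_GROUP_ID)
    for user_id, login in users:
        deprovision(user_id, login)
    return 200, {"deprovisioned": [login for _, login in users]}
```

The receiver re-checks the event type and group id even when an Event Hook filter is configured, so a misconfigured filter cannot cause removals for unrelated groups.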
Okta doesn't have a pre-built Looker SCIM integration, so you'll need to build a custom SCIM connector. Could try using Workflows, but either way it'll be a heavy lift. Might not be worth it.