Note: Alternate login is not available forLooker (Google Cloud core). By default, the backup authentication method for Looker (Google Cloud core) isOAuth.

Looker can authenticate users using one of several authentication server types, such asGoogle OAuth,LDAP,SAML, orOpenID Connect. Enabling any of these authentication methods will disable other authentication systems, such as email and password.

Looker admins can give a user an alternate login option that uses their email address if the user has either an Adminrole or thelogin_special_email permission.

Enabling alternate login on the Looker instance

Before you can enable the alternate login option for a user, the Looker instance must be configured to accept email credentials:

1. Navigate to theAuthentication section of theAdmin panel, and select the currently enabled authentication type,Google OAuth,LDAP,SAML, orOpenID Connect.
2. In theMigration Options section, enable theAlternate login for admins and specified users toggle.

Granting the user permission to use alternate login

Only users with the Admin role or thelogin_special_email permission may use alternate login. One way to grant thelogin_special_email permission to a non-admin user is to create a new role that contains that permission and then assign that role to the user, as follows:

1. Navigate to theRoles page, located under theUsers section in theAdmin panel.
2. Click theNew Permission Set button.
3. Enter a name for the new permission set, for example,Alternate Login.
4. Select the box labeledlogin_special_email.
5. ClickNew Permission Set.
6. ClickNew Role.
7. Enter a name for the new role, such asAlternate Login Role.
8. In thePermission Set list, select your new permission set from the list.
9. In theModel Set list, selectAll.
10. In theUsers list, select the user who is to be granted the alternate login permission.
11. Click theNew Role button to save the new role.
12. ClickConfirm.

Creating email credentials for the user

Once the user has been granted permission to use email credentials, the next step is to create the credentials. To create email credentials, a Looker admin can either use theLooker API to make aPOST request or use theLooker API SDK in the programming language of the admin's choice.

Making a POST request to the Looker API

Because of its manual nature, this is a better method to use when you have only a limited number of users for whom you want to set up the alternate login option.

This example uses acurl command to make aPOST request to thecreate_user_credentials_email API endpoint using a temporary access token:

1. To generate the temporary token (ACCESS_TOKEN), follow theAuthentication without an SDK instructions on theLooker API authentication documentation page.

2. Using this temporary token in the authorization header, send aPOST request to the Looker API using the user'suser_id, and include their email in the body of the request.

   curl -H "Authorization: token ACCESS_TOKEN" -H 'Content-Type: application/json' -X POST -d '{ "email": "example_name@example_email.com" }' https://<instance_name<.api.looker.com/api/4.0/users/{user_id}/credentials_email

3. On theUsers page in theAdmin panel, find the user account and clickEdit.

4. Click theSend reset link button. This will send an email to the email address you specified in yourPOST request.

To use the alternate login method, when the user logs in to Looker they will need to click theAlternate Login link and then enter their name and email address. They can still authenticate using their OAuth, LDAP, SAML, or OpenID Connect credentials through theAuthenticate button.

Using the Looker API SDK

Rather than going through the manual steps of making requests directly to the Looker API, you can instead use a Looker-provided SDK to interact with the API in a programming language of your choice. After you have imported the Looker API SDK and established a client connection, follow these steps:

1. Use thecreate_user_credentials_email(user_id, body) function, inserting theuser_id andbody as specified in theLooker API documentation. You can follow a similar example from this Looker Community post aboutautomatically provisioning users with the Looker API.
2. Once the user accounts have been updated using the SDK method, on theUsers page in theAdmin panel, find the user account and clickEdit.
3. Click theSend reset link button. This will send an email to the email address you specified in yourPOST request.

To use the alternate login method, when the user logs in to Looker, they will need to click theAlternate Login link and then enter their name and email address. They can still authenticate using their OAuth, LDAP, SAML, or OpenID Connect credentials through theAuthenticate button.