Set up Looker to connect to databases through Cyral
You can set up Cyral to allow secure SSO connections to your repositories from Looker users. When these users connect, a service account establishes the connection to the data repository. Cyral's service account resolution tracks the SSO end user's identity, disambiguating it from the common identity of the service account.
In the steps below, you’ll set up one or more service accounts that your Looker users can use to connect to a repository, and you’ll configure Cyral and Looker to resolve the SSO username and group when the service account is used.
- Set up Azure AD or Okta SSO for the repository.
- Set up the SCIM integration between Cyral and your identity provider (Azure AD or Okta)
In the Cyral control plane UI, go to Data Repos ➡️ choose your repository ➡️ Apps and BI Tools.
Click Register Database Account
In the Register Database Account wizard, provide the Database account name and click Next.
This account name must match an existing account on the database to which you're connecting. Connections via Looker will use this service account to connect, and Cyral's SSO capability will track the actual SSO user identity associated with each session.
Click Looker and click Next.
If you want to track users' group affiliations and write access policies based on groups, turn ON Retrieve SSO group membership for users accessing data through this application.
Below the checkbox, you can see the identity provider(s) (IdP) that will provide group information.
If you haven't set up SSO or SCIM for the repo, click the Configure IdP Integration or Configure SCIM button to set it up now.
The Cyral UI displays instructions for configuring the database connection in Looker. Open a new browser tab and log in to your Looker dashboard. Follow Cyral's on-screen instructions, also shown here:
- In Looker, select the Admin tab and navigate to Database ➡️ Connections.
- In Looker's Connection Settings, edit the database connection for this service account:
- Copy the Remote Host and Port values shown in the Cyral UI and paste them into the Connection Settings panel of your connection in Looker.
- Copy the Additional Params value from the Cyral UI and add it as a connection parameter in your connection in Looker.
- In Looker, click Update Connection to save your changes.
In the Cyral UI, click the "I've configured" checkbox and click Next.
Provide a name for your application and click Register. This name will be logged to identify user sessions initiated through this database account.
Your setup is complete. SSO users can start connecting to the repository via Looker, and Cyral will secure and monitor the connection, attributing each action to the responsible SSO user.
Handle persistent derived tables in Looker
If your Looker configuration uses persistent derived tables (PDT), follow these steps to ensure that your PDT process continues to run successfully.
In Looker, select the Admin tab and navigate to Database ➡️ Connections.
Edit the database connection for
In the PDT Overrides column, make sure the Additional Params field contains no user attributes, as shown in the example below.
In Looker, click Update Connection to save your changes.