Single Sign-On (SSO) Embedding Looker Content in Web Application

Shashank Tripathi
Google Cloud - Community
Feb 8, 2023

Introduction:

In the previous blog of this series, ‘Public and Private Embedding Looker Content in Web Application,’ we discussed Public and Private Embedding in Looker and their advantages and disadvantages. In this article, we focus on Single Sign-On (SSO) Embedding: how to generate the signed URL, and the advantages and disadvantages of SSO Embedding. SSO Embedding is generally preferred when you want your host application to control user authentication and authorization.

Prerequisites:

To work with embedding in Looker, you should have some experience integrating a frontend application with a backend. SSO Embedding requires a Looker instance with Admin access. The Looker admin needs to enable the embed option in the administration panel to make it available to users.

Generating the Signed URL using the Embed Secret Key

We will cover the steps needed to generate the secret key, build the embed URL, and test the generated URL:

Step 1: Generating Looker’s Secret Key:

In order to validate that the SSO embedding request is legitimate and hasn’t been forged by someone else, you’ll first need to generate an “embed secret”. To do so:

  1. In the left corner, under the ‘Admin’ section, search for ‘Platform’ under ‘Find a setting’, then click the Embed page.
  2. Select Enabled from the Embed SSO Authentication drop-down, and then click Update.
  3. Click the Reset Secret button to generate your embed secret. Be sure to copy this secret to a secure location, because you will not be able to retrieve it from Looker again without resetting it. Resetting the key will break any embeds that used the old key.

Note: Anyone with access to the secret key may create a URL to access any model that the Looker instance is connected to, as any user, with any permission. Disable the SSO Embedding option if you’re not using it.


Step 2: Building the Embed URL:

Building the proper URL requires you to write code that encodes the URL with your secret key.

  • Copy the secret to a secure location, because you will not be able to retrieve it from Looker again without resetting it, and resetting the key will break any embeds that use the old key.

Note: We can build an SSO URL using a Python script. Python is used as the example language here, but you can use whatever language you are most comfortable with. Looker has public scripts available for a variety of languages.

For reference, refer to the repository below:

Follow the steps below to create the embed SSO URL:

  • First, create a blank file for your script (in this case, name it python_example.py), then copy the Looker embed SSO script and paste the code into the file you’ve just created.
  • Now you just need to edit the URL data section of the code.
  • Enter the host of your Looker instance without the HTTPS.
  • Copy and paste the embed secret generated in previous steps.
  • nonce : Any random string you like, but it cannot be repeated within an hour and must be less than 255 characters. This prevents an attacker from re-submitting a legitimate user’s URL to gather information they shouldn’t have.
  • time: The current time as a UNIX timestamp.
  • permission: The list of permissions the user should have.
  • models: The list of model names the user should have access to.
  • external_user_id: Any random ID you would like to give.
  • external_group_id: The external group ID is a unique identifier for the group the user belongs to and the application that is embedding Looker. The external_group_id will create a folder where the users with the same ID can share content.
  • access_filter: Add any user attributes or access filters a user should have. In this case, we will leave this parameter blank.
  • session_length: It is pre-defined and doesn’t need to be changed unless you’d like to.
  • embed_url: Finally, the embed URL for the content you’re embedding is added here; this embed URL was generated in previous steps.
  • force_logout_login: If set to true and a normal user is already logged in to Looker and views an SSO embedded item, they can view the item with their current credentials.
  • Save the changes and run the Python script. The script will generate the URL; paste the URL from the script output into your browser and you’re done.

An SSO embed URL has the following format:

https://Host/login/embed/Embed_Url?Parameters&Signature=Signature
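
The following is an added example, not Looker's script and not code from the original article, showing how a backend can assemble and sign a URL of this shape from the parameters listed above. The HMAC-SHA1 construction and the signed-field order are given as they appear in Looker's public example scripts to the best of the editor's knowledge (an assumption to confirm against the official script); the host, secret, user values, the 900-second default and the `sign`/`build_sso_url` names are hypothetical.

```python
import base64, hashlib, hmac, json, os, secrets, time
from urllib.parse import quote_plus, urlencode

# Signed-field order as in Looker's public example scripts (assumption:
# confirm against the official script for your Looker version).
SIGNED_FIELDS = ("nonce", "time", "session_length", "external_user_id",
                 "permissions", "models", "group_ids", "external_group_id",
                 "user_attributes", "access_filters")

def sign(secret, host, path, params):
    """Base64 HMAC-SHA1 over host, path and the JSON-encoded signed fields."""
    to_sign = "\n".join([host, path] + [params[f] for f in SIGNED_FIELDS])
    mac = hmac.new(secret.encode(), to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def build_sso_url(secret, host, embed_url, user, session_length=900,
                  nonce=None, now=None):
    """Return a signed SSO embed URL; nonce/now are injectable for testing."""
    nonce = nonce or secrets.token_hex(16)  # fresh and unpredictable per URL
    if len(nonce) >= 255:
        raise ValueError("nonce must be less than 255 characters")
    values = {
        "nonce": nonce,
        "time": int(time.time() if now is None else now),
        "session_length": session_length,
        "external_user_id": user["external_user_id"],
        "permissions": user["permissions"],
        "models": user["models"],
        "group_ids": user.get("group_ids", []),
        "external_group_id": user.get("external_group_id", ""),
        "user_attributes": user.get("user_attributes", {}),
        "access_filters": user.get("access_filters", {}),
    }
    params = {k: json.dumps(v) for k, v in values.items()}  # all values JSON
    path = "/login/embed/" + quote_plus(embed_url)
    params["signature"] = sign(secret, host, path, params)
    params["force_logout_login"] = json.dumps(True)  # sent, not signed
    return "https://" + host + path + "?" + urlencode(params)

if __name__ == "__main__":
    # Constructed sample values; the secret is read from the environment,
    # never from source control or anything shipped to the browser.
    demo_user = {"external_user_id": "user-42", "external_group_id": "team-a",
                 "permissions": ["access_data", "see_looks"],
                 "models": ["sample_model"]}
    key = os.environ.get("LOOKER_EMBED_SECRET", "placeholder-secret")
    print(build_sso_url(key, "looker.example.com", "/embed/looks/1", demo_user))
```

Because the permissions and models are covered by the signature, changing them in the URL after signing invalidates it; only code holding the embed secret can grant access, which is why the signing must stay on the server.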

You can find more detail on the parameters at this link, which lists the options that can be passed when generating the URL. The list is long; check which parameters your use case needs when generating the URL.

Step 3: Testing the Embed URL

To test your final URL, paste it into the Embed URI Validator on the Embed page of Looker’s Admin section. While this option can’t tell you if the data and permissions you envision have been set up correctly, it can validate that your authentication is working properly.

Note: This setting is only revealed if the Embed Secret has been set.

After generating a URL for Looker’s Single Sign-on Embedding feature, you can test the URL by pasting it in the Embed URI Validator field and clicking Test URI. The URI validator will return a message indicating whether the SSO embed URL is valid.


Conclusion:

In this article, we saw how to generate a signed URL using Single Sign-On (SSO) Embedding, which can be used directly by an iFrame in the frontend application. With SSO Embedding, we can point the iFrame source attribute to a unique one-time-use URL that you must generate for each embedded user session, depending on the session_length specified. The one-time-use URL sets the content access permissions of the session URL. The URL logs your user in as an existing Looker embed user or creates a new one with content access permission.

Using SSO Embedding has its pros and cons. In terms of pros, we don’t need Looker account credentials for sign-in. It is a safe way to share Looker content, but not one of the best options to go with. The disadvantage of this embedding is that the generated signed URL is pretty hefty. This can be overcome by using Single Sign-On (SSO) with the Embed SDK, which generates a shortened URL; the SDK is maintained by Looker developers, which provides more security.

In the coming part of the series, we will focus on the Single-Sign-On (SSO) Embedding with Embed SDK which is a more secure and recommended way to integrate the Looker Content with the Web Application.
