Single sign-on (SSO) Embedding in Looker

Sagar Choudhary
Searce
Jan 4, 2023

Introduction to SSO Embedding

Single sign-on (SSO) embedding is a way to present private embedded Looks, visualizations, Explores, dashboards, or LookML dashboards to your users without requiring them to have a separate Looker login. Instead, users will be authenticated through your own application.

SSO embedding works by creating a special Looker URL that you will use in an iframe. The URL contains the information you want to share, the ID of the user in your system, and the permissions you want that user to have. You’ll then sign the URL with a secret key provided by Looker.

SSO embedding is the most advanced and complex of Looker's embedding features, and one of the most secure. Before using it, you must perform a few tasks in the Admin section and make sure that SSO embedding is enabled on your Looker instance.

Let's Start Hands-on:

First, let's understand the working flow of SSO

Architecture of SSO

Step 1. Enable the Embed Authentication

In the Embed pane of the Admin panel, find and enable the Embed Authentication option. This should trigger the creation of the Client Secret variable, which will appear on the same page. Check whether the SSO embedding feature is enabled in your Looker Admin panel; if it is disabled, enable it by following these steps.

Open your Looker instance, click Admin >> Embed, and make sure Embed SSO Authentication is enabled.

  1. Click on Admin.

  2. Search for Embed, then click on the Embed option.

  3. Check the Embed SSO Authentication setting and make sure it is enabled.

Step 2. Create and copy the Embed secret

The Embed Secret should be available above on the same page. If it is not visible, please click on the Reset Secret button. The steps are mentioned below:

  1. Click on Admin.

  2. Search for Embed, then click on the Embed option.

  3. You will then see the Embed Secret section. If the secret is visible, that is fine; if it is not visible, click on the Set Secret button.

  4. After clicking on Set Secret, the new secret will be generated.

Tip: Store this secret in a safe place, because generating a new secret will affect your embedded dashboards.

Step 3. Create a dedicated permissions set

In the Roles pane, choose New Permissions Set and create a new set as per your requirements with the following permissions. You can call it the SSO Permissions:

  • access_data,
  • embed_browse_spaces,
  • see_looks.

Step 4. Create the Embed group

In the Groups pane, add a new group; we call it the Embed Group. Once the Embed Group is created, go back to the Roles pane and add this group to the SSO Permissions role.

Step 5. Create a dedicated folder and content to be shared with the Embed Client

This step is required to keep the embedded content separate from the content we don’t want to share with the Embed Group. It might seem like a redundant step but is vital for the security and maintenance of the curated content.

Step 6. Grant the content access to the right Embed Group

In the Content Access pane, grant the Embed Group access to the folder created in the step above (let's call it Embed Content).

Step 7. Create a unique Embed URI.

To create an Embed URI you need Visual Studio Code and Ruby. The Ruby script below creates an Embed URI; modify it as per your requirements.

require 'cgi'
require 'securerandom'
require 'uri'
require 'base64'
require 'json'
require 'openssl'

module LookerEmbedClient
  def self.created_signed_embed_url(options)
    # looker options
    secret = options[:secret]
    host = options[:host]

    # user options
    json_external_user_id = options[:external_user_id].to_json
    json_first_name = options[:first_name].to_json
    json_last_name = options[:last_name].to_json
    json_permissions = options[:permissions].to_json
    json_models = options[:models].to_json
    json_group_ids = options[:group_ids].to_json
    json_external_group_id = options[:external_group_id].to_json
    json_user_attributes = options[:user_attributes].to_json
    json_access_filters = options[:access_filters].to_json

    # url/session specific options
    embed_path = '/login/embed/' + CGI.escape(options[:embed_url])
    json_session_length = options[:session_length].to_json
    json_force_logout_login = options[:force_logout_login].to_json

    # computed options
    json_time = Time.now.to_i.to_json
    json_nonce = SecureRandom.hex(16).to_json

    # compute signature (the order of the lines below is part of the format)
    string_to_sign = ""
    string_to_sign += host + "\n"
    string_to_sign += embed_path + "\n"
    string_to_sign += json_nonce + "\n"
    string_to_sign += json_time + "\n"
    string_to_sign += json_session_length + "\n"
    string_to_sign += json_external_user_id + "\n"
    string_to_sign += json_permissions + "\n"
    string_to_sign += json_models + "\n"
    # optionally add settings not supported in older Looker versions
    string_to_sign += json_group_ids + "\n" if options[:group_ids]
    string_to_sign += json_external_group_id + "\n" if options[:external_group_id]
    string_to_sign += json_user_attributes + "\n" if options[:user_attributes]
    string_to_sign += json_access_filters

    # HMAC-SHA1 over the string, keyed with the embed secret, Base64-encoded
    signature = Base64.encode64(
      OpenSSL::HMAC.digest(
        OpenSSL::Digest.new('sha1'),
        secret,
        string_to_sign.force_encoding("utf-8"))).strip

    # construct query string
    query_params = {
      nonce: json_nonce,
      time: json_time,
      session_length: json_session_length,
      external_user_id: json_external_user_id,
      permissions: json_permissions,
      models: json_models,
      access_filters: json_access_filters,
      first_name: json_first_name,
      last_name: json_last_name,
      force_logout_login: json_force_logout_login,
      signature: signature
    }
    # add optional parts as appropriate
    query_params[:group_ids] = json_group_ids if options[:group_ids]
    query_params[:external_group_id] = json_external_group_id if options[:external_group_id]
    query_params[:user_attributes] = json_user_attributes if options[:user_attributes]
    query_params[:user_timezone] = options[:user_timezone].to_json if options.has_key?(:user_timezone)

    query_string = URI.encode_www_form(query_params)
    "#{host}#{embed_path}?#{query_string}"
  end
end

def sample
  fifteen_minutes = 15 * 60
  # YOU NEED TO MODIFY THE BELOW CODE AS PER YOUR REQUIREMENT.
  url_data = {
    host: 'instancename.cloud.looker.com',
    # Embed secret from Step 2; keep the real value out of shared or committed copies of this script.
    secret: 'c17001c68440f858f4fed4',
    external_user_id: '57',
    first_name: 'Sagar',
    last_name: 'choudhary',
    permissions: ['see_user_dashboards', 'see_lookml_dashboards', 'access_data', 'see_looks'], # dedicated Permission Set
    models: ['Model-name'],
    group_ids: [],
    external_group_id: '',
    user_attributes: {},
    access_filters: {},
    session_length: fifteen_minutes,
    embed_url: "/embed/dashboards/143",
    force_logout_login: true
  }
  url = LookerEmbedClient::created_signed_embed_url(url_data)
  puts "https://#{url}"
end

sample()

You need to modify the last 20 lines of the code when you create the SSO embed URI.

Commands for running the code:

cd <folder name>
ruby <filename.rb>

After these steps, an SSO embed URI of this type will be generated. You need to validate that URI in the Looker Embed section.

Step 8. Check whether the URL is correct or not.

To validate the URI, open your Looker instance and click Admin >> Embed. There is a field called Embed URI Validator; paste the URI there to validate it. The steps are mentioned below:

  1. Click on Admin.

  2. Search for Embed, then click on the Embed option.

  3. You will see the Embed URI Validator section. Paste the link in this section and then click on the Test URI button.

  4. After clicking on Test URI, if your link is correct you will get the pop-up "Embed URI is valid", and a new page will appear.
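What the Step 7 signature protects can also be checked locally. The following is an added example, not code from the original post or from Looker: it rebuilds the same string-to-sign and rejects an edited URL, a stale timestamp or a reused nonce. The host `looker.example.com`, the dummy secret, the helper names, `max_skew` and the in-memory nonce set are assumptions made for illustration.

```ruby
require 'cgi'
require 'json'
require 'openssl'
require 'set'
require 'uri'

# Added example, not Looker's implementation. Signed fields, in the order the
# Step 7 script concatenates them (optional ones are skipped when absent).
SIGNED_KEYS = %w[nonce time session_length external_user_id permissions models
                 group_ids external_group_id user_attributes access_filters].freeze

def string_to_sign(host, path, params)
  ([host, path] + SIGNED_KEYS.map { |k| params[k] }.compact).join("\n")
end

def hmac_b64(secret, data)
  [OpenSSL::HMAC.digest('sha1', secret, data)].pack('m0') # strict Base64
end

# Compact signer producing the same URL layout as the Step 7 script.
def sign_embed_url(host, embed_url, secret, fields)
  path = '/login/embed/' + CGI.escape(embed_url)
  params = fields.transform_keys(&:to_s).transform_values(&:to_json)
  params['signature'] = hmac_b64(secret, string_to_sign(host, path, params))
  "https://#{host}#{path}?#{URI.encode_www_form(params)}"
end

# Returns :ok, :bad_signature, :stale or :replayed.
# max_skew (seconds) and the in-memory nonce set are assumptions of this example.
def verify_embed_url(url, secret, seen_nonces, now: Time.now.to_i, max_skew: 300)
  uri = URI.parse(url)
  params = URI.decode_www_form(uri.query.to_s).to_h
  expected = hmac_b64(secret, string_to_sign(uri.host, uri.path, params))
  return :bad_signature unless OpenSSL.secure_compare(params['signature'].to_s, expected)
  return :stale unless (now - params['time'].to_i).abs <= max_skew
  return :replayed unless seen_nonces.add?(params['nonce'])
  :ok
end

# Constructed sample values; the secret is a dummy, not a real embed secret.
SAMPLE_SECRET, SAMPLE_TIME = 'constructed-demo-secret', 1_700_000_000
SAMPLE_URL = sign_embed_url('looker.example.com', '/embed/dashboards/143', SAMPLE_SECRET,
  { nonce: 'a1b2c3d4e5f60718a1b2c3d4e5f60718', time: SAMPLE_TIME, session_length: 900,
    external_user_id: '57', permissions: %w[access_data see_looks],
    models: ['Model-name'], access_filters: {} })

if __FILE__ == $PROGRAM_NAME # untouched URL first, then one with edited permissions
  puts verify_embed_url(SAMPLE_URL, SAMPLE_SECRET, Set.new, now: SAMPLE_TIME + 5)
  puts verify_embed_url(SAMPLE_URL.sub('see_looks', 'see_user_dashboards'), SAMPLE_SECRET, Set.new, now: SAMPLE_TIME + 5)
end
```

Because the permissions, models and user ID are inside the signed string, the URL must be generated server-side for each user and the secret must never reach the browser.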

Step 9. Create an iframe using HTML.

1. Create the iframe using HTML so that you can embed the dashboard on a particular portal, and paste the embedded link as the value of src.

<!DOCTYPE html>
<html>
<body>
<center>
<!-- You need to paste your embedded link here -->
<iframe src="https://instancename.cloud.looker.com/embed/dashboards/143"
width="900" height="600">
</iframe>
</center>
</body>
</html>

2. When you open this HTML file, you will see that the dashboard is embedded successfully on the portal. This is how you do SSO embedding and embed the dashboard on the customer portal.

Embedded Dashboard on Customer Portal

So here we successfully implemented SSO embedding using an iframe, which is an HTML element that allows a website to be embedded within another website. To implement SSO using an iframe, the parent website can include an iframe that contains the login form for the other application or website. When the user submits the login form within the iframe, their credentials are sent to the other application or website for authentication. If the authentication is successful, the user is granted access to both the parent website and the application or website contained within the iframe.

Best practices for creating the embedded content:

  • Make sure you are using a dedicated folder where you store the shared content. Restrict the access to dedicated external users.
  • Always use the PII access control, so that sensitive content is protected and can't be reached within the embedded content.
  • Put best practices for managing curated content in place, so that it is regularly checked for data protection.

Advantages:

  • No Looker account required
  • All content types available for embedding
  • The safest way to share Looker content, due to its most advanced security settings.

Disadvantages:

  • The URL setup process is pretty hefty
  • Not available for Internet Explorer and Safari

Conclusion:

Looker is a powerful data visualization tool that is quite effective and interesting to use. In this blog we covered the single sign-on (SSO) embedding concept, and I explained the end-to-end procedure of SSO embedding. SSO can be a useful tool for improving the user experience and increasing security on a blog or website. There are a variety of methods and technologies available for implementing SSO, and the best option will depend on the specific needs and resources of the organization.

Happy Reading 😊 !!
