SSO embed tools and troubleshooting resources

  • 4 November 2020
  • 0 replies

Userlevel 3

It can be challenging to create an SSO embed script and troubleshoot when errors appear. Here are some helpful tools and tricks you can use to troubleshoot:

Embed URI validator in the Embed page in Looker’s Admin panel

Common messages that may appear:

  • signature param failed to authenticate 

    • double check that the SSO embed secret in the URL matches the instance’s SSO embed secret, Make sure the embed parameters in the signature generation portion of the script are being concatenated in the right order.

    • Make sure that characters like '+' or '/' are encoded during the signature generation. The '+' could be interpreted as a space in Chrome.

  • Uh Oh something went wrong  

    • Open a support request with the Department of Customer Love to investigate possible causes. 

  • Time param is not within 5 minutes of the server's system time

    • The link needs to be hit within five minutes of generation. Try generating the link again.

    • The time on the server generating the URL is actually five minutes out of sync with the time on the Looker server. Check what the servers think the current time is with the date command line call.

  • This request includes invalid params​

    •  Are you using embed_domain? The embed_domain parameter is only necessary if your script is using Javascript event listeners, which is not a requirement for a basic SSO embed implementation. If you do not need to listen for Javascript events, the simplest option is to get rid of the embed_domain parameter completely.

    • If you do want to listen for Javascript events, you'll want to check the URL generation script to see where the embed_domain is being added. See the Single Sign-On (SSO) Embedding documentation page for the correct placement.


URL Decoder/Encoder​ to view and troubleshoot individual URL parameters 

When troubleshooting pieces of the SSO URL, the order of parameters listed in the URL decoder/encoder does not matter. However, the order does matter in the signature generation section of the script

Check the permissions and model access that is listed, and whether they are appropriate for the content that is being embedded.

Your browser’s JavaScript console (Opt+Command+J) and Network tab (Opt+Command+I)

Check that the network tab shows a login event and the event that embeds the content.

Fabio’s SSO Embed Generator Tool

Plug in the parameter specifications you are using in your embed URL.:

  • If this works, then the SSO embed secret and other information in the  parameters is correct. This indicates that something in the URL generation script itself is probably the cause of the error.

  • If this does not work, then something that is defined in the SSO URL parameters is not correct (check permissions, model access, possibly reset the SSO embed secret).

If you have Admin permissions, sudo as the embed user

Can you see the content when sudoed as the embed user? If not, then it’s most likely a permissions, model access, or folder permissions issue in the URL parameters.

If you do not see the embed user listed in the Users page in the Looker Admin panel,  then the user is not being created and the embed URL is failing. Try troubleshooting the URL with some of the other troubleshooting resources listed on this page.

Fabio’s SSO Embed Troubleshooting Tool

Click the error messages you are seeing when accessing your SSO embed link.

Looker’s example scripts

Compare Looker’s examples to your own script. Make sure the order is correct in the signature generation, and that you’re not missing any information in your URL.

create_sso_embed_url API call

This is one of the quickest ways to generate embed URLs for testing.


If none of the above troubleshooting resources are working, and you are seeing 401 errors, this might be a third party cookie issue. Check your browser’s settings that affect third party cookies. 

0 replies

Be the first to reply!