SSO Gives 401 in Chrome Incognito Window

PaulM1 · 07-15-2020 10:43 AM

I am unable to access any Looker resources in an Incognito window. I receive a 401 “not authenticated”. Looker login is a success (200) and returns a URL. But all Looker resources give a 401.

Is this simply a fact of SSO & incognito? Or is there a way to get SSO embed to work while incognito?

In a normal browser window, everything functions as expected. Unfortunately, I cannot test web browsers other than Chrome. The web app where Looker is embedded is only supported in Chrome.

Thank you

fabio1

Hi @PaulM1 ,

Normally, this should work fine. Have you been able to connect with our DCL team about this, either via email or our chat widget? They are really experienced in helping with issues like these.

If you want some self-serve info, I did write this troubleshooting guide as well: https://fabio-looker.github.io/looker_sso_tool/sso-embed-troubleshooting.html

priyanath

Hi @fabio1

I am new to Looker embedding, and I created a signed sso url via API explorer. the generated embed URL does not work in incognito mode. how to connect to DCL team?

fabio1

Hi @priyanath

In general, customers can reach the right support team starting from https://help.looker.com/

If you have a process that is specifically failing in incognito mode, it may be due to cookie settings. In addition to the troubleshooting page I linked above, this page also has information about some common situations and fixes, such as custom domains to enable first party cookies - https://developers.looker.com/embed/troubleshooting/embed-auth-errors

priyanath

Hi @fabio1

I tuned on "allow 3rd party cookies" and it still fails. I am not sure what else could be the issue.

thank you.

ezmarques

Hi Paul,

We are facing the same problem here.

The problem is related to cookie policy. The user has to configure the browser to allow third party cookies.

We are trying to detect it automatically to instruct the user on how to fix it, but the embed do not emit a message about that problem.

Looker team, could you emit a message to notify the application about the 401 problem?

ezmarques

Hi Paul,

Apparently, the way to fix it is to contact support and configure the DNS to fix it.

Still, I would hope the embed to emit a message when there are errors (401, invalid filters, sql errors, etc)

owen_price

Hey @PaulM1, it looks like this can be attributed to a recent Chrome browser update. Referencing here @ezmarques answer is on the money - we’ll want to allow cookies from Chrome settings. A longer term fix will be to reach out to either support or your account team to initiate the process of a new CNAME alias that aligns the origins of the Looker content with your application, so we will no longer need to work about 3rd party cookies in this sense.

graydon

This is accurate. We just went through an embedded implementation and the updated CNAME is what you will need, especially because you can’t expect that all of your embedded users are going to know to allow cookies. Basically you need to allow google to see Looker as a 1st party cookie and the CNAME alias will solve that.

jpklwr

This is very helpful, thank you!

We implemented the embed a couple years back and since then our helpdesk has a variety of canned responses built to help our users change this setting in their browsers, good to know we can avoid this problem instead of just treating its symptoms!

data_dog

Works for me