Scenario:
- We have a Looker self-hosted environment hosted behind DomainA.com
- We have our own product or brand website hosted behind DomainB.com
- We want to generate an embed URL per this handy troubleshooting guide - Troubleshooting Looker SSO Embed URL Generation
The issue we are having is related to browser security & CORS.
I think this Microsoft article summarizes it best, but at the fundamental level, what we are experiencing is a CORS problem - https://docs.microsoft.com/en-us/scripting/javascript/misc/access-is-denied
Our product web site at DomainB.com is trying to generate an embed URL from DomainA.com - that will then be iFramed into a page within the DomainB.com site, but the web browser is having none of that & so an error page is displayed. Surprisingly, the error message differs depending on which of the major web browsers is used.
More details about the example scenario above -
- Looker self-hosted EC2 instance = DomainA.com
  - Behind AWS ELB with listener ports with SSL wildcard certificate for DomainA.com
- AWS Beanstalk application (code that generated the Looker embed URL) = DomainB.com
- Typical web browser behavior for above cross-domain configuration
  - Internet Explorer will NOT work unless Security settings are set to “Low” – renders “Dashboard Not Found” error
  - Chrome will NOT work if Content Settings > Third party cookie blocking is turned on – browser renders HTTP 401 “Not Authorized” error
  - Firefox – works most of the time.
I was able to test everything on the same domain with the same domain SSL certificate on the ELB, & we didn’t have any browser security problems. In most cases, we have not encountered this issue before now because we had everything hosted on the same domain. However, our newest application is going to be a cross-platform product or brand, so before we can embed the new Dashboard, I’d like to have the technical details nailed down.
I should also point out that we are able to run through this same scenario using https://unique-account.Looker.com & not encounter the CORS error from the browser. What am I missing? Do we need headers with Access-Control-Allow-Origin for our web site (DomainB.com)?
Thanks for any insight into my issue the community can provide.
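
The pattern described in the post (works on one domain, fails in Chrome only when third-party cookie blocking is on) can be checked mechanically. The following is an added example, not part of the original post and not Looker code: it decides whether a framed host is cross-site to its parent page and reports which of its cookies would be affected. The paths, cookie names and the two-label "site" rule are assumptions made for illustration.

```javascript
// Added example. Hosts, paths and cookie names are constructed, not Looker's.

// Assumption: "site" = scheme + last two host labels. A production check
// needs the Public Suffix List (e.g. for hosts under co.uk).
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname.split('.').slice(-2).join('.')}`;
}

// Pull out only the Set-Cookie attributes that matter for cross-site delivery.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const flags = {};
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=');
    flags[key.trim().toLowerCase()] = value.trim().toLowerCase();
  }
  return {
    name: pair.split('=')[0],
    secure: 'secure' in flags,
    sameSite: flags.samesite || 'unset',
  };
}

// Report, per cookie, why it may not reach the framed host in this embed.
// Strict/Lax are not sent from a cross-site iframe; unset defaults to Lax in Chrome.
function checkEmbed(parentUrl, frameUrl, setCookieHeaders) {
  const crossSite = siteOf(parentUrl) !== siteOf(frameUrl);
  const findings = [];
  if (crossSite) {
    for (const c of setCookieHeaders.map(parseSetCookie)) {
      if (c.sameSite !== 'none') {
        findings.push(`${c.name}: SameSite=${c.sameSite}, withheld from cross-site iframe requests`);
      } else if (!c.secure) {
        findings.push(`${c.name}: SameSite=None without Secure, rejected by the browser`);
      } else {
        findings.push(`${c.name}: third-party cookie, lost when third-party cookies are blocked`);
      }
    }
  }
  return { crossSite, findings };
}

// Constructed response headers from the framed host.
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; HttpOnly; Secure',
  'prefs=1; Path=/; Secure; SameSite=None',
];
console.log(checkEmbed('https://www.DomainB.com/report', 'https://DomainA.com/embed', SAMPLE_HEADERS));
```

Access-Control-Allow-Origin is not part of this check because CORS response headers govern cross-origin fetch/XHR reads, not iframe loads or cookie delivery.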