Looker Self Hosted Instance with SSO Embed URL CORS Browser Security Issue

  • 12 June 2017
  • 3 replies


  1. We have a Looker self-hosted environment hosted behind

  2. We have our own product or brand website hosted behind

  3. We want to generate an embed URL per this handy troubleshooting guide - Troubleshooting Looker SSO Embed URL Generation

The issue we are having is related to browser security & CORS.

I think this Microsoft article summarizes it best, but at the fundamental level, what we are experiencing is a CORS problem -

Our product web site at is trying to generate an embed URL from - that will then be iFramed into a page within the site, but the web browser is having none of that & so an error page is displayed. Surprisingly, the error message differs depending on which web browser from the major players.

More details about the example scenario above -

  • Looker self-Hosted EC2 instance =

  • Behind AWS ELB with listener ports with SSL wildcard certificate for

  • AWS Beanstalk application (code that generated the Looker embed URL) =

  • Typical web browser behavior for above cross-domain configuration

  • Internet Explorer will NOT work unless Security settings are set to “Low” – renders “Dashboard Not Found” error

  • Chrome will NOT work if Content Settings > Third party cookie blocking is turned on – browser renders HTTP 401 “Not Authorized” error

  • Firefox – works most of the time.

I was able to test everything on the same domain with the same domain SSL certificate on the ELB, & we didn’t have any browser security problems. In most cases, we have not encountered this issue before now because we had everything hosted on the same domain. However, our newest application is going to be a cross-platform product or brand, so before we can embed the new Dashboard, I’d like to have the technical details nailed down.

I should also point out that we are able to run through this same scenario using & not encounter the CORS error from the browser. What am I missing? Do we need headers with Access-Control-Allow-Origin for our web site (

Thanks for any insight into my issue the community can provide.

3 replies

Hey there,

Per the “Technical SSO Embed Instructions” doc, the Looker instance and the place where you’re embedding need to share the same base host, but this is something we’re actively evaluating.



Thanks Dave.

If that is the case, I think I may be able to work around the issue using multiple CNAMEs and varying ELB listener ports to handle the CORS issue, but its not ideal. Do you mind DM-ing or directing me to the “Technical Instructions” guide or line you are referencing? Thx.

I noticed this Discourse thread also seemed relevant to my issue - SSO and embeding dashboard in Safari and IE10+