We are using Looker in our SaaS web application using private embeds and SSO. The web app has multiple customers, one schema per customer in Looker.
Our marketing team is excited about Looker and would like to make a private embed available on a marketing site. The goal is to allow potential customers to be able to run Explores using demo data.
Because the embed token doesn’t restrict access by schema we don’t want to put that token on a marketing site for security reasons. If the site were compromised the token might be exposed giving access to customer schemas.
While we could create a local Looker user account with schema-limited access, we use SSO for Looker logins, and the log in process isn’t very elegant when a local user has to log in to an SSO-enabled Looker instance.
One option is to build a custom application consisting of just an API that would create embed strings for the marketing site so that the embed key doesn’t need to be stored in the marketing site. We would limit access to just marketing’s demo schema in the application when the embed string was generated.
However, it would be another app to build and maintain so I’m wondering, has anyone has accomplished anything similar to this just using Looker? Other ideas welcome as well.