Last tested: Oct 7, 2020
There are a number of errors and settings to be aware of when using SAML authentication in an iframe for private embedding. You can test things out using a simple online HTML editor, using the following iframe code:
<iframe src="https://instance.looker.com/embed/dashboards/[id]" height="500" width="500"></iframe>
401: You are not authenticated to view this page
If you are not already logged into Looker, you will get this page by default when you attempt to access the embed URL through the iframe instead of getting the Authenticate button. To avoid this error, simply add allow_login_screen=true to the URL:
<iframe src="https://instance.looker.com/embed/dashboards/[id]?allow_login_screen=true" height="500" width="500"></iframe>
Note that even if you are using the sso_bypass_login_page license feature to skip the login page, you will still need to add allow_login_screen=true to avoid an error. You have to allow the login screen before you can bypass it!
Blank page with a 403
With the iframe embedding feature enabled on the IdP side, if the iframe goes blank when you hit the Authenticate button, the request made to <your_looker_url>/login/saml gets a 403 response (as in the screenshot below), and no request gets made to the IdP, check the browser's third-party cookie settings! (Note that if you were SSO embedding, this would result in a 401 response instead.)
[IdP url] Refused to connect with a 303
As of Oct 2020, a lot of IdPs do not allow iframe embedding, so hitting the Authenticate button in an iframe where Looker content is privately embedded will result in a "refused to connect" error.
However, Okta does have a flag called "iframe Embedding" that can be enabled: https://support.okta.com/help/s/question/0D51Y00008W3zGR/okta-sso-using-iframe?language=en_US
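To confirm that a "refused to connect" comes from the IdP's framing policy, copy the response headers of the IdP request from the browser's network tab and evaluate them. The following is an added example, not Looker or IdP code; it assumes the IdP blocks framing with the standard X-Frame-Options or Content-Security-Policy frame-ancestors headers, and the example.com and example.net URLs and header values are constructed.

```javascript
// Added example. Matching is simplified: only the embedding page is checked
// (not every ancestor frame) and sources that carry a path are rejected.
const defPort = (proto) => (proto === "https:" ? "443" : "80");

function parseFrameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null; // directive absent
}

function sourceMatches(source, embedder, self) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "*") return true;
  if (s === "'self'") return embedder.origin === self.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return embedder.protocol === s; // e.g. "https:"
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?$/);
  if (!m) return false; // unparseable source matches nothing
  const [, scheme, wildcard, host, port] = m;
  if (embedder.protocol !== (scheme ? scheme + ":" : self.protocol)) return false;
  const embedderPort = embedder.port || defPort(embedder.protocol);
  if (port !== "*" && (port || defPort(embedder.protocol)) !== embedderPort) return false;
  return wildcard ? embedder.hostname.endsWith("." + host) : embedder.hostname === host;
}

function framingVerdict(headers, embedderUrl, framedUrl) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const embedder = new URL(embedderUrl), self = new URL(framedUrl);
  const ancestors = parseFrameAncestors(h["content-security-policy"]);
  if (ancestors !== null) { // when present, frame-ancestors overrides X-Frame-Options
    const allowed = ancestors.some((src) => sourceMatches(src, embedder, self));
    return { allowed, reason: "frame-ancestors " + ancestors.join(" ") };
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, reason: "X-Frame-Options: DENY" };
  if (xfo === "SAMEORIGIN")
    return { allowed: embedder.origin === self.origin, reason: "X-Frame-Options: SAMEORIGIN" };
  return { allowed: true, reason: "no framing restriction sent" };
}

// Constructed sample: an IdP login response that forbids cross-origin framing.
const sample = { "X-Frame-Options": "SAMEORIGIN", "Cache-Control": "no-store" };
console.log(framingVerdict(sample, "https://portal.example.com/", "https://idp.example.net/sso"));
```

A verdict of allowed: false with the headers the IdP actually sent means the fix is on the IdP side (for Okta, the "iframe Embedding" flag), not in Looker or the browser.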