What makes SSO embed URLs secure? What is the purpose of the signature in SSO embed?

Knowledge Drop

Last tested: Apr 5, 2021
 

The signature is used to authenticate that the URL used in the embed context comes from an authorized party and has not been tampered with. If you edit the URL, it won't match the signature that was generated, and the URL won't work.

The signature is essentially the embed URL parameters signed with the embed secret -- so when a request is made to Looker in the form of a full embed URL (parameters + signature), Looker will compute its own signature with the embed secret and the URL parameters and compare that to the signature offered in the URL. if they don't match, the URL is invalid and will be rejected with a 401 error response.

The signature provides the following cryptographic proofs / safeguards:

  1. Proof of Origin That the signature in the URL was created with the embed secret, therefore the URL originated from someone who possesses the embed secret, and therefore we can trust them.
  2. Proof of Fidelity That the URL parameters have not been modified in transit.  

Example:

You run a script to generate an embed URL. The signature string looks like this:

instance.looker.com

/login/embed/embed%2Fdashboards%2F1527

"ac786cbc06162b1edde3a8b35920a93e"

1585244357

3600

"57"

["access_data","see_user_dashboards"]

["some_model","someother_model"]

[]

"test group space"

{"can_see_stuff":"yes"}

{}

The signature string above is signed with the instance's embed secret to create the signature for the URL. The final URL (decoded) looks like this:

https://instance.looker.com/login/embed/embed/dashboards/1527?nonce="a5060c75494ff5c01499ff97af5387ff"&time=1585240047&session_length=3600&external_user_id="57"&permissions=["access_data","see_user_dashboards"]&models=["some_model","someother_model"]&access_filters={}&first_name="Chris"&last_name="Embed"&force_logout_login=true&signature=81aqRNQCP4Upjx6ouM6kvPDDFjI=&group_ids=[]&external_group_id="test group space"&user_attributes={"can_see_stuff":"yes"}

A user retrieves the URL prior to loading it and sees that they do not have the explore permission. They try to give themselves the explore permission by modifying the URL like so:

https://instance.looker.com/login/embed/embed/dashboards/1527?nonce="a5060c75494ff5c01499ff97af5387ff"&time=1585240047&session_length=3600&external_user_id="57"&permissions=["access_data","see_user_dashboards","explore"]&models=["some_model","someother_model"]&access_filters={}&first_name="Chris"&last_name="Embed"&force_logout_login=true&signature=81aqRNQCP4Upjx6ouM6kvPDDFjI=&group_ids=[]&external_group_id="test group space"&user_attributes={"can_see_stuff":"yes"}

The user then loads the new URL in the browser. The information in the URL is checked against the information that was used to create the signature. Since the permissions parameter does not match, the embed authentication fails, and the user receives a 401.

This content is subject to limited support.                

Version history
Last update:
‎06-14-2021 06:17 PM
Updated by: