Admin settings - Embed

The Embed page in the Platform section of the Admin menu lets you configure settings for embedded Looker content.

Embedded Domain Allowlist

You need to use this setting to make use of JavaScript events to pass data or actions between a parent page and a Looker iframe.

In that case, add the domain where the iframe is being used to this field, and then select Update.

Same-Origin Protections for Looker Login Pages

Looker enforces a same-origin policy for iframe content, which means that a page cannot be displayed in an iframe if the parent page domain name is different from the iframe page domain name. This protects against possible UI redress attacks, commonly known as clickjacking.

The one exception to this policy is the Looker login page. For the login page, you can use the Same-Origin Protections for Looker Login Pages setting to indicate whether or not you want to enforce the same-origin policy:

Disabled: Looker does not enforce the same-origin policy for the login page.
Enabled: Looker enforces the same-origin policy for the login page.

For certain use cases, you must allow Looker login pages to appear within a Looker iframe even when the parent page is not compatible with the Looker instance's domain name. In these cases, you need to have the Same-Origin Protections for Looker Login Pages option set to Disabled:

If you use private embedding of Looker content in an iframe of a web page hosted by a non-Looker domain, you need to disable Same-Origin Protections for Looker Login Pages so that Looker can display the login page in the iframe and allow users to log into Looker.

Set Same-Origin Protections for Looker Login Pages to Enabled if either of the following is true:

You don't embed any Looker content.
You use only SSO embedding, since the Looker login page isn't used for SSO embeds.

To change the setting for same-origin protection, use the pull-down menu to select your desired option, and then be sure to select the Update button to save your selection.

Embed SSO Authentication

The Embed SSO Authentication feature needs to be enabled if you want to make use of Looker's Single Sign-on Embedding feature. To do so, select Enabled and then select Update.

Alerts and scheduling custom url

This option is available only if you have enabled the Custom urls for alert and schedule emails Labs feature.

Unless disabled, email deliveries from embedded dashboards, either from alerts or scheduled deliveries, include a link that reads View full dashboard. This link lets the email recipients connect to their Looker instance and further explore the data delivered in the email.

The Alerts and scheduling custom url option lets you configure a custom URL in alerts and scheduled email deliveries that will link embed users to the embedding application, rather than a Looker instance.

Embed domain for schedules and alerts allowlist

Specify all domains that custom URLs in email deliveries may link to. The domains listed here will populate the Domain field in the scheduling and alerts dialogs.

If this field is left blank, custom links are unavailable, since there will be no domain for a user to select in the schedule or alerts dialog.

Select content path

This drop-down lets you select how the URL in the custom link is formatted. It has the following options:

Only embed domain — The URL in the custom link includes only the domain selected in the Domain field in the scheduling or alerts dialog. For example, app.customer.com.
User defined url — The URL in the custom link includes the domain that is selected in the Domain field in the scheduling or alerts dialog and the path that is entered by the user in the Path field in the scheduling or alerts dialog. For example, app.customer.com/my_embed_app.
Embed domain URL with Looker IDs — The URL in the custom link will include the domain that is selected in the Domain field in the scheduling or alerts dialog and the Looker path to the embedded dashboard, using the content ID. For example, app.customer.com/dashboards/12.

Note: Instances that have a specific license feature enabled will add the Looker path using the dashboard slug, even when this option is selected. If this occurs and you want to use the dashboard ID in the custom link URL, contact support at help.looker.com.
Embed domain URL with Looker slugs — The URL in the custom link includes the domain that is selected in the Domain field in the scheduling or alerts dialog and the Looker path to the embedded dashboard, using the content slug. For example, app.customer.com/dashboards/CQ1fu99Z9Y1ggq2wcHDfMm.

Note: The slug is a randomly chosen short string that is used as an alternative to the content ID value for use in URLs. In the previous example, CQ1fu99Z9Y1ggq2wcHDfMm is the dashboard slug. You can view a dashboard slug by selecting Get link from the dashboard's three-dot menu.

Select content path is not available if the Embed domain for schedules and alerts allowlist field is left blank.

URL label

Use this field to enter new default link text, which will replace the text View full dashboard in email deliveries. The default text can be changed in the scheduling and alerts dialogs.

Show Filters on Embedded Looks

Set this option to Enabled if you want to display filter values in embedded Looks.

Set this option to Disabled to hide filter values in embedded Looks. Select Update to save your setting.

Remove Look Navigation

The Remove Look Navigation feature lets admins further customize embedded content, specifically embedded Explores and embedded dashboards.

Removing Look navigation from embedded Explores

By default, embed users who have the explore and save_content permissions will see the following options in the Explore Actions gear menu of an embedded Explore, including the option to Save as a Look. Embed users who have the send or scheduling permissions will also see the Save & Schedule option.

When set to Enabled, the Remove Look Navigation feature removes all references to Looks, including the options Save as a Look and Save & Schedule, from the embedded Explore's Explore Actions gear menu.

Leave the option set to Disabled to keep references to Looks and the options Save as a Look and Save & Schedule in embedded Explores.

Removing Look navigation from embedded dashboards

In addition to removing references and navigation to Looks from embedded Explores, the Remove Look Navigation feature will also remove references from embedded Look-linked tiles on dashboards when that feature is Enabled.

When Remove Look Navigation is Disabled, embed users will have the option to View Look from Look-linked tiles.

Dashboard Embed Content Navigation

When this option is enabled, embedded dashboard viewers who have been granted the necessary permissions can view folders and the Looks and dashboards that they contain from embedded dashboards. Enabling this feature is required to let viewers of embedded dashboards copy, move, and delete dashboards.

Embed Content Management

When this option is enabled, embedded dashboard viewers who have been granted the necessary permissions can copy, move, and delete dashboards.

Cookieless Embed

Starting in Looker 23.8, the embed domain can be included when the cookieless session is acquired. This is an alternative to adding the embed domain using the Looker Admin > Embed panel. Looker saves the embed domain in the Looker internal database, so it will not be shown on the Admin > Embed panel. Instead, the embed domain is associated with the cookieless session and exists for the duration of the session only. Review the security best practices if you decide to take advantage of this feature.

Embed JWT Secret

When the Embed SSO Authentication option is Enabled and the Cookieless Embed option is enabled, this setting is revealed.

A JSON Web Token (JWT) secret is required to make use of the cookieless embed feature. Cookieless embed requires that Embed SSO Authentication be enabled, but cookieless embed uses Embed JWT Secret instead of Embed Secret.

This option lets you set or reset the embed JWT secret. Setting the JWT secret is not necessary, since the very first attempt to create a cookieless embed session will create the JWT token. Unlike the embed secret, the embed JWT secret is never exposed as it is only used internally by the Looker server.

Resetting the JWT token will invalidate all active cookieless embed sessions.

Embed Secret

An embed secret is needed to make use of Looker's Single Sign-on Embedding feature.

To retrieve the embed secret, select the Set Secret button.

It's important to copy the secret and save it in a safe place immediately, as you cannot retrieve the secret from this page after you leave it.

To change your secret, select the Reset Secret button — you should be aware that this will break any existing SSO embeds, however.

Embed URI Validator

This setting is only revealed if the Embed Secret has been set.

After generating a URL for Looker's Single Sign-on Embedding feature, you can test the URL by pasting it in the Embed URI Validator field and clicking Test URI. The URI validator will return a message indicating whether the SSO embed URL is valid.

After you enter an SSO embed URL, the Embed URI quick check section will display the parameters and values that are included in the SSO embed URL.