Troubleshooting signed embed authentication errors

It can be challenging to troubleshoot authentication errors when you're using signed embed for your Looker content. There are a few different approaches you can take to diagnose issues, and the approach you choose depends on where your redirects are sending your users. The tips on this page assume that you are generating your signed embed URL using a script similar to those in Looker's Embed examples GitHub repository, unless stated otherwise.

General things to try first

Before you begin embedding, make sure that your embed secret has been generated in the Admin panel and that your embedded content is functional in Production Mode, not just in Development Mode.

If you have admin permissions, sudo as the embed user to check that your content is functional. If you get the error "Oops, we can't find that page", then the issue is most likely with permissions or content access and not related to an authentication issue. If the embed user isn't showing up in the Users page of the Looker Admin panel, then the user has not been created and the embed URL is failing. You can try troubleshooting the issue using some of the suggestions and resources listed on this page.

If your instance is self-hosted, make sure that the client server can reach the Looker server, and, if the data between the client and the server is transmitted over the public Internet, make sure that SSL (HTTPS) is being used.

The rest of this page describes errors and other issues you may encounter along with steps for resolving them.

I'm getting redirected to either a login page or a "Single sign-on failure" page

If you're getting redirected to the login page or to a page with the error "Single sign on failure. Please contact an administrator.", this typically indicates that the signed embed authentication is not working properly.

First, generate a new signed embed URL and test it in the Embed URI Validator under the Embed page of the Looker Admin panel. The Embed URI Validator can sometimes reveal valuable information as to why you encounter an error.

Is the Embed URI Validator appearing as expected?

If you are on the Embed page of the Looker Admin panel and the Embed URI Validator does not appear on the page, this suggests that signed embedding has not been enabled yet. You will need to enable signed embedding.

I'm receiving the 'signature param' failed to authenticate error

If you see this error, the signature generated by your script is not working as expected. Refer to the following sections for possible solutions:

Do the embed secrets match?

The embed secret in your Looker instance should be identical to the signed embed secret in your signed embed URL generation script. If you are unsure whether this is true, select Reset Secret to generate a new secret and add it to your script. Resetting the secret will break any embeds that used the earlier secret.

Try using the Create Signed Embed Url endpoint to create your embed URL, specifying the secret in your script for the secret_id in the body of the call. The response will let you know if the secret you are using is invalid.

Is the signature string in the correct order?

The embed parameters in the signature string must be in the proper order in the URL generation script. The proper order is documented on the Signed embedding documentation page.

The signature string, when printed, should look something like this before it is encoded:
  "test group space"

After signing the signature string with your embed secret, make sure that the parameters in the final URL match the parameters specified in the signature string. Make sure that special characters such as + and / are encoded in the URL parameters (for example, the + could be interpreted as a space if it isn't properly encoded) and that there aren't any line breaks in the signed embed URL, which could be missed after encoding.

Compare your script with our script examples to check whether your script goes through all the proper steps and whether the signature is computed with the proper algorithm.

I'm receiving the This request includes invalid params: ["embed_domain"] error

Before you start troubleshooting this error, note that the embed_domain parameter is necessary only if your script is using JavaScript event listeners, which is typically not a requirement for a basic signed embed implementation. If your application does not need to listen for JavaScript events, then the simplest option is to get rid of the embed_domain parameter completely.

If you do need to use JavaScript events in your embed application, check the URL generation script to see where the embed_domain parameter is being added. The error usually means that the embed_domain parameter was accidentally placed as a signed embed parameter instead of directly within the embed_url. The script won't format the embed_domain parameter correctly unless it is actually part of the embed_url, and it should be added after the embed URL and before any parameters.

Here is what it should look like when the embed_domain parameter is specified correctly in your script:

  embed_url: "/embed/dashboards/3?embed_domain="

If you are using the Create Signed Embed Url endpoint, the embed_domain parameter should be placed at the end of the target_url.

I'm receiving the 'nonce' param already used this hour error

The value of the nonce parameter must not be repeated within the same hour, and it needs to be less than 255 characters. Therefore, you will see this error if you are testing a URL that has already been accessed. Make sure you are generating a fresh embed URL that has not yet been loaded in your browser and that the nonce is changing and not getting reused.
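
The URL-level checks from the sections above (encoding of + and / in the signature, stray line breaks, embed_domain placement, nonce length and reuse) can be run against a generated URL before it is loaded in a browser. This is an added example, not code from Looker or its Embed examples repository; the function name, the local nonce cache, the rolling 3600-second window and the constructed sample URL are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

HOUR = 3600  # assumption: "same hour" treated as a rolling 3600-second window

# Constructed sample: hostname, nonce and signature are made up.
SAMPLE = ("https://looker.example.com/login/embed/"
          "%2Fembed%2Fdashboards%2F3%3Fembed_domain%3Dhttps%3A%2F%2Fapp.example.com"
          "?nonce=%22a1b2c3d4e5f6%22&time=1700000000&session_length=3600"
          "&signature=q8Yd%2Bk3n%2FZ0%3D")


def lint_signed_embed_url(url, seen_nonces, now):
    """Return the problems found in a signed embed URL (empty list: none found).

    seen_nonces is a hypothetical local cache {nonce: epoch seconds last seen},
    updated by each call; now is the current time in epoch seconds.
    """
    problems = []
    # urlsplit() silently drops CR, LF and tab, so look for them first.
    if re.search(r"[\r\n\t]", url):
        problems.append("line break or tab inside the URL")
        url = re.sub(r"[\r\n\t]", "", url)
    # Keep the raw, still-encoded values so unencoded characters stay visible.
    query = urlsplit(url).query
    raw = dict(p.split("=", 1) for p in query.split("&") if "=" in p)

    sig = raw.get("signature")
    if not sig:
        problems.append("signature parameter is missing")
    elif "+" in sig or "/" in sig:
        # A raw '+' is decoded as a space, so the signature no longer matches.
        problems.append("signature contains unencoded '+' or '/'")
    # embed_domain belongs inside the encoded embed_url, not beside nonce/time.
    if "embed_domain" in raw:
        problems.append("embed_domain is a top-level parameter, not part of embed_url")

    nonce = unquote(raw.get("nonce", ""))
    if not nonce or len(nonce) >= 255:  # decoded value as sent (assumption)
        problems.append("nonce is missing or not shorter than 255 characters")
    last = seen_nonces.get(nonce)
    if last is not None and now - last < HOUR:
        problems.append("nonce already used within the last hour")
    seen_nonces[nonce] = now
    return problems


if __name__ == "__main__":
    print(lint_signed_embed_url(SAMPLE, {}, now=1700000000))
```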

I'm getting redirected to an Uh-Oh, Something went wrong error

If you are seeing this error, please contact Looker Support to help you diagnose the issue.

I'm getting redirected to a page with the 401 error message You are not authenticated to view this page.

If you've tried all the applicable troubleshooting steps and the 401 issue persists, your browser is likely blocking third-party cookies. Most browsers are becoming more restrictive and will default to a cookie policy that blocks these cookies. For example, Safari's Prevent Cross-Site Tracking setting is enabled by default, as is Chrome's Block third-party cookies in Incognito setting.

If your application is embedding Looker content and the domain name of your Looker instance ends in, the browser won't authenticate the embedded iframe across domains unless the browser's cookie privacy settings are modified.

Looker-hosted instances

Looker-hosted admins who do not want to have their users manually enable third-party cookies in their browsers will need to change the domain name of the Looker-hosted instance. As an example, Looker-hosted instances typically take the format https://<hostname>.<subdomain>.<domain>.com. If the Looker domain name is changed, Looker will no longer be considered a third-party domain. See the What happens if the URL changes for my Looker instance? Best Practices page for more information.

If you're interested in adding a custom domain for your Looker instance, reach out to Looker Support to set up the necessary DNS configuration.

Self-hosted instances

If you are self-hosting your Looker instance, make sure that your application using signed embedding is on the same base domain as your Looker instance by changing the DNS entries for your Looker instance.

Chrome also requires that any session cookie with the samesite=none flag also specify secure. Looker won't set secure unless your Looker instance is started with a --ssl-provided-externally-by=<s> startup flag, so make sure that this startup flag is configured.

I'm still having issues; what do I do now?

If you are still experiencing issues after trying the suggestions on this page, please reach out to your Looker contact, or visit Looker Support to open a ticket.