Open in app

Sign in

Write

Sign in

Embedding Looker Content

Lukasz Aszyk
6 min readJan 18, 2021

So you got your Looker instance up and running, users are making the data-driven decisions, but you are still wondering about how to expand the content usage by others? The Looker content embedding functionality comes to the rescue!

Currently, there are three options which allow you to create the iFrame depending on the level of user authentication. You can further embed into HTML based websites or tools. The iFrame by design is read-only and doesn’t allow to edit or write data into.

The Looker admin needs to enable the embedded option in the administration panel to make this option available for the users.

Best practices for creating the embedded content

  • Make sure you are using a dedicated folder, where you store the shared content. Restrict the access for dedicated external users.
  • Always use the PII access control, so the sensitive content is protected and can’t be reached within the embedded content.
  • Put the managing curated content best practices in place, so it’s regularly checked for the data protection.

Public embedding

The simplest but most insecure of the solutions is public embedding. This option has to be enabled by an admin in the settings section and then by the user on their dashboard/look (user needs the create_public_looks permission to do so).

There are multiple options to choose from for the Public Embedding output, for example:

  • Download the result in different formats like CSV, JSON, TXT, or HTML
  • An iFrame visualisation embedded in an HTML page
  • Result table in a Google Spreadsheets
  • A static embedded image

Example of the publicly embedded look:

Publicly embedded Looker map on the Confluence page

Pros:

  • Easy to implement
  • Google Spreadsheet and Excel integration
  • Variety of the output options

Cons:

  • Potential security threat if the URL shared outside the designated recipient list, sensitive data might be exposed to the unknown audience
  • Updates of the embedded content in the Google spreadsheet are unpredictable, so you might want to force these regularly

Private embedding

You can share looks, explores, and dashboards outside of the instance, but the user needs a Looker account to access the privately embedded content.

Creating the link is straightforward. Same logic work for all the privately embedded content. As the rule of thumb you should use:

https://instance_name.looker.com/embed/looks/15
Pseudocode for the iFrame

Example of the privately embedded dashboard:

Privately embedded look on the Confluence page

Pros:

  • Holds all the functionality of the Public Embedding but is far more secure as it needs looker login details
  • All the Looker functionalities for viewers are enabled, limited only to the user permissions

Cons:

  • Looker account is required, so the option is useless for the general audience
  • Looker admin needs to enable this option for the whole instance

Single Sign-On (SSO) embedding

This is the most advanced and complex embedding Looker functionality. It’s the most secure one too. You must perform a few actions to enable it on your Looker instance, so please find the complete guide to enable secure iFrame embedding.

Step 1. Contact your Looker account manager

To enable the SSO Embed, you must contact you Looker account manager to turn this functionality on.

Step 2. Create a dedicated permissions set

In the Roles pane, choose New Permissions Set and create a new set with the following permissions, let’s call it the SSO Permissions:

  • access_data,
  • embed_browse_spaces,
  • see_looks.

Step 3. Create a dedicated user role

In the same Roles pane, click New Role with the following setting:

  • Permissions set — SSO Permissions
  • Model set — leave unticked for now, unless you have a dedicated model created
  • Click save — will go back here after performing the next two steps

Step 4. Create the Embed group

In the Groups pane, add a new Group, let’s call it the Embed Group. Once created, go back to the Roles pane, and add this group to the SSO Permissions role.

Step 5. Create a dedicated folder and content to be shared with the Embed Client

This step is required to keep the embedded content separate from the content we don’t want to share with the Embed Group. It might seem like a redundant step but is vital for the security and maintenance of the curated content.

Step 6. Grant the content access to the right Embed Group

In the Content Access pane, grant the access to the created folder, let’s call it Embed Content in the process above, to the Embed Group.

Step 7. Enable the Embed Authentication

In the Embed pane, in the admin panel, find and enable the Embed Authentication option. This should trigger the creation of the Client Secret variable, which will appear on the same page.

Step 8. Create and copy the Embed secret

The Embed Secret should be available below on the same page. If it’s not showing up, please click Reset Secret (WARNING — Use with caution, as this will break all the existing SSO Embed URLs!), and copy it over for the further development. Please store it safely!

Step 9. Create a unique URL for each content link

This is a crucial step in order to get the iFrame working as an embed visualisation.

Use this link to validate the created URI for SSO embedded content.

The SSO embed URL has the following format:

https://HOST/login/embed/EMBED URL?PARAMETERS&signature=SIGNATURE

Example encoded URL for the SSO Embedded content:

https://yourinstance.eu.looker.com/login/embed/%2Fembed%2Flooks%2F121?nonce=%22LOOKER_SECRET_KEY_SPECIFIC_FOR_YOUR _INSTANCE_%22&time=1603705705&session_length=300&external_user_id=101&permissions=%5B%22see_lookml_dashboards%22%2C+%22access_data%22%5D&models=%5B%22TAA_COVID19%22%5D&group_ids=%5B5%5D&external_group_id=%22%22&user_attributes=%7B%7D&access_filters=%7B%7D&signature=SIGNATURE%3D&first_name=%22Lukasz%22&last_name=%22Embed%22&force_logout_login=false

Pros:

  • No looker account required
  • All content types available for embedding
  • The safest way to share the Looker content due to it’s most advanced security settings

Cons:

  • Pretty hefty URL setting up a process
  • Not available for IE and Safari

For admins

This section contains the steps the Looker admin needs to perform to enable the specific embedded options to be available on your instance.

Enable Public URLs for the Public Embedding:

Edit the content settings to make it publicly available:

Conclusion

Looker is providing its customers with a variety of content embedding. Every use of this functionality depends on specific requirements on the user output and data security on a case-basis. You should always follow best practices for content embedding so your data is secure and there are no data breaches. Please get in touch with The Analytics Academy, so we can assist with providing a solution to your specific problem.

Reference links to the Looker documentation

Please refer to the ‘Looker security best practices for the embedded analytics’ page here for more information on protecting your data.

More details on setting up the admin in Looker here.

The Embed pane link.

Create the encoded URL with the SSO Embedding. To create this, follow the instructions here.

Interested in learning more about Embedding Looker Content? Reach out to me on LinkedIn or check out the repository on Github.

Looker
Embedded
Analytics
Business Intelligence
Technology

--

--

Lukasz Aszyk

Written by Lukasz Aszyk

84 Followers

Artificial Intelligence Enthusiast and Analytics Engineering Lead. Loves Technology, Science, Art

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams