AD FS Help
Troubleshooting
SSO does not work and users are getting prompted for credentials
What does this guide do?
This workflow resolves Integrated Windows Authentication SSO issues. If users are seeing unexpected NTLM or forms based authentication prompts, use this workflow to troubleshoot such issues.
Who is the target audience?
Administrators who help diagnose SSO issues for their users.
How does it work?
We’ll begin by asking you the symptom and then we’ll take you through a series of troubleshooting steps that are specific to your situation.
This document provides steps to resolve common error messages you may encounter during the integration or use of SAML-based single sign-on (SSO) with Google Workspace when Google is the service provider (SP).
Configuration and activation
«This domain is not configured to use single sign-on.»
This error typically indicates that you’re trying to use single sign-on with a Standard (Free) Edition of G Suite, which doesn’t support SSO. If you’re certain that you’re using a Google Workspace edition that supports SSO, check the configuration in your identity provider to ensure that you have entered your Google Workspace domain name correctly.
If you encounter this error after setting up SSO using profiles, it’s likely that your IdP is incorrectly assuming that you’re using the SSO profile for your organization. If so, your IdP SSO profile settings may be usable only if you use them to configure the SSO profile for your organization.
«This account cannot be accessed because the domain is incorrectly configured. Please try again later.»
This error indicates you haven’t set up SSO correctly in the Google Admin console. Review the following steps to correct the situation:
- In the Admin console, go to Security > Set up single sign-on (SSO) with a third party IdP, and check Set up SSO with third-party identity provider.
- Provide URLs for your organization’s sign-in page, sign-out page, and change password page in the corresponding fields.
- Choose and upload a valid verification certificate file.
- Click Save, wait a few minutes for your changes to take effect, and test your integration again.
Parsing the SAML Response
«The required response parameter SAMLResponse was missing»
This error message indicates that your Identity Provider is not providing Google with a valid SAML Response of some kind. This problem is almost certainly due to a configuration issue in the Identity Provider.
- Check your Identity Provider logs and make sure that there is nothing preventing it from correctly returning a SAML Response.
- Ensure that your Identity Provider is not sending Google Workspace an encrypted SAML Response. Google Workspace only accepts SAML Responses that are unencrypted. In particular, please note that Microsoft’s Active Directory Federation Services 2.0 often sends encrypted SAML Responses in default configurations.
«The required response parameter RelayState was missing»
The SAML 2.0 specification requires that Identity Providers retrieve and send back a RelayState URL parameter from Resource Providers (such as Google Workspace). Google Workspace provides this value to the Identity Provider in the SAML Request, and the exact contents can differ in every login. For authentication to complete successfully, the exact RelayState must be returned in the SAML Response. According to the SAML standard specification, your Identity Provider should not modify the RelayState during the login flow.
- Diagnose this issue further by capturing HTTP headers during a login attempt. Extract the RelayState from the HTTP headers with both the SAML Request and Response, and make sure that the RelayState values in the Request and Response match.
- Most commercially available or open-source SSO Identity Providers transmit the RelayState seamlessly by default. For optimum security and reliability, we recommend that you use one of these existing solutions and we cannot offer support for your own custom SSO software.
Contents of the SAML Response
«This service cannot be accessed because your login request contained invalid [destination|audience|recipient] information. Please log in and try again.»
This error indicates that the destination, audience or recipient elements in the SAML assertion contained invalid information or were empty. All three must be present in the SAML assertion and must carry the ACS URI. The following table gives the description, required value and (truncated) example for each element as shown on the page.
| Element | Description | Required Value | Example |
|---|---|---|---|
| <Audience> | URI identifying the intended audience; it must carry the ACS URI. Note: the element value cannot be empty. | https://www.google.com/a/<example.com>/acs | <saml:Conditions NotBefore="2014-11-05T17:31:37Z" |
| Destination attribute of the <StatusResponseType> type | URI the SAML assertion is sent to. Optional, but if declared it must carry the ACS URI. | https://www.google.com/a/<example.com>/acs | <saml:Response |
| Recipient attribute of <SubjectConfirmationData> | | https://www.google.com/a/<example.com>/acs | <saml:Subject> |
For details of all the required elements, please review the article SSO assertion requirements.
«This service cannot be accessed because your login request contained no recipient information. Please log in and try again.»
This error usually indicates that the SAML Response from your Identity Provider lacks a readable Recipient value (or that the Recipient value is incorrect). The Recipient value is an important component of the SAML Response.
- Diagnose this issue further by capturing HTTP headers during a login attempt.
- Extract the SAML Request and Response from the HTTP headers.
- Ensure that the Recipient value in the SAML Response exists and that it matches the value in the SAML Request.
Note: This error message may also appear as «This service cannot be accessed because your login request contained invalid recipient information. Please log in and try again.»
«This account cannot be accessed because the login credentials could not be verified.»
This error indicates a problem with the certificates you’re using to sign the authentication flow. It usually means the private key used to sign the SAML Response doesn’t match the public key certificate that Google Workspace has on file.
It can also occur if your SAML Response doesn’t contain a viable Google Accounts username. Google Workspace parses the SAML Response for an XML element called a NameID, and expects this element to contain a Google Workspace username or a full Google Workspace email address.
- Ensure that you’ve uploaded a valid certificate to Google Workspace, and if necessary replace the certificate. In the Google Admin console, go to Security > Set up single sign-on (SSO) with a third party IdP and click Replace certificate.
- If you’re using a full email address in your NameID element (you must be if you are using SSO with a multidomain Apps environment), ensure that the Format attribute of the NameID element specifies that a full email address is to be used, as in the following example: Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress".
- Ensure that you’re populating the NameID element with a valid username or email address. To be certain, extract the SAML Response you’re sending to Google Workspace, and check the value of the NameID element.
- NameID is case-sensitive: ensure that the SAML Response is populating NameID with a value that matches the case of the Google Workspace username or email address.
- If your Identity Provider is encrypting your SAML Assertion, disable encryption.
- Ensure that the SAML Response doesn’t include any non-standard ASCII characters. This issue most commonly occurs in the DisplayName, GivenName, and Surname attributes in the AttributeStatement, for example (the ü in the values below):
<Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
  <AttributeValue>Blüte, Eva</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
  <AttributeValue>Blüte</AttributeValue>
</Attribute>
For more information on how to format the NameID element, see SSO assertion requirements.
«This service cannot be accessed because your login credentials have expired. Please log in and try again.»
For security reasons, the SSO login flow must complete within a certain timeframe, or authentication fails. If the clock on your Identity Provider is incorrect, most or all login attempts will appear to be out of the acceptable timeframe, and authentication will fail with the above error message.
- Check the clock on your Identity Provider’s server. This error is almost always caused by the Identity Provider’s clock being incorrect, which adds incorrect timestamps to the SAML Response.
- Resync the Identity Provider server clock with a reliable internet time server. When this issue suddenly occurs in a production environment, it is typically because the last time sync failed, causing the server time to become inaccurate. Repeating the time sync (possibly with a more reliable time server) will quickly remedy this issue.
- This issue can also occur if you are resending SAML from a previous login attempt. Examining your SAML Request and Response (obtained from HTTP header logs captured during a login attempt) can help you debug this further.
«This service cannot be accessed because your login credentials are not yet valid. Please log in and try again.»
For security reasons, the SSO login flow must complete within a certain timeframe, or authentication fails. If the clock on your Identity Provider is incorrect, most or all login attempts will appear to be out of the acceptable timeframe, and authentication will fail with the above error message.
- Check the clock on your Identity Provider’s server. This error is almost always caused by the Identity Provider’s clock being incorrect, which adds incorrect timestamps to the SAML Response.
- Resync the Identity Provider server clock with a reliable internet time server. When this issue suddenly occurs in a production environment, it is typically because the last time sync failed, causing the server time to become inaccurate. Repeating the time sync (possibly with a more reliable time server) will quickly remedy this issue.
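The sections above (RelayState aside) describe checks that can be run over a captured SAML Response before it is sent to Google: Destination, Audience and Recipient must equal the ACS URL, NameID must be a known user in exactly matching case with the emailAddress Format when it is an email, attribute values must be ASCII, and the NotBefore/NotOnOrAfter window must contain the current time. The following is an added example of such a pre-flight validator, not Google's code: the sample response it builds is constructed and unsigned, the ACS URL uses the placeholder domain example.com, the problem strings and the `skew` parameter are this example's own, and signature verification is deliberately out of scope.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Constructed ACS URL in the shape the page requires (https://www.google.com/a/<domain>/acs)
ACS_URL = "https://www.google.com/a/example.com/acs"


def build_response(name_id="eva.blute@example.com", name_format=EMAIL_FORMAT,
                   destination=ACS_URL, audience=ACS_URL, recipient=ACS_URL,
                   not_before="2014-11-05T17:31:37Z", not_on_or_after="2014-11-05T17:36:37Z",
                   display_name="Eva Blute"):
    """Constructed, unsigned SAML Response used as sample input (signature checks are out of scope)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="{not_before}" Destination="{destination}">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">
    <saml:Subject>
      <saml:NameID Format="{name_format}">{name_id}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
        <saml:AttributeValue>{display_name}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_time(value):
    """SAML timestamps are UTC ('Z' suffix); return an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, acs_url, known_users, now, skew=timedelta(seconds=0)):
    """Return the list of problems found, named after the error messages above; [] means all checks passed."""
    problems = []
    root = ET.fromstring(xml_text)
    # Destination is optional, but when present it must be the ACS URL
    if root.get("Destination") not in (None, acs_url):
        problems.append("invalid destination")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no assertion"]
    if assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", "", NS) != acs_url:
        problems.append("invalid audience")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if not recipient:
        problems.append("no recipient information")
    elif recipient != acs_url:
        problems.append("invalid recipient")
    nid = assertion.find("saml:Subject/saml:NameID", NS)
    value = (nid.text or "").strip() if nid is not None else ""
    if not value:
        problems.append("NameID missing")
    else:
        if "@" in value and nid.get("Format") != EMAIL_FORMAT:
            problems.append("NameID Format is not emailAddress")
        if value not in known_users:  # exact, case-sensitive match is required
            lowered = {u.lower() for u in known_users}
            problems.append("NameID case mismatch" if value.lower() in lowered else "NameID unknown user")
    # Non-ASCII characters in attribute values (DisplayName, GivenName, Surname) also break the login
    for attr_value in assertion.iterfind("saml:AttributeStatement/saml:Attribute/saml:AttributeValue", NS):
        if not (attr_value.text or "").isascii():
            problems.append("non-ASCII attribute value")
            break
    # Time window: an IdP with a wrong clock produces one of these two errors on every login
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + skew < parse_time(not_before):
            problems.append("credentials not yet valid")
        if not_on_or_after and now - skew >= parse_time(not_on_or_after):
            problems.append("credentials expired")
    return problems


if __name__ == "__main__":
    print(check_response(build_response(), ACS_URL, {"eva.blute@example.com"},
                         parse_time("2014-11-05T17:32:00Z")))
```

Running the validator against a response captured from the IdP (via browser developer tools or an HTTP header capture, then base64-decoding the SAMLResponse form field) points at the configuration item to fix; with a clock-skewed IdP, both the "not yet valid" and "expired" checks fire on responses that are otherwise correct.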
This repository has been archived by the owner on Jan 6, 2023. It is now read-only.
Closed. criscmaia opened this issue on Jul 15, 2019 · 21 comments. Labels: bug (Something isn’t working).
Bug Report
Steps to Reproduce
1. LAMP (Linux on WSL)
2. sudo apt-get update && sudo apt-get upgrade
3. sudo apt-get install lamp-server^
4. Update etc/apache2/apache2.conf:
Servername localhost
AcceptFilter http none
- MySQL removed as I had it on a server already
- sudo apt-get install php-curl
- VirtualHost configuration:
*:80 localhost (/etc/apache2/sites-enabled/000-default.conf:1)
*:8080 example.com (/etc/apache2/sites-enabled/000-default.conf:34)
- git clone https://github.com/directus/directus.git
- sudo chown www-data -R /var/www/directus
- sudo chown www-data -R /var/www/directus/public/upload
- Boilerplate System Database from /src/schema.sql
Expected Behavior
Load http://localhost:8080/admin to get the configuration page
Actual Behavior
It goes to the login page instead. Error message on the console:
Other Context & Screenshots
Technical Details
Window 10 Enterprise 1903
WSL Ubuntu 18.04.02
Apache 2.4.29
PHP 7.2.19
MySQL
criscmaia changed the title from "500 error on auth/sso" to "500 error on auth/sso when trying to run initial configuration" on Jul 15, 2019.
same configuration, same issue on 3 separate installations
Edit: Permissions error with something in latest version, File Cabinet — (190627A) works fine.
Seeing you populated the database manually, «Load http://localhost:8080/admin to get the configuration page» is not expected to happen.
Are there any PHP errors in either the /logs folder of the API or the server logs in general?
Are there any PHP errors in either the /logs folder of the API or the server logs in general?
I’ve deleted the instances, maybe @criscmaia still has logs.
My procedure as follows:
- Digital ocean LAMP droplet, Ubuntu 18.04.2 LTS, PHP 7.2.19, MySQL 5.7.26, Apache 2.4.29
- Setup mysql (mysql_secure_installation) new root password, create Directus database, username & pw. Grant privs, flush. Unbind address 127.0.0.1. Restart.
- Install php-curl, php-xml, php-imagick, php-cli, composer. Update.
- Enable rewrite, setup apache access as follow & restart:
<Directory /var/www>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
- Download Directus via Git to /html, chown www-data -R /var/www/html/directus
- Composer Install Directus
- Setup HTTPS cert
- /public/admin to start set up.
Works fine with 190627A.
I also have this issue. I just followed https://docs.directus.io/getting-started/installation.html#setup
When it says «Navigate your browser to the App at /admin», this is what I got:
Note: I have no problem installing the standalone api and app.
@JbalTero Are there any PHP errors in either the /logs folder of the API or the server logs in general?
@rijkvanzanten in apache errors.log, this is what I get when I did tail -f
[Mon Jul 15 23:21:11.402192 2019] [php7:notice] [pid 408] [client 127.0.0.1:56905] PHP Notice: Undefined index: settings in /redacted/absolute/path/to/web/root/src/core/Directus/Application/Application.php on line 145, referer: http://devlocal.redacted/admin/
[Mon Jul 15 23:21:11.509259 2019] [php7:notice] [pid 408] [client 127.0.0.1:56905] PHP Notice: Undefined index: settings in /redacted/absolute/path/to/web/root/src/core/Directus/Application/Application.php on line 145, referer: http://devlocal.redacted/admin/
[Mon Jul 15 23:21:11.569340 2019] [php7:error] [pid 408] [client 127.0.0.1:56905] PHP Fatal error: Uncaught UnexpectedValueException: The stream or file "/redacted/absolute/path/to/web/root/logs" could not be opened: failed to open stream: Is a directory in /redacted/absolute/path/to/web/root/vendor/monolog/monolog/src/Monolog/Handler/StreamHandler.php:107
Stack trace:
#0 /redacted/absolute/path/to/web/root/vendor/monolog/monolog/src/Monolog/Handler/AbstractProcessingHandler.php(39): Monolog\Handler\StreamHandler->write(Array)
#1 /redacted/absolute/path/to/web/root/vendor/monolog/monolog/src/Monolog/Logger.php(344): Monolog\Handler\AbstractProcessingHandler->handle(Array)
#2 /redacted/absolute/path/to/web/root/vendor/monolog/monolog/src/Monolog/Logger.php(707): Monolog\Logger->addRecord(400, 'Directus\\Except...', Array)
#3 /redacted/absolute/path/to/web/root/src/core/Directus/Appli in /redacted/absolute/path/to/web/root/vendor/monolog/monolog/src/Monolog/Handler/StreamHandler.php on line 107, referer: http://devlocal.redacted/admin/
php:
PHP 7.1.30-1+ubuntu18.04.1+deb.sury.org+1 (cli) (built: May 31 2019 11:43:40) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.1.30-1+ubuntu18.04.1+deb.sury.org+1, Copyright (c) 1999-2018, by Zend Technologies
I have the same problem.
The first visit to /admin produces the same exception @criscmaia showed above.
After a manual install, I still cannot login but I get «Unhandled promise rejection
Object { code: 3, message: «Unauthorized request» }» in the console.
I tried this:
- installing on local machine under localhost/directus
- on local machine under a locally defined domain (There are several other VirtualHost on the same machine)
- on a VPS under https (Which blocks loading of the fonts from http).
By doing some debugging, I’ve found exceptions raised because ‘something’ tries to write config/logs/app.log (yes, not under /logs) but with errors different than those in /logs/app.log.
I’ll gladly provide more info if needed.
EDIT: it is app.log (not api.log)
Here’s your answer:
The stream or file «/redacted/absolute/path/to/web/root/logs» could not be opened: failed to open stream
Try changing the owner of the folder to www-data:
chown -R www-data:www-data /redactred/absolute/path/to/web/root/logs
On my VPS /logs contains several:
[2019-07-15 15:34:15] api[].ERROR: Directus\Exception\UnauthorizedException: Unauthorized request in <path_to_vhost_root>/src/helpers/app.php:270
The ‘other’ app.log has:
[2019-07-15 15:47:26] api[_].ERROR: Directus\Permissions\Exception\ForbiddenCollectionReadException: Reading items from "directus_settings" collection was denied in <path_to_vhost_root>/src/core/Directus/Permissions/Acl.php:988
...
[2019-07-15 15:47:26] api[_].ERROR: Directus\Permissions\Exception\ForbiddenCollectionReadException: Reading items from "directus_collections" collection was denied in <path_to_vhost_root>/src/core/Directus/Permissions/Acl.php:988
BTW: I cannot reproduce now, but one of the first errors I got was about being impossible to write /logs because it’s a directory (as if the file name was missing).
Regarding this error:
PHP Fatal error: Uncaught UnexpectedValueException: The stream or file "/redacted/absolute/path/to/web/root/logs" could not be opened: failed to open stream: Is a directory in /redacted/absolute/path/to/web/root/vendor/monolog/monolog/src/Monolog/Handler/StreamHandler.php:107
Stack trace:
#0
The error is in
src/core/Directus/Application/CoreServicesProvider.php
on 133 line:
$path . '/' . sprintf($filenameFormat, strtolower($name), date('Y-m-d'));
must be changed to
$path .= '/' . sprintf($filenameFormat, strtolower($name), date('Y-m-d'));
But still after clean install and fixin logs issue I got error log entry:
api[_].ERROR: Directus\Exception\NotInstalledException: This Directus API instance has not been configured. Install via the Directus App (eg: /admin) or read more about configuration at: https://docs.directus.io/getting-started/installation.html#configure in /vagrant/sites/directus/src/core/Directus/Application/ErrorHandlers/NotInstalledNotFoundHandler.php:21
which is nonsense because the /admin page shows a sign-in dialog and no prompt to complete the configuration.
And here is our culprit for unfinished configuration:
src/core/Directus/Application/Application.php:145
'settings' => $appConfig['settings'],
should be something like:
'settings' => !empty($appConfig['settings']) ? $appConfig['settings'] : null,
There are a couple of other issues. I can install now, but still cannot login afterwards.
The fix above about $path does not work, it should be:
if ($path !== "php://stdout" && $path !== "php://stderr") {
    $logPath = $path . '/' . sprintf($filenameFormat, strtolower($name), date('Y-m-d'));
} else {
    $logPath = $path;
}
$handler = new StreamHandler(
    $logPath,
    $level,
    false
);
and the default configuration schema should have:
if ($isEnv) {
    $loggerPath = "php://stdout";
} else {
    $loggerPath = __DIR__ . '/../../../../../logs';
}
I will try to gather the fixes in a PR, but perhaps I’ll wait after the first login actually works.
@savedario
The fix above about $path does not work, it should be
Well, it works but creates an unnecessary directory structure. And considering the commit 190709A changes, there should be a variable to pass to StreamHandler other than $path, like you proposed.
I also have this issue. I just followed https://docs.directus.io/getting-started/installation.html#setup
When it says «Navigate your browser to the App at /admin», this is what I got:
Note: I have no problem installing the standalone api and app.
I encountered this error with a fresh LAMP droplet from digital ocean and fresh install. After battling this for several hours the error somehow went away when I followed the steps described here: https://docs.directus.io/advanced/api/configuration.html#configure-with-script
I ran the same script bin/directus install:config -n <database-name> -u <mysql-user> -p <mysql-password> -N <project name>. Note the -N params at the end, this was what caused the error for me if not specified.
Hope this helps.
@savedario @dapertutto
You will be able to find your path-related solution in PR #1096
should be something like:
'settings' => !empty($appConfig['settings']) ? $appConfig['settings'] : null,
It is fixed in #1116
Thus, when we deploy our new release, you will no longer run into these issues.
Bug Triage automation moved this from Needs triage to Closed on Jul 17, 2019.
Seeing you populated the database manually, «Load http://localhost:8080/admin to get the configuration page» is not expected to happen.
Are there any PHP errors in either the /logs folder of the API or the server logs in general?
The /admin didn’t load even before I have populated the DB.
No files inside /directus/log
Log inside /var/log/apache2:
[Wed Jul 17 17:30:08.508800 2019] [php7:notice] [pid 8875] [client ::1:63759] PHP Notice: Undefined index: settings in /var/www/directus/src/core/Directus/Application/Application.php on line 145, referer: http://localhost:8080/admin/
[Wed Jul 17 17:30:09.370495 2019] [php7:notice] [pid 8875] [client ::1:63759] PHP Notice: Undefined index: settings in /var/www/directus/src/core/Directus/Application/Application.php on line 145, referer: http://localhost:8080/admin/
[Wed Jul 17 17:30:10.591603 2019] [php7:error] [pid 8875] [client ::1:63759] PHP Fatal error: Uncaught UnexpectedValueException: The stream or file "/var/www/directus/logs" could not be opened: failed to open stream: Is a directory in /var/www/directus/vendor/monolog/monolog/src/Monolog/Handler/StreamHandler.php:107
Stack trace:
#0 /var/www/directus/vendor/monolog/monolog/src/Monolog/Handler/AbstractProcessingHandler.php(39): Monolog\Handler\StreamHandler->write(Array)
#1 /var/www/directus/vendor/monolog/monolog/src/Monolog/Logger.php(344): Monolog\Handler\AbstractProcessingHandler->handle(Array)
#2 /var/www/directus/vendor/monolog/monolog/src/Monolog/Logger.php(707): Monolog\Logger->addRecord(400, 'Directus\\Except...', Array)
#3 /var/www/directus/src/core/Directus/Application/CoreServicesProvider.php(216): Monolog\Logger->error('Directus\\Except...')
#4 [internal function]: Directus\Application\CoreServicesProvider->Directus\Application\{closure}(Object(Directus\Exception\NotInstalledException))
#5 /var/www/directus/src/core/Directus/Hook/Emitter.php(291): call_user_func_array(Object(Closure), Array in /var/www/directus/vendor/monolog/monolog/src/Monolog/Handler/StreamHandler.php on line 107, referer: http://localhost:8080/admin/
Ignore this.
I just saw that the bug has been fixed already.
I am still having this issue. I too do not have anything logging into the directus/logs folder. There are no errors in the error_log for Apache either. I have an api.php file that is set up for the database too, but whenever I go to the /admin page, I immediately get a 500 (Internal Server Error) from /_/auth/sso, and then the same error when I type in the email and password and submit, but it's for the /_/auth/authenticate endpoint instead.
Not really sure what the issue is at this point. Any help would be appreciated.
It is the same for me. I want to test Directus, but the error occurs at the very first attempt. I will try again when the bug is fixed. I have downloaded the Baby Angel 190927A version. What is attempting to authorize anonymously on the login page ???
It can be challenging to troubleshoot authentication errors when you’re using SSO embed for your Looker content. There are a few different approaches you can take to try and diagnose issues, and you will choose an approach based on where your redirects are sending your users. The tips on this page assume that you are generating your SSO embed URL using a script similar to those in Looker’s SSO Examples GitHub repository, unless stated otherwise.
General things to try first
Before you begin embedding, make sure that your embed secret has been generated in the Admin panel and that your embedded content is functional in Production Mode, not just in Development Mode.
If you have admin permissions, sudo as the embed user to check that your content is functional. If you get the error Oops, we can't find that page, then the issue is most likely with permissions or content access and not related to an authentication issue. If the embed user isn’t showing up in the Users page of the Looker Admin panel, then the user has not been created and the embed URL is failing. You can try troubleshooting the issue using some of the suggestions and resources listed on this page.
If your instance is self-hosted, make sure that the client server can reach the Looker server, and, if the data between the client and the server is transmitted over the public Internet, make sure that SSL (HTTPS) is being used.
The rest of this page describes errors and other issues you may encounter along with steps for resolving them.
I’m getting redirected to either a login page or a «Single sign-on failure» page
If you’re getting redirected to the login page or to a page with the error Single sign-on failure. Please contact an administrator., this typically indicates that the SSO embed authentication is not working properly.
First, generate a new SSO embed URL and test it in the Embed URI Validator under the Embed page of the Looker Admin panel. The Embed URI Validator can sometimes reveal valuable information as to why you encounter an error.
Is the Embed URI Validator appearing as expected?
If you are on the Embed page of the Looker Admin panel and the Embed URI Validator does not appear on the page, this suggests that SSO embedding has not been enabled yet. You will need to enable SSO embedding.
I’m receiving the 'signature param' failed to authenticate error
If you see this error, the signature generated by your script is not working as expected. Refer to the following sections for possible solutions:
Do the SSO secrets match?
The embed secret in your Looker instance should be identical to the SSO secret in your SSO generation script. If you are unsure if this is true, select Reset Secret to generate a new secret and add it to your script. Resetting the key will break any embeds that used the old key.
Try using the create_sso_embed_url endpoint to create your embed URL, specifying the secret in your script for the secret_id in the body of the call. The response will let you know if the secret you are using is invalid.
Is the signature string in the correct order?
The embed parameters in the signature string must be in the proper order in the URL generation script. The proper order is documented on the Single sign-on (SSO) embedding documentation page.
The signature string, when printed, should look something like this before it is encoded (one field per line):
company_name.looker.com
/login/embed/embed%2Fdashboards%2F123
"ac786cbc06162b1edde3a8b35920a93e"
1585244357
3600
"test_external_user_id"
["access_data","see_user_dashboards"]
["test_model"]
[]
"test group space"
{"test_user_attribute":"yes"}
{}
After signing the signature string with your embed secret, make sure that the parameters in the final URL match the parameters specified in the signature string. Make sure that special characters such as + and / are encoded in the URL parameters (for example, the + could be interpreted as a space if it isn’t properly encoded) and that there aren’t any line breaks in the SSO embed URL, which could be missed after encoding.
Compare your script with our script examples to check whether your script goes through all the proper steps and whether the signature is using the proper encryption.
I’m receiving the This request includes invalid params: ["embed_domain"] error
Before you start troubleshooting this error, note that the embed_domain parameter is necessary only if your script is using JavaScript event listeners, which is typically not a requirement for a basic SSO embed implementation. If your application does not need to listen for JavaScript events, then the simplest option is to get rid of the embed_domain parameter completely.
If you do need to use JavaScript events in your embed application, check the URL generation script to see where the embed_domain parameter is being added. The error usually means that the embed_domain parameter was accidentally placed as an SSO parameter instead of directly within the embed_url. The script will not format the embed_domain parameter correctly unless it is actually part of the embed_url, and it should be added after the embed URL and before any parameters.
Here is what it should look like when the embed_domain parameter is specified correctly in your script:
embed_url: "/embed/dashboards/3?embed_domain=https://company.com"
If you are using the create_sso_embed_url endpoint, the embed_domain parameter should be placed at the end of the target_url.
I’m receiving the 'nonce' param already used this hour error
The value of the nonce parameter must not be repeated within the same hour, and it needs to be less than 255 characters. Therefore, you will see this error if you are testing a URL that has already been accessed. Make sure you are generating a fresh embed URL that has not yet been loaded in your browser and that the nonce is changing and not getting reused.
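The three failure modes above (signature string in the wrong order or with unencoded characters, embed_domain placed as an SSO parameter instead of inside the embed URL, and a reused nonce) can all be caught in the URL-generation script itself. The following is an added example of such a script, written for this page and not Looker's own code: it assumes the twelve signed fields are exactly the ones in the sample signature string above, in that order, assumes HMAC-SHA1 with base64 output as the signing step, and uses constructed values (company.looker.com, the secret, user and model names). The verify_embed_url function recomputes the signature from the finished URL, which is the same comparison the 'signature param' failed to authenticate error reports.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, quote, urlencode, urlsplit


def compact(value):
    """JSON without whitespace, so the signed string and the URL parameter are byte-identical."""
    return json.dumps(value, separators=(",", ":"))


def signature_string(host, embed_path, nonce, ts, session_length, external_user_id,
                     permissions, models, group_ids, external_group_id,
                     user_attributes, access_filters):
    # One field per line, in the order shown on the page (assumption: exactly these twelve fields).
    return "\n".join([host, embed_path, compact(nonce), str(ts), str(session_length),
                      compact(external_user_id), compact(permissions), compact(models),
                      compact(group_ids), compact(external_group_id),
                      compact(user_attributes), compact(access_filters)])


def sign(secret, string_to_sign):
    """HMAC-SHA1 over the signature string, base64-encoded (assumed signing step for this example)."""
    digest = hmac.new(secret.encode("utf-8"), string_to_sign.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


class NonceRegistry:
    """Remembers nonces for an hour so a reused one is refused before the server refuses it."""
    def __init__(self):
        self.seen = {}

    def register(self, nonce, now):
        if len(nonce) >= 255:
            raise ValueError("nonce must be shorter than 255 characters")
        self.seen = {n: t for n, t in self.seen.items() if now - t < 3600}  # drop entries older than an hour
        if nonce in self.seen:
            raise ValueError("'nonce' param already used this hour")
        self.seen[nonce] = now


def build_embed_url(host, secret, embed_url, external_user_id, permissions, models, registry,
                    now=None, embed_domain=None, session_length=3600, group_ids=(),
                    external_group_id="", user_attributes=None, access_filters=None):
    # embed_domain belongs inside the embed URL (after the path), never as a separate SSO parameter
    if embed_domain:
        embed_url += ("&" if "?" in embed_url else "?") + "embed_domain=" + embed_domain
    embed_path = "/login/embed/" + quote(embed_url, safe="")  # '/', '?', '=' and ':' are percent-encoded
    nonce = secrets.token_hex(16)  # fresh per URL; a previously loaded URL must never be replayed
    now = int(time.time()) if now is None else now
    registry.register(nonce, now)
    group_ids, user_attributes, access_filters = list(group_ids), user_attributes or {}, access_filters or {}
    to_sign = signature_string(host, embed_path, nonce, now, session_length, external_user_id,
                               permissions, models, group_ids, external_group_id,
                               user_attributes, access_filters)
    params = {"nonce": compact(nonce), "time": now, "session_length": session_length,
              "external_user_id": compact(external_user_id), "permissions": compact(permissions),
              "models": compact(models), "group_ids": compact(group_ids),
              "external_group_id": compact(external_group_id),
              "user_attributes": compact(user_attributes), "access_filters": compact(access_filters),
              "signature": sign(secret, to_sign)}
    # urlencode percent-encodes '+', '/' and '=' in the base64 signature and the JSON values
    return f"https://{host}{embed_path}?{urlencode(params)}"


def verify_embed_url(url, secret):
    """Recompute the signature from the URL's own fields; True only if it matches the one sent."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    fields = [parts.netloc, parts.path, q["nonce"], q["time"], q["session_length"],
              q["external_user_id"], q["permissions"], q["models"], q["group_ids"],
              q["external_group_id"], q["user_attributes"], q["access_filters"]]
    return hmac.compare_digest(sign(secret, "\n".join(fields)), q["signature"])


if __name__ == "__main__":
    registry = NonceRegistry()
    url = build_embed_url("company.looker.com", "constructed-embed-secret", "/embed/dashboards/3",
                          "user-1", ["access_data", "see_user_dashboards"], ["test_model"],
                          registry, embed_domain="https://company.com")
    print(url)
    print(verify_embed_url(url, "constructed-embed-secret"))
```

Printing to_sign next to the sample signature string on this page is the quickest way to spot an ordering mistake; the verify step then proves that the encoded URL still carries exactly the signed fields, since any field changed after signing (or a wrong secret) makes the recomputed signature differ.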
I’m getting redirected to an Uh-Oh, Something went wrong error
If you are seeing this error, please contact Looker Support to help you diagnose the issue.
I’m getting redirected to a page with the 401 error message You are not authenticated to view this page.
If you’ve tried all the applicable troubleshooting steps and the 401 issue persists, your browser is likely blocking third-party cookies. Most browsers are becoming more restrictive and will default to a cookie policy that blocks these cookies. For example, Safari’s Prevent Cross-Site Tracking setting is enabled by default, as is Chrome’s Block third-party cookies in Incognito setting.
If your application is embedding Looker content and the domain name of your Looker instance ends in company.looker.com, the browser won’t authenticate the embedded iframe across domains unless the browser’s cookie privacy settings are modified.
Looker-hosted instances
Looker-hosted admins who do not want to have their users manually enable third-party cookies in their browsers will need to change the domain name of the Looker-hosted instance. As an example, Looker-hosted instances typically take the format https://<hostname>.<subdomain>.<domain>.com. If the Looker domain name is changed, Looker will no longer be considered a third-party domain. See the What happens if the URL changes for my Looker instance? Best Practices page for more information.
If you’re interested in adding a custom domain for your Looker instance, reach out to Looker Support to set up the necessary DNS configuration.
Self-hosted instances
If you are self-hosting your Looker instance, make sure that your application using SSO embedding is on the same base domain as your Looker instance by changing the DNS entries for your Looker instance.
Chrome also requires that any session cookie with the samesite=none flag should also specify secure. Looker will not signal secure if your Looker instance is not provided with a --ssl-provided-externally-by=<s> startup flag, so make sure that this startup flag is configured.
I’m still having issues; what do I do now?
If you are still experiencing issues after trying the suggestions on this page, please reach out to your Looker contact, or visit Looker Support to open a ticket.