looker_embed_sso_examples's Issues

Incorrect session length number format in C# Examples

On line 90, when formatting the session length, the code uses the format "{0:N0}" which works fine for that example because the session length is 15 minutes (or 900 seconds). As soon as you get above a 999 second session length, however, that format adds commas to the result (i.e. 1,000), which breaks the embed. A better format would be "{0:D}" which would not add the commas.

Python example should not strip newlines from digest before base64 encode

The Python code sample sometimes creates an invalid signature.

The issue is that it is stripping the '\n' off of the digest before calling b64encode:
https://github.com/looker/looker_embed_sso_examples/blob/master/python_example.py#L61

In our ruby example we do not strip the digest, only the result after base64 encoding:
https://github.com/looker/looker_embed_sso_examples/blob/master/ruby_example.rb#L56

I experimented in the python shell:

import base64
import binascii
import os
from hashlib import sha1
import hmac

def test():
  ok = 0
  bad = 0
  for x in range(0, 1000):
    digest = hmac.new(binascii.hexlify(os.urandom(16)),  binascii.hexlify(os.urandom(16)), sha1).digest()
    strip_dig = base64.b64encode(digest.rstrip('\n')).rstrip('\n')
    sig       = base64.b64encode(digest)
    strip_sig = base64.b64encode(digest).rstrip('\n')
    if sig != strip_sig:
      print "fail!"
    if strip_dig == strip_sig:
      ok += 1
    else:
      bad += 1
  print "ok %d" % (ok)
  print "bad %d" % (bad)

$ python
Python 2.7.13 (default, Feb 14 2017, 21:38:16) 
[GCC 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.42.1)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import base64
>>> import binascii
>>> import os
>>> from hashlib import sha1
>>> import hmac
>>> 
>>> def test():
...   ok = 0
...   bad = 0
...   for x in range(0, 1000):
...     digest = hmac.new(binascii.hexlify(os.urandom(16)),  binascii.hexlify(os.urandom(16)), sha1).digest()
...     strip_dig = base64.b64encode(digest.rstrip('\n')).rstrip('\n')
...     sig       = base64.b64encode(digest)
...     strip_sig = base64.b64encode(digest).rstrip('\n')
...     if sig != strip_sig:
...       print "fail!"
...     if strip_dig == strip_sig:
...       ok += 1
...     else:
...       bad += 1
...   print "ok %d" % (ok)
...   print "bad %d" % (bad)
... 
>>> test()
ok 997
bad 3
>>> test()
ok 999
bad 1
>>> test()
ok 995
bad 5
>>> test()
ok 997
bad 3
>>> 

This shows that the strip of the base64 encoded part didn't matter in python anyway.

But, importantly, doing a strip on the digest before encoding will cause the sig to be wrong a small percent of the time!

I eyeballed the examples for other languages and do not find this bug in any of them.
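
Added example (not part of the original issue or of the repository's code): a Python 3 sketch of why stripping the raw digest fails roughly one time in 256, namely whenever the last digest byte happens to be 0x0A. The secret, the message strings and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-embed-secret"  # constructed sample value, not a real key


def raw_digest(message: bytes) -> bytes:
    """20-byte binary HMAC-SHA1 digest; any byte value may appear, including 0x0A."""
    return hmac.new(SECRET, message, hashlib.sha1).digest()


def sign_correct(message: bytes) -> str:
    # Encode all 20 digest bytes; strip only the base64 text, as the Ruby example does.
    return base64.b64encode(raw_digest(message)).decode().rstrip("\n")


def sign_buggy(message: bytes) -> str:
    # Behaviour reported in the issue: trailing newlines are stripped from the
    # binary digest *before* encoding, so a digest ending in 0x0A loses bytes.
    return base64.b64encode(raw_digest(message).rstrip(b"\n")).decode()


def verify(message: bytes, signature: str) -> bool:
    """Hypothetical receiving side: recompute the signature and compare in constant time."""
    return hmac.compare_digest(sign_correct(message), signature)


def sample_message(i: int) -> bytes:
    return b"constructed-string-to-sign-%d" % i


def find_failing_message(limit: int = 100_000) -> bytes:
    """Deterministically search for a message whose digest ends in 0x0A."""
    for i in range(limit):
        if raw_digest(sample_message(i)).endswith(b"\n"):
            return sample_message(i)
    raise RuntimeError("no digest ending in 0x0A found within limit")


def mismatch_rate(samples: int = 20_000) -> float:
    """Fraction of messages for which the buggy signature differs from the correct one."""
    bad = sum(sign_buggy(sample_message(i)) != sign_correct(sample_message(i))
              for i in range(samples))
    return bad / samples


if __name__ == "__main__":
    msg = find_failing_message()
    print("digest tail byte:", raw_digest(msg)[-1:])
    print("correct:", sign_correct(msg), "accepted:", verify(msg, sign_correct(msg)))
    print("buggy:  ", sign_buggy(msg), "accepted:", verify(msg, sign_buggy(msg)))
    print("mismatch rate: %.4f" % mismatch_rate())
```
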

examples should indicate which params are new/optional

Some optional params have been added since Looker first added SSO signing support. Not all params are supported in older Looker versions. This is especially important for those params that are used in building the signature because older Looker versions will fail to validate signatures that incorporate params that those versions don't recognize. This can be very frustrating to figure out. More info in the examples would help consumers of these examples who might be working with slightly older Lookers.

C# code nonce value is wrong

Hi,

C# code example where it generates nonce value is wrong.
Only DateTime.Now.Ticks is used which will return the long value but not alpha-numeric value.

Kindly update this code for nonce.

Thank you,
Sagar

Please add the `user_timezone` property to the embed examples

It is claimed that user_timezone can be specified here: https://discourse.looker.com/t/user-specific-time-zones-3-22/875/8 and https://discourse.looker.com/t/looker-3-34-release-notes/1682

vincent, Feb 1
Hi @Jay_Stricks,

To set an embed user's timezone, in the same query params that you put the permissions, models, etc., you add another one like so user_timezone: json_user_timezone. Let me know if you have any questions on this.

Cheers,
Vincent

and

Powered By Looker
PDF Downloading for Embedded Dashboards. Permissions are configured in the same way as for regular Looker Users and Roles.
All Download Types for Embedded Elements. Permissions are configured in the same way as for regular Looker Users and Roles.
User Timezones for SSO Embedding. Set the parameter as part of the SSO embed setup process.

But there is no complete example of this and the feature is not documented in the PDF embedding instructions provided by Looker (update: I do see the parameter listed in the PDF document). This makes the API really, really difficult to use. Does the user_timezone parameter need to be included in the request signing? Is it just a dashboard filter parameter?

Furthermore, the python example here: https://github.com/looker/looker_embed_sso_examples/blob/master/python_example.py does not use the user_timezone parameter.

PHP example ignores 'force_logout_login' value

In the PHP example, when setting the $queryParams array with all fillable values, a boolean is passed in to the 'force_logout_login' on line 60.

'force_logout_login' => false,

However, later down this value is forcibly overwritten on lines 69-70:

$value = "true";

My assumption is that line 70 should convert the existing boolean value (true or false) to its string literal, but now it's just forcing 'true' regardless of what was set above.

how to disable the filter bar at top?

I'm using a looker embed SSO with node JS. I'm placing the generated URL in an iframe but I noticed that it renders a filter, which I would like to disable. Is there a parameter I need to pass in the url_data object? If so, what would that parameter be?

add user_timezone to examples

user_timezone is a supported (non-signed) param since last year. Should be included in the samples.

I added it to ruby sample in #15. Needs to be added to the others.

Python example /embed/sso vs /embed

There's some inconsistency between the different language examples around the embed URL.
In ruby and node version it's "/embed/sso/dashboards/3" and in python, php and csharp it's "/embed/dashboards/3", is this significant?
