GitHub user dosubot[bot] added a comment to the discussion: Embedded Superset dashboards with Keycloak Single Sign-On integration
Hi @silviam-97! I'm [Dosu](https://go.dosu.dev/dosubot) and I'm helping the superset team.

Superset shows the login page in your iframe even after SSO because its authentication relies on a session cookie, which by default is set with `SameSite=Lax`. This prevents browsers from sending the cookie in iframe requests, so Superset doesn't recognize the user as logged in and renders the login page. The login view also doesn't automatically trigger the Keycloak SSO handshake; it waits for user interaction (the "Sign in" click) before redirecting to Keycloak for authentication. That's why you see the login page and need to click "Sign in" even though your Keycloak session is valid.

The officially supported way to embed Superset dashboards with SSO is to use the Embedded SDK and guest token flow. This lets your backend generate a guest token for the user, which the frontend passes to Superset, allowing seamless access to the dashboard in the iframe without requiring a login or SSO redirect. This approach avoids session and cookie issues and is recommended for embedded scenarios [(details)](https://github.com/apache/superset/discussions/35231) [(Embedded SDK docs)](https://github.com/apache/superset/blob/master/superset-embedded-sdk/README.md).

If you want to try seamless SSO in an iframe (not recommended), you need to:

- Set `SESSION_COOKIE_SAMESITE = "None"` and `SESSION_COOKIE_SECURE = True` in your `superset_config.py` so the browser will send the session cookie in the iframe.
- Adjust `TALISMAN_CONFIG['frame-ancestors']` to allow your portal domain.
- Optionally, override the login view (e.g., in a custom security manager) to immediately redirect to Keycloak when the login page loads, so users don't have to click "Sign in" [(example)](https://github.com/apache/superset/blob/master/docs/docs/configuration/configuring-superset.mdx#L66-L546).

However, direct SSO embedding is fragile and can lead to session conflicts or unpredictable behavior, especially as browsers tighten cross-origin policies. The guest token/Embedded SDK method is more robust and future-proof.

If you want anonymous access without login, you can also set `PUBLIC_ROLE_LIKE = "Gamma"` in your config to allow public dashboard viewing, but this exposes dashboards to anyone with the link [(reference)](https://github.com/apache/superset/discussions/31949).

Let me know if you want step-by-step instructions for any of these approaches.

*To reply, just mention [@dosu](https://go.dosu.dev/dosubot).*
GitHub link: https://github.com/apache/superset/discussions/36241#discussioncomment-15065066
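The backend half of the guest-token flow the comment recommends, as an added example that is not code from the thread or from the Superset project. It assumes a DB-backed service account for the `/api/v1/security/login` call (the end user's Keycloak session is never involved), that the API accepts the bearer token alone, and that the dashboard id is the embedded UUID from Superset's "Embed dashboard" dialog; the `post` parameter is an injection point so the exchange can be exercised offline.

```python
"""Mint a Superset guest token for one end user, scoped to one dashboard."""
import json
import uuid
from typing import Any, Callable, Dict, List, Optional
from urllib import request

# Signature of the HTTP helper: (url, json_body, extra_headers) -> parsed JSON.
Poster = Callable[[str, Dict[str, Any], Dict[str, str]], Dict[str, Any]]


def _http_post(url: str, body: Dict[str, Any], headers: Dict[str, str]) -> Dict[str, Any]:
    """Minimal stdlib JSON POST; replaced by a fake when testing offline."""
    data = json.dumps(body).encode()
    req = request.Request(url, data=data, method="POST",
                          headers={"Content-Type": "application/json", **headers})
    with request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def build_guest_token_request(dashboard_uuid: str, username: str,
                              rls: Optional[List[Dict[str, Any]]] = None) -> Dict[str, Any]:
    """Body for POST /api/v1/security/guest_token/, pinned to a single dashboard.

    The id is validated as a UUID and the resource type is fixed server-side, so a
    caller cannot widen the token's scope; RLS clauses must come from trusted code,
    never from the browser, because they become SQL predicates inside Superset."""
    uuid.UUID(dashboard_uuid)  # raises ValueError on anything that is not a UUID
    if not username or not username.isprintable():
        raise ValueError("username must be a printable, non-empty string")
    for rule in rls or []:
        if "clause" not in rule:
            raise ValueError("each RLS rule needs a 'clause' key")
    return {
        "user": {"username": username},
        "resources": [{"type": "dashboard", "id": dashboard_uuid}],
        "rls": list(rls or []),
    }


def fetch_guest_token(base_url: str, service_user: str, service_password: str,
                      dashboard_uuid: str, username: str,
                      rls: Optional[List[Dict[str, Any]]] = None,
                      post: Poster = _http_post) -> str:
    """Step 1: log in as the service account. Step 2: mint the guest token."""
    login = post(f"{base_url}/api/v1/security/login",
                 {"username": service_user, "password": service_password,
                  "provider": "db", "refresh": True}, {})
    body = build_guest_token_request(dashboard_uuid, username, rls)
    out = post(f"{base_url}/api/v1/security/guest_token/", body,
               {"Authorization": f"Bearer {login['access_token']}"})
    return out["token"]  # hand this to the Embedded SDK's fetchGuestToken callback
```

Keep the service account's password and the guest token's short lifetime (`GUEST_TOKEN_JWT_EXP_SECONDS` in `superset_config.py`) on the backend; the browser only ever sees the short-lived guest token.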
