Enterprise Embed - Endless 401 Loop after initial load

I’ve got a trial enterprise version of Metabase set up. It’s currently got SSO set up through SAML connected to Auth0 (also has the normal “Admin Backup Login” enabled).

I’ve got a custom app (and I’ve also tried the example-sso app), and I’m trying to embed Metabase (full app) into the custom app.

When following the docs, I’m able to get the iframe to initially load, but then it goes into a loading loop trying to get /api/user/current which returns 401 (unauthorized). It continues to try and load - but just keeps looping - dying on the failed request to api/user/current.

This happens on both the example-sso app, and my custom app. I’ve only modified the example-sso app to connect to my deployed version of Metabase (instead of spinning up a new instance).

Has anyone seen this behavior before?

I should add… I can hit the endpoint that it’s trying to get in another browser tab - and it returns just fine (see below).

{"email":"jeffpipas@#####.com","ldap_auth":false,"first_name":"Jeff","last_login":"2019-07-19T13:54:47.818Z","is_active":true,"is_qbnewb":false,"updated_at":"2019-07-19T13:54:47.818Z","group_ids":[1,5],"is_superuser":false,"login_attributes":{"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname":"Pipas","http://schemas.auth0.com/organization_duid":"1998","http://schemas.auth0.com/identities/default/provider":"auth0","http://schemas.auth0.com/last_password_reset":"2019-07-18T19:04:42.092Z","http://schemas.xmlsoap.org/claims/Group":"Shepherd Analytics User","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress":"jeffpipas@######.com","http://schemas.auth0.com/created_at":"Fri Jun 14 2019 14:34:07 GMT+0000 (UTC)","http://schemas.auth0.com/email_verified":"true","http://schemas.auth0.com/identities/default/connection":"Username-Password-Authentication","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name":"Jeff Pipas","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":"jeffpipas@######.com","http://schemas.auth0.com/clientID":"7X3WHVJvQIkt90ySCmUA5vV0endMAZD5","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname":"Jeff","http://schemas.auth0.com/nickname":"jeffpipas","http://schemas.auth0.com/picture":"https://s.gravatar.com/avatar/a1ebdc06bd183b3e5faba4961e34a7de?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fje.png","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier":"auth0|5d03b05f84da940cc37fd99f","http://schemas.auth0.com/identities/default/isSocial":"false","http://schemas.auth0.com/updated_at":"Fri Jul 19 2019 13:51:34 GMT+0000 (UTC)"},"id":7,"last_name":"Pipas","date_joined":"2019-07-02T18:06:18.108Z","personal_collection_id":13,"common_name":"Jeff Pipas","google_auth":false}

I’m on Metabase Enterprise 1.1.4

Hi @jpipas
I would recommend that you reach out to support@metabase[.]com, since you’re using EE - and you can give more details in private.
The documentation about SAML was just created, so maybe it’s missing something or it needs to be adjusted.

I’ve managed to reproduce the issue and have determined that the root cause is our session cookie not being passed along in the iframe because of the SameSite=Lax attribute. We are hoping to have a fix later today.

We are experiencing this problem still on version 1.33.4.1. Any update?

@dallerup + @jpipas
There was an update to the documentation yesterday (which hasn’t been added to the site yet) about specifying the embed domain:
https://github.com/metabase/metabase/blob/bd8049fb77d9153156ab125db5e2a607635b09f2/docs/enterprise-guide/full-app-embedding.md#enabling-embedding-in-metabase
I’m not sure if that will solve this problem. Also might want to check out @jpipas’s post here: Iframe reloading infinitely
By the way, latest Enterprise release is v1.33.6.1

Hey there,

I’m seeing this issue as well. Based on the linked thread, it looks like the solution to this is to run both metabase and the SPA web-app on the same domain. However, this is impractical for development. Is there a workaround to this?

To develop the metabase full-app embed, I need to be able to use a remote metabase with a local app.

Using Metabase v1.37.0.2

Cheers,
John

@johnwiseheartcandid
I would recommend that you use the support email when using the Enterprise Edition.
I don’t understand what you mean by “use a remote metabase with a local app”.
You would need to define the allowed embedding addresses in Admin > Settings > Embedding.
Also, latest release is 1.37.7

We’re still on the Trial, but I can try the support email - thanks for the tip.

When I say “use a remote metabase with a local app”, I mean that I’m developing the embedding application locally - its URL is localhost:3000. The metabase I’m using is metabase.mydomain.com (remote). Based on the thread above, the solution is to have both the app and metabase be at the same domain, but this is not possible when developing.

Cheers,
John

@johnwiseheartcandid Have you defined the embed addresses in settings?
Browser security has changed since that post was made too, so check your browser developer console.
A lot of things have become a lot more strict now than just a couple of years ago.

I did have the embed addresses, but I was still seeing the instant refreshes/401 loop.

I was just able to get metabase set up locally with my auth provider and now it works! It was definitely the issue described where the embedding app needs to be at the same domain as metabase.

Thanks for the help @flamber
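The SameSite behaviour discussed in this thread, as an added example (not Metabase code and not written by any participant): a simplified model of when a browser attaches the session cookie to the iframe's /api/user/current request. The site calculation, the field names and the local Metabase port 3001 are assumptions made for illustration.

```javascript
// Added example: a simplified model of the browser's SameSite decision.
// Assumption: "site" = scheme + last two host labels; a real browser uses the
// Public Suffix List. Ports are not part of a site.
function siteOf(url) {
  const u = new URL(url);
  const h = u.hostname;
  const whole = /^[\d.]+$/.test(h) || !h.includes("."); // IP literal or localhost
  return `${u.protocol}//${whole ? h : h.split(".").slice(-2).join(".")}`;
}

// frameChain: document URLs from the top-level page down to the frame that
// issues the request. One cross-site ancestor makes the request cross-site.
function isSameSiteRequest(req) {
  const target = siteOf(req.url);
  return req.frameChain.every((doc) => siteOf(doc) === target);
}

function cookieIsSent(cookie, req) {
  const mode = (cookie.sameSite || "lax").toLowerCase(); // unset is treated as Lax
  if (cookie.secure && new URL(req.url).protocol !== "https:") return false;
  if (mode === "none") return cookie.secure === true; // None without Secure is rejected
  if (isSameSiteRequest(req)) return true;
  // Cross-site: only Lax survives, and only on a top-level GET navigation.
  return mode === "lax" && req.topLevelNavigation === true && req.method === "GET";
}

// Constructed hosts: the remote instance and local app named in the thread,
// plus an assumed local Metabase on port 3001.
const API = "/api/user/current";
function scenarios() {
  const remote = "https://metabase.mydomain.com";
  const app = "http://localhost:3000/";
  const xhr = (frameChain, url) => ({ url, frameChain, method: "GET", topLevelNavigation: false });
  const lax = { sameSite: "Lax", secure: false };
  const embedded = xhr([app, remote + "/"], remote + API);
  return {
    ownTab: cookieIsSent(lax, xhr([remote + "/"], remote + API)),
    embeddedLax: cookieIsSent(lax, embedded),
    embeddedNoneSecure: cookieIsSent({ sameSite: "None", secure: true }, embedded),
    embeddedNoneInsecure: cookieIsSent({ sameSite: "None", secure: false }, embedded),
    bothLocalLax: cookieIsSent(lax, xhr([app, "http://localhost:3001/"], "http://localhost:3001" + API)),
  };
}
console.log(scenarios());
```

Browsers that block third-party cookies can still withhold the cookie in the embedded case even with SameSite=None and Secure; the model does not cover that.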

We are experiencing the same issue as John here.
We have an enterprise trial edition which we are taking live shortly and are hit with a 401 loop.
I believe the resolution is to set the ‘MB_SESSION_COOKIE_SAMESITE’ environment variable but we’ve had no luck.
@flamber

@Wilcko I would recommend that you use supportATmetabase.com for any questions about the Enterprise Edition.
It would help to know which auth provider you’re using, and the domains used for embedding and which settings are used in Metabase > Admin > Settings > Embedding.
Also include errors from either Admin > Troubleshooting > Logs or the browser console depending on the problem.
And also “Diagnostic Info” from Admin > Troubleshooting.