Enterprise Embed - Endless 401 Loop after initial load

I’ve got a trial enterprise version of Metabase setup. It’s currently got SSO setup thru SAML connected to Auth0 (also has the normal “Admin Backup Login” enabled).

I’ve got a custom app (and I’ve also tried the example-sso app), and I’m trying to embed Metabase (full app) into the custom app.

When following the docs, I’m able to get the iframe to initially load, but then it goes into a loading loop trying to get /api/user/current which returns 401 (unauthorized). It continues to try and load - but just keeps looping - dying on the failed request to api/user/current.

This happens on both the example-sso app, and my custom app. I’ve only modified the example-sso app to connect to my deployed version of Metabase (instead of spinning up a new instance).

Has anyone seen this behavior before?

I should add… I can hit the endpoint that its trying to get in another browser tab - and it returns just fine (see blow).

{"email":"jeffpipas@#####.com","ldap_auth":false,"first_name":"Jeff","last_login":"2019-07-19T13:54:47.818Z","is_active":true,"is_qbnewb":false,"updated_at":"2019-07-19T13:54:47.818Z","group_ids":[1,5],"is_superuser":false,"login_attributes":{"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname":"Pipas","http://schemas.auth0.com/organization_duid":"1998","http://schemas.auth0.com/identities/default/provider":"auth0","http://schemas.auth0.com/last_password_reset":"2019-07-18T19:04:42.092Z","http://schemas.xmlsoap.org/claims/Group":"Shepherd Analytics User","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress":"jeffpipas@######.com","http://schemas.auth0.com/created_at":"Fri Jun 14 2019 14:34:07 GMT+0000 (UTC)","http://schemas.auth0.com/email_verified":"true","http://schemas.auth0.com/identities/default/connection":"Username-Password-Authentication","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name":"Jeff Pipas","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":"jeffpipas@######.com","http://schemas.auth0.com/clientID":"7X3WHVJvQIkt90ySCmUA5vV0endMAZD5","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname":"Jeff","http://schemas.auth0.com/nickname":"jeffpipas","http://schemas.auth0.com/picture":"https://s.gravatar.com/avatar/a1ebdc06bd183b3e5faba4961e34a7de?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fje.png","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier":"auth0|5d03b05f84da940cc37fd99f","http://schemas.auth0.com/identities/default/isSocial":"false","http://schemas.auth0.com/updated_at":"Fri Jul 19 2019 13:51:34 GMT+0000 (UTC)"},"id":7,"last_name":"Pipas","date_joined":"2019-07-02T18:06:18.108Z","personal_collection_id":13,"common_name":"Jeff Pipas","google_auth":false}

I’m on Metabase Enterprise 1.1.4

Hi @jpipas
I would recommend that you reach out to support@metabase[.]com, since you’re using EE - and you can give more details in private.
The documentation about SAML was just created, so maybe it’s missing something or it needs to be adjusted.

I’ve managed to reproduce the issue and have determined that the root cause is our session cookie not being passed along in the iframe because of the SameSite=Lax attribute. We are hoping to have a fix later today.

We are experiencing this problem still on version 1.33.4.1. Any update?

@dallerup + @jpipas
There was an update to the documentation yesterday (which hasn’t been added to the site yet) about specifying the embed domain:
https://github.com/metabase/metabase/blob/bd8049fb77d9153156ab125db5e2a607635b09f2/docs/enterprise-guide/full-app-embedding.md#enabling-embedding-in-metabase
I’m not sure if that will solve this problem. Also might want to checkout @jpipas post here: Iframe reloading infinitely
By the way, latest Enterprise release is v1.33.6.1