Setup SeekTable for secure embedding

You can embed SeekTable reports into your web application in a secure way by enabling JWT-based authorization for published reports or read-only app view. Secure embedding is available only for self-hosted SeekTable and only for users with Advanced Publishing subscription. How it works:

JWT lifetime can be is limited by its expiration date. JWT claims (payload) may be contain report parameters and in this way you can organize row-level security for embedded reports (without SSO): each 'main' app user may have its own set of parameters that restrict access to the data. Users cannot change these parameters because their JWT tokens are signed with a secret key. JWT tokens may be encrypted with symmetric algorithm, and in this case even values of parameters passed in JWT are secured (cannot be accessed by end-users).

If you want to evaluate this feature before purchase you can request free 14-day trial.
How to enable JWT-based auth for embedded SeekTable views:

Step 1: Configure SeekTable JWT validation for published reports

Find docker-compose.seektable.env file and add the following lines:

SeekTable_ST:PublicReport:AuthJwtUrlParameter=auth
SeekTable_ST:PublicReport:AuthJwtCookieName=cookie_name_or_empty_if_not_used
SeekTable_ST:PublicReport:AuthJwt:ValidIssuer=your_web_app_issuer_value
SeekTable_ST:PublicReport:AuthJwt:ValidateIssuer=true
SeekTable_ST:PublicReport:AuthJwt:ValidateAudience=false
SeekTable_ST:PublicReport:AuthJwt:ValidateLifetime=true
SeekTable_ST:PublicReport:AuthJwt:ValidateIssuerSigningKey=true
SeekTable_ST:PublicReport:AuthJwt:IssuerSigningKeyString=your_secret_signing_key_min_16_chars

If you want to use encrypted JWT also add:

SeekTable_ST:PublicReport:AuthJwt:TokenDecryptionKeyString=your_secret_decryption_key_min_16_chars

Then re-start your self-hosted SeekTable docker container (docker-compose restart).
Now you should see Security tab on "Configure Published Report" form:

Step 2: Generate JWT in your web application

The following code snippets illustrate how to generate JSON Web Token (.NET):

• Signed JWT (C#)
• Encrypted JWT (C#)

var handler = new JwtSecurityTokenHandler();
var signingCredentials = new SigningCredentials(
  new SymmetricSecurityKey(System.Text.Encoding.UTF8.GetBytes("your_secret_signing_key_min_16_chars")),
  SecurityAlgorithms.HmacSha256Signature);
var token = handler.CreateJwtSecurityToken(
  subject: new ClaimsIdentity(new[] { new Claim("report_param_name", "report_param_val") }),
  signingCredentials: signingCredentials,
  audience: "",
  issuer: "your_web_app_issuer_value",
  expires: DateTime.UtcNow.AddMinutes(30));
var jwt = handler.WriteToken(token);

var handler = new JwtSecurityTokenHandler();
var signingCredentials = new SigningCredentials(
  new SymmetricSecurityKey(System.Text.Encoding.UTF8.GetBytes("your_secret_signing_key_min_16_chars")),
  SecurityAlgorithms.HmacSha256Signature);
var encryptCredentials = new EncryptingCredentials(
  new SymmetricSecurityKey(System.Text.Encoding.UTF8.GetBytes("your_secret_decryption_key_min_16_chars")),
  SecurityAlgorithms.Aes128KW,
  SecurityAlgorithms.Aes128CbcHmacSha256);
var tokenDescriptor = new SecurityTokenDescriptor {
  Audience = "",
  Issuer = "your_web_app_issuer_value",
  Subject = new ClaimsIdentity(new[] { new Claim("report_param_name", "report_param_val") }),
  Expires = DateTime.UtcNow.AddMinutes(5),
  EncryptingCredentials = encryptCredentials,
  SigningCredentials = signingCredentials
};
var encryptedJwt = handler.CreateEncodedJwt(tokenDescriptor);

If you don't use C#/.NET please check your development platform about how to generate JSON Web Token. Notes:

• signing should use symmetric algorithm
• encryption should use symmetric algorithm
• key length should be at least 16 bytes

Step 3: Pass JWT to embedded SeekTable report

There are 2 ways how you can pass generated JWT to the report embedded with IFRAME:

• as an URL parameter (parameter name is configured by SeekTable_ST:PublicReport:AuthJwtUrlParameter setting)
• as a cookie (cookie name is configured by SeekTable_ST:PublicReport:AuthJwtCookieName)
  This approach is possible only if self-hosted SeekTable is accessed as a sub-domain of your main web application.

Important notes:

• JWT authorization is used only for published reports where Link access control is set to JSON Web Token.
• Owner of published report always can view it (when logged in), even without JWT or if JWT is invalid. It is recommended to test secure published reports in another browser session (incognito/private window).

Embedded app view

If you want to offer to users of your app capability to make ad-hoc queries you can embed read-only SeekTable app view - to get the point just imagine that whole demo.seektable.com view is embedded (without top-menu):

Technically this works in this way:

• on your self-hosted SeekTable installation you can create a 'master' user account (or several ones) that will contain data sources / reports that you want to expose inside your main web application
  This user account should have Advanced Publishing capability.
• your main app generates JWT as described above + includes special claim seektable_user_email with login email of SeekTable 'master' account you want to embed. This JWT may contain additional name-value pairs to override appropriate report parameters (end-users will not be able to change these report parameters).
• to embed app view just include iFrame with a base URL to your on-premise SeekTable + pass the JWT with an URL parameter or cookie. This URL may be for the concrete cube (or report), if you want to select and show it by default.
• embedded app view is a read-only: end-users can view existing reports, change their options and even create new reports, but unable to save any modifications.
• any mentions of SeekTable (and the footer-line) may be removed with white-label mode capability. With white-labelling it is possible to customize CSS styles (colors, fonts etc) and even UI labels (say, you can rename "Cubes" to "Datasets" if you like).