Skip to content

Embedding the Web Interface in an iframe

This page outlines how to embed a Kdb Insights Enterprise URL in a third-party application, referred to as Client Application, through an iframe.

A client application can embed one of the following URLs:

  • The main kdb Insights Enterprise web interface, providing access to the entire kdb Insights Enterprise web application based on roles and entitlements.

  • A specific View share link, which only loads the specific View, without allowing navigation to the rest of the web interface

The applications can be configured to work together so that when a user logs into the client application using the company's chosen Identity Provider, they are automatically logged into kdb Insights Enterprise and presented with the chosen embed URL. This ensures a seamless authentication experience between the client application and kdb Insights Enterprise.

Configuration using Microsoft Entra ID

This section provides an example using OpenID Connect to facilitate single sign-on (SSO) using Microsoft Entra ID as an Identity Provider.

Multiple services are involved in this configuration:

  • Microsoft Entra ID to configure the client application to support Hybrid flow and allow Keycloak redirect URLs.
  • Keycloak to add the Azure application as an Identity Provider and allow redirect URLs.
  • Client application to include the keycloak redirection on login and log out.
  • kdb Insights Enterprise, which can be configured to allow its web interface to be embedded in an iframe through a URL.

Microsoft Entra ID Application Registration

  1. Log into your Azure portal

  2. Navigate to Microsoft Entra ID and navigate to Manage > App Registrations.

  3. Use an existing Azure app registration or create a new one

    Note

    This guide shows you how to create a sample application including the registration steps.

  4. Under Manage > Authentication, update the settings to include the following:

    1. Redirect URLs for:

      • the client application URL that receives the authorization code and exchanges it for an access token ({appUrl}/auth/redirect if using the ms-identity-node example linked above)

      • the Keycloak front-channel logout URL ({insightsUrl}/auth/realms/insights/protocol/openid-connect/logout)

    2. Enable the issue of ID tokens from the authorization endpoint

Keycloak

To register the above Azure application as an Identity Provider in Keycloak follow the instructions below:

  1. Log into the keycloak administration console

  2. Choose the target realm ($REALM_NAME) from the top-left realm drop-down

    Warning

    Ensure you select the correct realm ($REALM_NAME) as the UI defaults to the Master realm on login.

  3. Navigate to the Identity Providers menu and add an OpenID Connect Connect v1 provider

  4. Set the following:

    • Alias:azure

    • Display Name: Azure AD

  5. Set the Authorization URL field as follows:

    1. On the Overview screen for your Azure registered application, click Endpoints.

    2. Copy the URL for OpenID Connect metadata document.

    3. Paste it into the Discovery endpoint field in Keycloak, the other fields should be populated automatically.

  6. Set the Client Authentication to Client secret sent as post

  7. Set the Client ID as follows:

    1. In Azure, navigate to the Essentials section on the Overview screen for your registered application.

    2. Copy the Application (client) ID

    3. Paste it into the Client ID field in Keycloak

  8. Set the Client Secret as follows:

    1. In Azure, navigate to Manage > Certificates & Secrets for your registered application and create a new secret, providing a description and expiration period.

    2. Copy the secret value immediately as this is only displayed once

    3. Paste the secret into the Client Secret field in Keycloak

  9. In the Keycloak Advanced Settings, set the following:

    • Scopes: openid profile email

    • Trust email: On (indicates that Azure emails are verified)

    • Sync mode: Force (ensures user data updates at every login)

    • Prompt: None, (enables silent login if the user is already authenticated)

  10. In Keycloak, click Save

Configure user role mapping in Keycloak

Mappers can help determine how new users are configured when they log in to Keycloak for the first time. For example, set the Role Importer to insights.role.viewer role to give users read-only access, as follows:

  1. Click on the Mappers tab within the newly saved Identity Provider

  2. Add a mapper for the insights.role.viewer role

Update Azure with the redirect URI

  1. In Keycloak copy the Redirect URI value

  2. In Azure:

    1. Navigate to the Authentication menu of the registered application

    2. Add a web platform, if it is not already included

    3. Paste the Redirect URI copied in the previous step into the Redirect URIs textbox

Configure the Keycloak client

Navigate to the gui Keycloak client and follow steps below:

  1. In the Access settings section, update Valid redirect URIs and Valid post logout redirect URIs to include the relevant client application URLs

  2. In the Capability config section, enable Implicit flow

Client Application

Modify your application source code to redirect to Keycloak's authentication endpoint after a successful login, including the following parameters:

  • client_id

  • kc_idp_hint - set to the Identity Provider ID configured in Keycloak

  • redirect_uri - the URL that you would like Keycloak to return to after authenticating the user

For example: {appUrl}/auth/realms/insights/protocol/openid-connect/auth?redirect_uri=https%3A%2F%2Fmyapp.myco.com%2Fauth%2FredirectExt&client_id=gui&response_type=id_token&response_mode=form_post&scope=openid&nonce=678910&kc_idp_hint=azure

Similarly, you can modify your application to redirect to Keycloak's logout URL after a successful logout.

kdb Insights Enterprise

kdb Insights Enterprise must be configured to allow embedding in a iframe.

New installations

For new installations of kdb Insights Enterprise, embedding in a iframe is enabled by default.

To disable embedding into an iframe, merge the following to your values.yaml file, as described in the configuration documentation:

global:
  embedded:
    enabled: false

Upgrades

When upgrading from a version of kdb Insights Enterprise earlier than 1.14, iframe embedding is disabled by default to prevent unintended changes to your existing configuration.

To enable embedding into an iframe, merge the following to your values.yaml file (replacing *.kx.com with a space-separated list of domains where you intend to embed kdb Insights Enterprise), as described in the configuration documentation:

global:
  embedded:
    enabled: true
    host: "*.kx.com"