Metabase Dashboard Embedding – Executive Decision
Objective
Embed Metabase dashboards inside CXT Operations App (bounded layout: header + collapsible left pane) with strict multi-tenant isolation.
DECISION - Feb 26, 2026: After discussion with Jason Wallace and David Walters, we agreed to go with Guest modular embedding (iframe).
1. Authentication Model (Security Boundary)
Option A – Guest Embedding (Locked Parameters)
Documentation:
https://www.metabase.com/docs/latest/embedding/guest-embedding
Mechanism
- Ops App signs embed token
- Token includes locked tenant_id
- No Metabase user accounts
Advantages
- No Metabase user provisioning
- No user lifecycle management
- Lower operational overhead
- Easier to implement
Critical Risk: Tenant isolation depends on correct dashboard configuration.
Cross-tenant data exposure can occur if:
- A dashboard card is not mapped to tenant filter
- A saved question omits tenant constraint
- A future dashboard edit breaks filter mapping
- A model/view drops tenant context
Isolation depends on dashboard-level configuration; it is not centrally enforced.
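The filter-mapping failure modes listed above can be checked mechanically before a dashboard is published. The following is an added example, not code from this document or from Metabase; the field names (`parameters`, `dashcards`, `parameter_mappings`, `series`, `embedding_params`) are assumptions about Metabase's dashboard JSON and the sample dashboard is constructed.

```javascript
// Added example: audits one dashboard export for tenant-filter coverage.
// Field names (parameters, dashcards, parameter_mappings, series,
// embedding_params) are assumed from Metabase's dashboard JSON; verify them
// against your version.
function auditTenantIsolation(dashboard, tenantSlug = "tenant_id") {
  const findings = [];
  const param = (dashboard.parameters || []).find((p) => p.slug === tenantSlug);
  if (!param) {
    return [`dashboard ${dashboard.id}: no "${tenantSlug}" parameter defined`];
  }
  // The parameter must be locked so only the signed token can set it.
  const mode = (dashboard.embedding_params || {})[tenantSlug];
  if (mode !== "locked") {
    findings.push(`dashboard ${dashboard.id}: "${tenantSlug}" is "${mode}", expected "locked"`);
  }
  for (const dc of dashboard.dashcards || []) {
    if (dc.card_id == null) continue; // text/heading cards carry no query
    // A dashcard may overlay extra series; every underlying question needs a mapping.
    const cardIds = [dc.card_id, ...(dc.series || []).map((s) => s.id)];
    const mapped = new Set(
      (dc.parameter_mappings || [])
        .filter((m) => m.parameter_id === param.id && Array.isArray(m.target))
        .map((m) => m.card_id)
    );
    for (const id of cardIds) {
      if (!mapped.has(id)) {
        findings.push(`dashcard ${dc.id}: card ${id} not mapped to "${tenantSlug}"`);
      }
    }
  }
  return findings;
}

// Constructed sample: card 11 is wired, card 12 lost its mapping, series card 13 was never mapped.
const sampleDashboard = {
  id: 7,
  parameters: [{ id: "a1b2", slug: "tenant_id", type: "id" }],
  embedding_params: { tenant_id: "locked" },
  dashcards: [
    { id: 1, card_id: 11, parameter_mappings: [
      { parameter_id: "a1b2", card_id: 11, target: ["dimension", ["field", 42, null]] }] },
    { id: 2, card_id: 12, parameter_mappings: [] },
    { id: 3, card_id: null, parameter_mappings: [] },
    { id: 4, card_id: 11, series: [{ id: 13 }], parameter_mappings: [
      { parameter_id: "a1b2", card_id: 11, target: ["dimension", ["field", 42, null]] }] },
  ],
};

console.log(auditTenantIsolation(sampleDashboard));
```

This covers the mapping cases only; a saved question, model or view that drops the tenant column in its own query still needs review at the data layer.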
Option B – SSO Embedding (Authenticated)
Documentation:
https://www.metabase.com/docs/latest/embedding/securing-embeds
https://www.metabase.com/docs/latest/people-and-groups/authenticating-with-saml
Authentication is enforced centrally via identity and row-level permissions.
Scenario 1 – Courier uses their own IdP (Enterprise SSO)
Identity flow: Courier IdP
Characteristics
Implications
Scenario 2 – Courier does not use their own SSO
Identity flow: User authenticated directly in Ops App
Characteristics
Implications
Advantages of SSO Embedding (both scenarios)
- Tenant isolation enforced centrally via permissions
- Not dependent on dashboard filter wiring
- Enterprise-grade identity model
- Reduced risk of configuration-based leakage
Constraints of SSO Embedding
- Higher implementation complexity than Guest
- User provisioning and lifecycle management in Metabase
- Potential commercial impact if licensing is user-based
- Requires careful attribute and permission design
2. Strategic Comparison
| Dimension | Guest Embed | SSO Embed |
|---|---|---|
| Implementation Complexity | Lower | Higher |
| User Management | None | Required |
| Tenant Isolation Strength | Dashboard config-dependent | Centrally enforced |
3. Embedding Surface (How dashboards appear inside Ops App)
Option A – Modular Embedding via iframe
Documentation:
https://www.metabase.com/docs/latest/embedding/static-embedding
What it is
Dashboard rendered via iframe inside Ops App.
Pros
- Simplest implementation
- Fastest path to production
- Works with Guest or SSO authentication
- Dashboards can be designed to fit typical operator screen sizes
- Optional iframe resizing supported
Cons
- Less seamless UX (iframe boundary)
- Limited styling/theming control
- Possible nested scroll if dashboard exceeds container height
Option B – Modular Embedding via SDK (React)
Documentation:
https://www.metabase.com/docs/latest/embedding/sdk/introduction
What it is
Dashboard embedded as a React component using Metabase SDK.
Supports
- Guest embedding
- SSO embedding (SAML or JWT)
Pros
- More seamless UX inside bounded layout
- Better control over interactivity and styling
- Cleaner long-term integration
Cons
- Higher integration complexity
- Available only on Pro/Enterprise
- Cannot embed multiple dashboards on the same page
Relative effort
- Approximately 2×–5× the iframe implementation effort