Superset Embedded
Superset inside your product. Not an iframe.
Drop a fully interactive Apache Superset microfrontend into your own UI — same dashboards, filters and presets your analysts already build with your branding and your auth.
- Microfrontend
- White-label
- SSO + RLS
Why this exists
iframe embedding hits a wall — fast
Apache Superset ships an embedded mode out of the box, but it's an iframe. As soon as the product team needs to match your brand, share filter state with the host URL, pass through SSO, or add a custom action button on top of a chart, the iframe sandbox starts fighting back: cross-origin headers, postMessage glue, theme overrides that work in three out of four browsers, and a permissions story that lives in two places at once.
Our enterprise package ships a real microfrontend instead. It's the same Superset feature surface — dashboards, charts, filters, presets, native filter chains — rendered as React components that mount inside your application bundle. Same-origin, host-themed, host-authed. Your team builds dashboards once in Superset; your product surfaces them everywhere they need to live, with full control over which dashboards appear, in what order, and inside which screens.
iframe vs microfrontend
Where the two approaches actually diverge
The same Superset dashboard, embedded two ways. iframe wins on "five lines and you're live". The microfrontend plugin wins on every concern that matters once it's actually in front of your customers.
| Concern | Apache Superset iframe | Drafted microfrontend plugin |
|---|---|---|
| Theming & branding | Limited CSS injection across an iframe boundary. Brand colours, fonts and dark mode require plugin-specific overrides that drift between Superset releases. | Native CSS custom properties pipe your design tokens straight into the dashboard. Light/dark, brand colours, typography — all inherit from the host. |
| SSO & permissions | Token exchange + cross-origin cookies. Row-level security lives in Superset, app permissions live in your stack — keeping them in sync is a project of its own. | Inherits the host session. RLS rules can be derived from your existing auth context (tenant, role, user) without a second token flow. |
| Security posture | Cross-origin surface area: postMessage handshakes, X-Frame-Options, third-party cookies. Each one a vector your security team has to model. | Same-origin React component inside your bundle. No cross-document messaging, no third-party cookies, no clickjacking surface to mitigate. |
| Filter state in the URL | Filters live inside the iframe — sharing a link to a filtered view requires custom URL serialization on both sides. | Filter and dashboard state live in your router. Deep-link a filtered view, restore from history, integrate with your existing query params. |
| Performance & loading | Each dashboard switch reloads the iframe — full HTML parse, fresh JS bundle, fresh auth handshake. | Shared bundle with the host app. Switching dashboards is a React state change; charts re-fetch only the data they need. |
| Custom UI on top of charts | Locked behind the iframe boundary — you can frame the iframe but not extend it. | React props, slots and event hooks let you render host-side toolbars, drill-down panels and contextual actions next to any chart. |
| Editorial control | No native concept of "which dashboards to expose to which host product surface". Lives as a list of iframe URLs in your codebase. | Dedicated control surface inside Superset: pick which dashboards appear in which host slot, in which order, with role-based visibility. |
Theming & branding
Apache Superset iframe
Limited CSS injection across an iframe boundary. Brand colours, fonts and dark mode require plugin-specific overrides that drift between Superset releases.
Drafted microfrontend plugin
Native CSS custom properties pipe your design tokens straight into the dashboard. Light/dark, brand colours, typography — all inherit from the host.
SSO & permissions
Apache Superset iframe
Token exchange + cross-origin cookies. Row-level security lives in Superset, app permissions live in your stack — keeping them in sync is a project of its own.
Drafted microfrontend plugin
Inherits the host session. RLS rules can be derived from your existing auth context (tenant, role, user) without a second token flow.
Security posture
Apache Superset iframe
Cross-origin surface area: postMessage handshakes, X-Frame-Options, third-party cookies. Each one a vector your security team has to model.
Drafted microfrontend plugin
Same-origin React component inside your bundle. No cross-document messaging, no third-party cookies, no clickjacking surface to mitigate.
Filter state in the URL
Apache Superset iframe
Filters live inside the iframe — sharing a link to a filtered view requires custom URL serialization on both sides.
Drafted microfrontend plugin
Filter and dashboard state live in your router. Deep-link a filtered view, restore from history, integrate with your existing query params.
Performance & loading
Apache Superset iframe
Each dashboard switch reloads the iframe — full HTML parse, fresh JS bundle, fresh auth handshake.
Drafted microfrontend plugin
Shared bundle with the host app. Switching dashboards is a React state change; charts re-fetch only the data they need.
Custom UI on top of charts
Apache Superset iframe
Locked behind the iframe boundary — you can frame the iframe but not extend it.
Drafted microfrontend plugin
React props, slots and event hooks let you render host-side toolbars, drill-down panels and contextual actions next to any chart.
Editorial control
Apache Superset iframe
No native concept of "which dashboards to expose to which host product surface". Lives as a list of iframe URLs in your codebase.
Drafted microfrontend plugin
Dedicated control surface inside Superset: pick which dashboards appear in which host slot, in which order, with role-based visibility.
Built once, shipped everywhere
Why this is the cheaper path, not the fancier one
- 01
One dashboard, every product surface
Analysts build a dashboard in Superset once. Product surfaces it inside the customer record, the admin console, the partner portal — same data, same definitions, no parallel chart code.
- 02
Kill the "we'll build our own charting backend" tax
No second metrics service, no React chart library to maintain, no API contract between BI and product. The Superset semantic layer IS your product's analytics backend.
- 03
Editorial control without a code release
A dedicated control panel inside Superset chooses which dashboards appear in which host slot, in which order, for which roles. Product can re-arrange the embed without shipping a release.
Inside the plugin
What ships in the package
Filters, presets & native filter chains
All Superset filter mechanics — global filters, native filter scopes, saved presets — work identically inside the embed. Users get the same interactive surface they'd see in Superset itself.
Theming via CSS custom properties
Pipe your design tokens into the dashboard with `var(--your-token)`. Light/dark, brand colours, typography, density — all driven by the host, no per-release patching.
SSO, host auth & row-level security
Inherit the host session. Map host claims (tenant, role, user) to Superset RLS rules so the embedded dashboard sees only the data the host user is allowed to see.
Multi-dashboard switcher with editorial control
Expose a list of dashboards inside one host slot. The order, visibility and grouping live in a Superset control panel — not hard-coded in your product.
Need the system fixed fast?
Stop shipping decisions on broken numbers.
We audit what is failing, repair the foundation, and work with your team until data is reliable in day-to-day decisions.
- Founders in the implementation
- Clear priorities in week one
- Fixes shipped, not just slides
- Metric ownership made explicit
- Pipeline failures caught early
- BI logic aligned across teams
Book a focused call
Tell us where trust is breaking. We will map first fixes and ownership in one working session.