Analytical Database
ClickHouse native protocol
Query Audit

SAML/OIDC SSO for ClickHouse Access

ClickHouse Inc.

Add SAML/OIDC Single Sign-On to ClickHouse connections. Replace shared credentials with identity-based access. Full SQL audit trail for analytics query accountability.

Overview

Why ClickHouse Needs Identity-Based Access

ClickHouse is a high-performance columnar database for real-time analytics, processing billions of rows per second. ClickHouse deployments often contain event logs, user behavior data, financial transactions, and business metrics. Despite handling sensitive analytical data, ClickHouse access relies on password-based or certificate authentication without modern SSO support. OnePAM's database proxy adds SAML/OIDC authentication to ClickHouse, providing identity-verified access to your analytical data.

Database Security Risks

ClickHouse Access Security Risks

Without identity-based database access, these risks threaten your data every day.

Shared database credentials across teams and environments
No audit trail for individual query activity
Static passwords stored in config files and environment variables
Inability to revoke access instantly when team members leave
Default port 9000 exposed without identity verification
The Challenge

Database Security Challenges

These are the risks organizations face with traditional database authentication.

Shared Analytical Credentials

Data teams share ClickHouse credentials, making it impossible to track who ran which analytical query.

No Native SSO

ClickHouse supports password and LDAP auth but not SAML or OIDC for native protocol connections.

Sensitive Analytics Data

ClickHouse contains user behavior data, financial transactions, and business metrics subject to privacy regulations.

No Query-Level Identity

ClickHouse query logs show the database user but not the human analyst behind each query.

Data Exfiltration Risk

ClickHouse's high-speed data export capabilities mean a compromised credential can exfiltrate massive datasets quickly.

Compliance Gaps

GDPR, CCPA, and SOC 2 require knowing who accessed which data — shared credentials fail this requirement.

Setup Guide

How OnePAM Adds SSO to ClickHouse

Step-by-step guide to deploying identity-based database access.

1. Connect via OnePAM Proxy

Point your ClickHouse client (clickhouse-client, DBeaver, Tabix) to OnePAM's proxy.

OnePAM speaks the ClickHouse native protocol.

2. Authenticate via Corporate IdP

OnePAM authenticates you via SAML/OIDC with MFA.

Analysts authenticate with corporate credentials instead of shared database passwords.

3. Credential Injection

OnePAM retrieves ClickHouse credentials from its vault for the authenticated session.

Users never see database passwords. Access is scoped to their identity.

4. Query Logging with Identity

Every analytical query is logged with the analyst's corporate identity.

Complete audit trail for data governance and regulatory compliance.
Key Benefits

Benefits of SSO for ClickHouse

What changes when you deploy identity-based database access.

Analyst Accountability

Every analytical query tied to a specific data analyst via corporate identity.

100% query attribution

Zero Password Exposure

Analysts never handle ClickHouse passwords. Vault-injected credentials.

Zero credential exposure

Protect Analytics Data

User behavior data and business metrics accessible only to authorized analysts.

Data access controlled

MFA for Data Access

Enforce MFA before any analytical query execution.

MFA enforced

Instant Analyst Offboarding

Disable an analyst in your IdP and ClickHouse access stops.

Instant revocation

Data Governance Audit Trail

Identity-verified query logs for GDPR, CCPA, and SOC 2 compliance.

Audit-ready
SSO Features

Database SSO Features

Every feature needed for enterprise-grade database authentication.

SAML 2.0 and OIDC authentication for ClickHouse
Native ClickHouse protocol support
Works with clickhouse-client, DBeaver, Tabix, and BI tools
Database and table-level access control
Role mapping from IdP groups
Short-lived credentials
Read-only access policies for analysts
Time-limited sessions
Query result size limits
Just-in-time privilege elevation
Security

Security Features

Enterprise-grade security controls for database access.

Credential vaulting with AES-256 encryption
Automatic credential rotation
Query-level audit logging
Data masking in query logs
IP allowlist enforcement
TLS encryption for all connections
No direct ClickHouse port exposure
Session timeout enforcement
Large export detection and alerting
SIEM integration
Real-World Scenarios

ClickHouse SSO Use Cases

Common scenarios where organizations deploy OnePAM Database SSO.

1. Data analysts accessing ClickHouse analytics with individual identity
2. GDPR compliance requiring identity-verified query logs for user data access
3. Business intelligence teams with role-based ClickHouse access
4. DevOps teams managing ClickHouse Cloud and self-hosted clusters
5. Contractor access to analytical data with time limits and MFA
6. Preventing unauthorized large-scale data exports
7. Financial analytics with SOX compliance requirements
8. Multi-tenant analytics platforms with per-customer data isolation
Frequently Asked Questions

SSO for ClickHouse FAQ

Common questions about Database SSO and query-level auditing.

Does OnePAM work with ClickHouse Cloud?

Yes. OnePAM's proxy works with ClickHouse Cloud, self-hosted ClickHouse, and Altinity Cloud.

Does OnePAM support ClickHouse's HTTP interface?

OnePAM primarily proxies the native ClickHouse protocol. The HTTP interface can be protected via OnePAM's web proxy.

Can I restrict access to specific databases or tables?

Yes. OnePAM policies can restrict which databases and tables each analyst can query based on IdP groups.

Does OnePAM work with BI tools like Grafana and Superset?

Yes. BI tools connect through OnePAM's proxy using the ClickHouse native or JDBC driver. Service accounts can use API token auth.

Does OnePAM affect ClickHouse query performance?

OnePAM adds sub-millisecond latency per query. For ClickHouse's analytical workloads processing billions of rows, this is imperceptible.

Add SSO to ClickHouse Access

Deploy OnePAM database proxy in minutes. No ClickHouse configuration changes required.