
SAML/OIDC SSO for Elasticsearch Access

Elasticsearch is a trademark of Elasticsearch B.V.

Add SAML/OIDC Single Sign-On to Elasticsearch connections. Replace shared API keys and basic auth with identity-based access. Full query audit trail with individual accountability for every REST API call.

Overview

Why Elasticsearch Needs Identity-Based Access

Elasticsearch powers search, log analytics, SIEM, and observability for organizations of all sizes. Yet Elasticsearch access often relies on shared API keys, basic authentication credentials, or broad-scope tokens distributed across teams. When multiple engineers share the same superuser credentials or API keys, it becomes impossible to attribute queries to individuals, which creates compliance gaps and security blind spots.

OnePAM's database proxy sits between your applications and Elasticsearch, authenticating every connection via your corporate IdP (Okta, Azure AD, Google Workspace). Users connect through the proxy using their corporate identity instead of shared API keys. OnePAM injects short-lived credentials, logs every REST API call with identity context, and provides the compliance-ready audit trails that SOC 2, HIPAA, and PCI DSS require. The proxy supports Elasticsearch's HTTP REST API natively and works with Kibana, Logstash, curl, and any Elasticsearch client library.

Database Security Risks

Elasticsearch Access Security Risks

Without identity-based database access, these risks threaten your data every day.

Shared database credentials across teams and environments
No audit trail for individual query activity
Static passwords stored in config files and environment variables
Inability to revoke access instantly when team members leave
Default port 9200 exposed without identity verification

The Challenge

Database Security Challenges

These are the risks organizations face with traditional database authentication.

Shared API Keys & Credentials

Elasticsearch superuser passwords and API keys are shared across teams via Slack, wikis, and .env files. Anyone with the key has full cluster access — no way to know who ran which query.

X-Pack Security Complexity

Elasticsearch's native security (X-Pack) requires per-index role definitions, realm configuration, and TLS setup that is complex and error-prone for most teams.

No Native SAML for API Access

While Kibana supports SAML via X-Pack (Platinum), direct Elasticsearch REST API access lacks SAML/OIDC support — leaving programmatic and CLI access unprotected.

License-Gated Security Features

SAML, OIDC, field-level security, and audit logging in Elasticsearch require Platinum or Enterprise licenses. Many organizations run Basic or Gold editions without these.

Sensitive Data Exposure

Elasticsearch indices contain logs, user data, financial records, and security events. Unrestricted access means full visibility into your most sensitive operational data.

Index-Level Access Sprawl

Elasticsearch roles proliferate across clusters. Managing per-index, per-user permissions manually across environments is error-prone and rarely audited.

Setup Guide

How OnePAM Adds SSO to Elasticsearch

Step-by-step guide to deploying identity-based database access.

1. Connect via OnePAM Proxy

Point your Elasticsearch client, curl, Kibana, or application to the OnePAM proxy endpoint. The proxy speaks native HTTP REST API.

Connection changes from https://es-host:9200 to https://proxy-host:9200; no application code changes required for standard REST clients.

2. Authenticate via Corporate IdP

OnePAM authenticates users via SAML/OIDC with your corporate IdP. MFA is enforced on every connection.

Works with Okta, Azure AD, Google Workspace, and any SAML/OIDC provider, even for self-managed Elasticsearch clusters.

3. Credential Injection

OnePAM retrieves Elasticsearch credentials from its vault and injects authentication headers. Users never see or handle API keys or passwords.

Access is scoped based on IdP groups: different groups map to different Elasticsearch roles and index permissions.

4. REST API Audit Logging

Every Elasticsearch REST API call is logged with the corporate identity, providing individual accountability for compliance and forensics.

Logs show '[email protected] executed GET /sensitive-index/_search' with full identity context and response metadata.

Key Benefits

Benefits of SSO for Elasticsearch

What changes when you deploy identity-based database access.

Individual Accountability

Every REST API call is tied to a corporate identity. No more shared elastic superuser or API key access.

100% identity attribution

SSO Without Platinum License

OnePAM provides SAML/OIDC SSO for Elasticsearch without requiring Platinum or Enterprise licensing.

Save on Elastic licensing

Protect Sensitive Data

Security logs, user data, and business intelligence in Elasticsearch stay behind identity-verified access only.

Zero unauthorized access

MFA Enforcement

Enforce MFA on every Elasticsearch connection via your IdP. No Elasticsearch-specific auth configuration needed.

MFA enforced

Instant Deprovisioning

Disable a user in your IdP and Elasticsearch access stops immediately across all clusters.

Instant revocation

Unified Multi-Cluster Access

One authentication layer for self-managed Elasticsearch, Elastic Cloud, and Amazon OpenSearch. Consistent policies everywhere.

Unified access

SSO Features

Database SSO Features

Every feature needed for enterprise-grade database authentication.

SAML 2.0 and OIDC authentication
Native HTTP REST API proxy
Works with Kibana, Logstash, curl, and client libraries
Elasticsearch 7.x+ and 8.x support
Index-level access control via IdP groups
Read-only vs read-write enforcement
API endpoint filtering and allow-listing
Time-limited cluster sessions
Cross-cluster unified access
Just-in-time privilege elevation

Security

Security Features

Enterprise-grade security controls for database access.

Credential vaulting with AES-256 encryption
Automatic API key and password rotation
REST API call-level audit logging
Sensitive data masking in logs
IP allowlist enforcement
TLS encryption for all connections
No direct port 9200 exposure
Session timeout enforcement
Index lifecycle policy enforcement
SIEM integration for compliance evidence

Real-World Scenarios

Elasticsearch SSO Use Cases

Common scenarios where organizations deploy OnePAM Database SSO.

1. Security teams accessing SIEM data in Elasticsearch with individual identity for SOC 2-compliant audit trails
2. Data engineering teams querying production indices with read-only, MFA-protected access
3. DevOps teams managing Elasticsearch clusters with identity-verified admin access and approval workflows
4. Healthcare organizations requiring HIPAA-compliant access to Elasticsearch patient data indices
5. Multi-cluster environments needing unified SSO across self-managed, Elastic Cloud, and OpenSearch
6. Contractor access to staging Elasticsearch clusters with time-limited, audited sessions
7. Log analytics teams querying sensitive infrastructure logs with field-level access controls
8. Organizations needing enterprise SSO for Elasticsearch without Platinum license costs

Frequently Asked Questions

SSO for Elasticsearch FAQ

Common questions about Database SSO and query-level auditing.

Does OnePAM work with Elastic Cloud?

Yes. OnePAM works with Elastic Cloud, self-managed Elasticsearch, and Amazon OpenSearch. The proxy connects via the standard HTTP REST API used by all Elasticsearch variants.

Can OnePAM replace X-Pack security?

OnePAM can complement or replace X-Pack security features. It provides SAML/OIDC SSO, credential vaulting, and audit logging at the proxy level without requiring Platinum or Enterprise licenses.

How does OnePAM handle Elasticsearch API keys?

OnePAM vaults Elasticsearch credentials (passwords, API keys, bearer tokens) and injects them into requests after identity verification. Users never see or handle the actual credentials.

Does OnePAM work with Kibana as well?

Yes. OnePAM can proxy both Elasticsearch REST API and Kibana access. Users authenticate once via SSO and get access to both services based on their IdP group memberships.

Can I restrict access to specific indices?

Yes. OnePAM supports URL-based access policies that restrict users to specific indices or API endpoints. Combined with Elasticsearch RBAC, this provides fine-grained access control at both the proxy and cluster level.
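As an added illustration (not OnePAM's code), the sketch below shows how a proxy-level policy of the kind described in the setup guide and in this answer can map IdP groups to index patterns and read-only or read-write modes, allow-list cluster-level endpoints, and produce the identity-attributed audit line from step 4. The group names, index patterns, and user are constructed, and the read/write classification of REST paths is a simplified assumption.

```python
import fnmatch
from dataclasses import dataclass

# Constructed group-to-permission map (hypothetical groups and index patterns).
# "ro" groups may only run read operations; "apis" allow-lists cluster-level endpoints.
GROUP_POLICY = {
    "soc-analysts": {"indices": ["siem-*", "logs-*"], "mode": "ro", "apis": ["_cat/indices"]},
    "es-admins": {"indices": ["*"], "mode": "rw", "apis": ["_cluster/*", "_cat/*", "_bulk"]},
}
# POST endpoints that only read data; any other non-GET/HEAD request counts as a write.
READ_POST_APIS = {"_search", "_count", "_msearch", "_mget", "_explain"}

@dataclass
class Decision:
    allowed: bool
    reason: str
    audit: str  # identity-attributed line for the REST API audit log

def classify(method, path):
    """Split a REST path into (requested indices, API segment, is_write)."""
    parts = path.strip("/").split("/")
    is_write = method not in ("GET", "HEAD")
    if parts[0] == "":
        return [], "", is_write                      # GET / (cluster banner)
    if parts[0].startswith("_") and parts[0] != "_all":
        return [], "/".join(parts), is_write         # cluster-level API, no index
    indices = parts[0].split(",")                    # "_all" falls through and matches only "*"
    api = parts[1] if len(parts) > 1 else ""
    if method == "POST" and api in READ_POST_APIS:
        is_write = False
    return indices, api, is_write

def evaluate(user, groups, method, path):
    """Allow the call if any of the user's IdP groups grants it; always return an audit line."""
    indices, api, is_write = classify(method, path)
    audit = f"{user} executed {method} {path}"
    for group in groups:
        pol = GROUP_POLICY.get(group)
        if pol is None or (is_write and pol["mode"] != "rw"):
            continue
        if indices:
            # Every index in a comma-separated list must match; a requested wildcard such as "*"
            # is compared literally, so only a policy granting "*" can satisfy it.
            if all(any(fnmatch.fnmatch(i, p) for p in pol["indices"]) for i in indices):
                return Decision(True, f"granted by group {group}", audit)
        elif any(fnmatch.fnmatch(api, p) for p in pol["apis"]):
            return Decision(True, f"granted by group {group}", audit)
    return Decision(False, "no matching group policy", audit)
```

A denied request still yields an audit line, so the log records attempts as well as successes, which is what an investigation usually needs.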

What about bulk indexing and ingest pipelines?

OnePAM proxies all Elasticsearch REST API operations including bulk indexing, ingest pipelines, and cluster management. The proxy logs operations with identity context without modifying request content.

Add SSO to Elasticsearch Access

Deploy OnePAM database proxy in minutes. Works with self-managed Elasticsearch, Elastic Cloud, and Amazon OpenSearch.