SSO + Zero-Day Protection for Backstage

by Spotify (CNCF)

Add SAML/OIDC SSO to Backstage — Protect Your Developer Portal and Service Catalog

Why Backstage Needs an Authenticated Proxy

Backstage is Spotify's open-source developer portal platform, adopted by hundreds of organizations to provide a unified developer experience. Backstage aggregates service catalogs, TechDocs, CI/CD pipelines, infrastructure provisioning templates, and custom plugins into a single portal. A Backstage instance contains a comprehensive view of your software ecosystem — every service, its owner, dependencies, APIs, and documentation. While Backstage supports authentication plugins, deploying it behind OnePAM's authenticated proxy adds enterprise-grade SSO, zero-day protection, and session auditing without complex plugin configuration.

HTTP Header Authentication
X-Forwarded-User / Authorization

Backstage ships auth providers for exactly this pattern (the oauth2Proxy provider reads the identity from X-Forwarded-User and X-Forwarded-Email; the Authorization header keeps carrying Backstage's own identity token between its frontend and backend). OnePAM authenticates the user against the IdP and injects the verified identity, and Backstage's sign-in resolver creates the session from those headers. This is only safe when Backstage accepts connections from OnePAM and nothing else, and the proxy drops any X-Forwarded-* headers a client sends: otherwise whoever can reach Backstage directly can set X-Forwarded-User themselves.
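As an added example (not OnePAM's or Backstage's code), the following TypeScript shows the trust boundary this mode depends on, from both sides: the proxy discards any client-supplied X-Forwarded-* headers before injecting the verified identity and leaves Authorization alone, and the receiving side honours identity headers only on connections from the proxy's address range. The header names are the ones Backstage's oauth2Proxy provider reads; the proxy subnet 10.0.5.0/24, the session shape and the sample request are assumptions constructed for the example.

```typescript
// Added example: header trust boundary for proxy-authenticated Backstage.
// Not OnePAM's or Backstage's code; subnet, session shape and sample data are assumptions.

type Headers = Record<string, string>; // header names lower-cased

interface ProxySession {
  user: string; // username verified by the proxy against the IdP
  email: string;
  groups: string[];
}

interface UpstreamRequest {
  remoteAddr: string; // peer address of the TCP connection Backstage accepted
  headers: Headers;
}

// Address range the proxies connect from (assumption). Backstage must be reachable
// from nowhere else; the check in identityFromUpstream is a last line of defence,
// not a substitute for that network restriction.
const TRUSTED_PROXY_CIDRS = ['10.0.5.0/24'];

// Proxy side: build the headers sent upstream to Backstage.
export function buildUpstreamHeaders(
  clientHeaders: Headers,
  clientAddr: string,
  session: ProxySession,
): Headers {
  const upstream: Headers = {};
  for (const [name, value] of Object.entries(clientHeaders)) {
    const key = name.toLowerCase();
    // Drop every client-supplied x-forwarded-* header: a browser must not be able
    // to pre-set x-forwarded-user and have it survive to Backstage.
    if (key.startsWith('x-forwarded-')) continue;
    // Authorization is passed through on purpose: after sign-in the Backstage
    // frontend sends its Backstage-issued token in it to the backend APIs.
    upstream[key] = value;
  }
  upstream['x-forwarded-for'] = clientAddr;
  upstream['x-forwarded-user'] = session.user;
  upstream['x-forwarded-email'] = session.email;
  upstream['x-forwarded-groups'] = session.groups.join(',');
  return upstream;
}

// IPv4-only CIDR membership test, sufficient for the example.
function ipv4ToInt(ip: string): number {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return parts.reduce((acc, p) => acc * 256 + p, 0);
}

export function ipInCidr(ip: string, cidr: string): boolean {
  const slash = cidr.indexOf('/');
  const base = cidr.slice(0, slash);
  const bits = Number(cidr.slice(slash + 1));
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Backstage side (or a sidecar in front of it): identity headers are honoured
// only when the connection comes from a trusted proxy address. A request that
// arrives from anywhere else gets no identity, however its headers are set.
export function identityFromUpstream(
  req: UpstreamRequest,
): { user: string; email: string | undefined; groups: string[] } | null {
  if (!TRUSTED_PROXY_CIDRS.some(cidr => ipInCidr(req.remoteAddr, cidr))) return null;
  const user = req.headers['x-forwarded-user'];
  if (!user) return null;
  const groups = (req.headers['x-forwarded-groups'] ?? '')
    .split(',')
    .map(g => g.trim())
    .filter(Boolean);
  return { user, email: req.headers['x-forwarded-email'], groups };
}

// Constructed sample: a browser at 203.0.113.9 tries to pre-set x-forwarded-user.
export function demo() {
  const spoofed: Headers = {
    'x-forwarded-user': 'admin',
    cookie: 'onepam_session=abc',
    authorization: 'Bearer backstage-token',
  };
  const session: ProxySession = { user: 'jane', email: 'jane@example.com', groups: ['platform'] };
  const upstream = buildUpstreamHeaders(spoofed, '203.0.113.9', session);
  return {
    upstream,
    viaProxy: identityFromUpstream({ remoteAddr: '10.0.5.7', headers: upstream }), // jane
    direct: identityFromUpstream({ remoteAddr: '203.0.113.9', headers: spoofed }), // null
  };
}
```

The two halves are independent controls: stripping on the proxy stops a client from smuggling an identity through a legitimate session, and the source check on the Backstage side stops a client that bypasses the proxy. Deploy both; in Kubernetes the address check is typically expressed as a NetworkPolicy on the Backstage pods rather than in application code.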

Backstage Vulnerability Risks

When Backstage is reachable without authentication, these risks are exposed to any network-reachable attacker.

Backstage has had critical RCE vulnerabilities in scaffolder template rendering (sandbox escapes) and in plugins
Service catalog reveals complete software architecture and ownership
Scaffolder templates can provision infrastructure and create resources
TechDocs and API specifications may contain sensitive system details

Security Challenges with Backstage

These are the risks organizations face when Backstage is not behind an authenticated proxy.

Software Architecture Exposure

Backstage's service catalog documents every service, API, team ownership, and dependency — a complete map of your software ecosystem.

Critical RCE History

Backstage has had RCE vulnerabilities in its scaffolder template rendering engine. On an unpatched instance that untrusted users can reach, these allow arbitrary code execution on the Backstage backend, which holds the integration credentials its scaffolder actions use.

Scaffolder Template Risk

Backstage scaffolder templates can create repositories, provision infrastructure, and deploy services. Unauthorized use creates resources outside governance.

Plugin Attack Surface

Backstage's plugin ecosystem introduces third-party code that may contain vulnerabilities.

Complex Auth Plugin Setup

Backstage authentication requires configuring auth provider plugins, which can be complex and may break across upgrades.

TechDocs Sensitivity

Internal documentation, architecture decision records, and API specs may contain sensitive implementation details.

How OnePAM Adds SSO + Zero-Day Protection to Backstage

A step-by-step guide to deploying OnePAM's authenticated proxy in front of Backstage.

1

Deploy OnePAM as Backstage's Proxy

Place OnePAM in front of the Backstage application.

Backstage must be reachable only from OnePAM. Enforce this at the network layer (firewall rules or a Kubernetes NetworkPolicy on the Backstage pods), because anything that can reach Backstage directly could set X-Forwarded-User itself. The Backstage login flow is handled by OnePAM's SSO.
2

Configure Your IdP

Connect OnePAM to your corporate IdP — Okta, Azure AD, Google Workspace, or any SAML/OIDC provider.

OnePAM handles authentication, MFA enforcement, and group membership retrieval.
3

Enable Proxy Authentication

Backstage reads the authenticated user identity from the headers OnePAM injects (X-Forwarded-User, X-Forwarded-Email) through one of its proxy-style auth providers, such as oauth2Proxy.

Users authenticate via SSO and land on the Backstage portal without a separate login. Backstage's sign-in resolver matches the forwarded identity to a User entity in the catalog (by name or email); if users are not ingested into the catalog from the IdP, the resolver must be explicitly configured to allow sign-in without a catalog entry.
4

Map Portal Access

IdP groups determine who can access the catalog, use scaffolder templates, and view TechDocs.

All engineers see the catalog, platform teams use scaffolder, and managers see team ownership, driven by group membership from your IdP. Inside Backstage the enforcement point is its permission framework: group memberships must appear in the identity's ownership entity refs (through catalog Group entities or a sign-in resolver that reads the forwarded group header), and a permission policy maps those refs to catalog and template permissions.
5

Audit Portal Access

Every Backstage access is logged with corporate identity for compliance.

Know who browsed the catalog, used templates, or viewed documentation.
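Added example for steps 3 and 4, not OnePAM's or Backstage's own code: a sign-in resolver that turns OnePAM's forwarded headers into a Backstage identity with ownership entity refs, and a permission policy that uses those refs to reserve templates tagged infra for the platform group while letting every signed-in user read the catalog. The entity-ref format and the permission names are as Backstage spells them, but the code is self-contained: Backstage's real PermissionPolicy interface returns conditional decisions rather than taking the template as an argument, and its built-in forwardedUserMatchingUserEntityName resolver takes groups from the catalog rather than from a header. The group names, the infra tag convention and the sample headers are assumptions constructed for the example.

```typescript
// Added example: forwarded headers -> Backstage identity -> permission decision.
// Not Backstage's PermissionPolicy API; group names and the 'infra' tag are assumptions.

type EntityRef = string; // e.g. 'user:default/jane.doe', 'group:default/platform-engineering'

interface BackstageIdentity {
  userEntityRef: EntityRef;
  ownershipEntityRefs: EntityRef[]; // the user's own ref plus the groups they belong to
}

interface TemplateEntity {
  name: string;
  tags: string[];
}

type Decision = 'ALLOW' | 'DENY';

// Backstage entity names are limited to [a-zA-Z0-9_.-] and 63 characters. The IdP
// may send 'jane.doe@example.com' or 'Platform Engineering'; fold them to valid names.
export function toEntityName(raw: string): string {
  const local = raw.includes('@') ? raw.slice(0, raw.indexOf('@')) : raw;
  const cleaned = local
    .toLowerCase()
    .replace(/[^a-z0-9_.-]+/g, '-')
    .replace(/^-+|-+$/g, '');
  if (!cleaned) throw new Error(`cannot derive an entity name from ${JSON.stringify(raw)}`);
  return cleaned.slice(0, 63);
}

// Step 3: what a custom sign-in resolver does with the proxy's headers. Trusting the
// forwarded group header (rather than catalog Group entities) keeps IdP groups
// authoritative; it is only safe because the headers come from the proxy alone.
export function resolveIdentity(headers: Record<string, string>): BackstageIdentity {
  const user = headers['x-forwarded-user'];
  if (!user) throw new Error('missing x-forwarded-user');
  const userRef = `user:default/${toEntityName(user)}`;
  const groupRefs = (headers['x-forwarded-groups'] ?? '')
    .split(',')
    .map(g => g.trim())
    .filter(Boolean)
    .map(g => `group:default/${toEntityName(g)}`);
  return { userEntityRef: userRef, ownershipEntityRefs: [userRef, ...groupRefs] };
}

// Step 4: the access mapping. Templates tagged 'infra' are reserved for the platform
// group (assumed names); every signed-in user may read the catalog.
const INFRA_TAG = 'infra';
const INFRA_GROUP: EntityRef = 'group:default/platform-engineering';

export function decide(
  permission: string,
  identity: BackstageIdentity | undefined,
  template?: TemplateEntity,
): Decision {
  // No Backstage identity means the request did not come through a signed-in session.
  if (!identity) return 'DENY';
  switch (permission) {
    case 'catalog.entity.read':
      return 'ALLOW';
    case 'scaffolder.template.parameter.read':
    case 'scaffolder.template.step.read': {
      if (!template) return 'DENY';
      if (!template.tags.includes(INFRA_TAG)) return 'ALLOW';
      return identity.ownershipEntityRefs.includes(INFRA_GROUP) ? 'ALLOW' : 'DENY';
    }
    default:
      // Deny by default. A real policy must enumerate every permission its installed
      // plugins use before falling through here, or those plugins stop working.
      return 'DENY';
  }
}
```

Hiding a template from a group in the UI is not the same as preventing its execution: reading a template's parameters and steps is one permission, executing actions is another, and a policy that only gates the former can still be bypassed by a direct API call to the scaffolder backend. Apply the same group check to the execution permissions.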

Benefits of Securing Backstage with OnePAM

Measurable security and operational outcomes from deploying OnePAM in front of Backstage.

Reduce Exposure to Backstage RCE CVEs

Template rendering RCE vulnerabilities cannot be reached by unauthenticated attackers when OnePAM requires SSO before any request reaches Backstage. Patching is still required: an authenticated user, or a stolen session, can still reach the vulnerable code path.

Unauthenticated exploitation blocked at the proxy layer

Protect Software Catalog

Your complete service catalog and architecture map is only accessible to authenticated users.

Zero unauthorized catalog access

Simpler SSO Setup

OnePAM replaces complex Backstage auth plugin configuration with straightforward proxy authentication.

No auth plugin management

Secure Scaffolder

Only authorized users can use scaffolder templates to provision infrastructure and create services.

Scaffolder access controlled

MFA for Developer Portal

Enforce MFA for portal access, especially for infrastructure provisioning templates.

MFA-protected portal

Complete Portal Audit

Every catalog browse, template use, and doc view is logged with identity.

Full portal audit trail

Backstage SSO Capabilities

Every feature needed to provide enterprise-grade SSO and access control for Backstage.

SAML 2.0 & OIDC SSO for Backstage via proxy authentication
Service catalog access policies from IdP groups
Scaffolder template authorization controls
TechDocs access policies
Session recording for portal activity
IP and geo-restriction for portal access
Device trust verification
API access policies
Plugin access controls
Multi-Backstage instance SSO support

Zero-Day Protection Features

Enterprise-grade security controls that shield Backstage from exploitation.

Backstage isolated from direct network access
End-to-end TLS encryption
Request-level identity verification
Reduced exposure of unpatched Backstage RCE vulnerabilities (no unauthenticated request reaches Backstage)
Scaffolder template execution controls
Automatic session termination on IdP sign-out

Backstage SSO + Security Use Cases

Common scenarios where organizations deploy OnePAM in front of Backstage.

1
Engineering teams accessing the developer portal via corporate SSO
2
Platform teams using scaffolder templates with authorized access
3
Managers viewing team ownership and service health in the catalog
4
Security teams auditing service catalog access with session recording
5
Shielding Backstage from unauthenticated exploitation of template rendering RCE vulnerabilities
6
Simplifying Backstage authentication without complex plugin configuration

Backstage SSO + Security FAQ

Common questions about deploying OnePAM's authenticated proxy for Backstage.

Does OnePAM replace Backstage's auth plugins?

Mostly. OnePAM handles the IdP integration (SAML/OIDC, MFA, group retrieval) at the proxy layer, so Backstage no longer needs an OIDC or SAML provider of its own. Backstage still needs one of its proxy-style auth providers (for example oauth2Proxy, which reads the forwarded identity headers) and a sign-in resolver, because the Backstage frontend authenticates to the Backstage backend with a Backstage-issued token that only its auth backend can mint. That is a few lines of app-config rather than a provider integration, which simplifies the deployment and reduces maintenance.

Can we restrict who uses scaffolder templates?

Yes. OnePAM passes IdP group memberships in a forwarded header. Once those groups appear in the identity's ownership entity refs, Backstage's permission policy can use them to decide which templates (for example those carrying an infrastructure tag) a group may read and execute.

Does OnePAM work with Backstage plugins?

Yes. OnePAM protects all Backstage routes including those added by plugins. Plugin-specific pages are behind authenticated proxy access.

What about Backstage's backend APIs?

OnePAM protects both frontend and backend API access: the browser's calls to the backend under /api pass through the same proxy and carry the Backstage token in the Authorization header, which the proxy must pass through unchanged. Server-side plugin-to-plugin communication within Backstage uses Backstage's own service-to-service tokens and is unaffected, provided the backend is not reachable except via OnePAM.

Can some catalog items be public while others require SSO?

OnePAM supports path-based policies. Specific catalog routes or TechDocs can be configured with different access requirements. Two things to check when exposing a path publicly: the allow list must cover both the frontend route and the backend API path the page fetches its data from (a public TechDocs site is a frontend route under /docs/... plus content served by the TechDocs backend under /api/techdocs/...), and Backstage's own permission policy must permit unauthenticated reads of that entity, because no identity headers are forwarded for public requests.
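As an added example (not OnePAM's policy engine), the following TypeScript shows a path-based policy of this kind together with the path normalisation it needs: without decoding and resolving `..` segments first, a public prefix can be used as a springboard into SSO-only routes. The public TechDocs site name and the two prefixes are assumptions for the example; check the exact API paths against your own instance.

```typescript
// Added example: path-based public/SSO policy for Backstage behind the proxy.
// Not OnePAM's code; the site name and prefixes are assumptions.

type Access = 'public' | 'sso';

// A public TechDocs site needs two prefixes: the frontend route the browser
// navigates to, and the backend API path from which the TechDocs reader fetches
// the rendered pages. Listing only the first leaves the page shell loadable
// while every document request is still bounced to SSO.
const PUBLIC_PREFIXES = [
  '/docs/default/component/public-handbook/',
  '/api/techdocs/static/docs/default/component/public-handbook/',
];

// Normalise before matching: drop the query string, decode percent-encoding once,
// collapse empty and '.' segments and resolve '..', so that
// /docs/default/component/public-handbook/../../../../catalog cannot ride a
// public prefix into an SSO-only route. Anything undecodable is treated as not public.
export function normalizePath(raw: string): string | null {
  const pathOnly = raw.split(/[?#]/, 1)[0] ?? '';
  let decoded: string;
  try {
    decoded = decodeURIComponent(pathOnly);
  } catch {
    return null;
  }
  if (decoded.includes('\0')) return null;
  const segments: string[] = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      segments.pop();
      continue;
    }
    segments.push(seg);
  }
  return '/' + segments.join('/');
}

export function accessFor(rawPath: string): Access {
  const path = normalizePath(rawPath);
  if (path === null) return 'sso';
  for (const prefix of PUBLIC_PREFIXES) {
    const siteRoot = prefix.slice(0, -1); // the site root itself, without trailing slash
    if (path === siteRoot || path.startsWith(prefix)) return 'public';
  }
  return 'sso';
}
```

The policy decodes exactly once, which matches what the upstream Express router does; if the proxy and Backstage ever disagree on decoding (double-encoded input, for instance), the safe resolution is to fail closed, as the null return does here. Note also that the Backstage frontend is a single-page app: gating /docs/... controls who can load the application shell, while the data that matters is fetched from the /api prefixes, which is why both must be listed.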

Ready to Secure Backstage with SSO + Zero-Day Protection?

Deploy OnePAM in minutes — no Backstage code changes required. Start your free 14-day trial today.