Documentation & Wiki
REMOTE_USER
Zero-Day Shield

SSO + Zero-Day Protection for BookStack

by BookStack Community

Add SAML/OIDC SSO to BookStack — Protect Internal Documentation with Zero Trust

Why BookStack Needs an Authenticated Proxy

BookStack is a popular open-source wiki and documentation platform used for internal knowledge bases, runbooks, API documentation, and SOPs. Self-hosted BookStack instances contain sensitive operational knowledge — infrastructure runbooks, security procedures, incident response plans, and architectural decisions. OnePAM adds enterprise SSO to BookStack, ensuring only authenticated team members can access your organization's collective knowledge.

HTTP Header Authentication (REMOTE_USER)

BookStack can take the logged-in identity from a header set by a trusted reverse proxy. OnePAM authenticates the user against your IdP, injects the verified identity as REMOTE_USER, and BookStack creates or maps the matching account. Two conditions make this safe: BookStack must be reachable only through OnePAM, and OnePAM must discard any REMOTE_USER value supplied by the client before forwarding. Header-based login is not among BookStack core's documented AUTH_METHOD values (standard, ldap, saml2, oidc), so confirm how your BookStack deployment consumes the header before relying on it.

BookStack Vulnerability Risks

Without an authenticated proxy, anyone who reaches BookStack, whether through a reused password, a pre-authentication flaw in an unpatched release, or a shelf left publicly viewable, gets the following:

BookStack contains sensitive operational procedures and runbooks
Security documentation reveals defensive strategies and tool configurations
API documentation exposes endpoint structures and authentication methods
Incident response plans reveal organizational vulnerability handling

Security Challenges with BookStack

These are the risks organizations face when BookStack is not behind an authenticated proxy.

Knowledge Exposure

Internal documentation contains infrastructure details, security procedures, and operational knowledge valuable to attackers.

Runbook Sensitivity

Operational runbooks describe how to access, modify, and troubleshoot critical systems — essentially admin playbooks.

Limited Enterprise Auth

BookStack's built-in authentication supports SAML 2.0 and OIDC (AUTH_METHOD=saml2 or oidc), but the configuration lives in BookStack's .env, must be revalidated after each upgrade, and has to be repeated for every instance.

Search Indexing Risk

BookStack's full-text search indexes all content. An attacker with access can quickly find sensitive information.

Attachment Security

Uploaded files, diagrams, and screenshots may contain sensitive technical details.

No Session Recording

BookStack does not provide session recording to audit what documentation users viewed.

How OnePAM Adds SSO + Zero-Day Protection to BookStack

A step-by-step guide to deploying OnePAM's authenticated proxy in front of BookStack.

1. Deploy OnePAM as BookStack Proxy

Place OnePAM in front of the BookStack web application and make it the only route in: bind BookStack's web server to an address only OnePAM can reach (or firewall it to OnePAM's address) and set BookStack's APP_URL to the public URL served by OnePAM so generated links point at the proxy.

BookStack accepts connections only from OnePAM. Direct browser access is blocked, which is also what makes the trusted identity header unforgeable.
2. Configure Your Identity Provider

Connect OnePAM to your SAML/OIDC provider for corporate SSO.

Team members authenticate through your IdP with MFA before accessing any documentation.
3. Enable Header Authentication

BookStack reads the authenticated user identity from OnePAM's REMOTE_USER header. OnePAM overwrites any REMOTE_USER value a client sends, so the header is trusted only when it originates from the proxy.

Users are automatically provisioned in BookStack based on their corporate identity.
4. Define Content Access Policies

Control who can access which bookshelves and books based on IdP groups. Policies at the proxy are a coarse gate on URL paths; BookStack's own role and entity permissions remain the authoritative control, because a book is also reachable at its /books/ URL, through search, and through the REST API.

Engineering docs for engineers, security runbooks for the security team, HR policies for HR.
5. Audit Documentation Access

Every page view and edit is logged with corporate identity.

Know who accessed security runbooks, when incident response plans were read, and what documentation was modified.
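The five steps above reduce, per request, to a handful of proxy decisions: strip client-supplied identity headers, require an MFA-backed IdP session, apply the group-to-shelf policy, set the trusted REMOTE_USER header, and write an audit line. The following is an added example that models those decisions as a testable function; it is not OnePAM's or BookStack's code, and the names SHELF_POLICY, Session, Decision and forward_request, as well as the sample groups and shelf slugs, are hypothetical. The shelf path pattern /shelves/<slug> is BookStack's real URL layout.

```python
# Added example (not OnePAM's or BookStack's code): the per-request decisions an
# authenticating reverse proxy makes before forwarding to BookStack.
# SHELF_POLICY, Session, Decision and forward_request are hypothetical names.
from dataclasses import dataclass, field
from typing import Optional
import json

# Identity headers only the proxy may set. Anything a client sends under these
# names (in any letter case) is discarded before the request reaches BookStack.
IDENTITY_HEADERS = {"remote-user", "remote-email", "remote-groups",
                    "x-forwarded-user", "x-forwarded-email"}

# Hypothetical policy: BookStack shelf slug -> IdP groups allowed to open it.
# Shelves not listed here are open to every authenticated user.
SHELF_POLICY = {
    "engineering": {"engineering", "security"},
    "security-runbooks": {"security"},
    "hr-policies": {"hr"},
}


@dataclass
class Session:
    """What the proxy knows once the IdP login has completed."""
    subject: str          # stable IdP subject identifier
    email: str            # identity BookStack will map or auto-provision
    groups: frozenset     # IdP group memberships
    mfa: bool             # whether the IdP asserted MFA for this login


@dataclass
class Decision:
    status: int                                   # 200 forward, 401 login, 403 deny
    headers: dict = field(default_factory=dict)   # headers forwarded to BookStack
    audit: str = ""                               # one JSON line for the access log


def shelf_slug(path: str) -> Optional[str]:
    """Return the slug for /shelves/<slug>[/...] paths, else None."""
    parts = path.split("?", 1)[0].strip("/").split("/")
    if len(parts) >= 2 and parts[0] == "shelves" and parts[1]:
        return parts[1]
    return None


def forward_request(method: str, path: str, client_headers: dict,
                    session: Optional[Session], client_ip: str) -> Decision:
    # 1. Drop identity headers regardless of case. Together with BookStack being
    #    reachable only via the proxy, this is what makes REMOTE_USER trustworthy.
    clean = {k: v for k, v in client_headers.items()
             if k.lower() not in IDENTITY_HEADERS}

    def log(outcome: str, **extra) -> str:
        return json.dumps({"outcome": outcome, "method": method, "path": path,
                           "ip": client_ip, **extra}, sort_keys=True)

    # 2. No session, or a session without MFA, never reaches BookStack.
    if session is None or not session.mfa:
        return Decision(401, {}, log("login_required"))

    # 3. Coarse shelf gate from IdP groups. BookStack's role permissions stay
    #    authoritative: books are also reachable at /books/..., via search and the API.
    slug = shelf_slug(path)
    if slug in SHELF_POLICY and not (session.groups & SHELF_POLICY[slug]):
        return Decision(403, {}, log("denied", user=session.email, shelf=slug))

    # 4. Only now set the identity BookStack will trust, plus the client address
    #    so BookStack's own logs still show who was behind the proxy.
    clean["Remote-User"] = session.email
    clean["Remote-Groups"] = ",".join(sorted(session.groups))
    clean["X-Forwarded-For"] = client_ip
    return Decision(200, clean, log("allow", user=session.email, shelf=slug))


if __name__ == "__main__":
    # Constructed sample: an unauthenticated client forging Remote-User.
    d = forward_request("GET", "/shelves/security-runbooks",
                        {"Remote-User": "admin@example.com"}, None, "203.0.113.5")
    print(d.status, d.audit)
```

The forged header in the sample never reaches BookStack in any branch: it is removed before the session check, so a 401, a 403 and a 200 all forward only the identity the proxy itself verified.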

Benefits of Securing BookStack with OnePAM

Measurable security and operational outcomes from deploying OnePAM in front of BookStack.

Protect Internal Knowledge

Only authenticated team members can reach the application at all; within it, BookStack's role permissions still decide what each of them may read.

No unauthenticated access

Enterprise SSO for BookStack

Upgrade-proof SSO via proxy authentication — survives BookStack updates.

Upgrade-proof SSO

Secure Runbooks

Operational runbooks and security procedures are protected behind MFA.

MFA-protected runbooks

Content-Aware Policies

Different bookshelves accessible to different teams based on IdP groups.

Team-scoped access

Instant Deprovisioning

When someone leaves, disable them in your IdP. OnePAM issues no further sessions for that identity, with no change needed on the BookStack side. Keep proxy session lifetimes short so sessions already open also expire promptly.

Real-time revocation

Documentation Audit Trail

Track who read which pages, when, and from where — essential for security investigations.

Complete access history

BookStack SSO Capabilities

Every feature needed to provide enterprise-grade SSO and access control for BookStack.

SAML 2.0 & OIDC SSO for BookStack via proxy auth
Bookshelf-level access policies from IdP groups
Session recording for compliance auditing
IP and geo-restriction for documentation access
Device trust verification
Automatic user provisioning from IdP
Concurrent session management
Attachment access auditing
Search activity logging
Multi-BookStack instance SSO support

Zero-Day Protection Features

These controls keep unauthenticated attackers from reaching BookStack at all, which removes its pre-authentication attack surface. Vulnerabilities reachable by a logged-in user still need BookStack patched; the proxy limits who can get to them and records who did.

BookStack isolated from direct network access
End-to-end TLS encryption
Request-level identity verification
Attachment download auditing
Header injection prevention
Automatic session invalidation on IdP sign-out

BookStack SSO + Security Use Cases

Common scenarios where organizations deploy OnePAM in front of BookStack.

1. Engineering teams accessing internal documentation with SSO and MFA
2. Restricting security runbook access to the security team
3. Auditing who accessed incident response documentation during security events
4. Securing API documentation for partner access with time-limited sessions
5. Protecting HR and compliance documentation with role-based access
6. Providing read-only documentation access to contractors with session recording

BookStack SSO + Security FAQ

Common questions about deploying OnePAM's authenticated proxy for BookStack.

Does OnePAM work with BookStack's built-in SAML?

OnePAM replaces BookStack's built-in SAML/OIDC with proxy-level authentication. This is simpler, survives BookStack upgrades without reconfiguration, and keeps the IdP integration in one place across instances. Because BookStack then trusts a header rather than an assertion it verified itself, the network isolation from step 1 is mandatory, not optional.

Can we auto-create BookStack accounts from the IdP?

Yes. When OnePAM passes the authenticated identity via REMOTE_USER, BookStack auto-creates user accounts on first login. New accounts receive BookStack's default role for new users, so review that role before go-live; an over-privileged default would give every IdP user edit rights on their first visit.

Can different teams see different bookshelves?

Yes. OnePAM identifies users by IdP group. Combined with BookStack's role permissions, you can restrict bookshelf access per team.

Does OnePAM protect BookStack's API?

Yes. Every BookStack route, including the REST API under /api, sits behind OnePAM's authentication, so unauthenticated clients cannot reach it. BookStack's API normally authenticates clients with its own token (an Authorization: Token header carrying a token ID and secret); through OnePAM, scripts and integrations must also satisfy the proxy, so plan their session handling accordingly.

Does OnePAM affect BookStack's search?

No. Search functionality works normally for authenticated users. Unauthenticated users cannot reach BookStack at all.

Ready to Secure BookStack with SSO + Zero-Day Protection?

Deploy OnePAM in minutes — no BookStack code changes required. Start your free 14-day trial today.