SSO + Zero-Day Protection for Harbor

by CNCF (Cloud Native Computing Foundation)

Secure Harbor Registry with SAML/OIDC SSO — Shield Container Images from Zero-Day Exploits

Why Harbor Needs an Authenticated Proxy

Harbor is the leading open-source container registry, providing enterprise-grade image management, vulnerability scanning, RBAC, and content trust for container images. Harbor is a critical supply chain component — every container deployed in your Kubernetes clusters originates from the registry. A compromised Harbor instance allows attackers to inject malicious images, modify existing ones, or exfiltrate proprietary application code. OnePAM adds authenticated proxy protection to Harbor, ensuring every request — whether UI access, API call, or docker pull/push — passes through identity verification. Users authenticate via your corporate IdP, and OnePAM handles SSO via trusted proxy headers. Your container supply chain gains enterprise SSO, MFA enforcement, and zero-day protection.

HTTP Header Authentication
X-Forwarded-User / X-Forwarded-Groups

Harbor supports external authentication via an auth proxy mode that trusts HTTP headers from a reverse proxy. OnePAM injects X-Forwarded-User and optionally X-Forwarded-Groups headers, and Harbor automatically creates or maps the user session.

Harbor Vulnerability Risks

Without an authenticated proxy, these risks are directly exploitable by any network-reachable attacker.

Harbor has had critical vulnerabilities including privilege escalation and SSRF
Container registry compromise enables supply chain attacks across all deployments
Malicious image injection can compromise every Kubernetes pod using the image
Harbor's Chartmuseum and Trivy components add additional attack surface

Security Challenges with Harbor

These are the risks organizations face when Harbor is not behind an authenticated proxy.

Supply Chain Criticality

Harbor is the source of truth for container images. A compromise enables supply chain attacks across every deployment that pulls from the registry.

Image Integrity Risk

Without strong authentication, attackers can push malicious images or modify existing ones, injecting backdoors into your deployment pipeline.

Credential Management

Harbor's built-in user management creates credential sprawl. Robot accounts and user passwords exist outside your corporate identity infrastructure.

Multi-Tenancy Complexity

Managing project-level access for multiple teams, each with different pull/push permissions, is operationally complex.

Vulnerability Scanner Access

Harbor's vulnerability scanning results contain detailed CVE information about your container images — valuable intelligence for attackers.

API Surface Exposure

Harbor's comprehensive REST API allows programmatic access to images, scan results, and configuration if not properly secured.

How OnePAM Adds SSO + Zero-Day Protection to Harbor

A step-by-step guide to deploying OnePAM's authenticated proxy in front of Harbor.

1. Deploy OnePAM in Front of Harbor

Place OnePAM as the authenticated proxy for Harbor's web UI and Docker registry API.

Harbor is configured with auth_mode=http_auth to trust OnePAM's proxy headers. OnePAM intercepts all traffic to Harbor's UI (port 443) and registry API.

2. Connect Your IdP

Configure your corporate IdP as OnePAM's authentication source.

OnePAM handles the full SAML/OIDC authentication flow including MFA enforcement and group sync.

3. Enable Harbor Auth Proxy Mode

Configure Harbor's auth proxy mode to trust the X-Forwarded-User header from OnePAM.

Harbor's auth_mode=http_auth setting tells it to read the authenticated username from OnePAM's headers. Users are automatically created or mapped in Harbor.

4. Map Projects to IdP Groups

IdP groups map to Harbor project roles (Admin, Developer, Guest), controlling who can push and pull images.

DevOps teams get push/pull access, developers get pull-only, and QA gets guest access — all managed from your IdP.

5. Secure and Audit

Every registry operation is logged with corporate identity context for supply chain compliance.

OnePAM's audit trail records every image push, pull, delete, and scan operation with full IdP context: who, when, from where, and with what authentication method.

Benefits of Securing Harbor with OnePAM

Measurable security and operational outcomes from deploying OnePAM in front of Harbor.

Protect Container Supply Chain

Only authenticated users can push or pull images. Unauthorized access to your container registry is blocked at the proxy layer.

Supply chain integrity assured

SSO for Docker Operations

Developers authenticate once via SSO. Docker CLI operations are authenticated through OnePAM with the same identity.

Single identity for docker push/pull

Shield from Harbor CVEs

Privilege escalation and SSRF vulnerabilities in Harbor cannot be exploited without first passing identity verification.

CVEs blocked at proxy layer

Enterprise SSO for Harbor OSS

OnePAM provides SAML/OIDC SSO for Harbor without requiring additional licensing.

Enterprise SSO at no extra cost

Complete Registry Audit Trail

Every image operation (push, pull, delete, scan) is logged with corporate identity and MFA status.

Full supply chain visibility

Centralized Access Management

Manage Harbor project access from your IdP. Team changes automatically update registry permissions.

IdP-driven registry access

Harbor SSO Capabilities

Every feature needed to provide enterprise-grade SSO and access control for Harbor.

SAML 2.0 & OIDC SSO via Harbor auth proxy mode
Docker CLI authentication via proxy
IdP group to Harbor project role mapping
Image push/pull access policies
Vulnerability scan result access controls
Session recording for registry UI access
IP and geo-restriction for registry operations
Robot account management and auditing
Concurrent session controls
Multi-registry SSO support

Zero-Day Protection Features

Enterprise-grade security controls that shield Harbor from exploitation.

Harbor isolated from direct network access
End-to-end TLS encryption for all registry traffic
Request-level authentication on every API call
Protection against Harbor privilege escalation CVEs
Image signing and content trust enforcement
Automatic session termination on IdP sign-out

Harbor SSO + Security Use Cases

Common scenarios where organizations deploy OnePAM in front of Harbor.

1. DevOps teams pushing and pulling container images with corporate SSO and MFA
2. Developers accessing vulnerability scan results with project-level access controls
3. CI/CD pipelines authenticating image pushes with auditable service identities
4. Security teams reviewing container vulnerability reports with session recording
5. Multi-team registry access with project isolation from IdP groups
6. Protecting Harbor from internet-facing CVEs in hybrid cloud environments

Harbor SSO + Security FAQ

Common questions about deploying OnePAM's authenticated proxy for Harbor.

Does OnePAM work with Docker CLI push and pull?

Yes. OnePAM can authenticate Docker CLI operations. Docker login through OnePAM validates against your IdP, providing SSO for both the web UI and CLI operations.

How does Harbor auth proxy mode work?

When Harbor's auth_mode is set to http_auth, Harbor trusts the user identity from the X-Forwarded-User HTTP header. OnePAM authenticates users via your IdP and injects this header on every proxied request.
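As an added example (not OnePAM's or Harbor's own code), a minimal Go reverse proxy illustrating the property a header-trust deployment depends on: X-Forwarded-User and X-Forwarded-Groups are stripped from every inbound request and set only from the proxy's own authenticated session, and Harbor is reached only through the proxy. The cookie name, the in-memory session store and the identity values are constructed assumptions standing in for the SAML/OIDC session.

```go
package main

import (
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

type Identity struct { // resolved from the IdP-backed session (constructed for this example)
	User   string
	Groups []string
}

// Hypothetical session store: opaque cookie value -> identity (stand-in for the SAML/OIDC session).
var sessions = map[string]Identity{
	"sess-alice": {User: "alice@example.com", Groups: []string{"devops", "developers"}},
}

// lookupSession resolves the session cookie (its name is an assumption) to an identity.
func lookupSession(r *http.Request) (Identity, bool) {
	if c, err := r.Cookie("onepam_session"); err == nil {
		id, ok := sessions[c.Value]
		return id, ok
	}
	return Identity{}, false
}

// SetIdentityHeaders strips client-supplied identity headers and sets them only from a valid session.
func SetIdentityHeaders(r *http.Request, lookup func(*http.Request) (Identity, bool)) bool {
	r.Header.Del("X-Forwarded-User") // never trust these from the client side
	r.Header.Del("X-Forwarded-Groups")
	id, ok := lookup(r)
	if !ok {
		return false
	}
	r.Header.Set("X-Forwarded-User", id.User)
	r.Header.Set("X-Forwarded-Groups", strings.Join(id.Groups, ","))
	return true
}

// NewHarborAuthProxy fronts Harbor (auth_mode=http_auth): 401 without a session, else forward with proxy-set headers.
func NewHarborAuthProxy(harbor *url.URL) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(harbor)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !SetIdentityHeaders(r, lookupSession) {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		rp.ServeHTTP(w, r)
	})
}
```

The same stripping step belongs in any proxy placed in front of Harbor in this mode, since Harbor itself cannot tell a proxy-set header from a client-set one once the request arrives.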

Can we still use Harbor robot accounts for CI/CD?

Yes. OnePAM supports path-based policies that allow robot account token authentication for CI/CD pipelines while requiring SSO for interactive web sessions and human docker CLI access.

What about Helm chart repository access?

OnePAM protects all Harbor endpoints including the Chartmuseum API for Helm charts. The same SSO and access policies apply to chart push/pull operations.

Can we enforce image signing policies through OnePAM?

OnePAM handles authentication and access control. Harbor's built-in content trust and Notary integration handles image signing. The two work together — OnePAM ensures only authorized users can push images, and Harbor ensures images are signed.

Ready to Secure Harbor with SSO + Zero-Day Protection?

Deploy OnePAM in minutes — no Harbor code changes required. Start your free 14-day trial today.