
SSO + Zero-Day Protection for Kibana

by Elastic

Secure Kibana with SAML/OIDC SSO via Authenticated Proxy — Zero-Day Protection Included

Why Kibana Needs an Authenticated Proxy

Kibana is the visualization and exploration layer for Elasticsearch, used by organizations worldwide for log analytics, security information and event management (SIEM), application performance monitoring, and business intelligence. Kibana instances routinely contain your most sensitive data — security logs, application traces, infrastructure events, and business transactions. A compromised Kibana instance is a goldmine for attackers.

OnePAM secures Kibana by placing an authenticated reverse proxy in front of it. Users authenticate via your corporate IdP, and OnePAM injects trusted identity headers that Kibana and Elasticsearch accept. No unauthenticated user can reach Kibana, Elasticsearch APIs, or the data they contain. Zero-day exploits in Kibana or Elasticsearch are shielded by OnePAM's identity-first architecture.

HTTP Header Authentication
X-Proxy-User / es-security-runas-user

Kibana can be configured to trust authentication from a reverse proxy via HTTP headers. OnePAM injects user identity headers that Elasticsearch's PKI or proxy realm validates, enabling transparent SSO without Kibana-native authentication.

Kibana Vulnerability Risks

Without an authenticated proxy, these risks are directly exploitable by any attacker who can reach Kibana over the network.

Elasticsearch/Kibana have had critical RCE vulnerabilities (Log4Shell, etc.)
Kibana dashboards can expose security logs and incident response data
Elasticsearch APIs accessible via Kibana allow data exfiltration
Kibana's Reporting and Alerting features can be weaponized by attackers

Security Challenges with Kibana

These are the risks organizations face when Kibana is not behind an authenticated proxy.

Critical Data at Risk

Kibana provides direct access to security logs, application data, and infrastructure events. Unauthorized access means full visibility into your operations.

Complex Security Model

Elasticsearch security (X-Pack) requires per-index role definitions, RBAC configuration, and realm setup that is complex and error-prone.

Log4Shell-Class Risks

The Elastic stack was directly impacted by Log4Shell. Future Java-based zero-days pose ongoing risk to exposed Kibana instances.

Credential Silos

Elasticsearch native users are separate from your corporate directory, creating credential sprawl and manual user management.

SIEM Data Sensitivity

Organizations using Elastic SIEM store incident response data, threat intelligence, and detection rules that must be strictly access-controlled.

Audit Requirements

Compliance frameworks require audit trails for access to security monitoring tools. Kibana's built-in audit logging may not meet enterprise requirements.

How OnePAM Adds SSO + Zero-Day Protection to Kibana

A step-by-step guide to deploying OnePAM's authenticated proxy in front of Kibana.

1. Deploy OnePAM as Kibana's Gateway

Place OnePAM in front of Kibana, making it the sole network entry point to the Elastic stack.

Kibana and Elasticsearch are configured to accept connections only from OnePAM. Direct network access to ports 5601 (Kibana) and 9200 (Elasticsearch) is blocked.

2. Configure IdP Federation

Connect OnePAM to your corporate IdP — Okta, Azure AD, Google Workspace, or any SAML/OIDC provider.

OnePAM handles the complete authentication flow: IdP redirect, MFA enforcement, assertion validation, and token management.

3. Enable Proxy Authentication

OnePAM injects the authenticated user identity via HTTP headers that Elasticsearch's proxy authentication realm trusts.

Configure Elasticsearch's PKI or proxy realm to accept the user identity from OnePAM's headers. Kibana inherits the authenticated session automatically.

4. Map IdP Roles to Elasticsearch RBAC

OnePAM passes IdP group memberships that map to Elasticsearch roles and index-level permissions.

Security analysts see SIEM indices, developers see application logs, and executives see business dashboards — all managed from your IdP groups.

5. Complete Audit Trail

Every Kibana/Elasticsearch access event is logged with IdP context, MFA status, and device information.

OnePAM creates a unified audit trail that satisfies SOC 2, ISO 27001, and HIPAA requirements for access to security monitoring tools.
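The proxy-side decision that steps 3 to 5 describe, as an added example that is not OnePAM's code: the header names X-Proxy-User and es-security-runas-user are the ones this page names, while the IdP group and role names, the X-Proxy-Roles header, the allow-listed Elasticsearch paths and the proxy's service credential are constructed assumptions. The one check the design depends on is that any identity header arriving from the client is dropped before the proxy injects its own.

```python
import re
from datetime import datetime, timezone

# Identity headers from this page (plus Authorization). Only the proxy may set
# them; any copy a client sends is dropped, otherwise a client reaching the
# proxy could pick its own identity.
IDENTITY_HEADERS = ("x-proxy-user", "es-security-runas-user", "authorization")

# IdP group -> Elasticsearch role (constructed example names).
GROUP_TO_ROLE = {"sec-analysts": "siem_reader", "developers": "app_logs_reader",
                 "executives": "bi_dashboards_reader"}

# Allow-list of Elasticsearch endpoints reachable through the proxy, as
# (methods, path regex). Cluster and snapshot administration are never listed.
SEARCH_PATH = re.compile(r"^/(logs|metrics)[\w.*-]*/_search$")
ALLOWED_ES_ENDPOINTS = [({"GET", "POST"}, SEARCH_PATH),
                        ({"GET"}, re.compile(r"^/_cat/indices(/|$)"))]

# Placeholder for the proxy's own credential: es-security-runas-user is only
# honoured when the authenticating user holds the run_as privilege.
PROXY_SERVICE_AUTH = "Basic <proxy-service-account-credential>"

AUDIT_LOG = []  # step 5: one record per decision with IdP and MFA context

def authorize_and_rewrite(session, method, path, inbound_headers):
    """Decide on one proxied request and return (status, outbound_headers):
    401 with no IdP session, 403 outside the allow-list, else 200 + headers."""
    session = session or {}
    user = session.get("user")
    if not user:
        status, out = 401, {}
    elif not any(method in ms and p.match(path) for ms, p in ALLOWED_ES_ENDPOINTS):
        status, out = 403, {}
    else:
        # drop client-supplied identity headers, case-insensitively
        out = {k: v for k, v in inbound_headers.items()
               if k.lower() not in IDENTITY_HEADERS}
        out["Authorization"] = PROXY_SERVICE_AUTH
        out["X-Proxy-User"] = out["es-security-runas-user"] = user
        roles = sorted({GROUP_TO_ROLE[g] for g in session.get("groups", ())
                        if g in GROUP_TO_ROLE})
        out["X-Proxy-Roles"] = ",".join(roles)  # assumed header name
        status = 200
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                      "mfa": session.get("mfa", False), "method": method,
                      "path": path, "status": status})
    return status, out
```

Elasticsearch must in turn accept these headers only from the proxy's address, which is what the port blocking in step 1 enforces.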

Benefits of Securing Kibana with OnePAM

Measurable security and operational outcomes from deploying OnePAM in front of Kibana.

Shield from Elastic Zero-Days

After Log4Shell, the risk is clear. OnePAM ensures no unauthenticated request reaches your Elastic stack, so an unauthenticated attacker cannot exploit a Kibana or Elasticsearch vulnerability remotely.

Log4Shell-proof architecture

Protect SIEM Data

Security logs, detection rules, and incident response data stay behind identity-verified access only.

Zero unauthorized data access

Simplify Elastic Security

Replace complex Elasticsearch realm configurations with simple proxy authentication. OnePAM handles the identity, Elasticsearch handles the authorization.

80% simpler security config

Enterprise SSO without X-Pack Platinum

OnePAM provides SAML/OIDC SSO for Kibana without requiring Elasticsearch Platinum licensing.

Save on Elastic licensing

Unified Access Logs

Kibana access events appear in OnePAM's audit trail alongside SSH, RDP, VNC, database, and other application access.

Single audit surface

Instant User Deprovisioning

Disable a user in your IdP and their Kibana/Elasticsearch access stops immediately — no manual Elasticsearch user cleanup.

Real-time revocation

Kibana SSO Capabilities

Every feature needed to provide enterprise-grade SSO and access control for Kibana.

SAML 2.0 & OIDC SSO for Kibana via proxy authentication
Elasticsearch proxy realm integration
Index-level access control via IdP group mapping
Kibana Space access policies from IdP attributes
Session recording for SOC/SIEM access auditing
IP and geo-restriction for log analytics access
Device trust verification before data access
API access policies for Elasticsearch endpoints
Concurrent session controls and idle timeouts
Multi-cluster Elasticsearch SSO support

Zero-Day Protection Features

Enterprise-grade security controls that shield Kibana from exploitation.

Kibana and Elasticsearch isolated from direct access
End-to-end TLS with certificate pinning
Request-level identity verification on every API call
Protection against SSRF and request smuggling attacks
Elasticsearch API endpoint filtering and allow-listing
Automatic session termination on IdP sign-out

Kibana SSO + Security Use Cases

Common scenarios where organizations deploy OnePAM in front of Kibana.

1. Security operations center (SOC) analysts accessing Elastic SIEM with SSO and session recording
2. DevOps teams viewing application logs with read-only access and MFA enforcement
3. Compliance officers accessing audit logs with time-limited, recorded sessions
4. Incident response teams accessing threat data with emergency break-glass procedures
5. Multi-tenant Kibana access for managed security service providers (MSSPs)
6. Protecting the Elastic stack from internet-facing CVEs while enabling remote analyst access

Kibana SSO + Security FAQ

Common questions about deploying OnePAM's authenticated proxy for Kibana.

Does OnePAM work with Elasticsearch Basic (free) or only Platinum?

OnePAM provides SSO capabilities for any Elasticsearch edition. While native SAML in Elasticsearch requires Platinum, OnePAM's proxy authentication works with all editions, effectively giving you enterprise SSO features at no additional Elastic licensing cost.

How does proxy authentication work with Elasticsearch security?

OnePAM injects the authenticated username via HTTP headers. Elasticsearch's proxy realm (or PKI realm) validates these headers and maps the user to Elasticsearch roles. This is a fully supported authentication mechanism in the Elastic security framework.

Can we restrict access to specific Kibana Spaces?

Yes. OnePAM can enforce URL-based access policies that restrict users to specific Kibana Spaces. Combined with Elasticsearch RBAC, this provides fine-grained access control at both the UI and data level.

Does OnePAM protect Elasticsearch APIs as well?

Yes. OnePAM can proxy and authenticate access to Elasticsearch REST APIs (port 9200), not just Kibana. This protects direct API access to your data with the same SSO and policy enforcement.

What about Kibana Reporting and Alerting?

Kibana's server-side features (Reporting, Alerting) run within the Kibana process. OnePAM protects the user-facing access to configure and view these features. Server-side Kibana-to-Elasticsearch communication uses internal service credentials unaffected by OnePAM.

Ready to Secure Kibana with SSO + Zero-Day Protection?

Deploy OnePAM in minutes — no Kibana code changes required. Start your free 14-day trial today.