
SSO + Zero-Day Protection for Metabase

by Metabase Inc.

Add SAML/OIDC SSO to Metabase — Protect Business Intelligence Data with Authenticated Proxy

Why Metabase Needs an Authenticated Proxy

Metabase is a popular open-source business intelligence tool that enables non-technical users to query databases, build dashboards, and share insights. Self-hosted Metabase instances have direct database connections to production systems — a compromised Metabase means direct access to your customer data, financial records, and business metrics. OnePAM adds enterprise SSO to Metabase by placing an authenticated proxy in front of it. Users authenticate through your corporate IdP, and only verified analysts can access dashboards and run queries.

HTTP Header Authentication: X-Forwarded-User

Metabase supports reverse proxy authentication. OnePAM injects the verified user identity, and Metabase auto-creates or maps the session to the corresponding user account.

Metabase Vulnerability Risks

Without an authenticated proxy, these risks are directly exploitable by any network-reachable attacker.

Metabase has direct SQL access to production databases
Custom SQL queries can exfiltrate sensitive customer data
Dashboard sharing links may expose business intelligence externally
Database connection strings stored in Metabase contain privileged credentials

Security Challenges with Metabase

These are the risks organizations face when Metabase is not behind an authenticated proxy.

Direct Database Access

Metabase connects directly to your production databases. A compromised instance means unrestricted access to all connected data sources.

SQL Query Exposure

Users can run custom SQL queries against production data. Without proper access controls, any Metabase user can query any connected database.

Credential Storage

Database connection strings with usernames and passwords are stored within Metabase. These credentials often have read access to entire databases.

Limited SSO in OSS

Metabase open-source edition has limited authentication options. Enterprise SSO requires the paid Metabase Enterprise edition.

Dashboard Sharing Risks

Shared dashboard links and public embeds can inadvertently expose business data outside the organization.

No Query Auditing

Tracking which user ran which SQL query against which database is difficult without external tooling.

How OnePAM Adds SSO + Zero-Day Protection to Metabase

A step-by-step guide to deploying OnePAM's authenticated proxy in front of Metabase.

1. Deploy OnePAM as Metabase Proxy

Place OnePAM in front of the Metabase web application.

Metabase is configured to accept connections only from OnePAM. Direct access is blocked at the network level.

2. Configure Your Identity Provider

Connect OnePAM to your corporate IdP — Okta, Azure AD, Google Workspace, or any SAML/OIDC provider.

OnePAM handles SSO authentication, MFA enforcement, and group membership retrieval from your IdP.

3. Enable Proxy Authentication

OnePAM injects the authenticated identity via HTTP headers that Metabase trusts.

Metabase reads the verified user from OnePAM's headers and creates or maps the session automatically.

4. Define Data Access Policies

Control who can access Metabase dashboards and run SQL queries based on IdP groups.

Analysts get dashboard access; data engineers get SQL query access; executives get curated dashboards only.

5. Audit Query Activity

Every dashboard view and SQL query execution is logged with corporate identity.

Complete audit trail of who queried what data, when, and from which device — essential for data governance.
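
The request flow in steps 1, 3, 4 and 5, sketched as an added example (not OnePAM or Metabase code): the proxy discards any client-supplied identity header before setting its own, applies a default-deny group policy, and emits an audit record, while the backend trusts the header only from the proxy's address. The path prefixes, group names, addresses and function names are hypothetical.

```python
import ipaddress

IDENTITY_HEADER = "X-Forwarded-User"
# Assumption: the proxy's address as the backend sees it (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]
# Assumption: hypothetical path-prefix policy keyed by IdP group.
PATH_POLICY = {"/sql": {"data-engineers"}, "/dashboards": {"analysts", "data-engineers"}}

def canon(name):
    # Header names are case-insensitive and some servers map "_" to "-".
    return name.strip().lower().replace("_", "-")

def build_upstream_headers(client_headers, verified_user):
    """Proxy side: drop every client-supplied identity header, then set ours."""
    out = [(k, v) for k, v in client_headers if canon(k) != canon(IDENTITY_HEADER)]
    out.append((IDENTITY_HEADER, verified_user))
    return out

def path_allowed(path, groups):
    """Proxy side: default-deny; a path needs a matching prefix and group."""
    for prefix, allowed in PATH_POLICY.items():
        if path == prefix or path.startswith(prefix + "/"):
            return bool(allowed & set(groups))
    return False

def backend_identity(peer_ip, headers):
    """Backend side: trust the header only when the TCP peer is the proxy."""
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in TRUSTED_PROXIES):
        return None
    values = [v for k, v in headers if canon(k) == canon(IDENTITY_HEADER)]
    # Exactly one value is expected; duplicates mean sanitization failed.
    return values[0] if len(values) == 1 else None

def handle(peer_ip, path, client_headers, session):
    """session: identity the proxy verified with the IdP, or None."""
    if session is None:
        return 401, None, None
    audit = {"user": session["user"], "path": path, "src": peer_ip}
    if not path_allowed(path, session["groups"]):
        return 403, None, dict(audit, decision="deny")
    upstream = build_upstream_headers(client_headers, session["user"])
    return 200, upstream, dict(audit, decision="allow")

if __name__ == "__main__":
    # Constructed request: the client supplies its own identity header.
    req = [("Host", "bi.example.test"), ("x_forwarded_user", "admin@example.test")]
    sess = {"user": "ana@example.test", "groups": ["analysts"]}
    print(handle("198.51.100.7", "/dashboards/12", req, sess))
```

The backend-side check is what makes the network restriction in step 1 matter: if the application is reachable from anywhere other than the proxy, the identity header is only a claim.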

Benefits of Securing Metabase with OnePAM

Measurable security and operational outcomes from deploying OnePAM in front of Metabase.

Protect Business Data

Only authenticated analysts can access Metabase dashboards and query production databases.

Zero unauthorized data access

Enterprise SSO for Free Metabase

Get SAML/OIDC SSO on Metabase OSS without upgrading to Metabase Enterprise.

Enterprise SSO for OSS

Shield Database Credentials

Database connection strings in Metabase are protected behind OnePAM's authentication layer.

Credentials protected

MFA for Data Access

Require MFA before analysts can access business intelligence dashboards or run SQL queries.

MFA-protected analytics

Instant Analyst Offboarding

Disable an analyst in your IdP and Metabase access stops immediately.

Real-time revocation

Complete Query Audit Trail

Every dashboard view and SQL query is logged with corporate identity for data governance.

Full analytics audit trail

Metabase SSO Capabilities

Every feature needed to provide enterprise-grade SSO and access control for Metabase.

SAML 2.0 & OIDC SSO for Metabase via proxy authentication
Dashboard-level access policies from IdP groups
SQL query access control by team
Session recording for compliance auditing
IP and geo-restriction for data access
Device trust verification before analytics access
Automatic user provisioning from IdP
Concurrent session management
API access control for embedded dashboards
Multi-Metabase instance SSO support

Zero-Day Protection Features

Enterprise-grade security controls that shield Metabase from exploitation.

Metabase isolated from direct network access
End-to-end TLS encryption
Request-level identity verification
Database credential protection
Header injection prevention
Automatic session invalidation on IdP sign-out

Metabase SSO + Security Use Cases

Common scenarios where organizations deploy OnePAM in front of Metabase.

1. Data analysts accessing dashboards with corporate SSO and MFA
2. Restricting SQL query access to data engineers with elevated permissions
3. Auditing dashboard access for GDPR and data governance compliance
4. Securing Metabase in healthcare environments with patient data access controls
5. Providing read-only dashboard access to external stakeholders with session recording
6. Protecting Metabase instances connected to financial databases

Metabase SSO + Security FAQ

Common questions about deploying OnePAM's authenticated proxy for Metabase.

Does OnePAM work with Metabase open-source?

Yes. OnePAM provides enterprise SSO at the proxy layer, giving Metabase OSS the same SSO capabilities as Metabase Enterprise — without the enterprise license cost.

Can we control who runs SQL queries vs. who views dashboards?

Yes. OnePAM policies can restrict URL paths, allowing dashboard-only access for some users and full SQL query access for data engineers.

Does OnePAM protect Metabase's embedding API?

Yes. OnePAM can protect all Metabase endpoints including the embedding API. Embedded dashboards can be configured with separate authentication policies.

Can we audit which databases users queried?

OnePAM logs all HTTP requests with the authenticated user identity. Combined with Metabase's query logs, you get complete data access auditing.

Does OnePAM affect Metabase query performance?

OnePAM adds minimal latency (typically <5ms). Database query execution time is unaffected as queries run directly from Metabase to the database.

Ready to Secure Metabase with SSO + Zero-Day Protection?

Deploy OnePAM in minutes — no Metabase code changes required. Start your free 14-day trial today.