
SSO + Zero-Day Protection for MinIO

by MinIO, Inc.

Add SAML/OIDC SSO to MinIO Console — Protect Object Storage from Zero-Day Exploits

Why MinIO Needs an Authenticated Proxy

MinIO is a high-performance S3-compatible object storage system deployed on-premise and in private clouds by organizations worldwide. MinIO stores unstructured data — documents, images, backups, data lake files, ML training datasets, and application artifacts. The MinIO Console provides a web-based interface for bucket management, user administration, and storage monitoring. A compromised MinIO Console gives attackers the ability to read, modify, or delete any stored object, create new access keys, and exfiltrate sensitive data.

OnePAM adds enterprise SSO to the MinIO Console by placing an authenticated reverse proxy in front of it. Users authenticate through your corporate IdP, and OnePAM ensures only verified users can access the storage management interface. MinIO's S3 API can be protected separately with policy-based controls.

HTTP Header Authentication
X-Forwarded-User / Authorization

MinIO Console can be deployed behind a reverse proxy that handles authentication. OnePAM authenticates users via SAML/OIDC and injects identity headers that MinIO Console accepts for session creation.

MinIO Vulnerability Risks

Without an authenticated proxy, these risks are directly exploitable by any network-reachable attacker.

MinIO has had critical information disclosure and privilege escalation vulnerabilities
Object storage contains documents, backups, and sensitive business data
MinIO access keys created via Console provide direct S3 API access
Bucket policies and IAM configuration can be modified via Console

Security Challenges with MinIO

These are the risks organizations face when MinIO is not behind an authenticated proxy.

Sensitive Data Repository

MinIO stores business documents, database backups, ML datasets, and application data. Unauthorized access means bulk data exfiltration.

Access Key Management

MinIO Console allows creating access keys that provide direct S3 API access. Compromised Console access means unrestricted key generation.

Credential Sprawl

MinIO has its own user/group management separate from your corporate identity infrastructure.

Privilege Escalation Risk

MinIO has had CVEs allowing privilege escalation. Without a proxy, these are directly exploitable.

Backup Data Exposure

Organizations storing database backups in MinIO risk full data exposure if the Console is compromised.

No Native SAML/OIDC

MinIO Console's built-in OIDC support requires additional configuration and doesn't support SAML natively.

How OnePAM Adds SSO + Zero-Day Protection to MinIO

A step-by-step guide to deploying OnePAM's authenticated proxy in front of MinIO.

1. Deploy OnePAM as MinIO Console Proxy

Place OnePAM in front of the MinIO Console web interface.

MinIO Console is configured to accept connections only from OnePAM. Direct browser access to the Console login page is blocked.

2. Configure IdP Federation

Connect OnePAM to your corporate IdP — Okta, Azure AD, Google Workspace, or any SAML/OIDC provider.

OnePAM handles the complete authentication flow including MFA enforcement and group membership retrieval.

3. Enable Proxy Authentication

OnePAM injects the authenticated identity for MinIO Console session creation.

Users authenticate via your IdP and OnePAM handles the session lifecycle. No MinIO Console login page is shown.

4. Map Storage Policies

IdP groups map to MinIO policies controlling bucket access, user management, and admin operations.

Storage admins get full access, developers get read-only to their team's buckets, and data engineers get write access to data lake buckets.

5. Audit Storage Access

Every Console operation is logged with corporate identity context for compliance.

OnePAM's audit trail records bucket operations, access key creation, policy changes, and data access with full IdP context.
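The header injection described in step 3 and under HTTP Header Authentication, as an added Go example (not OnePAM's code): the proxy rejects unauthenticated requests outright and, for authenticated ones, discards any client-supplied X-Forwarded-User or Authorization header before setting its own, so a caller cannot choose its own identity through the proxy. The Session type, the X-Forwarded-Groups header, the Authenticate callback and the Console address are assumptions.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Session is what the SSO step establishes (assumed shape, not OnePAM's model).
type Session struct {
	User   string
	Groups []string
}
// identityHeaders are trusted by the Console only because the proxy sets them; any
// copy arriving from the client is dropped first, so a browser cannot spoof them.
var identityHeaders = []string{"X-Forwarded-User", "X-Forwarded-Groups", "Authorization"}
// InjectIdentity replaces client-supplied identity headers with the verified session.
func InjectIdentity(r *http.Request, s Session) {
	for _, h := range identityHeaders {
		r.Header.Del(h)
	}
	r.Header.Set("X-Forwarded-User", s.User)
	r.Header.Set("X-Forwarded-Groups", strings.Join(s.Groups, ","))
}

// ConsoleProxy forwards only authenticated requests to the MinIO Console.
type ConsoleProxy struct {
	Proxy        *httputil.ReverseProxy
	Authenticate func(*http.Request) (Session, bool) // SSO session lookup, supplied by the caller
}
func NewConsoleProxy(console *url.URL, auth func(*http.Request) (Session, bool)) *ConsoleProxy {
	return &ConsoleProxy{Proxy: httputil.NewSingleHostReverseProxy(console), Authenticate: auth}
}
func (p *ConsoleProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	s, ok := p.Authenticate(r)
	if !ok { // unauthenticated requests stop here; no Console login page is ever reached
		http.Error(w, "authentication required", http.StatusUnauthorized)
		return
	}
	InjectIdentity(r, s)
	p.Proxy.ServeHTTP(w, r)
}

func main() {
	console, _ := url.Parse("http://127.0.0.1:9001") // Console bound to loopback, reachable only via the proxy (assumed)
	deny := func(*http.Request) (Session, bool) { return Session{}, false } // placeholder until SSO validation is wired in
	log.Fatal(http.ListenAndServe(":8443", NewConsoleProxy(console, deny)))
}
```

This only holds when the Console itself accepts connections solely from the proxy host (step 1); a client that could reach the Console directly would otherwise set the header itself.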

Benefits of Securing MinIO with OnePAM

Measurable security and operational outcomes from deploying OnePAM in front of MinIO.

Protect Object Storage Data

Only authenticated users can access the MinIO Console. Bulk data exfiltration via compromised Console is prevented.

Zero unauthorized storage access

Shield from MinIO CVEs

Privilege escalation and disclosure vulnerabilities cannot be exploited without passing OnePAM's identity verification.

CVEs blocked at proxy layer

Control Access Key Creation

Access key generation is restricted to authenticated, authorized users — no unauthorized S3 API credentials.

Key creation audited

Enterprise SSO for MinIO

Users authenticate with corporate credentials — no separate MinIO passwords or access management.

Single identity for storage

MFA for Storage Admin

Require multi-factor authentication before any storage administration operation.

MFA-protected storage admin

Complete Storage Audit

Every bucket operation and configuration change is logged with corporate identity.

Full audit visibility

MinIO SSO Capabilities

Every feature needed to provide enterprise-grade SSO and access control for MinIO.

SAML 2.0 & OIDC SSO for MinIO Console
Bucket-level access policies from IdP groups
Access key creation auditing and controls
S3 API endpoint protection (optional)
Session recording for storage administration
IP and geo-restriction for Console access
Device trust verification
Admin operation access controls
Multi-tenant MinIO SSO support
Backup bucket access isolation

Zero-Day Protection Features

Enterprise-grade security controls that shield MinIO from exploitation.

MinIO Console isolated from direct access
End-to-end TLS encryption
Request-level identity verification
Protection against MinIO privilege escalation CVEs
Access key lifecycle management
Automatic session termination on IdP sign-out

MinIO SSO + Security Use Cases

Common scenarios where organizations deploy OnePAM in front of MinIO.

1. Storage administrators managing MinIO via corporate SSO with MFA
2. Developers accessing team-specific buckets with read-only Console access
3. Data engineers managing data lake storage with audited sessions
4. Backup administrators accessing restore operations with step-up authentication
5. Compliance-driven storage access auditing for GDPR and HIPAA
6. Protecting MinIO Console from network-based exploitation in hybrid deployments

MinIO SSO + Security FAQ

Common questions about deploying OnePAM's authenticated proxy for MinIO.

Does OnePAM protect the MinIO S3 API as well?

OnePAM primarily protects the MinIO Console web interface. S3 API access can optionally be routed through OnePAM with token-based authentication for programmatic access.

Can we still use MinIO access keys for applications?

Yes. Application-level S3 access via access keys continues to work independently. OnePAM protects the Console where access keys are created and managed.

Does OnePAM work with MinIO in distributed mode?

Yes. OnePAM proxies to the MinIO Console endpoint regardless of whether MinIO runs in standalone or distributed mode.

Can different teams see different buckets?

Yes. OnePAM passes IdP group memberships that map to MinIO policies. Combined with MinIO's IAM policies, you can restrict Console visibility per team.
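The group-to-policy mapping from step 4 and the per-team bucket visibility in this answer, as an added Go example (not OnePAM's or MinIO's code): a user's IdP groups become one MinIO policy document with the three roles step 4 describes, unknown groups grant nothing, and a user with no matching group gets no policy at all. The group names, bucket names and the dev-<team> convention are assumptions; the statement shapes follow MinIO's IAM-style policy JSON.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Statement and Policy mirror the IAM-style JSON of a MinIO policy document;
// Go's default field names already give the capitalised keys MinIO expects.
type Statement struct {
	Effect   string
	Action   []string
	Resource []string `json:",omitempty"` // admin:* statements carry no resource
}
type Policy struct {
	Version   string
	Statement []Statement
}

func arn(bucket string) string { return "arn:aws:s3:::" + bucket }
func allow(actions []string, resources ...string) Statement {
	return Statement{Effect: "Allow", Action: actions, Resource: resources}
}

// PolicyForGroups derives one least-privilege policy from a user's IdP groups.
// Group names and bucket layout are assumptions (not OnePAM defaults):
// storage-admins get admin and S3 access everywhere, dev-<team> gets read-only
// on bucket <team>, data-engineers get read/write on bucket data-lake. Unknown
// groups grant nothing; when no statement results, ok is false and the caller
// should attach no policy, leaving the user with MinIO's default of no access.
func PolicyForGroups(groups []string) (Policy, bool) {
	p := Policy{Version: "2012-10-17", Statement: []Statement{}}
	for _, g := range groups {
		switch {
		case g == "storage-admins":
			p.Statement = append(p.Statement, allow([]string{"admin:*"}), allow([]string{"s3:*"}, arn("*")))
		case strings.HasPrefix(g, "dev-"):
			team := strings.TrimPrefix(g, "dev-")
			p.Statement = append(p.Statement, allow([]string{"s3:ListBucket"}, arn(team)),
				allow([]string{"s3:GetObject"}, arn(team)+"/*"))
		case g == "data-engineers":
			p.Statement = append(p.Statement, allow([]string{"s3:ListBucket"}, arn("data-lake")),
				allow([]string{"s3:GetObject", "s3:PutObject"}, arn("data-lake")+"/*"))
		}
	}
	return p, len(p.Statement) > 0
}

// JSON renders the document as MinIO accepts it (e.g. for mc admin policy create).
func (p Policy) JSON() string { b, _ := json.MarshalIndent(p, "", "  "); return string(b) }
```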

What about MinIO's built-in OIDC support?

OnePAM provides a simpler, more flexible alternative to MinIO's built-in OIDC. It also adds zero-day protection, session recording, and audit logging that MinIO's native auth doesn't provide.

Ready to Secure MinIO with SSO + Zero-Day Protection?

Deploy OnePAM in minutes — no MinIO code changes required. Start your free 14-day trial today.