SSO + Zero-Day Protection for pgAdmin

by pgAdmin Development Team

Secure pgAdmin with SAML/OIDC SSO — Authenticated Proxy Protection for Database Administration

Why pgAdmin Needs an Authenticated Proxy

pgAdmin is the most popular open-source administration tool for PostgreSQL databases. It provides a web-based interface for database management, SQL query execution, schema design, and server monitoring. A compromised pgAdmin instance gives attackers direct access to production databases — the ability to read, modify, or delete business-critical data. Despite the severity of this risk, many pgAdmin deployments rely on basic username/password authentication with no MFA, no SSO, and no audit trail. OnePAM adds enterprise-grade security to pgAdmin by placing an authenticated reverse proxy in front of it. Users authenticate through your corporate IdP, and OnePAM handles the session injection. Only verified, authorized users can reach pgAdmin, and every database administration session is logged and optionally recorded.

HTTP Header Authentication
X-Forwarded-User / REMOTE_USER

pgAdmin supports external authentication via the REMOTE_USER header when deployed behind a trusted reverse proxy. OnePAM injects the authenticated user identity, and pgAdmin creates the session accordingly.

pgAdmin Vulnerability Risks

Without an authenticated proxy, these risks are directly exploitable by any network-reachable attacker.

pgAdmin has had critical path traversal and code execution vulnerabilities
Direct access to production databases enables data exfiltration or destruction
SQL query execution capabilities can be used for privilege escalation
Server credentials stored in pgAdmin expose all managed PostgreSQL instances

Security Challenges with pgAdmin

These are the risks organizations face when pgAdmin is not behind an authenticated proxy.

Production Database Access

pgAdmin provides direct SQL execution against production databases. Unauthorized access means unrestricted ability to read, modify, or delete data.

Weak Default Authentication

pgAdmin's built-in authentication is basic username/password with no MFA support. Many deployments have no authentication at all on internal networks.

Stored Server Credentials

pgAdmin stores connection credentials for PostgreSQL servers. A compromised instance exposes passwords for all managed databases.

No Audit Trail

pgAdmin provides minimal logging of who executed which queries. Reconstructing database administration activities for compliance is nearly impossible.

No Native SSO

pgAdmin has no built-in SAML or OIDC support. Integrating with corporate identity infrastructure requires external solutions.

Multi-User Management

Managing individual pgAdmin accounts for database administrators creates credential overhead without centralized identity controls.

How OnePAM Adds SSO + Zero-Day Protection to pgAdmin

A step-by-step guide to deploying OnePAM's authenticated proxy in front of pgAdmin.

1. Deploy OnePAM in Front of pgAdmin

Place OnePAM as the reverse proxy handling all HTTPS traffic to your pgAdmin instance.

pgAdmin is configured to listen on localhost only. OnePAM becomes the sole network entry point, enforcing authentication on every request.

2. Connect Your Identity Provider

Configure your corporate IdP — Okta, Azure AD, Google Workspace, or any SAML/OIDC provider.

OnePAM handles IdP federation, MFA enforcement, and session management.

3. Enable Proxy Authentication

Configure pgAdmin to trust the REMOTE_USER header from OnePAM for automatic session creation.

pgAdmin accepts the pre-authenticated identity from OnePAM's header injection and creates a user session without showing a login page.

4. Restrict Database Access

Define policies for who can access pgAdmin and which database servers they can manage.

DBAs get full access, developers get read-only access to staging, and analysts get access only to reporting databases — all controlled from your IdP groups.

5. Record and Audit

Every pgAdmin session is logged with IdP context. Session recording captures SQL queries and schema changes.

Compliance teams can review exactly who accessed which database, when, from where, and what queries they executed. Session recordings provide visual evidence for audits.
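As an added illustration of steps 1 and 3 (this is not OnePAM's or pgAdmin's own code), the settings below are the config_local.py keys pgAdmin documents for webserver (REMOTE_USER) authentication and loopback-only listening, and the small WSGI wrapper shows the trust check that header-based login depends on: the identity is honoured only when the request arrives from the proxy, and any identity header a client supplies itself is discarded. The proxy addresses and the injected header name are assumptions.

```python
# Added example (not OnePAM's or pgAdmin's own code): pgAdmin "webserver"
# authentication behind a reverse proxy, with the trust boundary made explicit.
#
# pgAdmin side (steps 1 and 3): these are the documented config_local.py
# settings for REMOTE_USER authentication and loopback-only listening.
PGADMIN_CONFIG_LOCAL = {
    "AUTHENTICATION_SOURCES": ["webserver"],  # trust a proxy-set identity
    "WEBSERVER_REMOTE_USER": "REMOTE_USER",   # WSGI environ key pgAdmin reads
    "WEBSERVER_AUTO_CREATE_USER": True,       # provision the user on first SSO login
    "DEFAULT_SERVER": "127.0.0.1",            # never bind to a routable address
    "DEFAULT_SERVER_PORT": 5050,
}

# Proxy side. WSGI exposes client HTTP headers as HTTP_* keys, so a header
# such as X-Forwarded-User becomes HTTP_X_FORWARDED_USER and could be supplied
# by anyone who reaches the app directly. REMOTE_USER is set only by the
# server, which is why the gate copies the identity into it and nothing else does.
TRUSTED_PROXY_ADDRS = {"127.0.0.1", "::1"}  # assumption: proxy on the same host
IDENTITY_HEADER = "HTTP_X_FORWARDED_USER"   # assumption: header the proxy injects


def gate_identity(environ):
    """Return a copy of the WSGI environ in which REMOTE_USER is set only when
    the identity header arrived from a trusted proxy address; any identity the
    client supplied itself is discarded."""
    env = dict(environ)
    env.pop("REMOTE_USER", None)            # never inherit a pre-set identity
    user = env.pop(IDENTITY_HEADER, None)   # strip the raw header either way
    if env.get("REMOTE_ADDR") in TRUSTED_PROXY_ADDRS and user:
        env["REMOTE_USER"] = user
    return env


def remote_user_gate(app):
    """WSGI middleware: run gate_identity() before pgAdmin sees the request."""
    def wrapped(environ, start_response):
        return app(gate_identity(environ), start_response)
    return wrapped


# Constructed sample requests (not captured traffic).
FROM_PROXY = {"REMOTE_ADDR": "127.0.0.1", IDENTITY_HEADER: "alice@example.com"}
DIRECT_HIT = {"REMOTE_ADDR": "10.0.0.23", IDENTITY_HEADER: "alice@example.com"}

if __name__ == "__main__":
    print(gate_identity(FROM_PROXY).get("REMOTE_USER"))  # alice@example.com
    print(gate_identity(DIRECT_HIT).get("REMOTE_USER"))  # None
```

The gate is defence in depth: the primary control is that pgAdmin binds to 127.0.0.1 so that only the proxy can reach it at all, and the check simply makes that assumption explicit in code.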

Benefits of Securing pgAdmin with OnePAM

Measurable security and operational outcomes from deploying OnePAM in front of pgAdmin.

Protect Production Databases

Only authenticated, authorized users can reach pgAdmin. No anonymous access to database administration tools.

Zero unauthorized database access

Enterprise SSO for pgAdmin

Database administrators authenticate with their corporate credentials — no separate pgAdmin passwords.

Single identity for DB admin

MFA for Database Administration

Require multi-factor authentication before any database administration session can begin.

100% MFA-protected DB access

Complete Query Audit Trail

Session recording captures every SQL query, schema change, and data export for compliance and forensics.

Full forensic visibility

Shield from pgAdmin CVEs

Path traversal and code execution vulnerabilities in pgAdmin are unexploitable without authenticated access.

CVEs blocked at proxy layer

Instant Access Revocation

When a DBA leaves, disable them in your IdP and pgAdmin access stops immediately.

Real-time deprovisioning

pgAdmin SSO Capabilities

Every feature needed to provide enterprise-grade SSO and access control for pgAdmin.

SAML 2.0 & OIDC SSO via REMOTE_USER header
Automatic user provisioning from IdP
Role-based pgAdmin access from IdP groups
Session recording for SQL query auditing
IP and geo-restriction for database access
Device trust verification
Time-limited access windows for contractors
Concurrent session controls
Server credential isolation from end users
Emergency break-glass access procedures

Zero-Day Protection Features

Enterprise-grade security controls that shield pgAdmin from exploitation.

pgAdmin isolated from direct network access
End-to-end TLS encryption
Request-level identity verification
Protection against pgAdmin path traversal CVEs
Database connection credential protection
Automatic session termination on IdP sign-out

pgAdmin SSO + Security Use Cases

Common scenarios where organizations deploy OnePAM in front of pgAdmin.

1. Database administrators accessing production PostgreSQL via corporate SSO with MFA
2. Developers accessing staging databases with read-only pgAdmin access
3. Analysts running reports against data warehouses with time-limited, audited sessions
4. External DBAs providing support with recorded, time-limited access
5. Compliance-driven database administration auditing for SOX and HIPAA
6. Protecting pgAdmin from network-based exploitation in hybrid cloud environments

pgAdmin SSO + Security FAQ

Common questions about deploying OnePAM's authenticated proxy for pgAdmin.

Does OnePAM require changes to pgAdmin configuration?

Minimal. You configure pgAdmin to use REMOTE_USER authentication (a one-time setting change) and ensure pgAdmin only listens on localhost. OnePAM handles the rest.

Can different users see different PostgreSQL servers?

Yes. OnePAM's identity-aware policies combined with pgAdmin's server group permissions allow you to control which database servers each user or group can access.

Does session recording capture SQL queries?

Yes. OnePAM's session recording captures the entire web interaction including SQL queries typed in pgAdmin's query editor, schema changes, and data exports.

Can we use OnePAM with pgAdmin in Desktop mode?

OnePAM protects pgAdmin in server (web) mode. For Desktop mode, consider deploying pgAdmin as a web application and routing access through OnePAM for consistent security.

What about automated database scripts and cron jobs?

Automated scripts should connect to PostgreSQL directly using service accounts, not through pgAdmin. OnePAM protects the interactive pgAdmin interface while automated processes use direct database connections.

Ready to Secure pgAdmin with SSO + Zero-Day Protection?

Deploy OnePAM in minutes — no pgAdmin code changes required. Start your free 14-day trial today.