
SSO + Zero-Day Protection for Prometheus

Prometheus is a project of the CNCF (Cloud Native Computing Foundation).

Add Authentication to Prometheus with SAML/OIDC SSO — Shield Metrics Data from Unauthorized Access

Why Prometheus Needs an Authenticated Proxy

Prometheus is the de facto standard for cloud-native metrics collection and alerting, deployed in hundreds of thousands of Kubernetes clusters and on-premise environments worldwide. Yet Prometheus ships with zero built-in authentication or authorization: by design, any network-reachable user can query metrics, view targets, inspect alert rules, and access the admin API. This is a critical gap. Prometheus metrics reveal infrastructure topology, application performance characteristics, resource utilization, and often business KPIs. Attackers who access Prometheus can map your entire infrastructure, identify underprovisioned services, and discover alert thresholds to stay below.

OnePAM solves this by placing an authenticated reverse proxy in front of Prometheus. Every request must pass through IdP-verified authentication before reaching the Prometheus HTTP API. No code changes, no Prometheus configuration changes: just enterprise-grade security in front of an application that was never designed to have any.

HTTP Header Authentication
X-Forwarded-User (proxy-level auth)

Prometheus has no native authentication. OnePAM provides the entire auth layer as a reverse proxy — authenticating users via SAML/OIDC and only proxying verified requests to Prometheus. No Prometheus-side configuration is needed.

Prometheus Vulnerability Risks

Without an authenticated proxy, these risks are directly exploitable by any network-reachable attacker.

Prometheus has no authentication — all data is accessible to any network user
PromQL queries can extract sensitive business metrics and infrastructure topology
The /api/v1/admin endpoints allow TSDB manipulation and snapshot creation
Prometheus targets and service discovery reveal internal DNS and IP addressing

Security Challenges with Prometheus

These are the risks organizations face when Prometheus is not behind an authenticated proxy.

Zero Built-In Auth

Prometheus intentionally ships without authentication. Any user on the network can query all metrics, view targets, and access admin APIs.

Infrastructure Recon

Prometheus targets reveal your entire infrastructure: hostnames, IP addresses, ports, and service discovery configuration.

Metric Data Sensitivity

Metrics often contain business KPIs, error rates, latencies, and resource utilization that reveal operational details.

Admin API Exposure

The Prometheus admin API allows snapshot creation, TSDB compaction, and configuration reloads without any authentication.

Alert Rule Disclosure

Alert rules and recording rules expose your monitoring thresholds, helping attackers craft attacks that stay below detection.

Federation Risk

Prometheus federation endpoints expose aggregated metrics from multiple instances, amplifying data exposure.

How OnePAM Adds SSO + Zero-Day Protection to Prometheus

A step-by-step guide to deploying OnePAM's authenticated proxy in front of Prometheus.

1. Deploy OnePAM in Front of Prometheus

Place OnePAM as the reverse proxy handling all HTTP traffic to Prometheus.

Prometheus is configured to listen on localhost only (--web.listen-address=127.0.0.1:9090). OnePAM becomes the only entry point, enforcing authentication on every request.

2. Connect Your Identity Provider

Configure OnePAM with your corporate IdP: Okta, Azure AD, Google Workspace, or any SAML/OIDC provider.

OnePAM handles the full authentication flow: IdP redirect, MFA enforcement, assertion validation, and session management.

3. Authentication Enforced at Proxy

Every request to Prometheus must pass through OnePAM's identity verification layer.

Since Prometheus has no auth, OnePAM provides the entire authentication and authorization layer. Unauthenticated requests receive a 401, not Prometheus data.

4. Define Endpoint Policies

Control who can access query endpoints, admin APIs, and federation data separately.

SREs get full PromQL access, developers get read-only, and admin APIs are restricted to platform engineers with step-up MFA.

5. Audit All Metric Access

Every Prometheus query and API access is logged with corporate identity context.

OnePAM's audit trail records who ran which PromQL query, when, from where, and with what authentication method.

Benefits of Securing Prometheus with OnePAM

Measurable security and operational outcomes from deploying OnePAM in front of Prometheus.

Add Auth Where None Exists

Prometheus has zero built-in authentication. OnePAM adds enterprise-grade SSO to an application that was designed without any security.

From zero auth to full SSO

Protect Infrastructure Data

Metrics, targets, and service discovery data are only accessible to authenticated, authorized users.

Zero unauthorized metric access

Lock Down Admin APIs

Snapshot, compaction, and config reload APIs are protected behind identity verification and MFA.

Admin APIs fully secured

MFA for Monitoring

Require multi-factor authentication before any Prometheus data can be queried.

MFA-gated monitoring access

Hide Alert Thresholds

Alert rules and recording rules are no longer visible to unauthorized users, preventing threshold discovery.

Detection rules protected

Complete Query Audit

Every PromQL query is logged with corporate identity, enabling forensic analysis of data access.

Full query audit trail

Prometheus SSO Capabilities

Every feature needed to provide enterprise-grade SSO and access control for Prometheus.

SAML 2.0 & OIDC SSO for Prometheus (adds auth where none exists)
PromQL query endpoint protection
Admin API access policies (/api/v1/admin/*)
Federation endpoint access controls
Target and service discovery data protection
Session recording for metric access auditing
IP and geo-restriction for monitoring access
Device trust verification
Path-based access policies (query vs. admin vs. federation)
Multi-Prometheus instance SSO support

Zero-Day Protection Features

Enterprise-grade security controls that shield Prometheus from exploitation.

Prometheus isolated from direct network access
End-to-end TLS encryption (Prometheus runs plain HTTP by default)
Request-level identity verification on every API call
Admin API endpoint protection and restriction
Federation endpoint access controls
Automatic session termination on IdP sign-out

Prometheus SSO + Security Use Cases

Common scenarios where organizations deploy OnePAM in front of Prometheus.

1. SRE teams querying Prometheus via corporate SSO with MFA enforcement
2. Restricting admin API access to platform engineers with step-up authentication
3. Providing read-only metric access to developers and business stakeholders
4. Protecting Prometheus federation endpoints in multi-cluster deployments
5. Compliance-driven monitoring access auditing for SOC 2 and ISO 27001
6. Securing Prometheus in environments where network segmentation is insufficient

Prometheus SSO + Security FAQ

Common questions about deploying OnePAM's authenticated proxy for Prometheus.

Prometheus has no authentication — how does OnePAM add SSO?

OnePAM provides the entire authentication layer as a reverse proxy. Since Prometheus has no built-in auth, OnePAM handles all authentication via SAML/OIDC before proxying requests. No Prometheus configuration changes are needed — just bind Prometheus to localhost and route all access through OnePAM.

Does OnePAM affect Prometheus scraping?

No. Prometheus scrapes targets independently via its own HTTP client. OnePAM only protects the Prometheus web UI and HTTP API that users access. Scraping continues to work normally.

Can Grafana still query Prometheus through OnePAM?

Yes. OnePAM supports service account authentication for server-to-server communication. Grafana can authenticate to OnePAM using a service token while interactive users require full SSO.

What about Prometheus remote write/read?

OnePAM can protect remote write and remote read endpoints with separate policies. Ingestion endpoints can use token-based auth while query endpoints require SSO.

Can we restrict who can access the admin API?

Yes. OnePAM supports path-based policies. Admin endpoints (/api/v1/admin/*) can require elevated privileges or step-up MFA while query endpoints use standard SSO.
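The proxy-level flow the deployment steps describe (a localhost-bound Prometheus, an identity check on every request, 401 for unauthenticated callers, separate query/admin/federation policies, one audit line per query), the X-Forwarded-User header authentication named at the top of the page, and the FAQ answers on service-account tokens for Grafana and path-based admin policies can be seen together in one runnable sketch. This is an added example written for this page, not OnePAM's code. The cookie name onepam_session, the in-memory session and token tables, the role names and the policy they encode are assumptions standing in for what an IdP-backed session would provide. One check that is easy to overlook: any X-Forwarded-User header the client sent is dropped before anything else happens, because whatever sits behind the proxy must only ever see the value the proxy itself set.

```go
// Added example, not OnePAM's code: a minimal authenticating reverse proxy in front of a
// Prometheus bound to 127.0.0.1:9090; cookie name, credential tables and roles are hypothetical.
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Identity is what the proxy established about the caller before anything reaches Prometheus.
type Identity struct {
	User string
	Role string // "sre", "developer", "platform" (interactive) or "service" (Grafana-style token)
	MFA  bool   // true once the session completed a multi-factor step
}

// Constructed sample credentials; a real deployment derives these from IdP sessions and a token store.
var sessions = map[string]Identity{
	"sess-bob":   {User: "bob@example.com", Role: "developer"},
	"sess-carol": {User: "carol@example.com", Role: "platform", MFA: true},
}
var serviceTokens = map[string]Identity{"svc-grafana-token": {User: "svc-grafana", Role: "service"}}

type Zone string // policy bucket a Prometheus path falls into: query vs. admin vs. federation

const (
	ZoneQuery    Zone = "query"    // /api/v1/query, /api/v1/targets, /api/v1/rules, the UI, ...
	ZoneFederate Zone = "federate" // /federate
	ZoneAdmin    Zone = "admin"    // /api/v1/admin/* (needs --web.enable-admin-api), /-/reload, /-/quit (--web.enable-lifecycle)
)

func ClassifyPath(p string) Zone {
	switch {
	case strings.HasPrefix(p, "/api/v1/admin/"), p == "/-/reload", p == "/-/quit":
		return ZoneAdmin
	case p == "/federate":
		return ZoneFederate
	}
	return ZoneQuery
}

// Authorize: query for anyone authenticated, federation for all but developers, admin only for platform + MFA.
func Authorize(id Identity, zone Zone) (bool, string) {
	switch zone {
	case ZoneAdmin:
		if id.Role != "platform" || !id.MFA {
			return false, "platform engineers with step-up MFA only"
		}
	case ZoneFederate:
		if id.Role == "developer" {
			return false, "federation not available to developers"
		}
	}
	return true, ""
}

// Authenticate accepts an interactive session cookie or a service-account bearer token.
func Authenticate(r *http.Request) (Identity, bool) {
	if c, err := r.Cookie("onepam_session"); err == nil { // hypothetical cookie name
		id, ok := sessions[c.Value]
		return id, ok
	}
	if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
		id, ok := serviceTokens[strings.TrimPrefix(h, "Bearer ")]
		return id, ok
	}
	return Identity{}, false
}

// NewProxy wraps a single-host reverse proxy with authentication, path policy, header injection and audit.
func NewProxy(backend *url.URL) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(backend)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del("X-Forwarded-User") // only the proxy may assert identity; drop client copies
		id, ok := Authenticate(r)
		if !ok {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		zone := ClassifyPath(r.URL.Path)
		if allowed, why := Authorize(id, zone); !allowed {
			log.Printf("audit deny=%q user=%s zone=%s path=%s", why, id.User, zone, r.URL.Path)
			http.Error(w, "forbidden: "+why, http.StatusForbidden)
			return
		}
		// Who ran which PromQL (it arrives in ?query=), against which zone, from where.
		log.Printf("audit allow user=%s role=%s mfa=%t zone=%s path=%s query=%q src=%s",
			id.User, id.Role, id.MFA, zone, r.URL.Path, r.URL.Query().Get("query"), r.RemoteAddr)
		r.Header.Set("X-Forwarded-User", id.User)
		rp.ServeHTTP(w, r)
	})
}

func main() {
	// Prometheus listens on 127.0.0.1:9090 only; the proxy is the sole reachable listener and terminates TLS.
	backend, _ := url.Parse("http://127.0.0.1:9090")
	log.Fatal(http.ListenAndServeTLS(":8443", "proxy.crt", "proxy.key", NewProxy(backend))) // placeholder cert paths
}
```

Run it beside a Prometheus started with --web.listen-address=127.0.0.1:9090 and a certificate pair at the placeholder paths. The admin and lifecycle paths only exist on Prometheus when --web.enable-admin-api and --web.enable-lifecycle are set, so a deployment that does not need them should leave those flags off and let the proxy's admin policy cover what remains.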

Ready to Secure Prometheus with SSO + Zero-Day Protection?

Deploy OnePAM in minutes — no Prometheus code changes required. Start your free 14-day trial today.