SSO + Zero-Day Protection for Apache Superset

by Apache Software Foundation

Add SAML/OIDC SSO to Apache Superset — Protect BI Dashboards and Data from Zero-Day Exploits

Why Apache Superset Needs an Authenticated Proxy

Apache Superset is a modern data exploration and visualization platform used for business intelligence, ad-hoc analytics, and dashboard creation. Superset connects to production databases, data warehouses, and data lakes, providing SQL access and visualization capabilities across your entire data estate. A compromised Superset instance gives attackers SQL Lab access to query production data, visibility into business dashboards and KPIs, and access to stored database credentials. OnePAM adds enterprise SSO to Superset using its REMOTE_USER authentication backend — the same proven approach used by major Superset deployments. Users authenticate through your corporate IdP, and only verified users can access BI dashboards, run SQL queries, or manage data connections.

HTTP Header Authentication (REMOTE_USER)

Superset supports REMOTE_USER authentication via its AUTH_REMOTE_USER configuration. When enabled, Superset trusts the REMOTE_USER header from OnePAM and creates the user session automatically.

Apache Superset Vulnerability Risks

Without an authenticated proxy, these risks are directly exploitable by any network-reachable attacker.

Superset has had critical SQL injection and RCE vulnerabilities
SQL Lab enables direct SQL queries against production databases
Database connection strings contain credentials for data warehouses
Dashboards may expose confidential business metrics and customer data

Security Challenges with Apache Superset

These are the risks organizations face when Apache Superset is not behind an authenticated proxy.

Direct Database Access

Superset's SQL Lab enables arbitrary SQL queries against connected databases. Unauthorized access means unrestricted data extraction.

Business Data Exposure

Dashboards display revenue, customer metrics, operational data, and strategic KPIs. Exposure reveals competitive intelligence.

Connection Credential Storage

Superset stores database connection strings with credentials for data warehouses, production databases, and data lakes.

SQL Injection History

Superset has had SQL injection vulnerabilities. Without a proxy, these provide direct paths to query production data.

Complex Auth Configuration

Superset's Flask-AppBuilder authentication with external IdPs is complex and error-prone to configure.

Cross-Database Risk

A single Superset instance often connects to multiple databases. One compromise exposes all connected data sources.

How OnePAM Adds SSO + Zero-Day Protection to Apache Superset

A step-by-step guide to deploying OnePAM's authenticated proxy in front of Apache Superset.

1. Deploy OnePAM as Superset's Proxy

Place OnePAM in front of the Superset web application.

Superset is configured to accept connections only from OnePAM. The Superset login page is bypassed for authenticated users.

2. Configure Your IdP

Connect OnePAM to your corporate IdP — Okta, Azure AD, Google Workspace, or any SAML/OIDC provider.

OnePAM handles authentication, MFA enforcement, and group membership retrieval.

3. Enable REMOTE_USER Auth

Configure Superset's AUTH_REMOTE_USER to trust OnePAM's REMOTE_USER header.

Set AUTH_TYPE = AUTH_REMOTE_USER in superset_config.py. Superset creates or maps user sessions from the trusted header.

4. Map Dashboard Access

IdP groups map to Superset roles controlling dashboard visibility, SQL Lab access, and database connections.

Executives see strategic dashboards, analysts get SQL Lab access, and marketing sees campaign metrics — all from your IdP.

5. Audit Data Access

Every dashboard view and SQL query is logged with corporate identity context.

Know exactly who queried which data, viewed which dashboards, and accessed which database connections.
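As an added example for steps 3 and 4 above (not OnePAM's or Superset's own code): a small WSGI middleware that copies the proxy's identity header into the WSGI REMOTE_USER variable that Flask-AppBuilder's AUTH_REMOTE_USER backend reads, but only for requests that arrive from the proxy's address, plus an IdP-group to Superset-role mapping. The header names, the proxy CIDR and the group names are assumptions; the proxy must also overwrite these headers on every request so a client cannot supply its own.

```python
# Added example (not OnePAM's or Superset's code). Header names, CIDR and
# group names are assumptions; the proxy must overwrite these headers.
import ipaddress

USER_HEADER = "HTTP_X_REMOTE_USER"      # WSGI key of 'X-Remote-User'
GROUPS_HEADER = "HTTP_X_REMOTE_GROUPS"  # WSGI key of 'X-Remote-Groups'
# Step 3 in superset_config.py: from flask_appbuilder.const import AUTH_REMOTE_USER
#   AUTH_TYPE = AUTH_REMOTE_USER; AUTH_USER_REGISTRATION = True; AUTH_USER_REGISTRATION_ROLE = "Gamma"
class TrustedProxyRemoteUser:
    """Copy the identity header into environ['REMOTE_USER'] only for requests
    from a trusted proxy; anyone else gets it dropped, so no forged logins."""
    def __init__(self, app, trusted_proxies):
        self.app = app
        self.trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def __call__(self, environ, start_response):
        environ.pop("REMOTE_USER", None)  # never inherit a pre-set value
        user = environ.pop(USER_HEADER, "").strip()
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
            from_proxy = any(peer in net for net in self.trusted)
        except ValueError:
            from_proxy = False
        if from_proxy and user:
            environ["REMOTE_USER"] = user
        else:
            environ.pop(GROUPS_HEADER, None)  # untrusted groups go too
        return self.app(environ, start_response)

def FLASK_APP_MUTATOR(app):  # Superset config hook that installs the middleware
    app.wsgi_app = TrustedProxyRemoteUser(app.wsgi_app, ["10.0.0.0/8"])

# Step 4: constructed IdP group -> Superset built-in role mapping.
ROLE_MAP = {"bi-admins": ["Admin"], "analysts": ["Alpha", "sql_lab"],
            "executives": ["Gamma"]}

def roles_for_groups(groups_header, role_map=ROLE_MAP, default="Gamma"):
    """Comma-separated group header -> sorted Superset roles; unknown groups
    add nothing and an empty result falls back to the default role."""
    groups = [g.strip() for g in groups_header.split(",") if g.strip()]
    roles = sorted({r for g in groups for r in role_map.get(g, [])})
    return roles or [default]

def remote_user_after(environ, trusted_proxies=("10.0.0.0/8",)):
    """Run one request through the middleware; return the REMOTE_USER seen."""
    seen = {}
    app = lambda env, sr: seen.update(env) or [b""]
    TrustedProxyRemoteUser(app, trusted_proxies)(environ, lambda s, h: None)
    return seen.get("REMOTE_USER")
```

Writing the mapped roles onto the user record is done in Superset's security manager, which this snippet leaves to the deployment.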

Benefits of Securing Apache Superset with OnePAM

Measurable security and operational outcomes from deploying OnePAM in front of Apache Superset.

Protect Business Intelligence

Only authenticated users can access dashboards, SQL Lab, and data connections. Business data stays confidential.

Zero unauthorized BI access

Secure SQL Lab Access

Direct SQL query access to production databases is restricted to authenticated, authorized users only.

SQL access identity-verified

Shield from Superset CVEs

Unauthenticated exploitation of Superset SQL injection and RCE vulnerabilities is blocked because OnePAM rejects every request that lacks a verified identity before it reaches Superset.

CVEs blocked at proxy layer

Simplify Auth Setup

Replace complex Flask-AppBuilder OAuth/LDAP configuration with simple REMOTE_USER proxy authentication.

90% simpler auth config

MFA for Data Access

Require MFA before accessing sensitive dashboards or executing SQL queries.

MFA-gated data access

Complete Data Access Audit

Every dashboard view and SQL query is tied to a corporate identity for compliance.

Full data access audit trail

Apache Superset SSO Capabilities

Every feature needed to provide enterprise-grade SSO and access control for Apache Superset.

SAML 2.0 & OIDC SSO via Superset REMOTE_USER backend
Dashboard-level access policies from IdP groups
SQL Lab access controls
Database connection visibility policies
Session recording for data access auditing
IP and geo-restriction for BI access
Device trust verification
API access policies
Dataset and chart access controls
Multi-Superset instance SSO support

Zero-Day Protection Features

Enterprise-grade security controls that shield Apache Superset from exploitation.

Superset isolated from direct network access
End-to-end TLS encryption
Request-level identity verification
Protection against Superset SQL injection CVEs
Database credential access isolation
Automatic session termination on IdP sign-out

Apache Superset SSO + Security Use Cases

Common scenarios where organizations deploy OnePAM in front of Apache Superset.

1. Business analysts accessing dashboards via corporate SSO
2. Data engineers using SQL Lab with audited query access
3. Executives viewing strategic KPI dashboards with read-only access
4. Restricting database connection management to data platform admins
5. Compliance-driven BI access auditing for SOX and GDPR
6. Protecting Superset from SQL injection exploitation while enabling data democratization

Apache Superset SSO + Security FAQ

Common questions about deploying OnePAM's authenticated proxy for Apache Superset.

Does OnePAM work with Superset's RBAC?

Yes. OnePAM handles authentication via REMOTE_USER. Superset's built-in role-based access control handles authorization. IdP groups can map to Superset roles (Admin, Alpha, Gamma, etc.) for centralized permissions.

Can we restrict SQL Lab access to specific users?

Yes. OnePAM passes IdP group memberships. Superset roles that include SQL Lab access can be assigned based on IdP groups, ensuring only authorized analysts can run queries.

Does OnePAM affect embedded dashboards?

OnePAM supports path-based policies. Embedded dashboard endpoints can be configured with different authentication requirements than the main Superset interface.

Which Superset versions are supported?

OnePAM works with any Superset version that supports AUTH_REMOTE_USER — Superset 1.x and 2.x+.

Can we audit which SQL queries were run?

Yes. OnePAM logs every HTTP request with corporate identity. Combined with Superset's query log and session recording, you get complete SQL query auditing.

Ready to Secure Apache Superset with SSO + Zero-Day Protection?

Deploy OnePAM in minutes — no Apache Superset code changes required. Start your free 14-day trial today.