
SSO + Zero-Day Protection for Wiki.js

by Requarks.io

Add Enterprise SSO to Wiki.js via Authenticated Proxy — Protect Internal Knowledge

Why Wiki.js Needs an Authenticated Proxy

Wiki.js is a modern, open-source wiki platform used by organizations to manage internal documentation, technical guides, onboarding materials, and operational procedures. While Wiki.js supports some authentication methods natively, deploying it behind OnePAM's authenticated proxy provides enterprise-grade security: centralized SSO via any IdP, MFA enforcement, session recording, and protection from web application vulnerabilities. OnePAM handles authentication at the proxy layer using HTTP header injection. Users authenticate through your corporate IdP, and Wiki.js receives the verified identity via trusted headers. Your internal knowledge base gains enterprise SSO, zero-day protection, and complete access auditing without modifying Wiki.js configuration.

HTTP Header Authentication
X-Forwarded-User / Authorization

Wiki.js supports a header-based authentication strategy in which a trusted reverse proxy provides the authenticated username via configurable HTTP headers. OnePAM injects the pre-authenticated identity, and Wiki.js creates the session automatically.

Wiki.js Vulnerability Risks

Without an authenticated proxy, these risks are directly exploitable by any network-reachable attacker.

Web applications are susceptible to XSS, CSRF, and injection attacks
Internal documentation reveals architecture, procedures, and security controls
Wiki content may contain credentials, API keys, or sensitive configuration details
Wiki.js runs on Node.js, which has its own vulnerability landscape

Security Challenges with Wiki.js

These are the risks organizations face when Wiki.js is not behind an authenticated proxy.

Documentation Exposure

Internal wikis contain architecture diagrams, security procedures, onboarding guides, and operational details that reveal your attack surface.

Credential Leakage

Wiki pages often contain embedded credentials, API keys, and configuration snippets that should be restricted to authorized viewers.

Access Control Granularity

Managing page-level and namespace-level permissions for different teams is complex without centralized identity integration.

Authentication Fragmentation

Wiki.js has its own user management, creating another credential silo outside your corporate identity infrastructure.

Compliance Requirements

Regulated industries require audit trails for access to internal documentation. Wiki.js's built-in logging may not meet compliance standards.

Public vs Private Content

Managing which wiki content is public and which requires authentication is error-prone without a proxy-level enforcement mechanism.

How OnePAM Adds SSO + Zero-Day Protection to Wiki.js

A step-by-step guide to deploying OnePAM's authenticated proxy in front of Wiki.js.

1. Deploy OnePAM as Wiki.js Proxy

Place OnePAM in front of Wiki.js, making it the sole network entry point.

Wiki.js is configured to listen on localhost. OnePAM handles TLS termination and enforces authentication before any request reaches the wiki.

2. Configure Your IdP

Connect OnePAM to your corporate IdP — Okta, Azure AD, Google Workspace, or any SAML/OIDC provider.

OnePAM handles the full authentication lifecycle including MFA enforcement and group sync.

3. Enable Header Authentication

Configure Wiki.js's header authentication strategy to trust OnePAM's identity headers.

Wiki.js reads the authenticated username from OnePAM's header and creates the session. No Wiki.js login page is shown to authenticated users.

4. Map Groups to Permissions

IdP groups map to Wiki.js groups and page-level permissions for centralized access control.

Engineering sees technical docs, HR sees people docs, and everyone sees company announcements — managed from your IdP.

5. Audit Documentation Access

Track who accessed which documentation, when, and with what authentication method.

OnePAM's audit trail records every wiki page access with IdP context. Session recording provides evidence for compliance audits.
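
Steps 1 and 3 only hold if a client can never supply the identity header itself. The sketch below is an added example, not OnePAM or Wiki.js code: it shows the proxy-side header scrub and the backend-side peer check, and the `x-forwarded-groups` header name, the username pattern and both function names are assumptions.

```javascript
'use strict';
// Added example: trust boundary for proxy-injected identity headers.
// Only X-Forwarded-User and Authorization are named on the page;
// x-forwarded-groups is an assumed name for the group header.
const IDENTITY_HEADERS = new Set([
  'x-forwarded-user', 'x-forwarded-groups', 'authorization',
]);
const LOOPBACK = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);
// Conservative pattern (assumption): no commas or spaces, so a value
// merged from duplicate headers ("admin, alice") is rejected.
const USERNAME = /^[A-Za-z0-9._@-]{1,128}$/;

// Proxy side: discard every identity header the client sent, then set
// the identity that the IdP login actually verified (if any).
function buildUpstreamHeaders(clientHeaders, verifiedUser) {
  const out = {};
  for (const [name, value] of Object.entries(clientHeaders)) {
    const key = name.toLowerCase();
    if (!IDENTITY_HEADERS.has(key)) out[key] = value;
  }
  if (verifiedUser) out['x-forwarded-user'] = verifiedUser;
  return out;
}

// Backend side: honour the header only when the TCP peer is the local
// proxy, which is why step 1 binds the wiki to localhost.
function identityFromRequest(req) {
  if (!LOOPBACK.has(req.socket.remoteAddress)) return null;
  const value = req.headers['x-forwarded-user'];
  if (typeof value !== 'string' || !USERNAME.test(value)) return null;
  return value;
}

// Constructed sample input: a client trying to pre-set its own identity.
const spoofed = { 'X-Forwarded-User': 'admin', Accept: 'text/html' };
const upstream = buildUpstreamHeaders(spoofed, 'alice@example.com');
console.log(upstream['x-forwarded-user']); // alice@example.com

// Constructed sample input: same header arriving from a non-local peer.
const direct = {
  socket: { remoteAddress: '10.0.0.5' },
  headers: { 'x-forwarded-user': 'admin' },
};
console.log(identityFromRequest(direct)); // null
```

The loopback check is meaningful only when the proxy and the wiki share a host; if they do not, restrict the backend listener by network policy or mutual TLS instead.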

Benefits of Securing Wiki.js with OnePAM

Measurable security and operational outcomes from deploying OnePAM in front of Wiki.js.

Protect Internal Knowledge

Only authenticated users can access internal documentation. Sensitive content stays behind identity verification.

Zero unauthorized doc access

Enterprise SSO for Wiki.js

Users access the wiki with their corporate credentials — no separate wiki passwords or accounts.

Single identity for all docs

MFA for Sensitive Docs

Require multi-factor authentication before accessing security procedures, architecture docs, or operational runbooks.

MFA-protected documentation

Shield from Web Exploits

XSS, CSRF, and injection attacks against Wiki.js are blocked for unauthenticated users.

Web attacks blocked at proxy

Complete Access Audit

Every document access is logged with corporate identity for compliance requirements.

Full documentation audit trail

Centralized Permission Management

Manage wiki access from your IdP. Team changes automatically update documentation permissions.

IdP-driven access control

Wiki.js SSO Capabilities

Every feature needed to provide enterprise-grade SSO and access control for Wiki.js.

SAML 2.0 & OIDC SSO via header authentication
IdP group to Wiki.js group mapping
Page-level and namespace-level access policies
Session recording for compliance
IP and geo-restriction for wiki access
Device trust verification
Content export access controls
Concurrent session management
Auto-provisioning users from IdP
Public/private content enforcement at proxy level

Zero-Day Protection Features

Enterprise-grade security controls that shield Wiki.js from exploitation.

Wiki.js isolated from direct network access
End-to-end TLS encryption
Request-level identity verification
Protection against web application vulnerabilities
Content download/export controls
Automatic session termination on IdP sign-out

Wiki.js SSO + Security Use Cases

Common scenarios where organizations deploy OnePAM in front of Wiki.js.

1. Engineering teams accessing technical documentation via corporate SSO
2. HR teams managing onboarding materials with restricted access
3. Security teams protecting incident response procedures with MFA and session recording
4. All-hands company knowledge base with team-specific private sections
5. External partner documentation access with time-limited, audited sessions
6. Compliance-driven documentation access auditing for regulated industries

Wiki.js SSO + Security FAQ

Common questions about deploying OnePAM's authenticated proxy for Wiki.js.

Does OnePAM work with Wiki.js 2.x and 3.x?

Yes. OnePAM's proxy-based authentication works with all Wiki.js versions that support header-based authentication strategies.

Can some wiki pages be public while others require SSO?

Yes. OnePAM supports path-based policies. You can configure specific wiki namespaces for public access while requiring SSO for internal documentation sections.

How are Wiki.js permissions managed with OnePAM?

OnePAM passes IdP group memberships via HTTP headers. Wiki.js maps these groups to its internal permission system, providing centralized access control from your IdP.

Can we use Wiki.js's built-in authentication alongside OnePAM?

We recommend using OnePAM as the sole authentication method for consistency. However, Wiki.js can be configured with multiple authentication strategies as a fallback.

Does OnePAM affect Wiki.js search and rendering performance?

OnePAM adds minimal latency (typically <5ms). Wiki.js search and rendering performance is unaffected for authenticated users.

Ready to Secure Wiki.js with SSO + Zero-Day Protection?

Deploy OnePAM in minutes — no Wiki.js code changes required. Start your free 14-day trial today.