SSO + Zero-Day Protection for Zabbix

by Zabbix LLC

Add SAML/OIDC SSO to Zabbix via Authenticated Proxy — Protect Monitoring Data from Zero-Day Exploits

Why Zabbix Needs an Authenticated Proxy

Zabbix is a widely deployed open-source infrastructure monitoring platform, tracking the health and performance of servers, networks, applications, and cloud resources. Zabbix instances contain a detailed map of your entire infrastructure — server inventories, network topology, performance baselines, and alert thresholds. This information is invaluable for attackers planning lateral movement or targeting specific systems. Additionally, Zabbix agents on monitored hosts can execute commands, making Zabbix a high-value target for infrastructure compromise.

OnePAM adds enterprise SSO and zero-day protection by placing an authenticated reverse proxy in front of the Zabbix web frontend. Users authenticate through your corporate IdP, and OnePAM handles identity injection. Only verified users can access monitoring data or manage Zabbix configuration.

HTTP Header Authentication
X-Forwarded-User / PHP_AUTH_USER

The Zabbix frontend supports HTTP authentication, in which the web server provides the authenticated username. OnePAM injects the pre-authenticated identity, and Zabbix creates the session based on the trusted header.

Zabbix Vulnerability Risks

Without an authenticated proxy, these risks are directly exploitable by any attacker who can reach the Zabbix frontend over the network.

Zabbix has had critical SQL injection and RCE vulnerabilities
Infrastructure monitoring data reveals complete network topology and server inventory
Zabbix agent command execution enables remote code execution on monitored hosts
Alert and notification data can expose incident response procedures

Security Challenges with Zabbix

These are the risks organizations face when Zabbix is not behind an authenticated proxy.

Infrastructure Map Exposure

Zabbix contains a complete map of your infrastructure — every server, network device, and application. This is a reconnaissance goldmine for attackers.

Agent Command Execution

Zabbix agents on monitored hosts can execute commands. Compromised Zabbix server access enables remote code execution across your infrastructure.

SQL Injection History

Zabbix has had critical SQL injection vulnerabilities. Without a proxy layer, these provide direct access to the monitoring database.

Weak Default Auth

Zabbix's built-in authentication is basic and lacks enterprise SSO integration in the community edition.

Alert Data Sensitivity

Zabbix alert and notification configurations reveal incident response procedures, escalation paths, and on-call contacts.

User Management Overhead

Managing Zabbix user groups and permissions for multiple teams without IdP integration is operationally intensive.

How OnePAM Adds SSO + Zero-Day Protection to Zabbix

A step-by-step guide to deploying OnePAM's authenticated proxy in front of Zabbix.

1. Deploy OnePAM as Zabbix's Gateway

Place OnePAM in front of the Zabbix web frontend, intercepting all HTTP/HTTPS traffic.

The Zabbix PHP frontend is configured to accept connections only from OnePAM. Direct browser access to the Zabbix login page is blocked.

2. Configure IdP Federation

Connect OnePAM to your corporate IdP — Okta, Azure AD, Google Workspace, or any SAML/OIDC provider.

OnePAM handles the complete authentication flow including MFA enforcement and group membership retrieval.

3. Enable HTTP Authentication

Configure Zabbix's HTTP authentication to trust the pre-authenticated username from OnePAM.

In Zabbix frontend settings, enable HTTP authentication. Zabbix reads the authenticated username from the web server environment and creates the session.

4. Map IdP Groups to Zabbix Roles

OnePAM passes group memberships that map to Zabbix user groups and host group permissions.

Network admins see network devices, server admins see compute infrastructure, and executives see high-level dashboards — all driven by IdP groups.

5. Monitor the Monitor

Audit who accesses your monitoring platform, when, and what configuration changes they make.

OnePAM logs every Zabbix access event. Session recording captures configuration changes, alert modifications, and dashboard access for compliance.
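
Steps 1 and 3 depend on one trust boundary: the identity header is only meaningful when the request came from the proxy and the proxy removed any copy the browser sent. The following Python model of that check is an added example, not OnePAM or Zabbix code; the proxy address, the function names and the sample request are assumptions made for illustration.

```python
import ipaddress

# Assumed values for illustration, not taken from OnePAM or Zabbix:
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.5.10/32")]  # constructed proxy address
IDENTITY_HEADER = "x-forwarded-user"


def _canon(name):
    # CGI/PHP maps both "X-Forwarded-User" and "X_Forwarded_User" to the same
    # HTTP_X_FORWARDED_USER variable, so treat them as the same header.
    return name.lower().replace("_", "-")


def inject_identity(client_headers, verified_user):
    """Proxy side: discard any identity header the browser sent, then add ours."""
    kept = [(n, v) for n, v in client_headers if _canon(n) != IDENTITY_HEADER]
    return kept + [("X-Forwarded-User", verified_user)]


def resolve_user(peer_ip, headers):
    """Backend side: return the username to trust, or None to refuse the request."""
    peer = ipaddress.ip_address(peer_ip)  # TCP source address, never a header
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None  # direct connection: the header proves nothing
    values = [v.strip() for n, v in headers if _canon(n) == IDENTITY_HEADER]
    if len(values) != 1:
        return None  # missing, or a client-sent copy survived next to the real one
    user = values[0]
    if not user or len(user) > 255 or any(c in user for c in ",\r\n\x00"):
        return None
    return user


# Constructed sample request in which the browser supplied its own identity header.
SPOOFED = [("Host", "zabbix.example.internal"), ("X_Forwarded_User", "someone.else")]

if __name__ == "__main__":
    print(resolve_user("203.0.113.7", SPOOFED))                          # direct connection
    print(resolve_user("10.0.5.10", inject_identity(SPOOFED, "alice")))  # via proxy
    print(resolve_user("10.0.5.10", SPOOFED + [("X-Forwarded-User", "alice")]))
```

In a real deployment the same two rules are enforced in the web server and firewall configuration: the frontend listens only for the proxy's address, and the proxy unsets the inbound header before setting its own.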

Benefits of Securing Zabbix with OnePAM

Measurable security and operational outcomes from deploying OnePAM in front of Zabbix.

Protect Infrastructure Intelligence

Only authenticated users can access your infrastructure monitoring data. Attackers cannot use Zabbix for reconnaissance.

Zero unauthorized recon access

Shield from Zabbix CVEs

SQL injection and RCE vulnerabilities in Zabbix are unexploitable when OnePAM blocks unauthenticated traffic.

CVEs blocked at proxy layer

Enterprise SSO for Zabbix

All Zabbix users authenticate with corporate credentials via SSO. No separate Zabbix passwords to manage.

Single identity for monitoring

MFA for Monitoring Access

Require multi-factor authentication before any monitoring data or infrastructure map can be viewed.

MFA-protected monitoring

Centralized Access Control

Manage Zabbix permissions from your IdP. Team changes automatically update monitoring access.

IdP-driven permissions

Complete Access Audit

Every monitoring access event is logged with corporate identity, device, location, and MFA status.

Full audit visibility

Zabbix SSO Capabilities

Every feature needed to provide enterprise-grade SSO and access control for Zabbix.

SAML 2.0 & OIDC SSO via Zabbix HTTP authentication
IdP group to Zabbix user group mapping
Host group access policies from IdP attributes
Dashboard-level access controls
Session recording for configuration change auditing
IP and geo-restriction for monitoring access
Device trust verification
API access policies and auditing
Concurrent session controls
Multi-Zabbix-instance SSO support

Zero-Day Protection Features

Enterprise-grade security controls that shield Zabbix from exploitation.

Zabbix frontend isolated from direct access
End-to-end TLS encryption
Request-level identity verification
Protection against Zabbix SQL injection CVEs
API endpoint filtering and rate limiting
Automatic session termination on IdP sign-out

Zabbix SSO + Security Use Cases

Common scenarios where organizations deploy OnePAM in front of Zabbix.

1. Infrastructure teams accessing monitoring dashboards via corporate SSO with MFA
2. NOC teams viewing alerts with role-appropriate access and session recording
3. Executives viewing high-level infrastructure KPIs with read-only access
4. Third-party MSPs monitoring customer infrastructure with audited, time-limited access
5. Compliance-driven monitoring access auditing for SOC 2 and ISO 27001
6. Protecting Zabbix from internet-facing exploitation in distributed monitoring setups

Zabbix SSO + Security FAQ

Common questions about deploying OnePAM's authenticated proxy for Zabbix.

Does OnePAM work with Zabbix community (open source)?

Yes. Zabbix's HTTP authentication feature is available in all editions. OnePAM provides enterprise SSO capabilities without requiring Zabbix commercial licensing.

How does Zabbix HTTP authentication work with OnePAM?

OnePAM authenticates users via your IdP and passes the verified username to Zabbix through the web server environment. Zabbix's HTTP authentication setting trusts this username and creates the session automatically.

Can we restrict access to specific host groups?

Yes. OnePAM passes IdP group memberships that can be mapped to Zabbix user groups. Each Zabbix user group has specific host group permissions, providing granular access control.

Does OnePAM protect the Zabbix API?

Yes. OnePAM can enforce authentication on Zabbix API endpoints. Automated integrations can use API tokens while interactive sessions require full SSO.

What about Zabbix agent communication?

Zabbix agent communication (ports 10050/10051) is separate from the web frontend that OnePAM protects. Agent communication uses its own encryption and authentication mechanisms.

Ready to Secure Zabbix with SSO + Zero-Day Protection?

Deploy OnePAM in minutes — no Zabbix code changes required. Start your free 14-day trial today.