diff --git a/x-pack/plugins/security/server/routes/authentication/common.test.ts b/x-pack/plugins/security/server/routes/authentication/common.test.ts
index 46a9bb729d76bf..d5e04f76149998 100644
--- a/x-pack/plugins/security/server/routes/authentication/common.test.ts
+++ b/x-pack/plugins/security/server/routes/authentication/common.test.ts
@@ -66,6 +66,7 @@ describe('Common authentication routes', () => {
 
     it('correctly defines route.', async () => {
       expect(routeConfig.options).toEqual({
+        access: 'public',
         authRequired: false,
         tags: [ROUTE_TAG_CAN_REDIRECT, ROUTE_TAG_AUTH_FLOW],
       });
diff --git a/x-pack/plugins/security/server/routes/authentication/common.ts b/x-pack/plugins/security/server/routes/authentication/common.ts
index 696c3f625425db..4eeeed29980985 100644
--- a/x-pack/plugins/security/server/routes/authentication/common.ts
+++ b/x-pack/plugins/security/server/routes/authentication/common.ts
@@ -41,7 +41,11 @@ export function defineCommonRoutes({
         // Allow unknown query parameters as this endpoint can be hit by the 3rd-party with any
         // set of query string parameters (e.g. SAML/OIDC logout request/response parameters).
         validate: { query: schema.object({}, { unknowns: 'allow' }) },
-        options: { authRequired: false, tags: [ROUTE_TAG_CAN_REDIRECT, ROUTE_TAG_AUTH_FLOW] },
+        options: {
+          access: 'public',
+          authRequired: false,
+          tags: [ROUTE_TAG_CAN_REDIRECT, ROUTE_TAG_AUTH_FLOW],
+        },
       },
       async (context, request, response) => {
         const serverBasePath = basePath.serverBasePath;
diff --git a/x-pack/plugins/security/server/routes/authentication/saml.test.ts b/x-pack/plugins/security/server/routes/authentication/saml.test.ts
index a3fb47afb0ae8d..30b9bb5160b2b1 100644
--- a/x-pack/plugins/security/server/routes/authentication/saml.test.ts
+++ b/x-pack/plugins/security/server/routes/authentication/saml.test.ts
@@ -54,6 +54,7 @@ describe('SAML authentication routes', () => {
 
     it('correctly defines route.', () => {
       expect(routeConfig.options).toEqual({
+        access: 'public',
         authRequired: false,
         xsrfRequired: false,
         tags: [ROUTE_TAG_CAN_REDIRECT, ROUTE_TAG_AUTH_FLOW],
diff --git a/x-pack/plugins/security/server/routes/authentication/saml.ts b/x-pack/plugins/security/server/routes/authentication/saml.ts
index c1fa0cfc8e4ef4..350f3527f3310d 100644
--- a/x-pack/plugins/security/server/routes/authentication/saml.ts
+++ b/x-pack/plugins/security/server/routes/authentication/saml.ts
@@ -32,6 +32,7 @@ export function defineSAMLRoutes({
           ),
         },
         options: {
+          access: 'public',
           authRequired: false,
           xsrfRequired: false,
           tags: [ROUTE_TAG_CAN_REDIRECT, ROUTE_TAG_AUTH_FLOW],
diff --git a/x-pack/test_serverless/api_integration/services/svl_common_api.ts b/x-pack/test_serverless/api_integration/services/svl_common_api.ts
index a68edd70d00acb..15b4f15f851fee 100644
--- a/x-pack/test_serverless/api_integration/services/svl_common_api.ts
+++ b/x-pack/test_serverless/api_integration/services/svl_common_api.ts
@@ -13,12 +13,21 @@ const COMMON_REQUEST_HEADERS = {
   'kbn-xsrf': 'some-xsrf-token',
 };
 
+const INTERNAL_REQUEST_HEADERS = {
+  ...COMMON_REQUEST_HEADERS,
+  'x-elastic-internal-origin': 'kibana',
+};
+
 export function SvlCommonApiServiceProvider({}: FtrProviderContext) {
   return {
     getCommonRequestHeader() {
       return COMMON_REQUEST_HEADERS;
     },
 
+    getInternalRequestHeader() {
+      return INTERNAL_REQUEST_HEADERS;
+    },
+
     assertResponseStatusCode(expectedStatus: number, actualStatus: number, responseBody: object) {
       expect(actualStatus).to.eql(
         expectedStatus,
diff --git a/x-pack/test_serverless/api_integration/test_suites/common/spaces.ts b/x-pack/test_serverless/api_integration/test_suites/common/spaces.ts
index 3184423411e474..fcb3dfe84fd17a 100644
--- a/x-pack/test_serverless/api_integration/test_suites/common/spaces.ts
+++ b/x-pack/test_serverless/api_integration/test_suites/common/spaces.ts
@@ -16,7 +16,7 @@ export default function ({ getService }: FtrProviderContext) {
     it('rejects request to create a space', async () => {
       const { body, status } = await supertest
         .post('/api/spaces/space')
-        .set(svlCommonApi.getCommonRequestHeader())
+        .set(svlCommonApi.getInternalRequestHeader())
         .send({
           id: 'custom',
           name: 'Custom',
@@ -36,7 +36,7 @@ export default function ({ getService }: FtrProviderContext) {
     it('rejects request to update a space with disabledFeatures', async () => {
       const { body, status } = await supertest
         .put('/api/spaces/space/default')
-        .set(svlCommonApi.getCommonRequestHeader())
+        .set(svlCommonApi.getInternalRequestHeader())
         .send({
           id: 'custom',
           name: 'Custom',