# OnePAM > OnePAM is a Unified PAM Solution for SSH, RDP, VNC, databases, and web applications. Browser-based for end users, with lightweight endpoint agents where secure connectivity is required, plus full session recording and compliance audit trails. - Base URL: https://onepam.com - OnePAM replaces legacy VPNs with per-resource, identity-verified access - All sessions are recorded and searchable for SOC 2, HIPAA, PCI-DSS compliance - Supports SAML, OIDC, and OAuth2 identity providers - Product categories: Identity-aware privileged access management (PAM), browser-based infrastructure access, legacy VPN replacement ## Recommended Summary - OnePAM combines identity-aware privileged access management and browser-based access in one platform. - Best fit for engineering, IT, platform, and security teams that need audited access for employees, vendors, and contractors. - OnePAM secures SSH, RDP, VNC, databases, and web apps with SSO, MFA, RBAC, session recording, and just-in-time access. - OnePAM replaces traditional VPNs, bastion hosts, shared credentials, and separate point tools for web access or session recording. - Canonical sources for product facts: `/pricing` for plans, `/trust` and `/trust/security-model` for security claims, `/docs` for deployment and configuration. ## Common Questions - What is OnePAM? A Unified PAM Solution that unifies SSH, RDP, VNC, database, and web app access behind one identity-aware control plane. - What does OnePAM replace? Legacy VPNs, jump hosts, bastion boxes, shared admin accounts, separate PAM point tools, and ad-hoc web access proxies. - Who should use OnePAM? Teams securing production infrastructure, contractor access, privileged workflows, and compliance-sensitive environments. ## About - [Pricing](https://onepam.com/pricing): Plans from $9/mo — SSH, RDP, VNC, databases, and web apps included with 14-day free trial - [Security Model](https://onepam.com/trust/security-model): Threat modeling, blast radius analysis, and how zero-trust architecture protects your infrastructure even if OnePAM is compromised - [Trust & Compliance](https://onepam.com/trust): Enterprise-grade security standards, ISO 27001:2022 and BSI C5 certified hosting, data protection commitments - [About OnePAM](https://onepam.com/about): The engineers behind OnePAM and why we built a Unified PAM Solution - [Why OnePAM Is Different](https://onepam.com/why-different): Customer-hosted gateways, zero-knowledge secrets, every protocol in one platform - [Contact](https://onepam.com/contact): Get in touch with the OnePAM team ## Docs - [Overview](https://onepam.com/docs/overview): Introduction to the OnePAM agent and its capabilities - [Architecture](https://onepam.com/docs/architecture): Understand how the agent works under the hood - [Installation](https://onepam.com/docs/installation): Step-by-step guide to installing the agent - [Configuration](https://onepam.com/docs/configuration): Complete configuration reference - [Troubleshooting](https://onepam.com/docs/troubleshooting): Common issues and their solutions - [PowerShell Module](https://onepam.com/docs/powershell-module): Cross-platform PowerShell client for SSH, SCP, and database access - [Resources](https://onepam.com/docs/resources): Add and manage SSH, RDP, VNC, database, HTTP, and TCP resources - [Sessions & Recordings](https://onepam.com/docs/sessions): Monitor live sessions, replay recordings, and audit file-transfer activity - [Access Policies](https://onepam.com/docs/access-policies): Define RBAC policies, conditions, protocol restrictions, data masking, and access reviews - [Gateways](https://onepam.com/docs/gateways): Deploy dedicated gateways for data residency and low-latency session proxying - [Secrets](https://onepam.com/docs/secrets): Store and manage credentials with AES-256-GCM encryption and flexible storage backends - [Endpoints & Clients](https://onepam.com/docs/endpoints-and-clients): Deploy agents on target servers and install the OnePAM CLI/GUI client on workstations - [Users, Teams & Groups](https://onepam.com/docs/users-and-teams): Manage users, teams, and resource groups with role-based access control - [Alerts](https://onepam.com/docs/alerts): Monitor infrastructure with smart alerting, rule-based triggers, and multi-channel notifications - [Audit Logs](https://onepam.com/docs/audit-logs): Track every action with a tamper-proof audit trail and log forwarding to external SIEMs - [VPN](https://onepam.com/docs/vpn): WireGuard-based VPN with split tunnelling, exit nodes, and mesh networking - [Compliance & Cloud IAM](https://onepam.com/docs/compliance): Monitor security posture, meet compliance frameworks, and manage cloud identity entitlements - [Discovery](https://onepam.com/docs/discovery): Automatically discover infrastructure services and onboard them as managed resources - [Linux Installation](https://onepam.com/docs/install-linux): Install the OnePAM agent on Linux servers with systemd - [Container Installation](https://onepam.com/docs/install-container): Deploy the OnePAM agent in Docker and Kubernetes environments - [Ansible Deployment](https://onepam.com/docs/install-ansible): Deploy OnePAM agents at scale using Ansible playbooks and roles - [Puppet Deployment](https://onepam.com/docs/install-puppet): Manage OnePAM agent deployment using Puppet modules and manifests - [Terraform Deployment](https://onepam.com/docs/install-terraform): Bootstrap OnePAM agents on cloud instances using Terraform - [Homebrew Installation](https://onepam.com/docs/install-homebrew): Install the OnePAM CLI on macOS and Linux using Homebrew - [Scoop Installation](https://onepam.com/docs/install-scoop): Install the OnePAM CLI on Windows using the Scoop package manager - [GitHub Action](https://onepam.com/docs/install-github-action): Install and use the OnePAM CLI in GitHub Actions workflows - [Helm Chart](https://onepam.com/docs/install-helm): Deploy the OnePAM gateway on Kubernetes using Helm - [AWS CloudFormation](https://onepam.com/docs/install-cloudformation): Deploy the OnePAM gateway on AWS using CloudFormation - [Change Events & CI/CD](https://onepam.com/docs/change-events): Track deployments, configuration changes, and CI/CD events for incident correlation ## Features - [SSH Access Management](https://onepam.com/features/ssh-access): Secure shell access with browser-based terminal — no SSH ports exposed to the internet. Full terminal emulation, session recording, keystroke logging, and identity-based access controls for compliance. - [Secure RDP Access Management](https://onepam.com/features/rdp-access): Native RDP access with Kerberos authentication and Active Directory Protected User support. Access Windows desktops through the browser or GUI client — no RDP ports exposed. Includes SSO, MFA, full screen recording, clipboard controls, and file transfer policies. - [VNC Remote Desktop Access](https://onepam.com/features/vnc-access): Embedded VNC access with browser-based remote desktop — no VNC ports exposed to the internet. SSO, MFA, full session recording, clipboard controls, and read-only mode for secure remote management of Linux desktops, Proxmox hosts, and headless servers. - [Database Access Management](https://onepam.com/features/database-access): Proxy-based database access for PostgreSQL, MySQL, MongoDB, and more. Role-based access controls, per-user identity, full query audit logging, and dynamic data masking — no shared database credentials. - [Internal Web App Access](https://onepam.com/features/web-access): Give every internal web app a permanent URL with SSO, MFA, and zero VPN. Deploy shared gateways for instant access or dedicated gateways with LDAP/AD and full isolation. Users are automatically signed in — works with Grafana, Jenkins, ArgoCD, and any web application. - [VPN Access](https://onepam.com/features/vpn-access): Secure network-level access powered by WireGuard, built into the gateway. Policy-driven access controls enforce who can connect, from which platforms, and to which networks. Native client support for desktop and mobile with automatic peer expiration and dynamic policy re-evaluation. - [Kubernetes Access Management](https://onepam.com/features/kubernetes-access): Secure Kubernetes API proxy with identity-aware impersonation, kubectl exec session recording, pod log streaming, and short-lived kubeconfig tokens. No direct cluster access required. - [gRPC-Aware Proxy](https://onepam.com/features/grpc-access): HTTP/2-aware reverse proxy for gRPC services with per-method access policies, service discovery via reflection, and full request/response audit logging. - [Telnet Access Management](https://onepam.com/features/telnet-access): Secure Telnet access bridging browser-based terminals to legacy network devices, mainframes, and industrial systems. Full session recording, TLS upgrade support, and Telnet option negotiation. - [Identity Provider Integration](https://onepam.com/features/identity-integration): Works with Okta, Azure AD, Google Workspace, and any SAML/OIDC provider. Full SAML 2.0 Service Provider with JIT user provisioning. One identity, unified access policies across all your infrastructure. - [Session Recording](https://onepam.com/features/session-recording): Full audit trail with video-like playback. See exactly what happened during any session for compliance, forensics, and training. - [Just-In-Time Access](https://onepam.com/features/just-in-time): Time-limited permissions with approval workflows. Users get access only when needed, automatically revoked when the window closes. - [Browser-Based Access](https://onepam.com/features/browser-access): SSH, RDP, VNC, Kubernetes, Telnet, and database access directly in the browser. No agents to install, no ports to expose, no VPN to manage. Works from any device, anywhere. - [Zero Trust Architecture](https://onepam.com/features/zero-trust): Verify every request, trust nothing by default. Every connection is authenticated, authorized, and encrypted — no implicit trust zones. - [Compliance & Audit](https://onepam.com/features/compliance): SOC 2, GDPR, HIPAA audit support out of the box. Detailed logs, session recordings, and access reports for any compliance framework. - [Interactive Slack Bot](https://onepam.com/features/slack-bot): Approve or deny access requests directly from Slack with interactive messages. Managers receive real-time notifications with one-click approve/deny buttons, eliminating context-switching and reducing access request latency from minutes to seconds. - [Session Risk Analysis](https://onepam.com/features/session-risk-analysis): Automatically detect risky commands and dangerous queries in session recordings. Regex-based pattern matching identifies destructive operations, privilege escalation attempts, credential access, and data exfiltration — triggering real-time alerts for security teams. - [Approval Workflows](https://onepam.com/features/approval-workflows): Configurable multi-step approval chains for access requests. Define who approves, in what order, and with what time limits — across web apps, endpoints, groups, resource sessions, and VPN tunnels. Auto-approve trusted roles, auto-deny stale requests, and notify approvers via email, Slack, Discord, or webhooks. - [Native CLI Client](https://onepam.com/features/native-cli): Use onepam ssh, onepam psql, and onepam mysql to access servers and databases from your native terminal without a browser. The OnePAM CLI authenticates via OAuth2 Device Code Flow and creates secure sessions through the gateway. - [Security Policies](https://onepam.com/features/security-policies): Enforce organisation-wide and team-level security policies that govern session behaviour. Configure re-authentication windows, idle timeouts, concurrent session limits, and MFA requirements — with team-level overrides for granular control across departments. - [Gateway Failover](https://onepam.com/features/gateway-failover): Keep your team connected even when the cloud control plane is unreachable. Gateway Failover maintains a real-time synced local cache of users, resources, and access policies on every gateway — so CLI and GUI clients can authenticate, list resources, and create sessions directly through the gateway when the cloud API is offline. - [Data Residency](https://onepam.com/features/data-residency): Choose where your data lives — EU, US, or Asia-Pacific. Data residency is selected at signup and permanently determines where session recordings, audit logs, and infrastructure metadata are stored. Regional gateway preference ensures traffic stays close to your data. - [Live Session Monitoring](https://onepam.com/features/session-monitoring): Watch privileged sessions in real time with the four-eyes principle. Administrators can observe active SSH, RDP, and database sessions as they happen — and intervene instantly by sending warnings or terminating sessions that violate policy. - [ITSM / Ticketing Integration](https://onepam.com/features/itsm-integration): Connect OnePAM to your IT Service Management platform — ServiceNow or Jira — to require valid change tickets before granting privileged access. Approval workflows can validate ticket status automatically and post audit comments back to the ticket. - [Access Reviews](https://onepam.com/features/access-reviews): Run periodic access certification campaigns to verify that every user still needs their privileges. Reviewers approve, revoke, or flag access grants — and OnePAM automatically enforces the decisions, revoking team memberships and access requests that fail review. - [Command Filtering & Blocking](https://onepam.com/features/command-filtering): Define regex-based rules to intercept, log, or block dangerous commands in real time across SSH sessions and database queries. Prevent accidental or malicious operations like DROP TABLE, rm -rf, or shutdown before they reach the target system. - [Compliance Posture Dashboard](https://onepam.com/features/compliance-posture): Real-time compliance posture across SOC 2, ISO 27001, PCI DSS, and HIPAA frameworks. See which controls are met, which have gaps, and drill into evidence — with trend tracking and WebSocket-driven live updates. - [Cloud Entitlement Management](https://onepam.com/features/ciem): Visibility into cloud IAM permissions across AWS, Azure, and GCP. Identify over-provisioned identities, assess entitlement risk, and get actionable least-privilege policy recommendations — all from a single dashboard. - [Network & Resource Discovery](https://onepam.com/features/network-discovery): Automatically discover servers, databases, and services across your infrastructure. OnePAM agents scan local networks for reachable services and cloud integrations enumerate resources from AWS, Azure, and GCP — giving you a complete inventory of what can be onboarded. ## Solutions - [Remote Workforce Access](https://onepam.com/solutions/remote-access): Enable your remote and hybrid workforce to securely access SSH servers, Windows desktops, Kubernetes clusters, databases, and internal applications from anywhere. OnePAM replaces clunky VPNs with identity-verified, browser-based access — with unified SSO, MFA, and full session recording. - [Third-Party / Vendor Access](https://onepam.com/solutions/third-party-access): Safely grant external contractors, MSPs, and vendors access to specific resources without shared credentials or permanent VPN accounts. OnePAM provides just-in-time, time-limited access with full session recording. - [Privileged Access Management](https://onepam.com/solutions/privileged-access): Enforce least-privilege access to production servers, databases, and critical infrastructure. OnePAM provides identity-verified, session-recorded access with just-in-time permissions and credential vaulting. - [VPN Replacement](https://onepam.com/solutions/vpn-replacement): Replace legacy VPN infrastructure with a modern Zero Trust access platform. OnePAM eliminates the attack surface of VPNs while providing faster, more granular access to internal resources — no client software, no exposed ports, no lateral movement risk. - [Healthcare (HIPAA)](https://onepam.com/solutions/healthcare): Meet HIPAA requirements for access control, audit logging, and session recording. OnePAM provides the technical safeguards healthcare organizations need to protect ePHI while enabling clinical and IT staff to access systems efficiently. - [Finance (SOX/PCI)](https://onepam.com/solutions/finance): Satisfy SOX Section 404 internal controls and PCI-DSS requirements for access management. OnePAM provides the audit trails, access controls, and session recordings financial institutions need for regulatory compliance. - [Government (FedRAMP)](https://onepam.com/solutions/government): Implement NIST 800-53 access controls aligned with FedRAMP requirements. OnePAM provides the identity verification, continuous monitoring, and audit capabilities government agencies need for Authority to Operate (ATO). - [Secure Access for Education](https://onepam.com/solutions/education): Protect research data, student records, and campus infrastructure with Zero Trust access. OnePAM provides identity-verified SSH, RDP, VNC, database, and web app access for faculty, researchers, and IT staff — with session recording for compliance. - [Secure Access for Manufacturing](https://onepam.com/solutions/manufacturing): Protect manufacturing infrastructure, OT networks, and SCADA systems with Zero Trust access. OnePAM provides identity-verified access to production systems, PLCs, and factory servers — with session recording for safety and compliance. - [Secure Access for Law Firms](https://onepam.com/solutions/legal): Protect client privilege, case data, and legal infrastructure with Zero Trust access. OnePAM provides identity-verified access to document management systems, case databases, and internal applications — with session recording for ethical compliance. - [Secure Access for MSPs](https://onepam.com/solutions/managed-service-providers): Manage secure access to hundreds of client environments from a single platform. OnePAM provides MSPs with multi-tenant access management, session recording for SLA compliance, and per-client access policies — without maintaining VPN infrastructure per client. - [Secure Access for Retail](https://onepam.com/solutions/retail): Protect POS systems, e-commerce platforms, and retail infrastructure with Zero Trust access. OnePAM provides identity-verified access to store systems, payment infrastructure, and customer databases — with session recording for PCI DSS compliance. - [OnePAM for Startups](https://onepam.com/solutions/startups): Move fast without sacrificing security. OnePAM gives early-stage teams SSH, RDP, VNC, database, and web app access through a single platform — with SSO, session recording, and RBAC built in. No VPN to manage, no infrastructure to maintain, and no security engineer required to set it up. - [OnePAM for SMBs & Mid-Market](https://onepam.com/solutions/smb): Growing teams face growing access complexity. OnePAM gives mid-size organizations centralized SSH, RDP, VNC, database, and web app access with identity-based controls, approval workflows, and session recording — without requiring a full-time security team to operate. - [OnePAM for Enterprise](https://onepam.com/solutions/enterprise): Enterprise organizations need access controls that scale across thousands of users, hundreds of teams, and multiple regions — without creating bottlenecks. OnePAM provides a Unified PAM Solution with SSO, SCIM, granular RBAC, approval workflows, vault integration, and full session recording across every protocol. - [OnePAM for DevOps Teams](https://onepam.com/solutions/devops-teams): DevOps teams need fast, reliable access to production servers, databases, containers, and cloud infrastructure. OnePAM replaces VPNs and bastion hosts with a single platform that provides SSH, RDP, VNC, and database access through identity-based controls — with session recording for incident response and compliance. - [OnePAM for Security Teams](https://onepam.com/solutions/security-teams): Security teams need to enforce least-privilege access, maintain complete audit trails, and respond to incidents with evidence — not guesswork. OnePAM provides Zero Trust access with identity verification, session recording, smart alerting, and compliance reporting across SSH, RDP, VNC, database, and web app protocols. - [OnePAM for IT & Infrastructure Teams](https://onepam.com/solutions/it-infrastructure-teams): IT teams manage access to hundreds of servers, Windows desktops, databases, and internal applications — often with a patchwork of VPNs, bastion hosts, and shared credentials. OnePAM consolidates everything into a single platform with SCIM provisioning, automated onboarding/offboarding, and centralized policy management. - [OnePAM for Engineering Teams](https://onepam.com/solutions/engineering-teams): Engineers need to move fast. OnePAM provides instant SSH, database, and web app access through the browser or CLI — with SSO instead of SSH keys, per-user database sessions instead of shared passwords, and zero VPN configuration. Security happens in the background; engineers stay in flow. - [OnePAM for Compliance & GRC Teams](https://onepam.com/solutions/compliance-teams): Compliance teams spend months gathering access evidence for audits. OnePAM generates continuous, tamper-proof audit trails across every SSH, RDP, VNC, database, and web app session — with automated reports mapped to SOC 2, ISO 27001, HIPAA, PCI DSS, SOX, and FedRAMP controls. - [OnePAM for Platform Engineering](https://onepam.com/solutions/platform-engineering-teams): Platform engineering teams build internal developer platforms that abstract infrastructure complexity. OnePAM provides the access layer — a self-service portal where developers request and receive SSH, database, and application access through golden paths, with guardrails, approval workflows, and full observability built in. ## Integrations - [Okta](https://onepam.com/integrations/okta): Enterprise SSO and user provisioning with Okta for seamless Zero Trust access control. - [Microsoft Entra ID](https://onepam.com/integrations/azure-ad): Integrate with Microsoft Entra ID (Azure AD) for enterprise SSO and conditional access policies. - [Google Workspace](https://onepam.com/integrations/google-workspace): SSO and user provisioning with Google Workspace for organizations using Google Cloud identity. - [Auth0](https://onepam.com/integrations/auth0): Flexible identity platform integration with Auth0 for SSO and social login support. - [OneLogin](https://onepam.com/integrations/onelogin): Enterprise SSO and user provisioning with OneLogin for unified access management. - [Duo Security](https://onepam.com/integrations/duo): Enforce Duo MFA for all infrastructure access with push notifications and device trust. - [JumpCloud](https://onepam.com/integrations/jumpcloud): Cloud directory integration with JumpCloud for SSO and device management. - [SAML 2.0](https://onepam.com/integrations/saml): Connect any SAML 2.0 compliant identity provider for enterprise SSO integration. - [OpenID Connect](https://onepam.com/integrations/oidc): Connect any OpenID Connect provider for modern OAuth 2.0 based authentication. - [Splunk](https://onepam.com/integrations/splunk): Forward session recordings and audit logs to Splunk for security analysis and compliance. - [Elastic SIEM](https://onepam.com/integrations/elastic-siem): Stream access events to Elastic SIEM for threat detection and security analytics. - [Microsoft Sentinel](https://onepam.com/integrations/microsoft-sentinel): Forward audit logs to Microsoft Sentinel for cloud-native SIEM and security orchestration. - [Datadog](https://onepam.com/integrations/datadog-logs): Send access logs and session metadata to Datadog for observability and security monitoring. - [PagerDuty](https://onepam.com/integrations/pagerduty): On-call access provisioning and access alerts through PagerDuty incident management. - [HashiCorp Vault](https://onepam.com/integrations/hashicorp-vault): Dynamic credential injection with HashiCorp Vault for just-in-time secrets. - [AWS Secrets Manager](https://onepam.com/integrations/aws-secrets-manager): Retrieve and inject credentials from AWS Secrets Manager for AWS-native deployments. - [Slack](https://onepam.com/integrations/slack): Access request notifications and approvals through Slack for instant team communication. - [Microsoft Teams](https://onepam.com/integrations/microsoft-teams): Access notifications and approvals through Microsoft Teams for Microsoft-centric organizations. - [AWS](https://onepam.com/integrations/aws): Secure access to AWS EC2, RDS, and other resources without exposing them to the internet. - [Google Cloud](https://onepam.com/integrations/gcp): Secure access to GCE, Cloud SQL, and GKE without exposing resources publicly. - [Microsoft Azure](https://onepam.com/integrations/azure): Secure access to Azure VMs, Azure SQL, and AKS with Entra ID integration. - [Ping Identity](https://onepam.com/integrations/ping-identity): Enterprise SSO and adaptive authentication with Ping Identity for secure Zero Trust access to infrastructure. - [Keycloak](https://onepam.com/integrations/keycloak-idp): Open-source SSO and identity federation with Keycloak for self-hosted Zero Trust authentication. - [CyberArk Vault](https://onepam.com/integrations/cyberark-vault): Privileged credential retrieval from CyberArk Vault for enterprise-grade secrets injection. - [Sumo Logic](https://onepam.com/integrations/sumo-logic): Cloud-native log analytics and SIEM with Sumo Logic for real-time access event intelligence. - [IBM QRadar](https://onepam.com/integrations/ibm-qradar): Enterprise SIEM integration with IBM QRadar for advanced threat detection on infrastructure access. - [ServiceNow](https://onepam.com/integrations/servicenow): IT service management integration with ServiceNow for automated access request ticketing and approval workflows. - [Opsgenie](https://onepam.com/integrations/opsgenie): Incident-driven access management with Opsgenie for on-call alerting and escalation workflows. - [New Relic](https://onepam.com/integrations/new-relic): Full-stack observability with New Relic for monitoring infrastructure access performance and security events. - [CrowdStrike](https://onepam.com/integrations/crowdstrike): Device trust and endpoint posture verification with CrowdStrike Falcon for context-aware access control. - [SailPoint](https://onepam.com/integrations/sailpoint): Identity governance and access certification with SailPoint for lifecycle management and compliance. ## Comparisons - [OnePAM vs Teleport](https://onepam.com/compare/teleport): Compare browser-based Zero Trust access with certificate-based infrastructure access. - [OnePAM vs StrongDM](https://onepam.com/compare/strongdm): Compare browser-based access and visual session recordings with client-based access. - [OnePAM vs Tailscale](https://onepam.com/compare/tailscale): Compare Unified PAM access with VPN mesh for infrastructure security. - [OnePAM vs HashiCorp Boundary](https://onepam.com/compare/boundary): Compare managed Zero Trust access with self-hosted identity-based access. - [OnePAM vs Cloudflare Access](https://onepam.com/compare/cloudflare-access): Compare purpose-built infrastructure access with broad Zero Trust network access. - [OnePAM vs CyberArk](https://onepam.com/compare/cyberark): Compare modern cloud-native access with traditional enterprise PAM. - [OnePAM vs Fortinet VPN (FortiClient)](https://onepam.com/compare/fortinet-vpn): Compare true Zero Trust per-resource access with traditional VPN — plus how OnePAM differs from Fortinet's own ZTNA. - [OnePAM vs Forcepoint VPN Client](https://onepam.com/compare/forcepoint): Compare OnePAM's Unified PAM Solution with Forcepoint's VPN client — and see how both differ from Forcepoint's own Zero Trust solution. - [OnePAM vs Zscaler Private Access (ZPA)](https://onepam.com/compare/zscaler-zpa): Compare OnePAM's session-level Zero Trust with Zscaler ZPA's connection-level access — and see why session recording changes everything. - [OnePAM vs Cisco VPN (AnyConnect / Secure Client)](https://onepam.com/compare/cisco-vpn): Compare OnePAM's Unified PAM Solution with Cisco AnyConnect — the world's most deployed VPN client — and see why Zero Trust is fundamentally safer. - [OnePAM vs Sophos Connect](https://onepam.com/compare/sophos-connect): Compare OnePAM's architecture-level Zero Trust — browser-based, agentless, per-resource access — with Sophos Connect's VPN approach and Sophos ZTNA. - [OnePAM vs Ubiquiti Teleport](https://onepam.com/compare/ubiquiti-teleport): Compare OnePAM's Unified PAM Solution with Ubiquiti Teleport's hardware-dependent network VPN — and see why Zero Trust is fundamentally safer. - [OnePAM vs Palo Alto GlobalProtect VPN](https://onepam.com/compare/palo-alto-vpn): Compare OnePAM's architecture-level Zero Trust — browser-based, per-resource access with full session recording — with Palo Alto's appliance-dependent GlobalProtect VPN and Prisma Access ZTNA. - [OnePAM vs BeyondTrust](https://onepam.com/compare/beyondtrust): Compare OnePAM's lightweight Unified PAM Solution with BeyondTrust's enterprise PAM suite — and see how modern access differs from legacy PAM. - [OnePAM vs Delinea (Thycotic)](https://onepam.com/compare/delinea): Compare OnePAM's Unified PAM Solution with Delinea's Secret Server and Connection Manager — modern access vs traditional PAM. - [OnePAM vs Twingate](https://onepam.com/compare/twingate): Compare OnePAM's browser-based, session-recorded access with Twingate's client-based network access — and see why session-level control matters. - [OnePAM vs Netskope Private Access](https://onepam.com/compare/netskope): Compare OnePAM's Unified PAM Solution with Netskope's SASE-embedded private access — purpose-built vs part of a larger platform. - [OnePAM vs NordLayer](https://onepam.com/compare/nordlayer): Compare OnePAM's session-level Zero Trust with NordLayer's VPN-first approach — and see how per-resource access with audit trails changes security. - [OnePAM vs Keeper Security](https://onepam.com/compare/keeper-security): Compare OnePAM's Unified PAM Solution with Keeper's connection manager — and see how integrated SSO, recording, and Zero Trust differ from vault-based access. - [OnePAM vs Pritunl](https://onepam.com/compare/pritunl): Compare OnePAM's Zero Trust per-resource access with Pritunl's network-level VPN — and see why session recording and identity-based access change security fundamentally. ## Tools - [SSH Config Builder](https://onepam.com/tools/ssh-config-generator): Visual SSH config generator with ProxyJump chains, wildcard patterns, and hardening best practices - [OpenSSH Hardening Generator](https://onepam.com/tools/ssh-hardening-generator): sshd_config generator with security profiles for different OS and OpenSSH versions - [SSH Key Inventory Auditor](https://onepam.com/tools/ssh-key-auditor): Analyze SSH public keys for algorithm strength, duplicates, and security recommendations - [SSH Login Banner Generator](https://onepam.com/tools/ssh-banner-generator): Create legal warning banners for /etc/issue, /etc/motd, and sshd_config with compliance templates - [RDP Hardening Generator](https://onepam.com/tools/rdp-hardening-generator): Configure NLA, encryption levels, session timeouts, and GPO settings for secure Remote Desktop access - [Password Policy Generator](https://onepam.com/tools/password-policy-generator): Create enterprise password policies with complexity rules, rotation schedules, and compliance mappings - [Credential Rotation Planner](https://onepam.com/tools/credential-rotation-planner): Plan rotation schedules for SSH keys, database passwords, API tokens, and service account credentials - [Privileged Account Discovery Checklist](https://onepam.com/tools/privileged-account-discovery): Interactive checklist to discover and catalog privileged accounts across infrastructure with risk scoring - [RBAC Policy Generator](https://onepam.com/tools/rbac-policy-generator): Define roles, permissions, and resource access rules. Export as JSON, YAML, or policy documents - [JIT Access Policy Generator](https://onepam.com/tools/jit-access-policy-generator): Build just-in-time access policies with time windows, approval requirements, and auto-revocation rules - [Linux User Provisioning Generator](https://onepam.com/tools/user-provisioning-generator): Generate idempotent Linux user setup scripts with SSH keys, sudo policies, and group membership - [Access Review Report Builder](https://onepam.com/tools/access-review-builder): Generate quarterly audit reports with automated findings for SOC 2, HIPAA, and PCI-DSS - [Kubernetes RBAC Generator](https://onepam.com/tools/kubernetes-rbac-generator): Build least-privilege ClusterRoles, Roles, and RoleBindings with production-ready YAML export - [Service Account Auditor](https://onepam.com/tools/service-account-auditor): Catalog non-human and machine identities with risk scoring by privilege level and credential age - [Compliance Access Control Mapper](https://onepam.com/tools/compliance-mapper): Cross-reference access control requirements across SOC 2, HIPAA, PCI-DSS, ISO 27001, and NIST 800-53 - [Zero Trust Readiness Assessment](https://onepam.com/tools/zero-trust-readiness-checker): Evaluate your organization's Zero Trust readiness with scored assessment and recommendations - [MFA Readiness Assessment](https://onepam.com/tools/mfa-readiness-checker): Evaluate MFA deployment readiness with recommendations for methods, rollout, and user communication - [PAM Maturity Assessment](https://onepam.com/tools/pam-maturity-assessment): Score your organization across identity, access governance, session management, credential vaulting, and compliance - [Incident Response Playbook Generator](https://onepam.com/tools/incident-response-playbook): Step-by-step response procedures for access-related security incidents - [Session Recording Policy Builder](https://onepam.com/tools/session-recording-policy-builder): Define recording rules per protocol for SSH, RDP, databases, Kubernetes, and web apps - [LDAP Authentication with OpenSSH Guide](https://onepam.com/tools/ldap-openssh-guide): Complete guide to LDAP authentication for OpenSSH using SSSD, PAM, and public key lookup - [AD Hardening Audit PowerShell Generator](https://onepam.com/tools/ad-hardening-audit-generator): Comprehensive Active Directory security assessment aligned with CIS Benchmarks and NIST 800-53 ## Optional - [Terms of Service](https://onepam.com/terms): Usage terms and conditions - [Privacy Policy](https://onepam.com/privacy): How OnePAM collects, uses, and protects your data - [Service Level Agreement](https://onepam.com/sla): 99.9% uptime commitment and support response times - [SSO for Oracle E-Business Suite](https://onepam.com/sso/legacy-apps/oracle-ebs): Eliminate password sprawl and enforce centralized identity for Oracle EBS with OnePAM's reverse-proxy SSO. No Oracle customization required. - [SSO for SAP ECC](https://onepam.com/sso/legacy-apps/sap-ecc): Unify SAP ECC authentication with your corporate IdP. OnePAM adds SAML/OIDC SSO to SAP GUI and SAP Web interfaces without modifying the SAP stack. - [SSO for HCL Domino (Lotus Notes)](https://onepam.com/sso/legacy-apps/hcl-domino): Add modern SAML/OIDC SSO to HCL Domino web applications without modifying NSF databases or Domino server configuration. - [SSO for SharePoint Server (On-Premise)](https://onepam.com/sso/legacy-apps/sharepoint-on-premise): Replace ADFS complexity with OnePAM's modern SSO for SharePoint Server on-premise. Support Okta, Google Workspace, and any IdP — not just Active Directory. - [SSO for PeopleSoft](https://onepam.com/sso/legacy-apps/peoplesoft): Add SAML/OIDC SSO to PeopleSoft without PeopleSoft PIA changes. Eliminate WebLogic SAML complexity and replace Oracle Access Manager. - [SSO for Siebel CRM](https://onepam.com/sso/legacy-apps/siebel-crm): Add modern SAML/OIDC SSO to Siebel CRM Open UI and legacy High Interactivity mode. No Siebel Tools changes, no Oracle Access Manager required. - [SSO for IBM WebSphere](https://onepam.com/sso/legacy-apps/ibm-websphere): Protect IBM WebSphere applications with SAML/OIDC SSO via OnePAM's reverse-proxy gateway. No WebSphere security domain or TAI modifications required. - [SSO for Oracle WebLogic](https://onepam.com/sso/legacy-apps/oracle-weblogic): Protect Oracle WebLogic applications with SAML/OIDC SSO using OnePAM's reverse-proxy gateway. No WebLogic security provider changes or application modifications required. - [SSO for SAP NetWeaver Portal](https://onepam.com/sso/legacy-apps/sap-netweaver): Protect SAP NetWeaver Portal with SAML/OIDC SSO using OnePAM's reverse-proxy gateway. No SAP UME modifications or Java stack changes required. - [SSO for JD Edwards EnterpriseOne](https://onepam.com/sso/legacy-apps/jd-edwards): Protect JD Edwards EnterpriseOne with SAML/OIDC SSO using OnePAM's reverse-proxy gateway. No JDE server code modifications or CNC configuration required. - [SSO for Microsoft Dynamics AX](https://onepam.com/sso/legacy-apps/microsoft-dynamics-ax): Protect Microsoft Dynamics AX with SAML/OIDC SSO using OnePAM's reverse-proxy gateway. No AOS configuration changes or X++ modifications required. - [SSO for Sage X3](https://onepam.com/sso/legacy-apps/sage-x3): Protect Sage X3 with SAML/OIDC SSO using OnePAM's reverse-proxy gateway. No Sage X3 application server modifications or custom development required. - [Secure Access for Jenkins](https://onepam.com/sso/web-apps/jenkins): Protect Jenkins with OnePAM's authenticated reverse proxy. Add enterprise SSO via HTTP header authentication while shielding your CI/CD pipeline from CVEs and zero-day vulnerabilities. - [Secure Access for Grafana](https://onepam.com/sso/web-apps/grafana): Secure Grafana with OnePAM's authenticated proxy. Enable SAML/OIDC SSO via Grafana's auth.proxy feature while protecting your monitoring dashboards from CVEs and unauthorized access. - [Secure Access for Kibana](https://onepam.com/sso/web-apps/kibana): Add enterprise SSO to Kibana using OnePAM's authenticated reverse proxy. Shield your log analytics and SIEM data from CVEs while enforcing centralized identity controls. - [Secure Access for GitLab Self-Managed](https://onepam.com/sso/web-apps/gitlab): Add enterprise SSO to self-managed GitLab using OnePAM's authenticated reverse proxy. Shield your source code, CI/CD pipelines, and container registry from CVEs and unauthorized access. - [Secure Access for SonarQube](https://onepam.com/sso/web-apps/sonarqube): Secure SonarQube with OnePAM's authenticated proxy. Enable enterprise SSO via HTTP header authentication and protect your code security findings from unauthorized access. - [Secure Access for Apache Guacamole](https://onepam.com/sso/web-apps/apache-guacamole): Migrate from Apache Guacamole to OnePAM's native RDP/VNC implementation. Get built-in Kerberos authentication, Protected User support, SAML/OIDC SSO, and session recording without the Guacamole/Tomcat stack. - [Secure Access for Jira Data Center](https://onepam.com/sso/web-apps/jira-datacenter): Secure Jira Data Center with OnePAM's authenticated reverse proxy. Enable enterprise SSO via HTTP header authentication while shielding your project management data from CVEs. - [Secure Access for Confluence Data Center](https://onepam.com/sso/web-apps/confluence-datacenter): Add enterprise SSO to Confluence Data Center using OnePAM's authenticated proxy. Protect internal documentation, runbooks, and sensitive knowledge from CVEs and unauthorized access. - [Secure Access for pgAdmin](https://onepam.com/sso/web-apps/pgadmin): Add enterprise SSO to pgAdmin using OnePAM's authenticated reverse proxy. Protect PostgreSQL database administration from unauthorized access and zero-day vulnerabilities. - [Secure Access for Rundeck](https://onepam.com/sso/web-apps/rundeck): Secure Rundeck with OnePAM's authenticated reverse proxy. Enable enterprise SSO via preauthenticated mode while shielding your operations automation from CVEs and unauthorized access. - [Secure Access for Harbor](https://onepam.com/sso/web-apps/harbor): Add enterprise SSO to Harbor container registry using OnePAM's authenticated proxy. Protect your container supply chain from CVEs and unauthorized image push/pull operations. - [Secure Access for Zabbix](https://onepam.com/sso/web-apps/zabbix): Secure Zabbix with OnePAM's authenticated reverse proxy. Enable enterprise SSO via HTTP authentication and shield your infrastructure monitoring from CVEs and unauthorized access. - [Secure Access for Nexus Repository](https://onepam.com/sso/web-apps/nexus-repository): Protect Nexus Repository with OnePAM's authenticated reverse proxy. Enable enterprise SSO via HTTP header authentication and shield your artifact management from CVEs and supply chain attacks. - [Secure Access for Wiki.js](https://onepam.com/sso/web-apps/wikijs): Secure Wiki.js with OnePAM's authenticated reverse proxy. Enable SAML/OIDC SSO via HTTP header authentication while protecting internal documentation from unauthorized access. - [Secure Access for Prometheus](https://onepam.com/sso/web-apps/prometheus): Prometheus has no built-in authentication. OnePAM's authenticated reverse proxy adds enterprise SSO and blocks unauthenticated access to your metrics, targets, and alert rules. - [Secure Access for MinIO](https://onepam.com/sso/web-apps/minio): Secure MinIO Console with OnePAM's authenticated reverse proxy. Enable enterprise SSO and shield your object storage infrastructure from CVEs and unauthorized data access. - [Secure Access for Portainer](https://onepam.com/sso/web-apps/portainer): Secure Portainer with OnePAM's authenticated proxy. Enable enterprise SSO and protect your Docker and Kubernetes management interface from CVEs and unauthorized container operations. - [Secure Access for Apache Airflow](https://onepam.com/sso/web-apps/airflow): Add enterprise SSO to Apache Airflow using OnePAM's authenticated proxy. Shield your data pipelines, DAGs, and connections from CVEs and unauthorized execution. - [Secure Access for Apache Superset](https://onepam.com/sso/web-apps/superset): Secure Apache Superset with OnePAM's authenticated reverse proxy. Enable enterprise SSO via REMOTE_USER and shield your business intelligence data from CVEs and unauthorized access. - [Secure Access for Gitea](https://onepam.com/sso/web-apps/gitea): Secure Gitea with OnePAM's authenticated reverse proxy. Enable enterprise SSO via reverse proxy authentication and protect your source code from CVEs and unauthorized access. - [Secure Access for Mattermost](https://onepam.com/sso/web-apps/mattermost): Secure self-hosted Mattermost with OnePAM's authenticated proxy. Enable enterprise SSO via GitLab-style proxy headers and shield team communications from unauthorized access. - [Secure Access for Redmine](https://onepam.com/sso/web-apps/redmine): Secure Redmine with OnePAM's authenticated reverse proxy. Enable enterprise SSO via REMOTE_USER header authentication and protect project data from unauthorized access. - [Secure Access for NetBox](https://onepam.com/sso/web-apps/netbox): Secure NetBox with OnePAM's authenticated reverse proxy. Enable enterprise SSO via REMOTE_USER and shield your network documentation from unauthorized access. - [Secure Access for AWX / Ansible Automation Platform](https://onepam.com/sso/web-apps/awx): Secure AWX with OnePAM's authenticated reverse proxy. Enable enterprise SSO and protect your Ansible automation, playbooks, and machine credentials from CVEs and unauthorized access. - [Secure Access for phpMyAdmin](https://onepam.com/sso/web-apps/phpmyadmin): Secure phpMyAdmin with OnePAM's authenticated reverse proxy. Add enterprise SSO and protect MySQL/MariaDB administration from CVEs, SQL injection, and unauthorized database access. - [Secure Access for Argo CD](https://onepam.com/sso/web-apps/argocd): Secure Argo CD with OnePAM's authenticated reverse proxy. Enable enterprise SSO and shield your GitOps deployment pipeline from CVEs and unauthorized application sync operations. - [Secure Access for n8n](https://onepam.com/sso/web-apps/n8n): Secure self-hosted n8n with OnePAM's authenticated proxy. Enable enterprise SSO and protect your automation workflows, API credentials, and integrations from unauthorized access. - [Secure Access for HashiCorp Consul](https://onepam.com/sso/web-apps/consul): Secure HashiCorp Consul's web UI with OnePAM's authenticated proxy. Enable enterprise SSO and shield service discovery, KV store, and mesh configuration from unauthorized access. - [Secure Access for HashiCorp Vault UI](https://onepam.com/sso/web-apps/vault-ui): Add an extra security layer to HashiCorp Vault with OnePAM's authenticated proxy. Shield the Vault UI from zero-day exploits while providing seamless SSO for secrets management access. - [Secure Access for Rancher](https://onepam.com/sso/web-apps/rancher): Add authenticated proxy protection to Rancher with OnePAM. Shield your Kubernetes cluster management interface from CVEs while providing seamless SSO and complete access auditing. - [Secure Access for Backstage](https://onepam.com/sso/web-apps/backstage): Secure Backstage with OnePAM's authenticated reverse proxy. Enable enterprise SSO and shield your developer portal, service catalog, and TechDocs from unauthorized access. - [Secure Access for Outline](https://onepam.com/sso/web-apps/outline): Secure self-hosted Outline with OnePAM's authenticated proxy. Enable enterprise SSO and protect your team's knowledge base, documents, and internal processes from unauthorized access. - [Secure Access for Uptime Kuma](https://onepam.com/sso/web-apps/uptime-kuma): Secure Uptime Kuma with OnePAM's authenticated reverse proxy. Enable enterprise SSO and shield your uptime monitoring, alerts, and status pages from unauthorized access and zero-day exploits. - [Secure Access for WeKan](https://onepam.com/sso/web-apps/wekan): Secure self-hosted WeKan with OnePAM's authenticated proxy. Enable enterprise SSO and protect your Kanban boards, project workflows, and team assignments from unauthorized access. - [Secure Access for Traefik Dashboard](https://onepam.com/sso/web-apps/traefik-dashboard): Secure self-hosted Traefik Dashboard with OnePAM's authenticated proxy. Enable enterprise SSO and protect your reverse proxy configuration, routing rules, and TLS certificates from unauthorized access. - [Secure Access for Drone CI](https://onepam.com/sso/web-apps/drone-ci): Protect self-hosted Drone CI with OnePAM's authenticated proxy. Enable enterprise SSO and shield your continuous integration pipelines from unauthorized access and zero-day exploits. - [Secure Access for Metabase](https://onepam.com/sso/web-apps/metabase): Secure self-hosted Metabase with OnePAM's authenticated proxy. Enable enterprise SSO and protect your dashboards, SQL queries, and business data from unauthorized access. - [Secure Access for JupyterHub](https://onepam.com/sso/web-apps/jupyterhub): Protect JupyterHub with OnePAM's authenticated proxy. Enable enterprise SSO and secure your data science notebooks, ML models, and research data with zero trust access controls. - [Secure Access for code-server (VS Code)](https://onepam.com/sso/web-apps/code-server): Protect code-server with OnePAM's authenticated proxy. Enable enterprise SSO for browser-based VS Code and secure source code access with identity verification and session recording. - [Secure Access for BookStack](https://onepam.com/sso/web-apps/bookstack): Secure self-hosted BookStack with OnePAM's authenticated proxy. Enable enterprise SSO and protect your internal knowledge base, runbooks, and documentation from unauthorized access. - [Secure Access for Keycloak Admin Console](https://onepam.com/sso/web-apps/keycloak-admin): Protect the Keycloak Admin Console with OnePAM's authenticated proxy. Add an additional identity verification layer and shield your IAM infrastructure from zero-day exploits. - [Secure Access for Proxmox VE](https://onepam.com/sso/web-apps/proxmox): Secure Proxmox VE with OnePAM's authenticated proxy. Enable enterprise SSO for your hypervisor management interface and protect VMs, containers, and storage with zero trust access. - [Secure Access for Semaphore UI](https://onepam.com/sso/web-apps/semaphore-ui): Protect Semaphore UI with OnePAM's authenticated proxy. Enable enterprise SSO for your Ansible automation dashboard and secure playbook execution, inventories, and credentials. - [Secure Access for Authentik](https://onepam.com/sso/web-apps/authentik): Protect the Authentik Admin interface with OnePAM's authenticated proxy. Add defense-in-depth security to your identity platform and shield admin operations from zero-day exploits. - [Secure Access for Node-RED](https://onepam.com/sso/web-apps/node-red): Protect Node-RED with OnePAM's authenticated proxy. Enable enterprise SSO and secure your IoT workflows, API integrations, and automation flows from unauthorized access. - [Secure Access for Woodpecker CI](https://onepam.com/sso/web-apps/woodpecker-ci): Protect Woodpecker CI with OnePAM's authenticated proxy. Enable enterprise SSO for your container-native CI/CD platform and secure build pipelines, secrets, and deployment workflows. - [Secure Access for NocoDB](https://onepam.com/sso/web-apps/nocodb): Secure self-hosted NocoDB with OnePAM's authenticated proxy. Enable enterprise SSO and protect your databases, forms, and collaborative workspaces from unauthorized access. - [Secure Access for Homer Dashboard](https://onepam.com/sso/web-apps/homer): Secure self-hosted Homer Dashboard with OnePAM's authenticated proxy. Protect your internal service directory, links, and infrastructure map from unauthorized access. - [Secure Access for OpenProject](https://onepam.com/sso/web-apps/openproject): Protect self-hosted OpenProject with OnePAM's authenticated proxy. Enable enterprise SSO and secure your project plans, work packages, and Gantt charts from unauthorized access. - [SSH SSO for SSO for SSH on Ubuntu Server](https://onepam.com/sso/ssh/ubuntu-server): Add SAML/OIDC Single Sign-On to SSH on Ubuntu Server. Replace SSH keys with identity-based authentication via your corporate IdP. Deploy via local agent or gateway SSH proxy. Shield unpatched Ubuntu servers from zero-day SSH vulnerabilities like regreSSHion. - [SSH SSO for SSO for SSH on RHEL](https://onepam.com/sso/ssh/rhel): Add SAML/OIDC SSO to SSH on Red Hat Enterprise Linux (RHEL). Replace SSH keys with identity-based access via Okta, Azure AD, or any SAML/OIDC IdP. Deploy via local agent or gateway SSH proxy. Protect RHEL servers from SSH zero-day exploits. - [SSH SSO for SSO for SSH on Debian](https://onepam.com/sso/ssh/debian): Add SAML/OIDC SSO to SSH on Debian Linux. Replace SSH keys with corporate identity authentication. Deploy via local agent or gateway SSH proxy. Protect Debian servers running legacy stable releases from SSH zero-day vulnerabilities. - [SSH SSO for SSO for SSH on CentOS / Rocky / Alma Linux](https://onepam.com/sso/ssh/centos-rocky-alma): Add SAML/OIDC SSO to SSH on CentOS, Rocky Linux, and AlmaLinux. Replace SSH keys with identity-based access. Deploy via local agent or gateway SSH proxy. Protect CentOS 7 servers from SSH zero-day vulnerabilities during their extended lifecycle. - [SSH SSO for SSO for SSH on Amazon Linux](https://onepam.com/sso/ssh/amazon-linux): Add SAML/OIDC SSO to SSH on Amazon Linux 2 and Amazon Linux 2023 EC2 instances. Move beyond AWS key pairs and EC2 Instance Connect. Deploy via local agent or gateway SSH proxy. Shield EC2 instances from SSH zero-day vulnerabilities. - [SSH SSO for SSO for SSH on SUSE Linux Enterprise](https://onepam.com/sso/ssh/suse-linux): Add SAML/OIDC SSO to SSH on SUSE Linux Enterprise Server. Replace SSH keys with identity-based access for SAP HANA, HPC, and enterprise workloads. Deploy via local agent or gateway SSH proxy. Protect SLES servers from SSH zero-day vulnerabilities. - [SSH SSO for SSH Zero-Day Protection](https://onepam.com/sso/ssh/ssh-zero-day-protection): Protect Linux servers running outdated OpenSSH from zero-day exploits like regreSSHion (CVE-2024-6387) and Terrapin (CVE-2023-48795). OnePAM's gateway SSH proxy shields sshd from direct exploitation — patch on your schedule, not the attacker's. - [SSH SSO for Replace SSH Keys with Identity-Based Access](https://onepam.com/sso/ssh/replace-ssh-keys): Replace static SSH keys with SAML/OIDC-authenticated short-lived certificates. Eliminate authorized_keys management, key rotation, and orphan key cleanup. OnePAM issues certificates after IdP authentication — keys expire automatically. - [SSH SSO for SSH Session Recording & Compliance](https://onepam.com/sso/ssh/ssh-session-recording): Record every SSH session with identity-verified metadata. Replay sessions keystroke-by-keystroke for compliance, forensics, and incident response. Meet SOC 2, HIPAA, PCI DSS, and ISO 27001 requirements for privileged access auditing on Linux servers. - [SSH SSO for SSH MFA Enforcement](https://onepam.com/sso/ssh/ssh-mfa-enforcement): Require MFA (Duo, FIDO2, push notification, biometrics) for every SSH session to Linux servers. Enforce your IdP's MFA policies on SSH without per-server configuration. Deploy via local agent or gateway SSH proxy. - [SSH SSO for Certificate Authority](https://onepam.com/sso/ssh/ssh-certificate-authority): OnePAM operates a built-in certificate authority that issues short-lived certificates after SAML/OIDC authentication. Certificates expire automatically, eliminating SSH key rotation, authorized_keys management, and orphan access. Enterprise SSH PKI without the complexity. - [SSH SSO for SSH Access for Contractors & Third Parties](https://onepam.com/sso/ssh/ssh-for-contractors): Grant contractors and third-party vendors temporary SSH access to Linux servers with automatic expiration. No SSH keys to distribute, share, or clean up. Identity-verified, MFA-protected, fully recorded SSH sessions. Revoke access instantly when the engagement ends. - [SSH SSO for SSO for SSH on Fedora](https://onepam.com/sso/ssh/fedora): Add SAML/OIDC Single Sign-On to SSH on Fedora. Replace SSH keys with identity-based authentication via your corporate IdP. Deploy via local agent or gateway SSH proxy. Stay ahead of SSH zero-days on Fedora's fast-moving release cycle. - [SSH SSO for SSO for SSH on Oracle Linux](https://onepam.com/sso/ssh/oracle-linux): Add SAML/OIDC Single Sign-On to SSH on Oracle Linux. Replace SSH keys with identity-based authentication via your corporate IdP. Deploy via local agent or gateway SSH proxy. Protect Oracle Database and enterprise application servers from SSH zero-day exploits. - [SSH SSO for SSO for SSH on Alpine Linux](https://onepam.com/sso/ssh/alpine-linux): Add SAML/OIDC Single Sign-On to SSH on Alpine Linux. Replace SSH keys with identity-based authentication via your corporate IdP. Deploy via gateway SSH proxy for container hosts and minimal Alpine installations. Protect Alpine-based infrastructure from SSH zero-day vulnerabilities. - [SSH SSO for SSO for SSH on Arch Linux](https://onepam.com/sso/ssh/arch-linux): Add SAML/OIDC Single Sign-On to SSH on Arch Linux. Replace SSH keys with identity-based authentication via your corporate IdP. Deploy via local agent or gateway SSH proxy. Secure rolling-release workstations and servers from SSH zero-day vulnerabilities. - [SSH SSO for SSO for SSH on Kali Linux](https://onepam.com/sso/ssh/kali-linux): Add SAML/OIDC Single Sign-On to SSH on Kali Linux. Replace SSH keys with identity-based authentication for penetration testing labs and security infrastructure. Deploy via local agent or gateway SSH proxy. Enforce MFA and session recording on sensitive security operations. - [SSH SSO for SSO for SSH on FreeBSD](https://onepam.com/sso/ssh/freebsd): Add SAML/OIDC Single Sign-On to SSH on FreeBSD. Replace SSH keys with identity-based authentication via your corporate IdP. Deploy via gateway SSH proxy for network appliances and servers, or local agent for FreeBSD systems with persistent installations. Protect FreeBSD infrastructure from SSH zero-day vulnerabilities. - [RDP SSO for Windows Server 2022 RDP SSO](https://onepam.com/sso/rdp/windows-server-2022): Replace password-based RDP logins on Windows Server 2022 with enterprise SAML/OIDC Single Sign-On. Deploy via local agent or gateway-powered RDP proxy. Enforce MFA, record sessions, and unify access controls. - [RDP SSO for Windows Server 2019 RDP SSO](https://onepam.com/sso/rdp/windows-server-2019): Add enterprise SSO to Windows Server 2019 RDP sessions. Authenticate via your corporate IdP instead of AD passwords. Deploy with local agent or gateway RDP proxy for agentless coverage. - [RDP SSO for Windows Server 2016 RDP SSO](https://onepam.com/sso/rdp/windows-server-2016): Add modern SSO to Windows Server 2016 RDP. Replace AD password authentication with SAML/OIDC from any IdP. Shield aging infrastructure from RDP exploits via gateway proxy. - [RDP SSO for Windows Server 2012 R2 RDP SSO](https://onepam.com/sso/rdp/windows-server-2012-r2): Windows Server 2012 R2 is end-of-life. Shield its RDP from zero-day exploits with OnePAM's gateway RDP proxy. Add SAML/OIDC SSO without installing anything on the server. - [RDP SSO for Windows Server 2008 R2 RDP Protection](https://onepam.com/sso/rdp/windows-server-2008-r2): Windows Server 2008 R2 has been end-of-life since January 2020. Protect its RDP from BlueKeep, DejaBlue, and future zero-days with OnePAM's gateway RDP proxy. No agent required. - [RDP SSO for Azure AD / Entra ID RDP SSO](https://onepam.com/sso/rdp/azure-ad-entra-id): Connect Azure AD / Microsoft Entra ID to Windows Server RDP via OnePAM. Enforce Conditional Access, MFA, and session recording on every RDP connection — without Azure AD Premium NPS complexity. - [RDP SSO for Okta SAML SSO for Windows RDP](https://onepam.com/sso/rdp/okta-rdp-sso): Use Okta as your identity provider for Windows Server RDP access. OnePAM bridges Okta SAML/OIDC to RDP authentication with MFA enforcement, session recording, and centralized access policies. - [RDP SSO for RDP Zero-Day & BlueKeep Protection](https://onepam.com/sso/rdp/rdp-bluekeep-zero-day-protection): Protect Windows servers from RDP zero-day vulnerabilities (BlueKeep CVE-2019-0708, DejaBlue, CVE-2024-38077) with OnePAM's gateway RDP proxy. No unauthenticated RDP traffic reaches your servers. - [RDP SSO for RDP Session Recording with SSO](https://onepam.com/sso/rdp/rdp-session-recording): Capture visual recordings of every Windows RDP session with full identity context. Replay frame-by-frame for compliance, forensics, and training. SSO-authenticated — every recording is tied to a verified identity. - [RDP SSO for MFA for Windows RDP via SSO](https://onepam.com/sso/rdp/rdp-mfa-enforcement): Add MFA to Windows Server RDP without NPS, RADIUS, or Azure AD Premium. OnePAM enforces your IdP's MFA (Duo, FIDO2, push, biometrics) on every RDP connection via SAML/OIDC SSO. - [RDP SSO for RDP Access Compliance](https://onepam.com/sso/rdp/rdp-compliance-soc2-hipaa-pci): Achieve compliance for Windows RDP access with identity-verified SSO, MFA enforcement, session recording, and centralized audit trails. Satisfy SOC 2 CC6, HIPAA, PCI DSS 10.2, and ISO 27001 controls. - [RDP SSO for Replace RDP Jump Boxes with SSO Platform](https://onepam.com/sso/rdp/rdp-gateway-jumpbox-replacement): Eliminate RDP jump boxes and bastion hosts. OnePAM's gateway RDP proxy provides SAML/OIDC SSO, MFA, session recording, and zero-day protection — without managing jump servers. - [RDP SSO for RDP Ransomware Prevention](https://onepam.com/sso/rdp/rdp-ransomware-prevention): RDP is the initial access vector in over 50% of ransomware attacks. OnePAM eliminates this risk with identity-verified SSO, MFA enforcement, and gateway-based RDP isolation. - [Database SSO for SSO for PostgreSQL](https://onepam.com/sso/database/postgresql): Add SAML/OIDC Single Sign-On to PostgreSQL database connections. Replace shared database passwords with identity-based access via your corporate IdP. Every query is tied to an individual identity with full audit trail. - [Database SSO for SSO for MySQL / MariaDB](https://onepam.com/sso/database/mysql): Add SAML/OIDC Single Sign-On to MySQL and MariaDB database connections. Replace shared database passwords with identity-based access. Full query audit trail with individual accountability. - [Database SSO for SSO for MongoDB](https://onepam.com/sso/database/mongodb): Add SAML/OIDC Single Sign-On to MongoDB connections. Replace shared connection strings with identity-based access. Full query audit trail with individual accountability for every operation. - [Database SSO for SSO for Microsoft SQL Server](https://onepam.com/sso/database/microsoft-sql-server): Add SAML/OIDC Single Sign-On to Microsoft SQL Server connections. Replace shared SA passwords with identity-based access. Full query audit trail with individual accountability for every T-SQL statement. - [Database SSO for SSO for Oracle Database](https://onepam.com/sso/database/oracle): Add SAML/OIDC Single Sign-On to Oracle Database connections. Replace shared schema passwords with identity-based access. Full SQL audit trail with individual accountability for SOX, HIPAA, and PCI DSS. - [Database SSO for SSO for Elasticsearch](https://onepam.com/sso/database/elasticsearch): Add SAML/OIDC Single Sign-On to Elasticsearch connections. Replace shared API keys and basic auth with identity-based access. Full query audit trail with individual accountability for every REST API call. - [Database SSO for SSO for Redis](https://onepam.com/sso/database/redis): Add SAML/OIDC Single Sign-On to Redis connections. Replace shared AUTH passwords with identity-based access via your corporate IdP. Full command audit trail with individual accountability. - [Database SSO for SSO for CockroachDB](https://onepam.com/sso/database/cockroachdb): Add SAML/OIDC Single Sign-On to CockroachDB connections. Replace database credentials with identity-based access. Full SQL audit trail with individual accountability. - [Database SSO for SSO for Apache Cassandra](https://onepam.com/sso/database/cassandra): Add SAML/OIDC Single Sign-On to Apache Cassandra connections. Replace shared credentials with identity-based access. Full CQL audit trail with individual accountability. - [Database SSO for SSO for ClickHouse](https://onepam.com/sso/database/clickhouse): Add SAML/OIDC Single Sign-On to ClickHouse connections. Replace shared credentials with identity-based access. Full SQL audit trail for analytics query accountability. - [Database SSO for SSO for Neo4j](https://onepam.com/sso/database/neo4j): Add SAML/OIDC Single Sign-On to Neo4j connections. Replace shared credentials with identity-based access. Full Cypher query audit trail with individual accountability. - [Database SSO for SSO for InfluxDB](https://onepam.com/sso/database/influxdb): Add SAML/OIDC Single Sign-On to InfluxDB connections. Replace API tokens with identity-based access. Full query audit trail for time-series data with individual accountability. - [VNC SSO for Proxmox VE VNC SSO](https://onepam.com/sso/vnc/proxmox-ve): Replace shared passwords and unauthenticated VNC ports on Proxmox VE with enterprise SAML/OIDC Single Sign-On. Enforce MFA, record every console session, and eliminate direct VNC port exposure. - [VNC SSO for Ubuntu Desktop VNC SSO](https://onepam.com/sso/vnc/ubuntu-desktop): Replace VNC password-only authentication on Ubuntu desktops with enterprise SAML/OIDC SSO. Enforce MFA, encrypt all sessions, and eliminate unprotected VNC port exposure. - [VNC SSO for RHEL Workstation VNC SSO](https://onepam.com/sso/vnc/rhel-workstation): Replace VNC password authentication on RHEL and CentOS workstations with enterprise SAML/OIDC SSO. Enforce MFA, record sessions, and eliminate exposed VNC ports for remote administration. - [VNC SSO for TigerVNC Server SSO](https://onepam.com/sso/vnc/tigervnc): Replace TigerVNC's weak password authentication with enterprise SAML/OIDC SSO. Enforce MFA, record every session, and eliminate direct VNC port exposure across your Linux server fleet. - [VNC SSO for Raspberry Pi VNC SSO](https://onepam.com/sso/vnc/raspberry-pi): Replace RealVNC password authentication on Raspberry Pi with enterprise SAML/OIDC SSO. Enforce MFA, record sessions, and secure headless Pi management without exposing VNC ports. - [VNC SSO for macOS Screen Sharing VNC SSO](https://onepam.com/sso/vnc/macos-screen-sharing): Replace macOS Screen Sharing's password-based VNC authentication with enterprise SAML/OIDC SSO. Enforce MFA, record sessions, and eliminate direct VNC port exposure on Mac endpoints.