
SAML/OIDC SSO for Microsoft SQL Server Access

Microsoft SQL Server is a trademark of Microsoft Corporation.

Add SAML/OIDC Single Sign-On to Microsoft SQL Server connections. Replace shared SA passwords with identity-based access. Full query audit trail with individual accountability for every T-SQL statement.

Overview

Why SQL Server Needs Modern Identity-Based Access

Microsoft SQL Server is the backbone of enterprise applications, powering ERP systems, financial platforms, healthcare records, and business intelligence workloads. SQL Server access typically relies on SQL Authentication (the sa password and shared logins) or Windows Authentication (Active Directory). Windows Authentication does carry an identity, but organizations moving to cloud IdPs (Okta, Azure AD) over SAML/OIDC need authentication for SQL Server that works across hybrid and multi-cloud environments and does not depend on domain membership.

OnePAM's database proxy adds SAML/OIDC SSO to SQL Server without changing database configuration. The proxy speaks the TDS (Tabular Data Stream) protocol and works with SSMS, Azure Data Studio, sqlcmd, and application connection strings. Every T-SQL statement is logged with the authenticated corporate identity, providing compliance-ready audit trails for SOX, HIPAA, and PCI DSS.

Database Security Risks

SQL Server Access Security Risks

Without identity-based database access, these risks threaten your data every day.

Shared database credentials across teams and environments
No audit trail for individual query activity
Static passwords stored in config files and environment variables
Inability to revoke access instantly when team members leave
Default port 1433 exposed without identity verification
The Challenge

Database Security Challenges

These are the risks organizations face with traditional database authentication.

SA Password Sharing

The SQL Server 'sa' account password is shared among DBAs and embedded in legacy applications. Rotating it risks breaking critical business systems.

Windows Auth Limitations

Windows Authentication ties SQL Server access to Active Directory — but organizations migrating to Okta or Azure AD SAML/OIDC need modern auth that works across cloud and on-premises.

SQL Login Sprawl

SQL Server logins proliferate across instances. Each developer, application, and service has separate credentials that must be managed, rotated, and eventually deprovisioned.

No SAML/OIDC Support

SQL Server has no native SAML or OIDC authentication. Azure SQL supports Azure AD sign-in, and SQL Server 2022 can use it only when the instance is enrolled in Azure Arc, but on-premises instances in general and AWS RDS for SQL Server have no built-in SAML/OIDC option.

Audit Gaps for SOX

SOX compliance requires individual accountability for financial database access. Shared SQL logins and the sa account make it impossible to prove who accessed what.

Hybrid Environment Complexity

Organizations running SQL Server on-premises, on Azure SQL, and on AWS RDS face inconsistent access controls across environments.

Setup Guide

How OnePAM Adds SSO to SQL Server

Step-by-step guide to deploying identity-based database access.

1. Connect via OnePAM Proxy

Point SSMS, Azure Data Studio, sqlcmd, or your application at the OnePAM database proxy. The proxy speaks native TDS, so clients need no plugin or driver change.

The connection string changes from Server=sql-host,1433 to Server=proxy-host,1433; no application code changes are required. Keep Encrypt=True and validate the proxy's certificate rather than setting TrustServerCertificate=True, because the client's TLS session now terminates at the proxy instead of at the database.

2. Authenticate via Corporate IdP

OnePAM authenticates the user against your corporate IdP over SAML/OIDC, and the IdP's MFA policy is enforced on every connection.

Works with Okta, Azure AD, Google Workspace, and any SAML/OIDC provider, even for on-premises SQL Server instances.

3. Credential Injection

OnePAM retrieves the SQL Server credential from its vault and establishes the upstream TDS session. Users never see or handle database passwords.

Access is scoped by IdP group: different groups map to different SQL Server roles and database permissions. Keep the vaulted login used for each group limited to the rights that group needs, so a read-only group is enforced by SQL Server's own permissions as well as by the proxy.

4. T-SQL Query Logging

Every T-SQL statement is logged with the corporate identity, providing individual accountability for SOX, HIPAA, and PCI DSS compliance. Because SQL Server sees the vaulted login on the session rather than the end user, the proxy's log is the record of who ran what; correlate it with server-side SQL Audit by session time and source address when assembling evidence.

Each log entry records the authenticated user's corporate identity next to the statement, for example the user who executed UPDATE Accounts SET Balance = ..., with full identity context.
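A worked example of the query-level audit and policy checks described in the steps above, written for this page as an added illustration; it is not OnePAM's code, and the log line format, the group names (bi-ro, finance-rw, dba) and the policy table are assumptions. It classifies each logged T-SQL statement as read, write, DDL or procedure execution from the first top-level keyword (so a CTE such as WITH t AS (SELECT ...) UPDATE ... is still recognised as a write), enforces a per-group read-only or read-write policy, raises a DDL-change alert, flags well-known dangerous procedures, and masks string literals before the statement reaches the audit trail:

```python
"""Classify, policy-check and mask T-SQL statements from proxy audit log lines.

Added example for this page. The log format ("<timestamp> <identity> <idp-group> <sql>"),
the group names and the POLICY table are assumptions, not OnePAM's real schema.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

READ = {"SELECT"}
WRITE = {"INSERT", "UPDATE", "DELETE", "MERGE"}
DDL = {"CREATE", "ALTER", "DROP", "TRUNCATE", "GRANT", "REVOKE", "DENY"}
EXEC = {"EXEC", "EXECUTE"}

# IdP group -> statement kinds the proxy policy permits (hypothetical group names).
POLICY = {
    "bi-ro": {"read"},
    "finance-rw": {"read", "write"},
    "dba": {"read", "write", "ddl", "exec"},
}

# Procedures that turn database access into host or configuration access.
DANGEROUS_PROCS = ("xp_cmdshell", "sp_configure", "sp_oacreate")

# Constructed sample log lines in the assumed format.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice@example.com finance-rw UPDATE Accounts SET Balance = Balance - 250.00 WHERE AccountId = 1042
2024-05-01T09:12:41Z bob@example.com bi-ro SELECT TOP 10 * FROM Accounts WHERE Balance > 100000
2024-05-01T09:13:07Z bob@example.com bi-ro DELETE FROM Accounts WHERE AccountId = 7
2024-05-01T09:14:22Z carol@example.com dba ALTER TABLE Accounts ADD Ssn varchar(11) NULL
2024-05-01T09:15:00Z alice@example.com finance-rw INSERT INTO Customers (Name, Ssn) VALUES ('Dana', '123-45-6789')
2024-05-01T09:15:30Z dave@example.com finance-rw WITH t AS (SELECT 1 AS x) SELECT x FROM t
2024-05-01T09:16:00Z dave@example.com finance-rw EXEC sp_configure 'xp_cmdshell', 1
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<identity>\S+) (?P<group>\S+) (?P<sql>.+)$")
# Tokens: parentheses, 'string literals' (with '' escapes), [bracketed names], words, anything else.
_TOKEN = re.compile(r"\(|\)|'(?:[^']|'')*'|\[[^\]]*\]|[A-Za-z_][A-Za-z0-9_]*|\S")
_LITERAL = re.compile(r"'(?:[^']|'')*'")


def strip_comments(sql: str) -> str:
    """Remove /* */ and -- comments so a comment cannot hide the real verb."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.sub(r"--[^\n]*", " ", sql)
    return sql.strip()


def classify_statement(sql: str) -> str:
    """Return read|write|ddl|exec|other for the outer statement; only depth-0 tokens
    count, so the SELECT inside a CTE or subquery does not make an UPDATE look like a read."""
    depth = 0
    for tok in _TOKEN.findall(strip_comments(sql)):
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth = max(depth - 1, 0)
        elif depth == 0:
            kw = tok.upper()
            if kw in READ:
                return "read"
            if kw in WRITE:
                return "write"
            if kw in DDL:
                return "ddl"
            if kw in EXEC:
                return "exec"
            # WITH, CTE names, AS, DECLARE ... are skipped until a verb appears
    return "other"


def mask_literals(sql: str) -> str:
    """Replace every string literal so PII and secrets never land in the audit log."""
    return _LITERAL.sub("'***'", sql)


@dataclass
class Decision:
    ts: str
    identity: str
    group: str
    kind: str
    allowed: bool
    masked_sql: str
    alerts: list[str] = field(default_factory=list)


def evaluate_line(line: str) -> Decision:
    m = LOG_LINE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    sql = m["sql"]
    kind = classify_statement(sql)
    permitted = POLICY.get(m["group"], set())  # unknown group => nothing permitted
    d = Decision(m["ts"], m["identity"], m["group"], kind, kind in permitted, mask_literals(sql))
    if not d.allowed:
        d.alerts.append(f"policy-deny:{kind}")
    if kind == "ddl":
        d.alerts.append("ddl-change")
    lowered = strip_comments(sql).lower()
    d.alerts.extend(f"dangerous-proc:{p}" for p in DANGEROUS_PROCS if p in lowered)
    return d


def evaluate_log(text: str) -> list[Decision]:
    return [evaluate_line(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for d in evaluate_log(SAMPLE_LOG):
        verdict = "ALLOW" if d.allowed else "DENY "
        print(f"{d.ts} {verdict} {d.identity:<18} {d.group:<11} {d.kind:<5} {d.masked_sql}"
              + (f"  alerts={d.alerts}" if d.alerts else ""))
```

Run the file directly to print one decision per sample line. The classifier is deliberately an allowlist: anything it cannot recognise is reported as other, which no group is permitted to run, and that is the right failure mode for a control that sits in front of production data.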
Key Benefits

Benefits of SSO for SQL Server

What changes when you deploy identity-based database access.

Individual Accountability

Every T-SQL query is tied to a corporate identity. No more shared sa or SQL login accounts.

100% identity attribution

Modern Auth for On-Premises

Bring SAML/OIDC SSO to on-premises SQL Server — not just Azure SQL. Works across all environments.

Any environment

SOX Compliance

Identity-verified query logs provide the audit evidence SOX requires for financial database access controls.

SOX-ready

MFA Enforcement

Enforce MFA on every SQL Server connection via your IdP. No SQL Server-specific auth configuration.

MFA enforced

Instant Deprovisioning

Disable a user in your IdP and SQL Server access stops immediately across all instances.

Instant revocation

Unified Hybrid Access

One authentication layer for SQL Server on-premises, Azure SQL, and AWS RDS. Consistent policies everywhere.

Unified access
SSO Features

Database SSO Features

Every feature needed for enterprise-grade database authentication.

SAML 2.0 and OIDC authentication
Native TDS protocol support
Works with SSMS, Azure Data Studio, sqlcmd
SQL Server 2016+, Azure SQL, AWS RDS support
Role-based access via IdP groups
Database-level access policies
Read-only vs read-write enforcement
Time-limited database sessions
Cross-environment unified access
Just-in-time privilege elevation
Security

Security Features

Enterprise-grade security controls for database access.

Credential vaulting with AES-256 encryption
Automatic SA and SQL login rotation
T-SQL query-level audit logging
Sensitive data masking in logs
IP allowlist enforcement
TLS encryption for all connections
No direct TDS port exposure
Session timeout enforcement
DDL change detection and alerting
SIEM integration for SOX evidence
Real-World Scenarios

SQL Server SSO Use Cases

Common scenarios where organizations deploy OnePAM Database SSO.

1. Finance teams accessing SQL Server with individual identity for SOX-compliant audit trails
2. Healthcare organizations requiring HIPAA-compliant access to SQL Server patient databases
3. Hybrid environments with SQL Server on-premises and Azure SQL needing unified access controls
4. Legacy ERP systems (SAP, Dynamics) on SQL Server needing modern authentication without application changes
5. PCI DSS compliance for e-commerce platforms storing cardholder data in SQL Server
6. Contractor access to staging SQL Server instances with time-limited, audited sessions
7. Database migration from on-premises SQL Server to Azure SQL with consistent identity-based access
8. Business intelligence teams querying production SQL Server with read-only, MFA-protected access
Frequently Asked Questions

SSO for Microsoft SQL Server FAQ

Common questions about Database SSO and query-level auditing.

Does OnePAM work with Azure SQL Database?

Yes. OnePAM works with Azure SQL Database, Azure SQL Managed Instance, SQL Server on-premises, and AWS RDS for SQL Server. The proxy connects via the standard TDS protocol used by all SQL Server variants.

Can OnePAM replace Windows Authentication?

OnePAM can complement or replace Windows Auth. For organizations migrating from Active Directory to cloud IdPs (Okta, Azure AD), OnePAM provides SAML/OIDC auth for SQL Server without requiring AD domain membership.

How does OnePAM handle SQL Server named instances?

OnePAM supports SQL Server named instances and custom ports. The proxy can be configured to route to specific instances based on the connection parameters.

Does OnePAM work with SSMS (SQL Server Management Studio)?

Yes. SSMS connects to OnePAM's proxy just like it would connect to SQL Server directly. The authentication flow is handled by OnePAM before the SSMS session is established.

Can I keep existing SQL logins during migration?

Yes. OnePAM can run alongside existing SQL logins during migration. Deploy in audit-only mode first to log access, then gradually migrate users to SSO-based authentication.

What about Always On Availability Groups?

OnePAM supports SQL Server Always On Availability Groups. Configure the proxy's upstream target as the availability group listener endpoint so that failover is handled automatically; on multi-subnet clusters, check that the upstream connection follows the listener's multi-subnet failover behavior (MultiSubnetFailover in standard TDS clients) so a failover does not wait for a TCP timeout.

Add SSO to SQL Server Access

Deploy OnePAM database proxy in minutes. Works with SQL Server on-premises, Azure SQL, and AWS RDS.