SAML/OIDC SSO for MySQL and MariaDB Database Access

MySQL is a trademark of Oracle Corporation. MariaDB is a trademark of MariaDB Corporation Ab.

Add SAML/OIDC Single Sign-On to MySQL and MariaDB database connections. Replace shared database passwords with identity-based access. Full query audit trail with individual accountability.

Overview

Why MySQL Needs Identity-Based Database Access

MySQL and MariaDB power the majority of web applications worldwide — from WordPress and Magento to custom enterprise applications. Database access typically relies on shared credentials embedded in application configuration files, .my.cnf files, and environment variables. OnePAM's database proxy adds SAML/OIDC authentication to MySQL and MariaDB without changing database configuration. The proxy speaks native MySQL wire protocol, works with any MySQL client (mysql CLI, MySQL Workbench, DBeaver, HeidiSQL), and provides identity-verified query logging for compliance. Credentials are stored in OnePAM's encrypted vault and injected at session time — developers never handle database passwords directly. The proxy supports MySQL 5.7+, MySQL 8.x, MariaDB 10.x, and all major managed services including AWS RDS, Azure Database for MySQL, GCP Cloud SQL, and PlanetScale.

Database Security Risks

MySQL Access Security Risks

Without identity-based database access, these risks threaten your data every day.

Shared database credentials across teams and environments
No audit trail for individual query activity
Static passwords stored in config files and environment variables
Inability to revoke access instantly when team members leave
Default port 3306 exposed without identity verification

The Challenge

Database Security Challenges

These are the risks organizations face with traditional database authentication.

Root Password Sharing

MySQL root credentials are shared among DBAs and stored in plaintext configuration files. Password rotation requires updating every application and script that uses the credential.

No Native SAML/OIDC

MySQL's authentication plugins support password, LDAP, and PAM — but not SAML or OIDC. Modern SSO integration requires external proxy infrastructure.

Credential Exposure

MySQL passwords in .my.cnf, environment variables, Docker secrets, and CI/CD pipelines create multiple attack vectors. A single leaked credential compromises the database.

No Individual Accountability

When multiple developers share the same MySQL user, the general query log shows the database user — not the human who ran the query. Forensics becomes guesswork.

Compliance Failures

Shared MySQL credentials fail SOC 2, HIPAA, and PCI DSS requirements for individual access accountability. Auditors flag shared database accounts every time.

Slow Deprovisioning

When an employee leaves, every MySQL credential they had access to must be rotated. Missing even one leaves a backdoor open indefinitely.

Setup Guide

How OnePAM Adds SSO to MySQL

Step-by-step guide to deploying identity-based database access.

1. Connect via OnePAM Proxy

Point your MySQL client to the OnePAM database proxy. The proxy speaks native MySQL wire protocol — works with mysql CLI, MySQL Workbench, DBeaver, and application drivers.

Connection string changes to use the proxy host. No application code changes required beyond updating the connection endpoint.

2. Authenticate via Corporate IdP

OnePAM redirects to your IdP (Okta, Azure AD, Google Workspace) for SAML/OIDC authentication with MFA enforcement.

Browser-based auth flow for interactive sessions. Service accounts use pre-authenticated tokens with identity context.

3. Credential Injection

After authentication, OnePAM retrieves MySQL credentials from its encrypted vault and establishes the database session. Users never see database passwords.

Credentials are scoped per user and per database. Read-only vs. read-write access is enforced based on IdP group membership.

4. Identity-Verified Query Logging

Every SQL query is logged with the authenticated user's corporate identity, providing individual accountability for compliance and forensics.

Logs show '[email protected] executed DROP TABLE orders' instead of 'app_user executed DROP TABLE orders'.

Key Benefits

Benefits of SSO for MySQL

What changes when you deploy identity-based database access.

Individual Accountability

Every MySQL query is attributed to a specific corporate identity. No more shared credentials hiding who did what.

100% identity attribution

Zero Password Exposure

Database passwords stay in the vault. Developers and DBAs never see or handle MySQL credentials directly.

Zero credential exposure

Automatic Rotation

OnePAM rotates MySQL passwords automatically without disrupting applications or users.

Automated rotation

MFA Enforcement

Enforce IdP MFA policies on every MySQL connection. No MySQL-specific auth plugin configuration.

MFA on every session

Instant Deprovisioning

Disable a user in your IdP and MySQL access stops immediately. No password rotation cascade.

Instant revocation

Compliance-Ready Logs

Identity-verified query logs satisfy SOC 2, HIPAA, PCI DSS, and SOX requirements out of the box.

Audit-ready

SSO Features

Database SSO Features

Every feature needed for enterprise-grade database authentication.

SAML 2.0 and OIDC authentication
Native MySQL wire protocol support
Works with mysql CLI, Workbench, DBeaver, HeidiSQL
MySQL 5.7+, 8.x, and MariaDB 10.x support
Connection pooling with identity context
Role-based access control via IdP groups
Read-only vs read-write access policies
Database-level and table-level access control
Time-limited database sessions
Just-in-time privilege elevation

Security

Security Features

Enterprise-grade security controls for database access.

Credential vaulting with AES-256 encryption
Automatic password rotation
Query-level audit logging
Sensitive data masking in logs
IP allowlist enforcement
TLS encryption for all connections
No direct database port exposure
Session timeout enforcement
Destructive query detection and alerting
SIEM integration for alerts

Real-World Scenarios

MySQL SSO Use Cases

Common scenarios where organizations deploy OnePAM Database SSO.

1. Web development teams accessing shared MySQL databases with individual identity instead of shared credentials
2. E-commerce platforms requiring PCI DSS compliance for database access to cardholder data
3. WordPress and CMS platforms needing identity-verified database access for content management
4. Instant revocation of MySQL access when employees leave — no password rotation needed
5. Contractor access to staging MySQL databases with time-limited, audited sessions
6. SOC 2 audits requiring proof of individual database access controls
7. Database migration projects with temporary, identity-verified access to MySQL instances
8. Multi-tenant SaaS platforms managing MySQL access across development, staging, and production

Frequently Asked Questions

SSO for MySQL / MariaDB FAQ

Common questions about Database SSO and query-level auditing.

Does OnePAM work with MySQL on AWS RDS and Azure?

Yes. OnePAM's database proxy works with any MySQL-compatible endpoint — self-hosted MySQL, MariaDB, AWS RDS, Azure Database for MySQL, GCP Cloud SQL, PlanetScale, and Vitess clusters.

Do I need to modify my MySQL server configuration?

No. OnePAM sits in front of MySQL as a proxy. Your MySQL configuration (users, grants, my.cnf) remains unchanged. Only connection endpoints need to point to the proxy.

Does OnePAM support MariaDB-specific features?

Yes. OnePAM's proxy supports the MySQL wire protocol used by both MySQL and MariaDB. MariaDB-specific extensions like sequences and system-versioned tables work transparently through the proxy.

How does OnePAM handle MySQL connection pooling?

OnePAM maintains its own connection pool to MySQL and maps authenticated user sessions to pooled connections. Identity context is preserved through the pool, ensuring every query is attributed to the correct corporate identity.

Can I enforce read-only access for specific users?

Yes. OnePAM can enforce read-only access based on IdP group membership. Users in a 'db-readers' IdP group get SELECT-only access, while 'db-admins' get full read-write permissions.
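To illustrate the group-based read-only policy from this answer and step 3 of the setup guide, together with the identity-attributed, masked audit line from step 4, here is an added example (not OnePAM's code) of how a proxy can classify every statement in a batch, fail closed, and flag destructive statements. The group allow-lists, the DESTRUCTIVE set, the masking rule and the identity alice@example.com are constructed assumptions.

```python
import re

# Constructed policy for this example: IdP group -> statement classes it may run.
# The page names 'db-readers' (SELECT-only) and 'db-admins' (read-write); the exact
# allow-lists, the DESTRUCTIVE set and the masking rule are assumptions, not OnePAM's.
GROUP_POLICY = {
    "db-readers": {"SELECT", "WITH", "SHOW", "DESCRIBE", "EXPLAIN"},
    "db-admins": {"SELECT", "WITH", "SHOW", "DESCRIBE", "EXPLAIN", "INSERT", "UPDATE",
                  "DELETE", "CREATE", "ALTER", "DROP", "TRUNCATE"},
}
DESTRUCTIVE = {"DROP", "TRUNCATE", "DELETE", "ALTER"}
_LEADING_COMMENTS = re.compile(r"(?:\s|/\*.*?\*/|--[^\n]*|#[^\n]*)*", re.S)
_STRING_LITERAL = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")

def split_statements(batch: str):
    """Split on ';' outside quotes, so 'SELECT 1; DROP TABLE t' is two statements.
    Minimal lexer: it does not handle doubled or backslash-escaped quotes."""
    stmts, cur, quote = [], [], None
    for ch in batch:
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"`":
            quote = ch
        elif ch == ";":
            stmts.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    stmts.append("".join(cur))
    return [s for s in stmts if s.strip()]

def statement_class(sql: str) -> str:
    """Leading keyword after whitespace/comments; '' when absent (denied by default)."""
    body = sql[_LEADING_COMMENTS.match(sql).end():]
    m = re.match(r"[A-Za-z]+", body)
    return m.group(0).upper() if m else ""

def authorize(groups, batch: str) -> bool:
    """Fail closed: every statement in the batch must be allowed by one of the user's groups."""
    allowed = set().union(*(GROUP_POLICY.get(g, set()) for g in groups))
    classes = [statement_class(s) for s in split_statements(batch)]
    return bool(classes) and all(c in allowed for c in classes)

def audit_line(identity: str, batch: str) -> str:
    """Identity-attributed log line, string literals masked, destructive statements flagged."""
    masked = _STRING_LITERAL.sub("'***'", " ".join(batch.split()))
    destructive = any(statement_class(s) in DESTRUCTIVE for s in split_statements(batch))
    return f"{identity} executed {masked}" + (" DESTRUCTIVE" if destructive else "")
```

A reader in 'db-readers' is denied a DROP even when it is hidden behind a leading comment or appended after a SELECT in the same batch, which is why classification is per statement rather than per batch.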

What happens during a failover or replica promotion?

OnePAM can be configured with multiple MySQL endpoints (primary + replicas). During failover, the proxy redirects connections to the promoted replica without requiring client reconfiguration.

Add SSO to MySQL Access

Deploy OnePAM database proxy in minutes. Works with MySQL, MariaDB, and all managed services.