SSO for Windows RDP. Native Kerberos & Protected Users. Shield Servers from Zero-Day Exploits.
Replace password-based RDP with SAML/OIDC Single Sign-On and native Kerberos authentication. OnePAM speaks the RDP protocol natively. Authenticate through your corporate IdP (Okta, Azure AD, Google Workspace) or through Kerberos against Active Directory, with enforcement of the Protected Users group. Deploy as a local agent on each server or as a dedicated gateway RDP proxy.
Local Agent or Gateway RDP Proxy — Your Choice
OnePAM gives you two deployment models for SSO-protected RDP. Choose based on your infrastructure, compliance requirements, and operational preferences.
OnePAM Agent on Each Windows Server
Install the lightweight OnePAM agent directly on your Windows servers. The agent plugs into the Windows Credential Provider framework and authenticates Remote Desktop logons through your corporate IdP, with no gateway in the path. Users connect with standard RDP clients; the agent handles the SAML/OIDC step transparently. Note that in this mode the client still reaches the server's own RDP listener, so agent mode does not reduce exposure to pre-authentication RDP bugs; use gateway mode (or host firewall rules) where that matters.
- Direct RDP connection — no network hop through a proxy
- Windows Credential Provider integration for native RDP auth
- Short-lived session tokens issued after IdP authentication
- Kerberos authentication with NLA and Protected Users support
- Works with any RDP client (mstsc, Royal TS, Remmina, etc.)
- Full session recording on the server itself
Dedicated Gateway RDP Proxy
Run a dedicated OnePAM gateway that proxies RDP connections to your Windows servers using a native RDP protocol implementation. Users authenticate via SAML/OIDC at the gateway, which then opens the RDP session to the target on their behalf using Network Level Authentication (NLA) with Kerberos. No agent installation is needed on target servers.
- Native RDP protocol implementation
- Kerberos authentication to AD with Protected Users enforcement
- Zero agent installation on target Windows servers
- Centralized session recording at the gateway
- Network-level isolation: TCP/UDP 3389 on the servers is reachable only from the gateway (enforce this with host or network firewall rules)
- RDP protocol inspection and clipboard/drive control
Your Windows Servers Are One RDP CVE Away from Compromise
Windows Remote Desktop has had critical pre-authentication vulnerabilities, such as BlueKeep (CVE-2019-0708) and DejaBlue (CVE-2019-1181/1182) in the RDP service itself and CVE-2024-38077 in the Remote Desktop Licensing Service. If your servers run unpatched, attackers do not need credentials; they need one exploit and network reachability. OnePAM removes the reachability.
BlueKeep (CVE-2019-0708)
Remote unauthenticated code execution via RDP on Windows XP, 7, Server 2003, 2008 and 2008 R2. Wormable, with close to a million internet-exposed hosts vulnerable at the time of disclosure. Full system compromise without any credentials.
DejaBlue (CVE-2019-1181/1182)
A follow-up to BlueKeep affecting newer Windows versions including Windows 10 and Server 2019. Pre-authentication RCE via RDP — no user interaction required.
CVE-2024-38077 (Remote Desktop Licensing Service RCE)
Critical (CVSS 9.8) pre-authentication remote code execution in the Windows Remote Desktop Licensing Service, which is reached over RPC rather than on TCP 3389. It affects supported Windows Server versions with the RD Licensing role installed, so it is relevant wherever that role is exposed to untrusted networks.
Password Spraying & Brute Force
Internet-exposed RDP is consistently among the most common initial-access vectors in ransomware incidents. Attackers brute-force weak passwords, spray common ones across many accounts, or replay credentials leaked in earlier breaches.
How OnePAM Protects RDP from Zero-Day Exploitation
No Direct RDP Exposure
With gateway mode, the RDP port (TCP/UDP 3389) on each server is reachable only from OnePAM, so attackers cannot deliver exploit payloads to the RDP service directly. This holds only if you actually restrict the port: the gateway does not firewall your servers for you, so scope 3389 to the gateway's address in the Windows host firewall (ideally via GPO) or in your network ACLs.
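The host-firewall side of that check, as an added example that is not OnePAM's own configuration or documentation: on each Windows server, disable the stock "Remote Desktop" rule group (which allows 3389 from any address), add allow rules scoped to the gateway, make sure the default inbound action is Block, and then confirm from a non-gateway host that the port no longer answers. The gateway address 10.20.0.10 and the server name win-srv01.corp.example are placeholders. Run it from a console or an already-proxied session, because an existing direct RDP session from any other address will be cut off when the rules change.

```powershell
# Added example, not OnePAM code. Run elevated on the Windows server.
# 10.20.0.10 is a placeholder for the OnePAM gateway's address.
$GatewayAddress = '10.20.0.10'

# The built-in "Remote Desktop" group allows 3389 from anywhere.
# Disable rather than delete it so the stock rules can be restored.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Allow TCP and UDP 3389 only from the gateway. RDP has used UDP 3389
# alongside TCP since Windows 8 / Server 2012, so scope both.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "RDP from OnePAM gateway ($proto)" `
        -Direction Inbound -Protocol $proto -LocalPort 3389 `
        -RemoteAddress $GatewayAddress -Action Allow -Profile Any
}

# Block rules beat allow rules in Windows Firewall, so do not add a
# catch-all block on 3389 (it would block the gateway too). Rely on the
# profile default instead: anything not explicitly allowed is dropped.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Verification 1: list every enabled inbound allow rule for 3389 and the
# remote addresses it admits. Only the two gateway rules should appear.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule   = $_.DisplayName
            Remote = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize

# Verification 2: run this from a workstation that is NOT the gateway.
# TcpTestSucceeded must be False; if it is True, something else (a
# second NIC, a network ACL, a GPO rule) still admits the port.
# Test-NetConnection -ComputerName 'win-srv01.corp.example' -Port 3389 `
#     -WarningAction SilentlyContinue | Select-Object ComputerName, TcpTestSucceeded
```

Push the same rules with Group Policy rather than per host, and set "Apply local firewall rules: No" in the policy so a local administrator cannot quietly re-enable the stock Remote Desktop group. The network ACL in front of the servers should mirror this: 3389 from the gateway subnet only.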
Identity-First RDP
Every RDP session requires a valid IdP-verified identity. No anonymous connections. No password-only authentication. Identity is always verified first.
Short-Lived Session Tokens
Replace static passwords with short-lived session tokens issued after IdP authentication. Tokens expire automatically, so a stolen token has a bounded lifetime and there is no long-lived password to replay against every server.
Patch Safely
Take time to test Windows patches. OnePAM's gateway shields servers from exploitation during the patch window. No rush patching under pressure.
Why Teams Replace RDP Passwords with Identity-Based Access
OnePAM eliminates password-based RDP attacks, enforces corporate identity on every connection, and shields Windows servers from RDP zero-day exploits — all without changing how administrators work.
Block Ransomware via RDP
Exposed RDP is one of the most common ransomware entry vectors. Gateway mode keeps attackers from reaching your RDP services directly, so pre-authentication RDP exploits such as BlueKeep (CVE-2019-0708) have nothing to talk to, even on servers you have not yet patched.
Eliminate Password Attacks
No more brute-force, credential stuffing, or password spraying on RDP. Users authenticate with their corporate identity via SAML/OIDC. Passwords are no longer the access method.
MFA on Every RDP Session
Enforce multi-factor authentication (Duo, FIDO2, push) on every RDP connection using your IdP's MFA policies. No Windows NPS/RADIUS configuration required.
Instant Deprovisioning
Disable a user in your IdP and RDP access to every Windows server stops immediately. No more manual Active Directory cleanup or stale local accounts on remote servers.
RDP Session Recording
Record every RDP session as video for compliance, forensics, and training. Replay sessions with full visual fidelity including mouse movements and keystrokes.
Compliance-Ready Audit Trail
SOC 2, HIPAA, PCI DSS, ISO 27001 — all require access controls and audit trails for remote access. OnePAM provides identity-verified logs for every RDP session.
OnePAM RDP SSO vs. Traditional RDP Access
See what changes when you replace password-based RDP with identity-verified access.
| Capability | With OnePAM | Traditional RDP Access |
|---|---|---|
| Authentication | SAML/OIDC via corporate IdP + Kerberos NLA | Static passwords or local accounts |
| Kerberos & Protected Users | Native Kerberos with Protected Users group enforcement | NTLM fallback, no Protected Users awareness |
| Zero-Day Protection | Gateway shields RDP from exploits | Port 3389 directly exposed to network |
| MFA Enforcement | IdP MFA (Duo, FIDO2, push) | None or complex NPS/RADIUS config |
| Credential Management | Short-lived tokens, auto-expired | Static passwords, manual rotation |
| User Deprovisioning | Instant via IdP disable | Manual AD/local account cleanup |
| Session Recording | Built-in video recording with replay | Requires third-party tools |
| Audit Trail | Identity-verified, centralized | Windows Event Logs only, fragmented |
| Compliance (SOC2/HIPAA/PCI) | Built-in controls and evidence | Manual evidence collection |
We had over 300 Windows servers with RDP exposed for admin access — shared passwords, no MFA, and no session recording. When BlueKeep hit, we scrambled to patch everything overnight. After deploying OnePAM's gateway RDP proxy, our RDP ports are no longer directly reachable. Every session is identity-verified through Azure AD. When CVE-2024-38077 dropped, we patched on our schedule. No panic, no weekend firefighting.
Replace RDP Passwords with Identity. Shield Windows Servers from Zero-Day. Deploy in Minutes.
Add SAML/OIDC SSO to Windows RDP on any Windows Server version — via local agent or gateway RDP proxy. Start your 14-day free trial today.
SSO for Windows RDP - SAML, OIDC, and Kerberos Authentication for Remote Desktop
OnePAM adds SAML 2.0, OpenID Connect (OIDC), and native Kerberos authentication to Windows Remote Desktop Protocol (RDP). OnePAM implements the RDP protocol natively. Supported Windows Server versions include Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025. OnePAM replaces static RDP passwords with identity-based access tied to your corporate Identity Provider (Okta, Azure AD, Google Workspace, OneLogin, Ping Identity) and supports Kerberos authentication with Active Directory Protected Users group enforcement.
Native RDP with Kerberos and Protected Users Support
OnePAM's native RDP implementation supports Kerberos authentication with Network Level Authentication (NLA), enabling secure authentication to Active Directory-joined Windows servers. Placing the RDP administrator accounts in the Protected Users group makes the domain controller refuse NTLM for them, block Kerberos delegation and DES/RC4 pre-authentication, cap TGT lifetime at four hours and stop their credentials from being cached on the server, which removes the NTLM-downgrade and pass-the-hash paths against those accounts. Two caveats: Protected Users applies to domain accounts only (local accounts are not covered), and because NTLM is unavailable the client must reach the server by a name that resolves to a Kerberos SPN, so connect by FQDN rather than IP address or NLA will simply fail.
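The Active Directory and logging side of this claim, as an added example (not OnePAM's code or documentation): move the accounts that RDP into servers into Protected Users, confirm the membership, and then search a server's Security log for RDP logons (event 4624, logon type 10) that still authenticated with NTLM. A Protected Users member cannot produce such an event, so any privileged account that does show up is either not in the group or is being reached by IP address, where CredSSP has no SPN and falls back to NTLM. The group name rdp-admins, the server name win-srv01.corp.example and the domain corp.example are placeholders; the script needs the RSAT ActiveDirectory module and read access to the target's Security log.

```powershell
# Added example, not OnePAM code. Requires the RSAT ActiveDirectory module
# and rights to read the remote Security log.
Import-Module ActiveDirectory

# 1. Put the RDP administrators into Protected Users. Once a member, the DC
#    refuses NTLM for the account, blocks delegation and DES/RC4 pre-auth,
#    limits the TGT to 4 hours and LSASS stops caching its credentials.
#    'rdp-admins' is a placeholder for your own admin group.
$admins = Get-ADGroupMember -Identity 'rdp-admins' -Recursive |
          Where-Object objectClass -eq 'user'
Add-ADGroupMember -Identity 'Protected Users' -Members $admins

# Confirm membership. Any admin missing from this list is still NTLM-capable.
Get-ADGroupMember -Identity 'Protected Users' |
    Select-Object -ExpandProperty SamAccountName |
    Sort-Object

# 2. On a target server, find RDP logons that used NTLM instead of Kerberos.
#    4624 fields are read from the event XML by name rather than by index,
#    which survives field-order differences between Windows versions.
function Get-NtlmRdpLogons {
    param(
        [string]$ComputerName = 'win-srv01.corp.example',  # placeholder
        [int]$Hours = 24
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter |
        ForEach-Object {
            $d = @{}
            ([xml]$_.ToXml()).Event.EventData.Data |
                ForEach-Object { $d[$_.Name] = $_.'#text' }
            # LogonType 10 = RemoteInteractive (RDP with NLA).
            if ($d.LogonType -eq '10' -and $d.AuthenticationPackageName -eq 'NTLM') {
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    Account  = "$($d.TargetDomainName)\$($d.TargetUserName)"
                    SourceIp = $d.IpAddress
                    Package  = $d.AuthenticationPackageName
                }
            }
        }
}

# Expect an empty result for Protected Users members. Each row is either an
# account that escaped the group or a client connecting by IP address.
Get-NtlmRdpLogons | Format-Table -AutoSize
```

For the domain-controller view of the same control, enable the "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController" log on the DCs; it records the NTLM sign-in attempts that Protected Users membership rejected, which is the event you want an alert on. Stage the group change on a test account first, since anything that still depends on NTLM for that identity (legacy file shares, appliances, scheduled tasks) stops working the moment it joins.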
Two Deployment Models for RDP SSO
OnePAM offers two deployment modes: a local agent installed on each Windows server that integrates with Windows Credential Provider for direct RDP access with SAML/OIDC and Kerberos authentication, or a dedicated gateway RDP proxy that authenticates users and proxies RDP connections using a native RDP implementation without requiring any agent installation on target servers. The gateway mode is ideal for legacy Windows servers, unmanaged environments, and networks where you cannot install additional software.
Zero-Day RDP Protection for Outdated Windows Servers
OnePAM's gateway RDP proxy shields unpatched Windows servers from RDP vulnerabilities that are exploitable before authentication. BlueKeep (CVE-2019-0708) and DejaBlue (CVE-2019-1181/1182) require the attacker to reach the RDP service on TCP 3389; with OnePAM's gateway and a firewall scoping 3389 to the gateway, that listener is unreachable from untrusted networks, so those exploits have no target. Other Remote Desktop components are a separate matter: CVE-2024-38077, for example, is in the Remote Desktop Licensing Service and is reached over RPC, so it is mitigated only where that service's ports are restricted as well. Either way, organizations can test and deploy Windows patches on their own schedule rather than rushing emergency updates under pressure.
Replace RDP Passwords with Identity-Verified Access
OnePAM eliminates password-based RDP access by requiring SAML/OIDC or Kerberos authentication before establishing any RDP session. Short-lived session tokens replace static passwords, expiring automatically (configurable from 1 hour to 24 hours). When a user is disabled in the IdP, their RDP access to all Windows servers is immediately revoked. No more shared admin passwords, no more stale local accounts, and no more brute-force or credential stuffing attacks on exposed RDP ports. OnePAM is the native RDP gateway that brings modern identity-based security to Windows Remote Desktop access.