
Add SAML/OIDC SSO to RDP on Windows Server 2022 — Via Agent or Gateway RDP Proxy

Replace password-based RDP logins on Windows Server 2022 with enterprise SAML/OIDC Single Sign-On. Deploy via local agent or gateway-powered RDP proxy. Enforce MFA, record sessions, and unify access controls.

Enterprise SSO for Windows Server 2022 Remote Desktop

Windows Server 2022 is the latest long-term servicing channel (LTSC) release of Microsoft's server operating system, widely deployed for Active Directory, file services, IIS, SQL Server, and application hosting. While Server 2022 supports modern security features like Secured-core and TLS 1.3, its RDP authentication still relies on Active Directory passwords or NLA (Network Level Authentication) tied to Windows credentials. This leaves organizations without SAML/OIDC SSO for RDP, without centralized MFA enforcement that works with non-Microsoft IdPs, and without session recording for compliance. OnePAM bridges this gap with two deployment options: a local agent installed on each Windows Server 2022 instance that intercepts the RDP authentication flow and enforces SAML/OIDC verification, or a dedicated gateway RDP proxy that authenticates users via your corporate IdP and brokers the RDP connection — without installing anything on the target server. Both modes provide identity-verified access, session recording, and unified audit trails.

Local Agent

Install the OnePAM agent on each Windows server. The agent intercepts RDP authentication and enforces SAML/OIDC SSO with Kerberos and Protected User support before granting desktop access — no gateway required.

Gateway RDP Proxy

Run a dedicated OnePAM gateway with native RDP protocol support. Users authenticate via SAML/OIDC at the gateway, which brokers the RDP session using Kerberos NLA. No agent needed on target servers.

RDP Security Risks on Windows Server 2022

Without identity-based RDP access, these risks threaten your Windows servers every day.

RDP remains the #1 initial access vector for ransomware attacks targeting Windows servers
Password-only RDP authentication is trivially brute-forced with tools like Hydra and NLBrute
RDP sessions using compromised AD credentials bypass all network-level defenses
Windows Server 2022 RDP zero-days (CVE-2024-38077 RCE) are actively exploited in the wild

RDP Security Challenges

These are the risks organizations face with traditional RDP authentication.

No Native SAML/OIDC for RDP

Windows Server 2022 RDP uses NLA with Kerberos/NTLM authentication. There is no built-in way to authenticate RDP sessions via SAML 2.0 or OpenID Connect from non-Microsoft IdPs. OnePAM bridges this gap with native Kerberos support for AD authentication combined with SAML/OIDC SSO.

NTLM Downgrade Risk

Without Kerberos enforcement, RDP connections can fall back to NTLM authentication, exposing credentials to relay and pass-the-hash attacks. OnePAM enforces Kerberos NLA with Protected User group support to prevent NTLM fallback.
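A practitioner deploying either mode will want to confirm that the target server itself refuses the NTLM fallback described above, rather than relying on the gateway alone. The following is an added audit script, not OnePAM's code, that reads the registry values that govern NLA, the RDP security layer and NTLM restriction, and checks Protected Users membership. The expected-account list is an assumption you supply; run it elevated on a domain-joined Windows Server 2022 host with the ActiveDirectory RSAT module installed.

```powershell
# Added example (not OnePAM code): audit a Windows Server 2022 host for the
# settings the NTLM downgrade discussion depends on. Run in an elevated
# PowerShell session on the server; the Protected Users check needs the
# ActiveDirectory RSAT module and a domain-joined host.

function Get-RdpAuthHardening {
    param(
        # Accounts you expect in Protected Users (assumption: your own admin set)
        [string[]]$ExpectedProtectedUsers = @()
    )
    $rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msvKey = "$lsaKey\MSV1_0"

    function Read-Value([string]$Path, [string]$Name) {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }

    $findings = @()

    # NLA (UserAuthentication = 1) forces authentication before a session is created
    if ((Read-Value $rdpKey 'UserAuthentication') -ne 1) {
        $findings += 'NLA is not required: set UserAuthentication=1 on RDP-Tcp'
    }
    # SecurityLayer 2 = TLS required; 1 = negotiate; 0 = legacy RDP security layer
    if ((Read-Value $rdpKey 'SecurityLayer') -ne 2) {
        $findings += 'RDP security layer is not TLS: set SecurityLayer=2 on RDP-Tcp'
    }
    # LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1
    $lm = Read-Value $lsaKey 'LmCompatibilityLevel'
    if ($null -eq $lm -or $lm -lt 5) {
        $findings += "LmCompatibilityLevel is '$lm' (want 5)"
    }
    # RestrictReceivingNTLMTraffic 2 = deny all incoming NTLM authentication
    $recv = Read-Value $msvKey 'RestrictReceivingNTLMTraffic'
    if ($recv -ne 2) {
        $findings += "Incoming NTLM is not denied (RestrictReceivingNTLMTraffic='$recv', want 2)"
    }

    # Protected Users members cannot authenticate with NTLM at all, so a
    # fallback attempt fails outright instead of producing an NTLM exchange.
    $protected = @()
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        $protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
            Select-Object -ExpandProperty SamAccountName
        foreach ($u in $ExpectedProtectedUsers) {
            if ($protected -notcontains $u) { $findings += "$u is not in Protected Users" }
        }
    } else {
        $findings += 'ActiveDirectory module not available; Protected Users not checked'
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        ProtectedUsers = $protected
        Findings       = $findings
        Hardened       = ($findings.Count -eq 0)
    }
}

# Usage: the account names below are placeholders for your own admin accounts
Get-RdpAuthHardening -ExpectedProtectedUsers 'svc-rdp-admin', 'alice.admin' | Format-List
```

Two caveats when acting on the findings. Denying incoming NTLM outright breaks local-account and non-domain clients, so enable NTLM auditing first (AuditReceivingNTLMTraffic) and review the Microsoft-Windows-NTLM/Operational log before setting the deny value. And Protected Users only helps when Kerberos is actually reachable: an RDP connection made to an IP address rather than the server's FQDN cannot obtain a service ticket, will try NTLM, and will simply fail for a Protected Users member, so the gateway or agent must target servers by name.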

MFA Gaps

Native Windows MFA (via Azure AD / NPS) requires Azure AD Premium licensing and complex NPS RADIUS configuration. Non-Microsoft IdPs (Okta, Google) have no native RDP MFA path.

No Session Recording

Windows Server 2022 does not provide native RDP session recording. Third-party tools are expensive and complex to deploy at scale.

Credential Theft Risk

RDP sessions can be hijacked via pass-the-hash, RDP session shadowing, or credential extraction from LSASS memory. Kerberos with Protected User enforcement and identity-based access eliminates static credential exposure.

Compliance Blind Spots

SOC 2, HIPAA, and PCI DSS require access controls and audit trails for RDP. AD event logs alone are insufficient for compliance evidence.

How OnePAM Adds SSO to Windows Server 2022 RDP

Step-by-step guide to deploying identity-based Windows RDP access.

1. Choose Your Deployment Mode

Install the OnePAM agent on Windows Server 2022 for direct SSO, or deploy a gateway RDP proxy for agentless protection.

Agent mode integrates with the Windows credential provider to intercept RDP logon. Gateway mode runs a dedicated OnePAM instance that brokers RDP connections — the server only accepts connections from the gateway.

2. Connect Your Identity Provider

Configure your corporate IdP — Okta, Azure AD, Google Workspace, Ping Identity, or any SAML 2.0 / OIDC provider.

OnePAM handles the full federation handshake. Users are redirected to your IdP, authenticate with MFA, and receive a signed assertion that OnePAM validates before granting RDP access.

3. Map Identities to Windows Accounts

Define how IdP user attributes (email, UPN, employee ID) map to Windows user accounts for RDP session creation.

OnePAM supports attribute-based mapping, AD group synchronization, and just-in-time local account provisioning. Users authenticate via IdP but land in their Windows desktop with the correct account.

4. Enforce Access Policies

Set granular RDP access rules based on IdP groups, IP ranges, device posture, time windows, and MFA requirements.

Policies control who can RDP into which servers, from where, at what times, and with what authentication strength. Contractors get time-limited access; admins require step-up MFA.

5. Record, Audit, Comply

Every RDP session is logged with full IdP context. Enable video-like session recording for compliance and forensics.

Compliance teams get identity-verified audit trails: who connected via RDP, which IdP authenticated them, what MFA was used, from which device and location, and a full visual recording of the session.
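To make the policy dimensions of step 4 concrete (IdP group, source IP range, time window, access expiry and MFA strength), here is an added example of a minimal RDP access-policy evaluator. It is illustration code, not OnePAM's own policy engine: the policy and request shapes, the server-group names, the IP ranges and the user names are all constructed assumptions, and OnePAM's real policy format is not documented on this page. The deny reasons are collected rather than short-circuited so the resulting decision can be written to the audit trail step 5 describes.

```powershell
# Added example (not OnePAM code): evaluate an RDP access request against a
# per-server-group policy. Policy and request structures are assumptions.

function Test-IpInCidr {
    param([string]$Ip, [string]$Cidr)
    # Prefix comparison on raw address bytes, so IPv4 and IPv6 both work
    $network, $prefix = $Cidr -split '/'
    $ipBytes  = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($network).GetAddressBytes()
    if ($ipBytes.Length -ne $netBytes.Length) { return $false }   # v4 vs v6 never match
    $prefix = [int]$prefix
    for ($i = 0; $i -lt $ipBytes.Length; $i++) {
        $remaining = $prefix - ($i * 8)
        if ($remaining -le 0) { return $true }
        $maskBits = [Math]::Min(8, $remaining)
        $mask = (0xFF -shl (8 - $maskBits)) -band 0xFF
        if (($ipBytes[$i] -band $mask) -ne ($netBytes[$i] -band $mask)) { return $false }
    }
    return $true
}

function Test-RdpAccess {
    param(
        [Parameter(Mandatory)][hashtable]$Policy,
        [Parameter(Mandatory)][hashtable]$Request
    )
    # Constructed MFA strength ranking: a policy minimum of 'fido2' is the step-up case
    $mfaRank = @{ none = 0; push = 1; totp = 1; fido2 = 2 }
    $reasons = @()

    if (-not ($Request.Groups | Where-Object { $Policy.AllowedGroups -contains $_ })) {
        $reasons += 'user is not in an allowed IdP group'
    }
    if (-not ($Policy.AllowedCidrs | Where-Object { Test-IpInCidr -Ip $Request.SourceIp -Cidr $_ })) {
        $reasons += "source IP $($Request.SourceIp) is outside the allowed ranges"
    }
    $hour = $Request.Time.Hour
    if ($hour -lt $Policy.WindowStartHour -or $hour -ge $Policy.WindowEndHour) {
        $reasons += "request at $($Request.Time.ToString('HH:mm')) is outside the access window"
    }
    if ($Policy.ExpiresAt -and $Request.Time -gt $Policy.ExpiresAt) {
        $reasons += 'time-limited access has expired'
    }
    $userRank = if ($mfaRank.ContainsKey($Request.MfaMethod)) { $mfaRank[$Request.MfaMethod] } else { 0 }
    if ($userRank -lt $mfaRank[$Policy.MinMfa]) {
        $reasons += "MFA method '$($Request.MfaMethod)' is weaker than required '$($Policy.MinMfa)'"
    }

    [pscustomobject]@{
        User        = $Request.User
        ServerGroup = $Policy.ServerGroup
        Allowed     = ($reasons.Count -eq 0)
        Record      = $Policy.Record
        Reasons     = $reasons
    }
}

# Constructed policies: production SQL hosts require FIDO2 step-up; a vendor
# gets push MFA, a narrow source range, business hours, and an expiry date.
$prodPolicy = @{
    ServerGroup = 'prod-sql'; AllowedGroups = @('sql-admins'); AllowedCidrs = @('10.20.0.0/16')
    WindowStartHour = 0; WindowEndHour = 24; MinMfa = 'fido2'; Record = $true
}
$vendorPolicy = @{
    ServerGroup = 'app-staging'; AllowedGroups = @('vendor-x'); AllowedCidrs = @('203.0.113.0/24')
    WindowStartHour = 9; WindowEndHour = 17; MinMfa = 'push'; Record = $true
    ExpiresAt = [datetime]'2024-06-30'
}

# Constructed requests
$adminFido  = @{ User = 'alice@example.com'; Groups = @('sql-admins'); SourceIp = '10.20.5.7'
                 Time = [datetime]'2024-06-03T10:15:00'; MfaMethod = 'fido2' }
$adminPush  = $adminFido.Clone(); $adminPush.MfaMethod = 'push'
$vendorLate = @{ User = 'bob@vendor.example'; Groups = @('vendor-x'); SourceIp = '203.0.113.9'
                 Time = [datetime]'2024-06-03T22:05:00'; MfaMethod = 'push' }

Test-RdpAccess -Policy $prodPolicy   -Request $adminFido    # Allowed: True
Test-RdpAccess -Policy $prodPolicy   -Request $adminPush    # Denied: MFA weaker than fido2
Test-RdpAccess -Policy $vendorPolicy -Request $vendorLate   # Denied: outside access window
```

The evaluator deliberately treats an unknown MFA method as strength 0 and a missing group match as a denial, so a malformed assertion from the IdP fails closed rather than open; whatever policy engine you actually run should behave the same way.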

Business Impact of SSO for Windows Server 2022 RDP

Measurable security and operational outcomes from deploying OnePAM Windows RDP SSO.

Native Kerberos with Protected User

OnePAM authenticates to RDP targets via Kerberos NLA with Active Directory Protected User group enforcement. NTLM downgrade, pass-the-hash, and credential theft attacks are blocked at the protocol level.

Kerberos + Protected User

Eliminate RDP Password Attacks

Users authenticate via SAML/OIDC — no RDP passwords exposed to brute-force. Credential stuffing, password spraying, and pass-the-hash attacks become impossible.

100% password attacks eliminated

MFA on Every RDP Session

Enforce multi-factor authentication (Duo, FIDO2, push, biometrics) on every RDP connection using your IdP's existing MFA policies.

100% MFA-protected sessions

Visual RDP Session Recording

Record every RDP session as a video-like playback with full metadata. Replay sessions frame-by-frame for compliance, forensics, and training.

Full visual audit trail

Instant Deprovisioning

Disable a user in your IdP and RDP access to all Windows servers stops immediately. No orphan AD accounts, no lingering sessions.

Real-time access revocation

Works with Any IdP

Use Okta, Azure AD, Google Workspace, Ping Identity, OneLogin, or any SAML 2.0/OIDC provider — not locked to Microsoft's ecosystem.

Any SAML/OIDC IdP supported

Windows RDP SSO Capabilities

Every feature needed for enterprise-grade Windows RDP authentication.

Native RDP protocol implementation
Kerberos authentication with NLA and Protected User enforcement
SAML 2.0 & OIDC SSO for Windows Server 2022 RDP
Two deployment modes: local agent or gateway RDP proxy
MFA enforcement via any IdP (Okta, Azure AD, Google, Duo)
Visual RDP session recording with frame-by-frame playback
IdP group-to-Windows group mapping
Just-in-time local account provisioning
Time-limited RDP access for contractors and vendors
Concurrent session controls and idle timeout policies

Zero-Day Protection Features

Enterprise-grade security controls for RDP access.

Kerberos NLA prevents NTLM downgrade attacks
Protected User group enforcement blocks credential theft
Identity-verified RDP — no anonymous connections possible
TLS encryption between gateway and target server
RDP protocol inspection at the gateway layer
Automatic session termination on IdP sign-out

Windows Server 2022 RDP SSO Use Cases

Common scenarios where organizations deploy OnePAM Windows RDP SSO.

1. System administrators accessing Windows Server 2022 via corporate SSO with MFA enforcement
2. Remote contractors given time-limited, recorded RDP access to specific servers
3. SOC 2 and HIPAA compliance with identity-verified RDP audit trails and session recordings
4. Securing Windows Server 2022 IIS and SQL Server hosts from RDP-based lateral movement
5. IT teams managing hybrid cloud Windows servers across Azure and on-premise data centers
6. MSPs providing multi-tenant RDP access to customer Windows servers with per-tenant IdP integration

Windows Server 2022 RDP SSO FAQ

Common questions about Windows RDP SSO and zero-day protection.

Does OnePAM replace Windows Remote Desktop Gateway?

OnePAM can replace or augment RD Gateway. In gateway mode, OnePAM serves as the RDP entry point with SAML/OIDC authentication, session recording, and policy enforcement — capabilities RD Gateway does not provide natively.

Can I use Okta or Google Workspace instead of Azure AD for RDP SSO?

Yes. OnePAM supports any SAML 2.0 or OIDC provider. Unlike Microsoft's native MFA for RDP (which requires Azure AD Premium + NPS), OnePAM works with Okta, Google Workspace, Ping Identity, OneLogin, and any standards-compliant IdP.

Does the gateway mode require installing anything on Windows Server 2022?

No. Gateway mode is completely agentless. The OnePAM gateway brokers the RDP connection and handles authentication externally. The Windows server only receives connections from the gateway.

How does session recording work for RDP?

OnePAM captures the RDP session as a visual recording at the gateway or agent level. Sessions can be replayed frame-by-frame in the OnePAM dashboard with full metadata (who, when, where, which server, MFA method).

What happens when a user is disabled in our IdP?

RDP access stops immediately. OnePAM validates the IdP session before every new RDP connection, so a disabled IdP account cannot establish new sessions. Active sessions can be configured to terminate within a defined timeout.

Can OnePAM enforce different policies for different servers?

Yes. Policies are defined per server or server group. You can require step-up MFA for production servers, allow time-limited access for contractors, restrict access by IP/geo, and enforce session recording selectively.

Add SSO to Windows Server 2022 RDP. Deploy in Minutes.

Replace password-based RDP with identity-verified access. Enforce MFA, record sessions, and unify your audit trail — via local agent or gateway RDP proxy.