
SAML/OIDC SSO for SSH on Red Hat Enterprise Linux

Red Hat Enterprise Linux is a trademark of Red Hat, Inc.

Add SAML/OIDC SSO to SSH on Red Hat Enterprise Linux (RHEL). Replace SSH keys with identity-based access via Okta, Azure AD, or any SAML/OIDC IdP. Deploy via local agent or gateway SSH proxy. Protect RHEL servers from SSH zero-day exploits.

Get Started in Minutes

Install the OnePAM agent with a single command. No packages to download, no repositories to configure.

Step 1 — Install
curl -sSL https://onepam.com/install/YOUR_ORG_UUID | sudo bash
Step 2 — Verify
systemctl status onepam-agent
The installer auto-registers the endpoint. Confirm the service is active.
Before OnePAM
Manage SSH keys via Satellite or Ansible
# Distribute keys across RHEL fleet
ansible all -m authorized_key -a "user=deploy key='ssh-ed25519 AAAA...'"
# Or manage via Satellite host groups
Keys proliferate across RHEL servers with no unified view
SSSD/IPA doesn't cover SSH SSO
# SSSD provides LDAP/Kerberos — not SAML/OIDC
# Adding cloud IdP auth requires complex bridging
# No native MFA for SSH sessions
RHEL's identity stack lacks modern SSO integration for SSH
Compliance gaps for privileged access
# SSH logs scattered in /var/log/secure per server
# No session recording for SOX/FedRAMP audits
# No centralized view of who accessed what
FedRAMP, DISA STIG, NIST 800-53 require more
After OnePAM
Install OnePAM agent
curl -sSL https://onepam.com/install/YOUR_ORG_UUID | sudo bash
Works on RHEL 7, 8, and 9, SELinux-compatible
Verify service and registration
systemctl status onepam-agent
The installer auto-registers this endpoint with your organization
SSH with corporate identity
onepam ssh rhel-server.corp.com
# → Redirected to Okta/Azure AD/Ping Identity
# → MFA verified, short-lived certificate issued
# → Session recorded for compliance
Use 'onepam ssh' — works alongside existing SSSD/IPA configurations

Why RHEL Servers Need Identity-Based SSH Access

Red Hat Enterprise Linux is the standard for mission-critical enterprise workloads — SAP HANA, Oracle Database, financial systems, healthcare platforms, and government infrastructure. RHEL servers often run for years without major updates, making them prime targets for SSH zero-day exploits. SSH access to RHEL servers typically relies on static keys managed through Satellite, Ansible, or manual processes. OnePAM adds SAML/OIDC SSO to SSH on RHEL without disrupting SSSD, IPA, or existing Red Hat identity integrations. The local agent is SELinux-compatible and installs with a single command. The gateway SSH proxy protects RHEL servers (including RHEL 7 and 8 in extended lifecycle) without any agent installation — shielding outdated OpenSSH versions from exploitation. OnePAM maps IdP groups to RHEL user groups and sudo privileges, enforces MFA via your IdP, and provides the audit trails required by FedRAMP, NIST 800-53, and DISA STIG compliance.

Local Agent

Install the OnePAM agent on RHEL with a single command. SELinux-compatible. Supports RHEL 7 and later. Compatible with Red Hat Satellite-managed environments.

Gateway SSH Proxy

Deploy a OnePAM gateway to proxy SSH connections to RHEL servers. No agent required. Ideal for segmented environments, Satellite-managed fleets, deprecated RHEL 6 and earlier releases without systemd, and servers where agent installation is not permitted.

SSH Security Risks on Red Hat Enterprise Linux

Without identity-based SSH access, these risks threaten your servers every day.

RHEL servers in production often run OpenSSH versions that lag behind upstream security patches by weeks or months
RHEL 7 extended lifecycle support has limited security patches — SSH zero-days may remain unpatched
Enterprise change control processes delay SSH security patches on RHEL production systems
SSH key sprawl across RHEL servers managed by Satellite creates an unauditable access landscape
Privileged SSH access to RHEL servers running SAP, Oracle, or financial systems is a high-value target for attackers

SSH Security Challenges

These are the risks organizations face with traditional SSH authentication.

Long-Lived RHEL Servers

RHEL servers run mission-critical workloads for years. They accumulate SSH keys and local accounts that outlive the employees who created them.

SSSD/IPA Complexity

RHEL's SSSD and IPA integrations provide LDAP/Kerberos but not modern SAML/OIDC for SSH. Adding cloud IdP authentication requires complex bridging.

FedRAMP/STIG Compliance

Government and defense environments require DISA STIG-compliant SSH access with identity verification, session recording, and centralized audit trails.

Satellite-Managed Fleets

Red Hat Satellite manages SSH keys at scale but doesn't provide identity-based access, MFA enforcement, or session recording.

SELinux Compatibility

SSH authentication changes must work within RHEL's SELinux policies. Poorly integrated authentication modules trigger SELinux denials and break SSH.

SAP/Oracle Privileged Access

RHEL servers running SAP HANA and Oracle Database require privileged SSH access for DBAs — with strong identity verification and session auditing.

How OnePAM Adds SSO to SSH on RHEL

Step-by-step guide to deploying identity-based SSH access.

1. Choose Agent or Gateway Deployment

Install the OnePAM agent on RHEL, or deploy a gateway SSH proxy for agentless protection.

Agent: Run 'curl -sSL https://onepam.com/install/YOUR_ORG_UUID | sudo bash' on RHEL 7+. The agent is SELinux-compatible.
Gateway: Deploy OnePAM gateway as a RHEL VM or container. Configure RHEL servers to accept SSH only from the gateway.

2. Connect Your Identity Provider

Configure Okta, Azure AD, Ping Identity, or any SAML 2.0/OIDC provider for SSH authentication.

OnePAM handles SAML/OIDC authentication and maps IdP attributes to RHEL users and groups. Compatible with existing SSSD/IPA deployments — OnePAM can coexist with or replace LDAP-based authentication.

3. Map IdP Groups to RHEL Access

Define which IdP groups can SSH to which RHEL servers, with what sudo privileges, and under what conditions.

Example: IdP group 'sap-admins' gets root access to SAP RHEL servers with MFA step-up. 'developers' get user-level access to dev servers. 'contractors' get time-limited access that expires automatically.

4. Authenticate SSH via Corporate Identity

Users SSH to RHEL servers using their corporate credentials. Short-lived certificates replace static SSH keys.

'onepam ssh rhel-server.corp.com' triggers IdP authentication. After MFA, OnePAM issues a certificate valid for the session. RHEL's sshd trusts the OnePAM CA and accepts the certificate. No local password, no SSH key.

5. Audit and Comply

Every SSH session is logged with IdP identity, MFA status, device info, and optional keystroke recording.

Meets FedRAMP, NIST 800-53, DISA STIG, SOC 2, and HIPAA requirements for privileged access management. Export logs to Splunk, Elastic, or your SIEM.
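Steps 3 and 4 above (and the sudo question in the FAQ) describe a mapping from IdP groups to a RHEL principal, a sudo scope and a certificate lifetime. The following is an added illustration of that decision logic, not OnePAM's code: the Rule and Grant structures, the server-tag model, the helper names and the sample claims are all assumptions made here. Only the group names ('sap-admins', 'developers', 'contractors', 'dba-team' to the 'dba' Linux group), the 1-24 hour TTL range and the "certificate only after MFA" ordering come from the page. The block does not run ssh-keygen; it produces the argument list a CA host would run to sign the user's public key with a short validity window.

```python
# Added example (not OnePAM code): evaluate an IdP-group -> RHEL access policy
# and derive the parameters of a short-lived SSH user certificate.
# Rule/Grant layout, server tags, helper names and sample claims are invented
# here; group names and the 1-24 hour TTL range come from the page text.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MIN_TTL_HOURS, MAX_TTL_HOURS = 1, 24        # page: 1-24 hour certificate TTL
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock


@dataclass(frozen=True)
class Rule:
    idp_group: str           # group claim from the SAML assertion / OIDC token
    server_tags: frozenset   # servers the rule applies to (assumed tag model)
    principal: str           # RHEL login placed in the certificate (-n)
    linux_group: str         # Linux group the IdP group maps to
    sudo_commands: tuple     # () = no sudo, ('ALL',) = unrestricted sudo
    mfa_step_up: bool        # require fresh MFA before sudo elevation
    ttl_hours: int           # certificate lifetime


# Hypothetical policy mirroring the page's examples. Rules are evaluated in
# order and the first match wins, so the most privileged rules are listed first.
POLICY = (
    Rule("sap-admins",  frozenset({"sap"}),    "root",       "wheel",      ("ALL",), True,  4),
    Rule("dba-team",    frozenset({"oracle"}), "oracle",     "dba",
         ("/usr/bin/systemctl restart oracle-db",), True, 8),
    Rule("developers",  frozenset({"dev"}),    "deploy",     "developers", (),       False, 12),
    Rule("contractors", frozenset({"dev"}),    "contractor", "contractors", (),      False, 1),
)


@dataclass(frozen=True)
class Grant:
    principal: str
    linux_group: str
    sudo_commands: tuple
    mfa_step_up: bool
    ttl_hours: int
    valid_until: datetime


def evaluate(claims, server_tags, mfa_verified, now):
    """Decide access for one login attempt. MFA at the IdP is a precondition for
    issuing any certificate; a group match on the wrong server grants nothing."""
    if not mfa_verified:
        return None
    groups = set(claims.get("groups", ()))
    tags = frozenset(server_tags)
    for rule in POLICY:
        if rule.idp_group in groups and rule.server_tags & tags:
            ttl = min(max(rule.ttl_hours, MIN_TTL_HOURS), MAX_TTL_HOURS)
            return Grant(rule.principal, rule.linux_group, rule.sudo_commands,
                         rule.mfa_step_up, ttl, now + timedelta(hours=ttl))
    return None


def keygen_args(ca_key, user_pubkey, key_id, grant):
    """ssh-keygen invocation a CA host would run: -I key id (sshd logs it),
    -n the single principal, -V a validity window relative to now."""
    return ["ssh-keygen", "-s", ca_key, "-I", key_id, "-n", grant.principal,
            "-V", f"+{grant.ttl_hours}h", user_pubkey]


def sudoers_line(grant):
    """sudoers entry for the mapped Linux group, or None when the grant has no sudo."""
    if not grant.sudo_commands:
        return None
    return f"%{grant.linux_group} ALL=(ALL) {', '.join(grant.sudo_commands)}"


if __name__ == "__main__":
    claims = {"sub": "jdoe", "groups": ["sap-admins", "developers"]}
    grant = evaluate(claims, ["sap"], mfa_verified=True, now=SAMPLE_NOW)
    print(grant)
    print(" ".join(keygen_args("/etc/onepam/ca", "id_ed25519.pub", "onepam-jdoe", grant)))
    print(sudoers_line(grant))
```

On the server side, the certificate produced by that ssh-keygen call is accepted only if sshd_config carries TrustedUserCAKeys pointing at the CA's public key, so rotating or revoking the CA key (or a serial via RevokedKeys) cuts off every certificate it signed.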
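Step 5 asks for an audit trail, and step 1's gateway mode assumes servers accept SSH only from the gateway. One check a practitioner would want before trusting either is to read the sshd "Accepted" lines from /var/log/secure and flag logins that still use a static authorized_keys entry, a password, a certificate from a CA other than the trusted one, or a source address outside the gateway subnet. The block below is an added example and not OnePAM code: the log lines, fingerprints, gateway subnet and helper names are constructed here; the line layout follows OpenSSH's authentication logging, in which a certificate login records the key ID, serial and CA fingerprint.

```python
# Added example (not OnePAM code): audit sshd "Accepted" lines from
# /var/log/secure for logins that bypass the gateway or do not use a
# certificate from the trusted CA. Log lines, fingerprints, subnet and helper
# names are constructed for this example.
import ipaddress
import re
from collections import Counter

# Constructed values: the CA fingerprint sshd trusts via TrustedUserCAKeys and
# the subnet the gateway proxies connections from.
TRUSTED_CA_FP = "SHA256:c0nstructedCAfingerprint0000000000000000000"
GATEWAY_NETS = (ipaddress.ip_network("10.10.0.0/24"),)

ACCEPT_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) "
    r"port \d+ ssh2(?:: (?P<detail>.*))?$")
# Certificate logins: "<TYPE>-CERT SHA256:... ID <keyid> (serial N) CA <TYPE> SHA256:..."
CERT_RE = re.compile(
    r"^(?P<ktype>[\w-]+)-CERT (?P<fp>SHA256:\S+) ID (?P<keyid>.+?) "
    r"\(serial (?P<serial>\d+)\) CA \S+ (?P<cafp>SHA256:\S+)$")


def classify(line):
    """Return an audit record for one accepted login, or None for any other line."""
    m = ACCEPT_RE.search(line)
    if not m:
        return None
    rec = {"user": m["user"], "src": m["src"], "method": m["method"],
           "keyid": None, "findings": []}
    cert = CERT_RE.match(m["detail"] or "")
    if cert:
        rec["keyid"] = cert["keyid"]          # identity the CA bound to the cert
        if cert["cafp"] != TRUSTED_CA_FP:
            rec["findings"].append("untrusted-ca")
    elif m["method"] == "publickey":
        rec["findings"].append("static-key")  # authorized_keys entry, not a cert
    else:
        rec["findings"].append(f"{m['method']}-auth")  # password, keyboard-interactive
    try:
        src_ip = ipaddress.ip_address(m["src"])
        if not any(src_ip in net for net in GATEWAY_NETS):
            rec["findings"].append("bypassed-gateway")
    except ValueError:
        rec["findings"].append("unparsed-source")
    return rec


def audit(lines):
    """Records for every accepted login in the given log lines."""
    return [r for r in (classify(ln) for ln in lines) if r]


def summarize(records):
    """Count of each finding across the records, for a per-server summary."""
    return Counter(f for r in records for f in r["findings"])


# Constructed sample of /var/log/secure content.
SAMPLE_LINES = [
    "Mar  3 09:12:01 rhel-sap01 sshd[2141]: Accepted publickey for root from 10.10.0.5 "
    "port 50212 ssh2: ED25519-CERT SHA256:c0nstructedUserKey00000000000000000000000000 "
    "ID onepam-jdoe (serial 42) CA ED25519 " + TRUSTED_CA_FP,
    "Mar  3 09:14:37 rhel-sap01 sshd[2199]: Accepted publickey for deploy from 10.10.0.7 "
    "port 50230 ssh2: ED25519 SHA256:c0nstructedStaticKey0000000000000000000000000",
    "Mar  3 09:20:02 rhel-sap01 sshd[2260]: Accepted password for oracle from 192.0.2.44 "
    "port 4421 ssh2",
    "Mar  3 09:25:10 rhel-sap01 sshd[2301]: Accepted publickey for deploy from 10.10.0.5 "
    "port 50301 ssh2: RSA-CERT SHA256:c0nstructedOtherKey00000000000000000000000000 "
    "ID legacy-ca-user (serial 7) CA RSA SHA256:c0nstructedOtherCA000000000000000000000000",
    "Mar  3 09:26:55 rhel-sap01 sshd[2318]: Failed password for invalid user admin "
    "from 198.51.100.9 port 3322 ssh2",
]

if __name__ == "__main__":
    records = audit(SAMPLE_LINES)
    for r in records:
        print(r["user"], r["src"], r["keyid"], r["findings"])
    print(summarize(records))
```

Because the pattern anchors on "sshd[" rather than on the timestamp, the same parser works on lines pulled from journalctl or forwarded to a SIEM; the useful output for compliance is the keyid, which ties the RHEL login back to the IdP identity instead of to a shared account.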

Benefits of SSH SSO on RHEL

What changes when you deploy identity-based SSH access.

Enterprise Identity for Enterprise Linux

RHEL servers authenticate SSH via the same IdP used for SaaS apps. One identity, one MFA policy, one audit trail across all systems.

Unified identity across all RHEL servers

Protect Long-Lived RHEL Systems

Gateway mode shields RHEL 7 and 8 servers from SSH zero-days without requiring OpenSSH upgrades. Patch on your schedule.

Zero-day protection for legacy RHEL

SELinux-Compatible Agent

OnePAM's agent is designed for RHEL's security model. No SELinux policy modifications required. Works within existing security contexts.

Zero SELinux denials

FedRAMP/STIG Ready

OnePAM provides the identity verification, session recording, and audit trail controls required by FedRAMP and DISA STIG for SSH access.

Compliance-ready from day one

Satellite-Compatible

OnePAM works alongside Red Hat Satellite. Use Satellite for system management and OnePAM for identity-based SSH access.

Works with existing RHEL tooling

Privileged Session Management

Record and audit privileged SSH sessions on RHEL servers running SAP, Oracle, and other critical workloads.

Full session recording and replay

SSH SSO Capabilities

Every feature needed for enterprise-grade SSH authentication.

SAML 2.0 & OIDC authentication for SSH on RHEL
SELinux-compatible agent
Compatible with RHEL 7 and later
SSSD/IPA coexistence mode
IdP group-to-RHEL-group and sudo mapping
Short-lived certificates (1-24 hour TTL)
Automatic user provisioning from IdP attributes
Just-in-time sudo elevation with MFA step-up
Red Hat Satellite compatibility
Quick install via single command on RHEL 7+

Zero-Day Protection Features

Enterprise-grade security controls for SSH access.

Gateway shields sshd from network-based SSH exploits
Zero-day protection for RHEL 7/8 extended lifecycle servers
SSH protocol inspection and command filtering
Session recording with tamper-proof storage
Real-time session monitoring and forced termination
FedRAMP, NIST 800-53, DISA STIG controls
FIPS 140-2 compatible cryptographic operations
SIEM integration (Splunk, Elastic, Datadog)

RHEL SSH SSO Use Cases

Common scenarios where organizations deploy OnePAM SSH SSO.

1. Government agency enforcing DISA STIG-compliant SSH access to RHEL servers running classified workloads with full session recording
2. Enterprise SAP team requiring MFA-protected SSH access to RHEL servers running SAP HANA with sudo elevation auditing
3. Financial institution replacing SSH keys with short-lived certificates on 500+ RHEL servers to meet PCI DSS and SOX requirements
4. Healthcare organization enforcing HIPAA-compliant SSH access to RHEL servers with identity verification and session recording
5. MSP managing RHEL servers across multiple clients with time-limited, identity-verified SSH access for support engineers
6. Defense contractor using gateway SSH proxy to protect RHEL 7 servers in extended lifecycle from SSH zero-day vulnerabilities

SSO for SSH on RHEL FAQ

Common questions about SSH SSO and zero-day protection.

Does OnePAM work with RHEL's SSSD and IPA?

Yes. OnePAM can coexist with SSSD and Red Hat Identity Management (IdM/IPA). You can use OnePAM for SAML/OIDC-based SSH authentication while keeping SSSD for other system authentication. OnePAM does not conflict with existing LDAP or Kerberos configurations.

Is the OnePAM agent SELinux-compatible?

Yes. The OnePAM agent is designed and tested for RHEL's SELinux enforcing mode. It includes SELinux policy modules that integrate with RHEL's security contexts. No manual policy modifications are required.

Can OnePAM protect RHEL 7 servers in extended lifecycle?

Yes. The gateway SSH proxy requires no agent installation on the RHEL server. It proxies SSH connections through the gateway, shielding RHEL 7 servers from SSH exploits without requiring OpenSSH upgrades. This is ideal for systems that cannot be upgraded but must remain accessible.

Does OnePAM meet FedRAMP and DISA STIG requirements?

OnePAM provides the identity verification, multi-factor authentication, session recording, and centralized audit trail controls specified in FedRAMP, NIST 800-53, and DISA STIG for privileged access management of Linux systems.

How does OnePAM integrate with Red Hat Satellite?

OnePAM works alongside Satellite. Use Satellite for system management, patching, and configuration management. Use OnePAM for identity-based SSH authentication, MFA enforcement, and session recording. The OnePAM agent can be deployed via Satellite using the quick install command.

Can OnePAM manage sudo access based on IdP groups?

Yes. OnePAM maps IdP groups to Linux groups and sudo privileges. For example, the IdP group 'dba-team' can be mapped to the 'dba' Linux group with sudo access to Oracle-specific commands. Sudo elevation can require MFA step-up for sensitive operations.

Add SSO to SSH on Red Hat Enterprise Linux

Deploy identity-based SSH access on RHEL in minutes.