SAML/OIDC SSO for SSH on SUSE Linux Enterprise Server (SLES)

SUSE Linux Enterprise is a trademark of SUSE LLC.

Add SAML/OIDC SSO to SSH on SUSE Linux Enterprise Server. Replace SSH keys with identity-based access for SAP HANA, HPC, and enterprise workloads. Deploy via local agent or gateway SSH proxy. Protect SLES servers from SSH zero-day vulnerabilities.

Get Started in Minutes

Install the OnePAM agent with a single command. No packages to download, no repositories to configure.

Step 1 — Install
curl -sSL https://onepam.com/install/YOUR_ORG_UUID | sudo bash
Step 2 — Verify
systemctl status onepam-agent
The installer auto-registers the endpoint. Confirm the service is active.
Before OnePAM
SSH keys managed via SUSE Manager
# SUSE Manager distributes keys across fleet
# No SAML/OIDC integration for SSH
# No MFA enforcement on SSH sessions
# No session recording
SUSE Manager manages systems, not SSH identity
SAP HANA servers need privileged access
# DBAs share SSH keys or root passwords
# No individual accountability for SAP admin actions
# SOX auditors ask: who accessed the HANA server?
Privileged SSH access to SAP must be auditable
SLES 12 LTSS — limited SSH patches
# SLES 12 in LTSS: limited security updates
# OpenSSH may have unpatched vulnerabilities
# SAP change control delays patching further
Legacy SLES servers can't be patched quickly
After OnePAM
Install OnePAM agent
curl -sSL https://onepam.com/install/YOUR_ORG_UUID | sudo bash
Works on SLES 12 and later, AppArmor-compatible
Verify service and registration
systemctl status onepam-agent
The installer auto-registers this endpoint with your organization
SSH with corporate identity
onepam ssh sap-hana-prod.corp.com
# → Redirected to Okta/Azure AD/SAP Cloud Identity
# → MFA verified, short-lived certificate issued
# → Session recorded for SOX/GDPR compliance
Use 'onepam ssh' — individual accountability for every SAP admin session

Why SLES Servers Need Identity-Based SSH Access

SUSE Linux Enterprise Server (SLES) is the platform of choice for SAP HANA, high-performance computing, and enterprise workloads in regulated industries. SLES servers run mission-critical systems that require the highest levels of access control, audit compliance, and security. SSH access to SLES servers typically relies on SSH keys managed through SUSE Manager or manual distribution. OnePAM adds SAML/OIDC SSO to SSH on SLES without disrupting existing SUSE Manager workflows. The local agent installs with a single command. The gateway SSH proxy protects SLES servers (including SLES 12 in LTSS) without requiring any software installation. OnePAM is particularly valuable for SAP environments where privileged SSH access to HANA database servers must be identity-verified, MFA-protected, and fully audited for SOX, GDPR, and industry-specific compliance.

Local Agent

Install with a single command on SLES 12 and later. AppArmor-compatible. Compatible with SUSE Manager. Designed for SAP HANA and enterprise workloads.

Gateway SSH Proxy

Proxy SSH connections to SLES servers without agent installation. Gateway shields outdated OpenSSH from exploitation. Ideal for SAP environments, deprecated SLES 11 and earlier releases without systemd, and servers where agent installation is not permitted.

SSH Security Risks on SUSE Linux Enterprise

Without identity-based SSH access, these risks threaten your servers every day.

SLES servers running SAP HANA have strict change control — SSH patches take weeks to deploy
SLES 12 in LTSS receives limited security patches and may have unpatched OpenSSH vulnerabilities
Privileged SSH access to SAP HANA database servers is a high-value target for attackers
SUSE Manager distributes SSH keys but doesn't provide identity-based authentication or MFA
HPC clusters running SLES have hundreds of nodes with SSH access managed by static keys

SSH Security Challenges

These are the risks organizations face with traditional SSH authentication.

SAP Change Control

SLES servers running SAP HANA have rigid change control processes. SSH security patches take weeks to test and deploy. During the gap, servers are vulnerable.

Privileged SAP Access

DBAs and SAP Basis administrators need SSH access to HANA servers. This access must be identity-verified and audited for SOX and GDPR compliance.

SUSE Manager Limitations

SUSE Manager distributes SSH keys and manages configurations but lacks SAML/OIDC integration, MFA enforcement, and session recording.

HPC Cluster Scale

SLES-based HPC clusters have hundreds or thousands of nodes. SSH key management at this scale is operationally prohibitive.

SLES 12 LTSS Security

SLES 12 LTSS servers receive limited security patches. SSH zero-day vulnerabilities may remain unpatched in production environments.

Multi-Tier SAP Landscapes

SAP landscapes span dev, QA, and production tiers. SSH access policies must differ by tier with escalating security requirements.

How OnePAM Adds SSO to SSH on SLES

Step-by-step guide to deploying identity-based SSH access.

1. Deploy Agent or Gateway

Install the agent on SLES 12+, or use the gateway for agentless protection in SAP-critical environments.

Agent: Run 'curl -sSL https://onepam.com/install/YOUR_ORG_UUID | sudo bash' on SLES 12+. AppArmor-compatible.
Gateway: Deploy OnePAM as a SLES VM or container. Configure firewall rules to restrict SSH access to gateway only.

2. Connect Corporate IdP

Integrate Okta, Azure AD, SAP Cloud Identity, or any SAML/OIDC provider.

OnePAM supports SAP Cloud Identity Services as an IdP, enabling SAP-native identity integration. Also compatible with enterprise IdPs used alongside SAP.

3. Map SAP Roles to SSH Access

Define SSH access policies based on SAP roles and IdP groups. Different access for Basis, DBA, and developer roles.

SAP Basis admins get sudo access to HANA servers. Developers get read-only access to dev tier. Contractors get time-limited access. All with MFA enforcement.

4. SSH with Corporate Identity

SAP administrators SSH to SLES servers authenticated by their corporate IdP. Short-lived certificates replace static keys.

'onepam ssh sap-hana-prod.corp.com' triggers IdP authentication with MFA. OnePAM issues a certificate. No SSH keys on admin laptops.

5. Audit for SOX and GDPR

Every SSH session to SAP/SLES servers is logged with identity, MFA method, and optional full session recording.

SOX auditors get evidence of who accessed SAP systems, when, with what authentication. GDPR requirements for access logging are met automatically.
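
Step 4 replaces static keys with short-lived certificates, so any static entry still left in an authorized_keys file remains a standing credential outside the IdP. The following inventory script is an added example, not OnePAM code or tooling; it assumes standard OpenSSH authorized_keys syntax, and the function names and sample content are constructed for illustration.

```python
import re

# OpenSSH public-key algorithm names that may begin the key field.
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)"
                      r"|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$")
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')

def first_field(text):
    """Split off the first whitespace-delimited field, honouring double quotes."""
    in_quote = False
    for i, ch in enumerate(text):
        if ch == '"' and (i == 0 or text[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return text[:i], text[i:].lstrip()
    return text, ""

def classify(line):
    """Classify one authorized_keys line; returns None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, (field, rest) = "", first_field(line)
    if not KEY_TYPE.match(field):  # the line starts with an options field
        options, (field, rest) = field, first_field(rest)
    if not KEY_TYPE.match(field):
        return {"kind": "unparsed", "raw": line}
    # Blank out quoted values so commas inside them do not split option names.
    names = {o.split("=", 1)[0].lower() for o in QUOTED.sub('""', options).split(",")}
    blob_and_comment = rest.split(None, 1)
    return {
        "kind": "ca-trust" if "cert-authority" in names else "static-key",
        "key_type": field,
        "comment": blob_and_comment[1] if len(blob_and_comment) > 1 else "",
        # from= and expiry-time= bound where and how long a static key works
        "restricted": bool(names & {"from", "expiry-time"}),
    }

def audit(text):
    """Return every static key entry found in authorized_keys content."""
    entries = (classify(line) for line in text.splitlines())
    return [e for e in entries if e and e["kind"] == "static-key"]

# Constructed sample content; the key blobs are placeholders, not real keys.
SAMPLE = '''\
# constructed sample
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY1 dba-shared@hana
from="10.0.0.0/8",command="/usr/local/bin/backup run" ssh-rsa AAAAB3NzaC1yc2EXAMPLE2 bob's backup job
cert-authority,principals="sap-basis" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLECA3 ssh-ca
'''

if __name__ == "__main__":
    for e in audit(SAMPLE):
        print(e["key_type"], e["comment"], "restricted" if e["restricted"] else "UNRESTRICTED")
```

On a real host, feed it the files named by the AuthorizedKeysFile setting (shown by `sshd -T`) for each account, and treat unrestricted static keys on production HANA servers as the first ones to retire.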

Benefits of SSH SSO on SLES

What changes when you deploy identity-based SSH access.

SAP-Grade Security

Identity-verified, MFA-protected SSH access to SLES servers running SAP HANA. Meets SAP security best practices and audit requirements.

Enterprise SAP security controls

Protect SLES 12 LTSS

Gateway mode shields SLES 12 servers in LTSS from SSH exploits without requiring OS upgrades that would disrupt SAP systems.

Zero-day protection for SLES 12

SUSE Manager Compatible

OnePAM works alongside SUSE Manager. Use Manager for system management, OnePAM for identity-based SSH access.

Complements existing SUSE tooling

HPC Scale

Manage SSH access to hundreds of HPC compute nodes with IdP-based policies. Scale to thousands of SLES nodes.

Scale to 1000+ nodes

SOX/GDPR Compliance

Identity-verified access logs, session recordings, and access reviews satisfy SOX and GDPR requirements for SAP system access.

Regulatory compliance built-in

Multi-Tier SAP Policies

Different access policies for dev, QA, and production SAP tiers. Escalating MFA and recording requirements by environment.

Tier-based access control

SSH SSO Capabilities

Every feature needed for enterprise-grade SSH authentication.

SAML 2.0 & OIDC authentication for SSH on SLES
Quick install via single command on SLES 12+
AppArmor-compatible security integration
SUSE Manager coexistence
SAP Cloud Identity Services integration
Short-lived certificates
SAP role-to-SSH-access mapping
Just-in-time sudo for SAP administration
HPC cluster SSH management at scale
Multi-tier access policies (dev/QA/prod)

Zero-Day Protection Features

Enterprise-grade security controls for SSH access.

Gateway shields SLES sshd from network exploits
Protects SLES 12 LTSS from unpatched SSH CVEs
SSH protocol inspection for SAP environments
Command filtering for SAP system protection
Session recording for SOX/GDPR compliance
Real-time monitoring of privileged SAP access
Certificate revocation for immediate access removal
SIEM integration (SAP Enterprise Threat Detection, Splunk)

SLES SSH SSO Use Cases

Common scenarios where organizations deploy OnePAM SSH SSO.

1. Enterprise SAP team requiring identity-verified SSH access to SLES servers running SAP HANA with full session recording for SOX audits
2. Manufacturing company protecting SLES-based MES and ERP servers from SSH zero-days using gateway proxy during patching windows
3. HPC research center managing SSH access for 500+ researchers across 2000 SLES compute nodes with institutional identity
4. Financial institution enforcing MFA-protected SSH to SLES servers running core banking applications for PCI DSS compliance
5. Automotive OEM securing SSH access to SLES servers running PLM and engineering design applications with contractor access controls
6. Government agency adding FedRAMP-compliant SSH access to SLES servers with session recording and centralized audit trails

SSO for SSH on SUSE Linux Enterprise FAQ

Common questions about SSH SSO and zero-day protection.

Does OnePAM support SAP Cloud Identity Services as an IdP?

Yes. OnePAM integrates with SAP Cloud Identity Services (formerly SAP IAS) via SAML 2.0. This provides SAP-native identity integration for SSH access to SLES servers running SAP workloads.

Is the OnePAM agent compatible with SLES AppArmor?

Yes. The OnePAM agent is designed for SLES and includes AppArmor profiles. It operates within SLES's security framework without requiring AppArmor policy modifications.

Can OnePAM protect SLES 12 servers in LTSS?

Yes. The gateway SSH proxy requires no agent installation on SLES 12 servers. It proxies SSH connections through the gateway, shielding SLES 12's potentially unpatched OpenSSH from exploitation.

How does OnePAM integrate with SUSE Manager?

OnePAM complements SUSE Manager. Use Manager for patching, configuration, and system lifecycle management. Use OnePAM for identity-based SSH authentication, MFA enforcement, and session recording. The agent can be deployed via SUSE Manager.

Can OnePAM manage SSH access to SAP HANA servers with different privilege levels?

Yes. OnePAM maps IdP groups to Linux groups and sudo privileges. SAP Basis admins can get full sudo access with MFA step-up, developers can get restricted access, and contractors can get time-limited read-only access.

Does OnePAM support SLES on IBM Power (ppc64le)?

The gateway SSH proxy works with SLES on any architecture including IBM Power (ppc64le) and IBM Z (s390x) because it requires no agent on the target server. Agent support for these architectures is available on request.

Add SSO to SSH on SUSE Linux Enterprise

Identity-based SSH for SAP, HPC, and enterprise SLES workloads.