Technologies are shown for session centric access control of a remote connection that involve receiving a connection request, redirecting the request to a trusted authority, and receiving a redirection of the request along with a profile or role determined for the client. A container is created for a remote connection with a certificate and a public key along with an identifier for each endpoint authorized in association with the profile or role determined for the client. Single use credentials are created and a secure shell initialized for the remote connection using the credentials, certificate and public key. The secure shell is presented to the client and the credentials expired. When an access request for an endpoint is received via the shell, it is determined whether an identifier corresponding to the requested endpoint is stored in the container for the shell and, if so, access is allowed to the requested endpoint.