Identity Federation

Enhanced Advanced

Note

This is an Early Access feature. See the Early Access documentation for more information.

Identity federation allows a Posit Connect server to map external OpenID Connect (OIDC) identity tokens to existing Connect users. The most common case of this is when Connect and another service share the same single sign-on provider and end users.

In particular, identity federation can allow Posit Workbench users to publish content to Connect without requiring separate Connect credentials. Posit-provided client libraries support this flow automatically when available.

Identity federation with Posit Workbench

Prerequisites

  • The EarlyAccess.IdentityFederation setting must be enabled in Connect.
  • Workbench must be configured with OIDC authentication.
  • The Connect administrator must know the OIDC issuer and client ID for Workbench.

Create the integration

The Posit Connect administrator creates a Posit Workbench Federation integration through the dashboard’s System > Integrations settings. Once the integration has been created in Connect, it is available for use by all publishers.

Create a Posit Workbench federation integration.

Generic identity federation

For custom identity federation cases, there is also a generic OIDC integration template.

Prerequisites

  • The EarlyAccess.IdentityFederation setting must be enabled in Connect.

Create the integration

The Posit Connect administrator creates an OpenID Connect Federation integration through the dashboard’s System > Integrations settings. Once the integration has been created in Connect, it is available for use by all users.

Create a generic identity federation integration.

Troubleshooting

  • Verify that the issuer in the integration configuration matches the iss claim in the identity tokens exactly.
  • Check that Connect can reach the OIDC provider’s discovery endpoint at <issuer>/.well-known/openid-configuration.
  • The user must already exist on Connect; identity federation does not provision new users automatically.
  • Verify that the sub claim in the identity tokens (or the configured match_claim) matches the value of the user’s OAuth2.UniqueIdClaim in Connect.
  • For Workbench identity federation, ensure that the rserver.conf configuration includes auth-openid-scopes=offline_access. Without this setting, identity tokens will expire approximately one hour after user sign-in, causing further identity federation requests to Connect to fail.
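The checks in the troubleshooting list above can be run against a captured identity token before opening a support case. The script below is an added example, not Posit's code and not part of Connect or Workbench; it decodes the token's claims (without verifying the signature, which Connect does against the provider's JWKS), compares the iss claim exactly with the configured issuer, checks the match claim against the Connect user's unique ID, checks expiry, and builds the discovery URL from the issuer. The sample token, issuer, claim name and user ID are constructed for the example.

```python
import base64
import json
import time
from typing import List, Optional


def _b64url_encode(raw: bytes) -> str:
    """base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """base64url decode, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT.

    Diagnostic only: the signature is NOT checked here. Connect verifies it
    against the provider's JWKS; this just exposes the claims so they can be
    compared with the integration configuration.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token does not have three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def discovery_url(issuer: str) -> str:
    """Discovery document location for an issuer (trailing slash tolerated)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_token(token: str, expected_issuer: str, match_claim: str,
                connect_unique_id: str, now: Optional[float] = None) -> List[str]:
    """Run the troubleshooting checks and return a list of findings.

    An empty list means the token passes every check.
    """
    claims = decode_claims(token)
    now = time.time() if now is None else now
    findings: List[str] = []

    # 1. The issuer must match the iss claim exactly: "https://idp.example/"
    #    is not the same string as "https://idp.example".
    if claims.get("iss") != expected_issuer:
        findings.append(f"iss mismatch: token has {claims.get('iss')!r}, "
                        f"integration expects {expected_issuer!r}")

    # 2. The match claim (sub by default) must be present and equal the
    #    existing Connect user's unique ID; no user is provisioned on a miss.
    value = claims.get(match_claim)
    if value is None:
        findings.append(f"match claim {match_claim!r} is absent from the token")
    elif value != connect_unique_id:
        findings.append(f"{match_claim} {value!r} does not match Connect user id "
                        f"{connect_unique_id!r}")

    # 3. An expired token (the missing offline_access symptom for Workbench)
    #    fails before any claim comparison happens.
    exp = claims.get("exp")
    if exp is None or exp <= now:
        findings.append(f"token expired at exp={exp}")
    return findings


def make_sample_token(claims: dict) -> str:
    """Build a CONSTRUCTED token for local testing; the third segment is a
    placeholder, not a real signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed sample: the issuer carries a trailing slash that the integration
# configuration does not, the classic exact-match failure.
SAMPLE_NOW = 1_700_000_000
SAMPLE_TOKEN = make_sample_token({
    "iss": "https://idp.example.com/",
    "sub": "user-1234",
    "email": "alice@example.com",
    "iat": SAMPLE_NOW - 60,
    "exp": SAMPLE_NOW + 3600,
})

if __name__ == "__main__":
    print("discovery:", discovery_url("https://idp.example.com/"))
    for finding in check_token(SAMPLE_TOKEN, "https://idp.example.com",
                               "sub", "user-1234", now=SAMPLE_NOW):
        print("-", finding)
```

Run it with a real token pasted into SAMPLE_TOKEN and the issuer, claim name and unique ID taken from the integration and user settings; each finding maps to one bullet above.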