Authenticating Users
Authentication is one of three core concepts for managing Posit Workbench user access. For a broader picture of how authentication, user provisioning, and PAM sessions work together to grant users access to Workbench, see Managing user access to Workbench.
Overview
You must provision local system accounts and map authenticated users to these accounts. You can create these system accounts through SCIM or JIT provisioning, LDAP or Active Directory, or manually.
Workbench requires local system accounts because it spawns a separate operating system process for each user session. Linux requires every process to be owned by a system user account. Posit Connect and Posit Package Manager do not have this requirement in general.
Authentication methods
Workbench supports several authentication methods. PAM-based methods (local accounts, LDAP via SSSD, Kerberos) authenticate users through Linux Pluggable Authentication Modules (PAM). Single Sign-On (SSO) and proxied authentication delegate the authentication check to an external system and do not invoke PAM during sign-in. Once authenticated, every user must map to a Linux account on the server.
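A pre-flight check for the mapping requirement above, as an added example that is not part of the Posit documentation: it classifies usernames asserted by an identity provider against passwd-format account data. The function names, status labels, sample accounts, and the policy of flagging UID 0 are assumptions of this example.

```shell
#!/bin/sh
# Added example: check that identity-provider usernames map to Linux accounts.

# Constructed sample data in the format `getent passwd` prints (not real accounts).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash'

# classify_user NAME PASSWD_DATA
# Prints OK, ROOT_UID, CASE_MISMATCH:<local name>, or MISSING.
classify_user() {
  # Pass the name through the environment so backslashes (DOMAIN\user) survive.
  printf '%s\n' "$2" | WANT="$1" awk -F: '
    BEGIN { want = ENVIRON["WANT"] }
    $1 == want { exact = 1; uid = $3 }
    $1 != want && tolower($1) == tolower(want) { near = $1 }
    END {
      if (exact && uid == 0) print "ROOT_UID"        # session would run as root
      else if (exact)        print "OK"
      else if (near != "")   print "CASE_MISMATCH:" near  # Linux names are case-sensitive
      else                   print "MISSING"         # no account to own the session
    }'
}

# audit_users PASSWD_DATA NAME...
# Prints one line per name; returns 0 only when every name is OK.
audit_users() {
  db=$1; shift
  problems=0
  for name in "$@"; do
    status=$(classify_user "$name" "$db")
    printf '%-10s %s\n' "$name" "$status"
    [ "$status" = "OK" ] || problems=$((problems + 1))
  done
  [ "$problems" -eq 0 ]
}

# Demo on the constructed data: alice is OK; Bob, carol and root are flagged.
audit_users "$SAMPLE_PASSWD" alice Bob carol root || true
```

On a server, pass the output of `getent passwd` for the names being checked instead of the sample data, so accounts provided through SSSD are resolved the same way Linux resolves them.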
Choosing an authentication method
| Your situation | Recommended method |
|---|---|
| Organization uses Microsoft Entra ID, Okta, or another OIDC provider | OIDC |
| Organization uses SAML SSO | SAML |
| Authentication handled by a reverse proxy (Shibboleth, SPNEGO/Kerberos SSO) | Proxied authentication |
| Users have LDAP or Active Directory accounts | PAM authentication via pam_sss (or pam_ldap on older systems) |
| Users have local accounts on the server | PAM authentication via pam_unix |
| Users authenticate via Kerberos | PAM authentication via pam_sss (or pam_krb5 on older systems) |
| Client-server protocols (RADIUS, smart cards) | Supported through PAM modules |