Just-in-Time Provisioning
Posit Workbench can be configured to use Just-in-Time Provisioning (JIT) to automatically create users upon their first successful login attempt. JIT can be used as an alternative to configuring your Identity Provider (IdP) with System for Cross-domain Identity Management (SCIM) provisioning.
When using JIT provisioning, SCIM provisioning does not need to be configured within your IdP. However, JIT provisioning does not support the full user lifecycle management capabilities of SCIM provisioning. If you need to manage user lifecycle events through your IdP, such as user unassignment and deactivation, you should use SCIM provisioning.
For end-to-end walkthroughs covering authentication and user provisioning setup, see the quick starts: Configure Entra ID with OpenID Connect and Configure Okta with OpenID Connect.
Supported authentication mechanisms
JIT provisioning is supported only for the following authentication mechanisms:
- Proxied Authentication
- OpenID Connect Authentication
- SAML Authentication
Prerequisites
- A supported authentication mechanism must be configured in Workbench.
- User provisioning must be enabled and configured. Reference the Configuration section of this guide for more information.
Configuration
JIT provisioning is disabled by default in Workbench. To enable JIT provisioning, set the user-provisioning-register-on-first-login configuration option:
/etc/rstudio/rserver.conf
```ini
user-provisioning-register-on-first-login=1
```
User provisioning
Users provisioned with JIT follow the same process as users provisioned with SCIM. See the How it works section of this guide for more information on how users are provisioned and the user attributes that are stored by Workbench.
Group provisioning
Groups provisioned with JIT follow the same process as groups provisioned with SCIM. See the How it works section of this guide for more information.
On every login, Workbench reconciles the user’s group memberships against the groups present in the authentication claim or proxy header:
- If the user does not already belong to a group named in the claim, Workbench creates the group (if it does not exist yet) and adds the user to it.
- Workbench removes the user from any group they belong to that is not named in the claim.
- JIT provisioning never deletes a group itself; only the user's memberships change.
- Workbench treats any failure during group reconciliation as a login failure, so that a user cannot retain elevated privileges granted through a membership the IdP no longer asserts.
Workbench matches group names case-insensitively, avoiding incorrect removals when an IdP sends a group name in a different case from the one originally used.
Absent vs. empty group claim
The behavior differs depending on whether the groups claim or header is absent or present but empty:
| Situation | Effect on group membership |
|---|---|
| Groups claim or header absent | Workbench leaves existing memberships unchanged. |
| Groups claim or header present but empty | Workbench removes the user from all current group memberships. |
When using proxied authentication, if the configured groups header (e.g., X-RStudio-Groups) is not sent at all, Workbench treats the user’s group set as unknown and makes no membership changes. If the header is sent with an empty value, Workbench interprets this as the user belonging to zero groups and removes the user from any groups they belong to.
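The reconciliation rules above (absent claim leaves memberships alone, empty claim removes them all, case-insensitive matching, groups created but never deleted, any failure refuses the login) can be modelled in a few dozen lines. The following is an added illustration written for this page, not Workbench's own code: the `Directory` class, its failure-injection set and the sample memberships are constructed stand-ins for whatever store Workbench actually uses.

```python
"""Model of the JIT group-reconciliation rules documented above.

Constructed illustration only (not Workbench's code). Assumed rules:
  * groups claim/header absent (None)  -> leave memberships unchanged
  * groups claim/header present but [] -> remove the user from every group
  * group names are compared case-insensitively
  * missing groups are created; a group object is never deleted
  * any failure while reconciling -> the login is refused
"""
from __future__ import annotations

from dataclasses import dataclass, field


class GroupReconcileError(Exception):
    """Raised when a membership change fails; the caller must refuse login."""


@dataclass
class Directory:
    # group name (spelled as first seen) -> set of member usernames
    groups: dict[str, set[str]] = field(default_factory=dict)
    # constructed failure injection: group names whose updates will fail
    failing: set[str] = field(default_factory=set)

    def _find(self, name: str) -> str | None:
        """Return the stored spelling of a group, matched case-insensitively."""
        for existing in self.groups:
            if existing.casefold() == name.casefold():
                return existing
        return None

    def add_member(self, group: str, user: str) -> None:
        if group in self.failing:
            raise GroupReconcileError(f"could not add {user} to {group}")
        key = self._find(group)
        if key is None:                 # first time this group is seen: create it
            key = group
            self.groups[key] = set()
        self.groups[key].add(user)

    def remove_member(self, group: str, user: str) -> None:
        if group in self.failing:
            raise GroupReconcileError(f"could not remove {user} from {group}")
        self.groups[group].discard(user)   # the group itself is kept

    def memberships(self, user: str) -> set[str]:
        """Snapshot of the groups the user currently belongs to."""
        return {g for g, members in self.groups.items() if user in members}


def reconcile_groups(directory: Directory, user: str,
                     claimed: list[str] | None) -> bool:
    """Apply the groups claim to the directory; True means login may proceed."""
    if claimed is None:                 # claim/header absent: group set unknown
        return True
    claimed_folded = {g.casefold() for g in claimed}
    try:
        for group in claimed:           # ensure membership of every claimed group
            directory.add_member(group, user)
        for group in directory.memberships(user):   # drop everything else
            if group.casefold() not in claimed_folded:
                directory.remove_member(group, user)
    except GroupReconcileError:
        return False                    # treated as a login failure
    return True


if __name__ == "__main__":
    d = Directory(groups={"Analysts": {"alice", "bob"}, "admins": {"alice"}})
    print(reconcile_groups(d, "alice", ["ANALYSTS", "Research"]), d.groups)
    print(reconcile_groups(d, "bob", []), d.groups)
```

Running the script shows the case-insensitive match keeping `alice` in `Analysts` despite the IdP sending `ANALYSTS`, `Research` being created on the fly, `admins` surviving as an empty group after `alice` is removed from it, and `bob` losing all memberships when the claim is present but empty.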
Proxied Authentication
When using Proxied Authentication with JIT, Workbench will create a new user account for the authenticated user based on the user’s username header. See the Proxied Authentication section of this guide for more information on how to forward the user’s username to Workbench.
OpenID Connect Authentication
When using OpenID Connect Authentication with JIT, Workbench creates and updates user accounts based on the incoming claims from the OpenID Provider. New and existing users are matched on the basis of the auth-openid-username-claim setting. See the OpenID Claims section of this guide for more information on configuring the username claim for OpenID Connect authentication.
If a user with the specified claim already exists in Workbench, the existing user account is used and updated if any user information has changed. If no user with the specified claim exists, a new user account is created.
Workbench supports the following settings in /etc/rstudio/rserver.conf to control how OpenID Connect claims are translated to user attributes:
| Configuration Option | Default Value | Description |
|---|---|---|
| auth-openid-username-claim | preferred_username | The claim that contains the username. |
| auth-openid-email-claim | email | The claim that contains the user's email address. |
| auth-openid-name-claim | name | The claim that contains the user's full name. |
| auth-openid-posix-id-claim | None | The claim that contains the user's POSIX ID. |
| auth-openid-groups-claim | groups | The claim that contains the user's groups. |
| auth-openid-posix-name-claim | None | The claim that contains the user's POSIX username. |
| auth-openid-homedir-claim | None | The claim that contains the user's home directory path. |
The user’s POSIX ID, POSIX username, and home directory are set by Workbench automatically when a user is provisioned. If these configuration options are specified, they override the default values set by Workbench.
SAML Authentication
When using SAML authentication with JIT, Workbench creates and updates user accounts based on the attributes in the SAML assertion received from the IdP. New and existing users are matched on the basis of the auth-saml-sp-attribute-username setting. See the Configure Workbench with IdP metadata section of this guide for more information on configuring the username attribute for SAML authentication.
If a user with the specified attribute already exists in Workbench, the existing user account is used and updated if any user information has changed. If no user with the specified attribute exists, a new user account is created.
Workbench supports the following settings in /etc/rstudio/rserver.conf to control how SAML assertion attributes are translated to user attributes:
| Configuration Option | Default Value | Description |
|---|---|---|
| auth-saml-sp-attribute-username | Username | The attribute that contains the username. |
| auth-saml-sp-attribute-email | None | The attribute that contains the user's email address. |
| auth-saml-sp-attribute-name | None | The attribute that contains the user's full name. |
| auth-saml-sp-attribute-posix-id | None | The attribute that contains the user's POSIX ID. |
| auth-saml-sp-attribute-groups | None | The attribute that contains the user's groups. |
| auth-saml-sp-attribute-posix-name | None | The attribute that contains the user's POSIX username. |
| auth-saml-sp-attribute-homedir | None | The attribute that contains the user's home directory path. |
The user’s POSIX ID, POSIX username, and home directory are set by Workbench automatically when a user is provisioned. If these configuration options are specified, they override the default values set by Workbench.
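The OpenID Connect and SAML sections above describe the same three-step process: read the configured claim or attribute names (falling back to the defaults in the tables), translate the token or assertion into user attributes, then match on the username attribute and either update the existing account or create a new one. The script below is an added model of that process for this page, not Workbench's own code. The `parse_rserver_conf`, `map_claims` and `provision` functions, the sample configuration and token, and the generated `posix_id`/`posix_name`/`homedir` stand-ins are all constructed for illustration; the option names and defaults are the ones listed in the tables.

```python
"""Constructed model of JIT claim mapping and user matching (not Workbench code).

The option tables mirror the documentation: a default of None means Workbench
generates the attribute itself unless the option names a claim to take it from.
"""
from __future__ import annotations

OPENID_CLAIM_OPTIONS = {
    # option name -> (default claim name, user attribute it feeds)
    "auth-openid-username-claim": ("preferred_username", "username"),
    "auth-openid-email-claim": ("email", "email"),
    "auth-openid-name-claim": ("name", "name"),
    "auth-openid-groups-claim": ("groups", "groups"),
    "auth-openid-posix-id-claim": (None, "posix_id"),
    "auth-openid-posix-name-claim": (None, "posix_name"),
    "auth-openid-homedir-claim": (None, "homedir"),
}
SAML_ATTRIBUTE_OPTIONS = {
    # option name -> (default assertion attribute, user attribute it feeds)
    "auth-saml-sp-attribute-username": ("Username", "username"),
    "auth-saml-sp-attribute-email": (None, "email"),
    "auth-saml-sp-attribute-name": (None, "name"),
    "auth-saml-sp-attribute-groups": (None, "groups"),
    "auth-saml-sp-attribute-posix-id": (None, "posix_id"),
    "auth-saml-sp-attribute-posix-name": (None, "posix_name"),
    "auth-saml-sp-attribute-homedir": (None, "homedir"),
}


def parse_rserver_conf(text: str) -> dict[str, str]:
    """Parse key=value lines in the style of /etc/rstudio/rserver.conf."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def map_claims(conf: dict[str, str], claims: dict,
               options: dict = OPENID_CLAIM_OPTIONS) -> dict:
    """Translate token claims (or assertion attributes) into user attributes."""
    attrs: dict = {}
    for option, (default, attr) in options.items():
        source = conf.get(option, default)
        if source is None or source not in claims:
            continue            # not mapped, or the claim is absent from this token
        attrs[attr] = claims[source]
    if "username" not in attrs:
        raise ValueError("no username claim in token; cannot provision user")
    return attrs


def provision(users: dict[str, dict], conf: dict[str, str], claims: dict,
              options: dict = OPENID_CLAIM_OPTIONS) -> tuple[str, dict]:
    """JIT step: match on the username attribute, then update or create.

    Returns (status, record) with status in {"created", "updated", "unchanged"}.
    """
    attrs = map_claims(conf, claims, options)
    name = attrs["username"]
    existing = users.get(name)
    if existing is None:
        # Constructed stand-ins for the values Workbench generates when no
        # override option is configured; the real generated values are its own.
        attrs.setdefault("posix_name", name)
        attrs.setdefault("homedir", f"/home/{name}")
        attrs.setdefault("posix_id", 1000 + len(users))
        users[name] = attrs
        return "created", attrs
    changed = {k: v for k, v in attrs.items() if existing.get(k) != v}
    if not changed:
        return "unchanged", existing
    existing.update(changed)
    return "updated", existing


# Constructed sample: an IdP that carries the username in "upn" and the POSIX
# ID in "uidNumber"; email, name and groups keep the default claim names.
SAMPLE_CONF = parse_rserver_conf("""
auth-openid-username-claim=upn
auth-openid-posix-id-claim=uidNumber
""")
SAMPLE_TOKEN = {"upn": "alice", "email": "alice@example.org",
                "name": "Alice Example", "uidNumber": 5001,
                "groups": ["Analysts"]}

if __name__ == "__main__":
    users: dict[str, dict] = {}
    print(provision(users, SAMPLE_CONF, SAMPLE_TOKEN))
    print(provision(users, SAMPLE_CONF, dict(SAMPLE_TOKEN, name="Alice E.")))
```

The first call creates `alice` with the POSIX ID taken from `uidNumber` (overriding the generated value) and a generated home directory; the second call matches the existing account on the username claim and updates only the changed `name` attribute. Passing `SAML_ATTRIBUTE_OPTIONS` runs the same logic against a SAML assertion, where only `Username` is mapped by default.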
Managing Users
Users provisioned with JIT can be managed through rstudio-server commands. See the Changing the admin status of a user and the Locking and unlocking users sections of this guide for more information.