Authenticating Users
Overview
You must set up local system accounts, either manually or through network services such as LDAP or Active Directory, and then map authenticating users to these accounts.
Additional information about system accounts is available in the Server account section.
For user identification, authentication, and authorization using local system accounts, Workbench relies heavily on Linux Pluggable Authentication Modules (PAM). PAM can be used by itself to authenticate users, or along with other external authentication mechanisms (e.g., Web Single Sign-On) to authorize existing local system accounts.
Not all Posit products require local system accounts or PAM. For example, Posit Connect and Shiny Server rely on their own authentication engines and, in most cases, on a single system account to do their work; they do not require individualized development environments like the ones offered by Posit Workbench.
Here are the various authentication mechanisms supported by Posit Workbench:
Authentication | Posit Workbench Configuration |
---|---|
Local Accounts | PAM Authentication (via pam_unix) |
LDAP or Active Directory | PAM Authentication (via pam_sss or pam_ldap in older systems) |
Kerberos | PAM Authentication (via pam_sss or pam_krb5 in older systems) |
Web Single Sign-On (SSO) | SAML Single Sign-On Authentication or OpenID Connect Authentication |
Others (client-server, e.g., RADIUS) | As supported by various PAM modules |
Others (browser-based, e.g., Kerberos SPNEGO SSO) | Proxied Authentication |
SAML, OpenID, and Proxied authentication still require PAM Sessions to automatically create local system accounts. Without them, local system accounts have to be provisioned manually, one by one.
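An added example, not part of the Posit documentation: a small auditor for a PAM service file that reports which of the module-based mechanisms in the table above its `auth` stack uses and whether any session rules are present. The sample file is constructed, and the `nullok` check on `pam_unix` (an option that permits empty passwords) goes beyond what this page covers.

```python
import re

# PAM module -> mechanism, as listed in the table on this page.
BACKENDS = {
    "pam_unix": "Local Accounts",
    "pam_sss": "LDAP, Active Directory or Kerberos",
    "pam_ldap": "LDAP or Active Directory (older systems)",
    "pam_krb5": "Kerberos (older systems)",
}
# <type> <control> <module> [args]; control is a keyword or a [value=action ...] list.
RULE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Split a PAM service file into module rules and references to other files."""
    rules, includes = [], []
    for raw in text.replace("\\\n", " ").splitlines():   # join continued lines
        line = raw.split("#", 1)[0].strip()              # drop comments
        m = RULE.match(line)
        if line.startswith("@include"):                  # Debian-style include
            includes.extend(line.split()[1:2])
        elif m and m.group(2) in ("include", "substack"):
            includes.append(m.group(3))                  # third field is a file, not a module
        elif m:
            kind, control, module, args = m.groups()
            name = re.sub(r"\.so$", "", module.rsplit("/", 1)[-1])
            rules.append((kind, control, name, args.split()))
    return rules, includes

def audit(text):
    rules, includes = parse_pam(text)
    auth = [(name, args) for kind, _, name, args in rules if kind == "auth"]
    return {
        "backends": {n: BACKENDS[n] for n, _ in auth if n in BACKENDS},
        "empty_passwords_allowed": any(n == "pam_unix" and "nullok" in a for n, a in auth),
        "has_session_rules": any(kind == "session" for kind, *_ in rules),
        "unresolved_includes": includes,  # these files must be audited as well
    }

# Constructed sample service file, not taken from a real system.
SAMPLE = """\
auth     sufficient  pam_unix.so nullok
auth     sufficient  /lib64/security/pam_sss.so use_first_pass
auth     required    pam_deny.so
session  required    pam_unix.so
session  include     password-auth
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A non-empty `unresolved_includes` means the result is partial: the effective stack also depends on the files named there.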