Authenticating Users

Overview

Workbench users require local or networked system accounts regardless of what Workbench authentication method you use.

You must set up local system accounts manually, or using network services such as LDAP or Active Directory, and then map authenticating users to these accounts.

Additional information about system accounts is available in the Server account section.

For user identification, authentication, and authorization using local system accounts, Workbench relies heavily on Linux Pluggable Authentication Modules (PAM). PAM can be used by itself to authenticate users, or along with other external authentication mechanisms (e.g., Web Single Sign-On) to authorize existing local system accounts.

Note

Not all Posit products require local system accounts or PAM. For example, Posit Connect and Shiny Server rely on their own authentication engines and, in most cases, on a single system account for doing their work. They do not require individualized development environments like the ones offered by Posit Workbench.

Here are the various authentication mechanisms supported by Posit Workbench:

| Authentication | Posit Workbench Configuration |
|---|---|
| Local Accounts | PAM Authentication (via pam_unix) |
| LDAP or Active Directory | PAM Authentication (via pam_sss or pam_ldap in older systems) |
| Kerberos | PAM Authentication (via pam_sss or pam_krb5 in older systems) |
| Web Single Sign-On (SSO) | SAML Single Sign-On Authentication or OpenID Connect Authentication |
| Others (client-server, e.g., RADIUS) | As supported by various PAM modules |
| Others (browser-based, e.g., Kerberos SPNEGO SSO) | Proxied Authentication |

Note

SAML, OpenID, and Proxied authentication still require PAM Sessions to automatically create local system accounts. Without PAM Sessions, local system accounts have to be provisioned manually, one by one.
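Because every authenticating user must map to a system account, and SSO or proxied setups without PAM Sessions need those accounts provisioned by hand, it helps to audit the expected usernames before rollout. The following is an added example, not part of the Posit documentation or product; the function names and sample usernames are assumptions made for illustration. It classifies each username as local (listed in /etc/passwd), networked (resolved through another NSS source such as SSSD or LDAP), or missing.

```python
import pwd

# Constructed sample: usernames the identity provider is expected to assert.
SAMPLE_USERS = ["root", "wb-constructed-user-does-not-exist"]


def local_account_names(passwd_path="/etc/passwd"):
    """Return the usernames defined in the local passwd file."""
    names = set()
    with open(passwd_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            # Skip blanks, comments and legacy NIS compat entries (+/-).
            if line and not line.startswith(("#", "+", "-")):
                names.add(line.split(":", 1)[0])
    return names


def classify_account(username, passwd_path="/etc/passwd"):
    """Return 'local', 'networked' or 'missing' for one username."""
    try:
        # getpwnam resolves through NSS, so it sees files, sss, ldap, etc.
        pwd.getpwnam(username)
    except KeyError:
        return "missing"
    if username in local_account_names(passwd_path):
        return "local"
    # Resolvable, but not defined in the local file: a non-file NSS source.
    return "networked"


def audit(usernames, passwd_path="/etc/passwd"):
    """Map each username to its classification."""
    return {u: classify_account(u, passwd_path) for u in usernames}


def needs_provisioning(usernames, passwd_path="/etc/passwd"):
    """Usernames with no system account, i.e. ones that must be created."""
    result = audit(usernames, passwd_path)
    return sorted(u for u, status in result.items() if status == "missing")


if __name__ == "__main__":
    for user, status in audit(SAMPLE_USERS).items():
        print(f"{user}: {status}")
```

Run it on the Workbench host itself, since account resolution depends on that host's NSS configuration.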