Configuring Microsoft Entra ID for SAML in Posit Workbench
Posit Workbench is a registered application with Microsoft Entra ID, formerly Azure Active Directory (AD).
Configure Application in Microsoft Entra ID
Navigate to the Microsoft Azure portal and then to Microsoft Entra ID.
From the Overview page, click the Add drop-down and select Enterprise Application.
In the Search application search box, type “RStudio Server Pro SAML Authentication”.
From the results panel, select RStudio Server Pro SAML Authentication and click Create. You may have to wait several seconds while the app is added to your tenant.
From the Microsoft Entra ID portal, in the left pane Manage section, click Single sign-on.
From the Select a Single sign-on method page, click SAML.
From the Set up Single sign-on with SAML page, click the edit/pen icon for Basic SAML Configuration to edit the settings.
From the Basic SAML Configuration page, if you wish to configure the application in IdP initiated mode, do the following:
- In the Identifier (Entity ID) section, click Add identifier and in the Enter an identifier text box, type a URL using the following pattern:
https://<RSW-SERVER>/<PATH>/saml/metadata
. - In the Reply URL (Assertion Consumer Server URL) section, click Add reply URL and type the URL using the following pattern:
https://<RSW-SERVER>/<PATH>/saml/acs
.
- In the Identifier (Entity ID) section, click Add identifier and in the Enter an identifier text box, type a URL using the following pattern:
If you wish to configure the application in SP initiated mode, in the Sign on URL section Enter a sign on URL text box, type a URL using the following pattern:
https://<RSW-SERVER>/<PATH>
Click Save.
In the upper-right corner, click the X to return to the Enterprise Application page.
Scroll down to the Set up single sign-on with SAML section, in the SAML Signing Certificate section, click copy button to copy App Federation Metadata Url and save it on your computer.
Additionally, we recommend reviewing the Azure documentation.
Configure Workbench
Update the Workbench configuration file with the following:
/etc/rstudio/rserver.conf
auth-saml=1 auth-saml-metadata-url=<federation-metadata-URI> auth-saml-sp-name-id-format=emailaddress auth-saml-sp-attribute-username=NameID auth-saml-sp-base-uri=<RStudio-Server-URI>
Restart Workbench by running the following:
Terminal
sudo rstudio-server restart
Any user who has been given access via Microsoft Entra ID and has been provisioned on the Workbench server, should now be able to log in. For the above configuration, the username is the email address (converted to lowercase).