Authentication Migration

It is possible to migrate between the supported authentication mechanisms.

Migrating from PAM

Your local system accounts currently used with PAM can be used for Single Sign-On (SSO) authentication with SAML or OpenID. Ensure that:

  • The existing PAM configuration is configured for PAM and provisioning.
  • Posit Workbench is configured with PAM Sessions if your local system accounts are maintained by sssd.
  • Workbench is configured with the appropriate SSO authentication mechanism.
  • The configured SAML attribute or OpenID claim for username from your Identity Management system matches the names of your existing local system accounts.
Important

If PAM was used with Kerberos, please note that the credential forwarding functionality offered by Kerberos is only possible with PAM and it cannot be leveraged directly by Workbench when using SSO.

Migrating to PAM

Since all other authentication methods already leverage PAM in some degree, there’s no actual migration to PAM. You should only make sure PAM is configured for authenticating the existing users and configure Workbench to use PAM.

Migrating from proxied authentication

Your local system accounts currently used with Proxied authentication can be used for Single Sign-On (SSO) authentication with SAML or OpenID. Ensure that:

  • If Workbench is placed under a different path by the proxy (e.g., example.com/rstudio), be sure to check the “Proxy Considerations” sections under SAML Single Sign-On Authentication or OpenID Connect Authentication for additional options your proxy or Workbench configuration may need.
  • Workbench is configured with the appropriate SSO authentication mechanism.
  • The configured SAML attribute or OpenID claim for username match the names of your existing local system accounts as they were sent by the proxy in the HTTP header for username.

Migrating to proxied authentication

Note

This migration is not recommended unless none of the other existing authentication mechanisms are sufficient for your organization’s needs.

If Migrating from PAM, you can follow the same recommendations listed above for SSO, noting that the HTTP header for username must match existing accounts. If migrating from SAML or OpenID, the same observation on the HTTP header for username applies.

Migrating from Google accounts

Migrating from Google accounts is similar to Migrating from PAM to SSO, or Migrating to PAM.

Important

Google accounts have been deprecated and we strongly recommend against migrating to this authentication.

Note

If you are currently using Google accounts for authentication, the migration from Google accounts to OpenID using Google itself as the OpenID provider is not yet supported. We recommend to keep using Google accounts or migrating to some other non-Google SSO authentication.