Just-in-Time Provisioning
Posit Workbench can be configured to use Just-in-Time Provisioning (JIT) to automatically create users upon their first successful login attempt. JIT can be used as an alternative to configuring your Identity Provider (IdP) with SCIM provisioning.
When using JIT provisioning, SCIM provisioning does not need to be configured within your IdP. However, JIT provisioning does not support the full user lifecycle management capabilities of SCIM provisioning: it only creates and updates users at login. A user who is unassigned or deactivated in the IdP can no longer sign in through it, but the Workbench account persists until an administrator locks it. If you need to manage user lifecycle events through your IdP, such as user unassignment and deactivation, you should use SCIM provisioning.
Supported authentication mechanisms
JIT provisioning is supported only for the following authentication mechanisms:
- Proxied Authentication
- OpenID Connect Authentication
- SAML Authentication
Prerequisites
- A supported authentication mechanism must be configured in Workbench.
- User provisioning must be enabled and configured. Reference the Configuration section of this guide for more information.
Configuration
JIT provisioning is disabled by default in Workbench. To enable JIT provisioning, set the user-provisioning-register-on-first-login configuration option:
/etc/rstudio/rserver.conf
user-provisioning-register-on-first-login=1
User provisioning
Users provisioned with JIT follow the same process as users provisioned with SCIM. See the How it works section of this guide for more information on how users are provisioned and the user attributes that are stored by Workbench.
Proxied Authentication
When using Proxied Authentication with JIT, Workbench will create a new user account for the authenticated user based on the user’s username header. Because Workbench trusts that header, any request that reaches it with the header set provisions an account; the proxy must therefore be the only route to Workbench and must set or strip the header itself rather than pass through a client-supplied value. See the Proxied Authentication section of this guide for more information on how to forward the user’s username to Workbench.
OpenID Connect Authentication
When using OpenID Connect Authentication with JIT, Workbench creates and updates user accounts based on the incoming claims from the OpenID Provider. New and existing users are matched on the basis of the auth-openid-username-claim setting. See the OpenID Claims section of this guide for more information on configuring the username claim for OpenID Connect authentication.
If a user with the specified claim value already exists in Workbench, the existing user account is used and updated if any user information has changed. If no user with the specified claim value exists, a new user account is created. Because this claim is the sole matching key, choose one that the IdP guarantees to be unique and stable: a user whose claim value changes is provisioned as a second account, and a claim value reassigned to a different person inherits the original account.
Workbench supports the following settings in /etc/rstudio/rserver.conf to control how OpenID Connect claims are translated to user attributes:
Configuration Option | Default Value | Description |
---|---|---|
auth-openid-username-claim | preferred_username | The claim that contains the username. |
auth-openid-email-claim | email | The claim that contains the user’s email address. |
auth-openid-name-claim | name | The claim that contains the user’s full name. |
auth-openid-posix-id-claim | None | The claim that contains the user’s POSIX ID. |
auth-openid-posix-name-claim | None | The claim that contains the user’s POSIX username. |
auth-openid-homedir-claim | None | The claim that contains the user’s home directory path. |
The user’s POSIX ID, POSIX username, and home directory are set by Workbench automatically when a user is provisioned. If any of these configuration options is specified, the value carried in the named claim overrides the value Workbench would otherwise assign, which makes the IdP the authority for that attribute: map only claims that the IdP controls and that end users cannot edit, since a user-controlled POSIX ID or home directory would let an account take over another user’s files.
SAML Authentication
When using SAML authentication with JIT, Workbench creates and updates user accounts based on the attributes in the SAML assertion received from the IdP. New and existing users are matched on the basis of the auth-saml-sp-attribute-username setting. See the Configure Workbench with IdP metadata section of this guide for more information on configuring the username attribute for SAML authentication.
If a user with the specified attribute already exists in Workbench, the existing user account is used and updated if any user information has changed. If no user with the specified attribute exists, a new user account is created.
Workbench supports the following settings in /etc/rstudio/rserver.conf to control how SAML assertion attributes are translated to user attributes:
Configuration Option | Default Value | Description |
---|---|---|
auth-saml-sp-attribute-username | Username | The attribute that contains the username. |
auth-saml-sp-attribute-email | None | The attribute that contains the user’s email address. |
auth-saml-sp-attribute-name | None | The attribute that contains the user’s full name. |
auth-saml-sp-attribute-posix-id | None | The attribute that contains the user’s POSIX ID. |
auth-saml-sp-attribute-posix-name | None | The attribute that contains the user’s POSIX username. |
auth-saml-sp-attribute-homedir | None | The attribute that contains the user’s home directory path. |
The user’s POSIX ID, POSIX username, and home directory are set by Workbench automatically when a user is provisioned. If these configuration options are specified, they override the default values set by Workbench.
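The following Python is an added illustration, not Posit Workbench code, of how the OpenID Connect and SAML mapping tables above drive the create-or-update behaviour described in both sections: a mapping dictionary stands in for the auth-openid-*-claim and auth-saml-sp-attribute-* options, a small parser flattens a SAML AttributeStatement into the same shape as an OIDC claims dictionary, and an in-memory store matches on the username attribute. The sample token claims and assertion are constructed; the sequential POSIX ID counter, the /home/<username> default, and the validation rules applied to IdP-supplied POSIX overrides are this example's assumptions, not documented Workbench behaviour.

```python
import re
import xml.etree.ElementTree as ET

# user attribute -> source claim/attribute name; None means Workbench assigns the value.
# Keys mirror the auth-openid-*-claim and auth-saml-sp-attribute-* options above.
OIDC_DEFAULT_MAP = {"username": "preferred_username", "email": "email", "name": "name",
                    "posix_id": None, "posix_name": None, "homedir": None}
SAML_DEFAULT_MAP = {"username": "Username", "email": None, "name": None,
                    "posix_id": None, "posix_name": None, "homedir": None}
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: portable POSIX usernames only; Workbench's own rules are not documented here.
POSIX_NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def saml_attributes(assertion_xml: str) -> dict:
    """Flatten an AttributeStatement into {Name: first AttributeValue}."""
    root = ET.fromstring(assertion_xml)
    out = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        if values:  # multi-valued attributes keep the first value (this model's choice)
            out[attr.get("Name")] = values[0]
    return out


def translate(source: dict, mapping: dict) -> dict:
    """Apply a mapping to IdP data, validating any POSIX overrides it supplies."""
    key = mapping["username"]
    if key is None or not source.get(key):
        raise ValueError(f"username source {key!r} missing: cannot match or create a user")
    attrs = {"username": source[key]}
    for name in ("email", "name"):
        if mapping[name] is not None and mapping[name] in source:
            attrs[name] = source[mapping[name]]
    # Overrides flow straight into the account, so check them first (ranges are assumptions).
    if mapping["posix_id"] is not None and mapping["posix_id"] in source:
        uid = int(source[mapping["posix_id"]])
        if not 1000 <= uid < 2**31:
            raise ValueError(f"posix id {uid} outside the allowed range")
        attrs["posix_id"] = uid
    if mapping["posix_name"] is not None and mapping["posix_name"] in source:
        pname = source[mapping["posix_name"]]
        if not POSIX_NAME_RE.match(pname):
            raise ValueError(f"posix name {pname!r} is not a portable username")
        attrs["posix_name"] = pname
    if mapping["homedir"] is not None and mapping["homedir"] in source:
        path = source[mapping["homedir"]]
        if not path.startswith("/") or ".." in path.split("/"):
            raise ValueError(f"home directory {path!r} must be absolute with no '..'")
        attrs["homedir"] = path
    return attrs


def rejects(source: dict, mapping: dict) -> bool:
    """True when translate() refuses the IdP data."""
    try:
        translate(source, mapping)
    except ValueError:
        return True
    return False


class UserStore:
    """In-memory stand-in for Workbench's user database."""

    def __init__(self, first_uid: int = 10000):
        self.users = {}
        self._next_uid = first_uid  # assumption: sequential ids for auto-assigned accounts

    def provision(self, attrs: dict) -> tuple:
        """Create or update the user matched on 'username'; return (user, action)."""
        user = self.users.get(attrs["username"])
        if user is None:
            user = {"username": attrs["username"], "posix_id": self._next_uid,
                    "posix_name": attrs["username"], "homedir": f"/home/{attrs['username']}"}
            self._next_uid += 1
            user.update(attrs)  # IdP-supplied overrides replace the generated defaults
            self.users[user["username"]] = user
            return user, "created"
        changed = {k: v for k, v in attrs.items() if user.get(k) != v}
        user.update(changed)
        return user, "updated" if changed else "unchanged"


# Constructed sample IdP data; not captured from a real token or assertion.
OIDC_CLAIMS = {"sub": "1234", "preferred_username": "alice", "email": "alice@example.com",
               "name": "Alice Example", "uid": "10500"}
SAML_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Username"><saml:AttributeValue>bob</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>bob@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="homeDirectory"><saml:AttributeValue>/export/home/bob</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def demo() -> dict:
    """Three OIDC logins for alice (create, no-op, rename) and one SAML login for bob."""
    store = UserStore()
    oidc_map = dict(OIDC_DEFAULT_MAP, posix_id="uid")  # auth-openid-posix-id-claim=uid
    saml_map = dict(SAML_DEFAULT_MAP, email="mail", homedir="homeDirectory")
    alice, a1 = store.provision(translate(OIDC_CLAIMS, oidc_map))
    _, a2 = store.provision(translate(OIDC_CLAIMS, oidc_map))
    _, a3 = store.provision(translate(dict(OIDC_CLAIMS, name="Alice E."), oidc_map))
    bob, b1 = store.provision(translate(saml_attributes(SAML_ASSERTION), saml_map))
    return {"alice": alice, "bob": bob, "actions": [a1, a2, a3, b1]}
```

Running demo() shows the two paths converging on one store: alice is created with the POSIX ID taken from her uid claim, her second login changes nothing, her third updates only the changed name, and bob is created from the SAML assertion with the generated POSIX ID but the home directory the IdP supplied. The rejects() cases are the ones worth keeping in mind when mapping POSIX overrides: a missing username claim, a uid of 0, a shell-metacharacter username, and a home directory containing "..".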
Managing Users
Users provisioned with JIT can be managed through rstudio-server commands. See the Changing the admin status of a user and the Locking and unlocking users sections of this guide for more information.