Configuring SAML in Posit Workbench

RStudio is now Posit!

Our professional products have been renamed to Posit Connect, Posit Workbench, Posit Package Manager, Posit Cloud, and Posit Academy so it’s easier for folks to understand that we support more than just R. Please review our Blog post/FAQ to answer commonly asked questions about the rebrand.

The SAML protocol is an industry standard for single-sign-on (SSO), multi-factor authentication, and authorization within the enterprise. RStudio Workbench, formerly RStudio Server Pro, supports SAML 2.0 for authentication.

For complete reference on Workbench's SAML implementation, see the Workbench Administration Guide.

User Provisioning

SAML in Workbench is for SSO authentication only. Users and groups can be provisioned manually or via LDAP or Active Directory.

If you wish to use LDAP or Active Directory for user provisioning, please configure user provisioning using this guide before configuring SAML.

Prerequisites

To get started with SAML for Workbench, you will need:

  • Workbench version 1.4 or later installed
  • Information about your SAML Identity Provider
  • The URL where users will access Workbench
  • Local system accounts

    Important

    SAML still requires PAM Sessions to automatically create local system accounts. Without them, local system accounts have to be provisioned manually one by one. For more information, see the SAML section of the Administration Guide.

Integrated Providers

There are integrated templates that you can use to simplify your setup if you are using:

Other providers will need to use the General Configuration instructions below.

General Configuration

To configure Workbench with SAML, you need to:

  1. Exchange metadata between your IdP and
  2. Configure the details of the authentication assertion.

Step 1. Configure the SAML Identity Provider (IdP)

Step 1a. Provide Workbench Metadata

How you provide the Workbench metadata to your IdP depends on what your IdP supports and whether direct network access exists between your IdP and Workbench.

  1. Provide the metadata URL directly to your IdP (<SERVER URL>/saml/metadata)
  2. Download the metadata XML file and upload it to your IdP
  3. Use the metadata file to manually provide the information to your IdP

Step 1b. Configure the SAML Assertion

  • The SAML assertion provides the information Workbench requires to do authentication.
  • By default, Workbench accepts the user's Linux username (lowercase) in an assertion attribute named Username (uppercase U).
  • If your IdP does not permit this configuration, you will need to configure Workbench to accept a different assertion (see Step 2b. Configure SAML Assertion, below).
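
To confirm that your IdP emits the default assertion described in Step 1b, you can run a check like the following against a decoded assertion captured from your own test login. This is an added example, not Posit's code; the sample assertion is constructed, the function name is hypothetical, and the check assumes the attribute name is matched exactly, including case.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a decoded assertion fragment as a browser SAML tracer
# would show it. Issuer, names and values are illustrative only.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="Username">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def check_username_attribute(assertion_xml, attr_name="Username"):
    """Return (ok, problems) for the username attribute of a decoded assertion.

    This only inspects attribute naming and value shape for configuration
    debugging; it does not verify the assertion's signature or conditions.
    """
    root = ET.fromstring(assertion_xml)
    attrs = root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS)
    exact = [a for a in attrs if a.get("Name") == attr_name]
    if not exact:
        # Assumption: the name must match exactly, so report near misses.
        near = [a.get("Name") for a in attrs
                if (a.get("Name") or "").lower() == attr_name.lower()]
        hint = f"; found {near} (name match is case-sensitive)" if near else ""
        return False, [f"no attribute named {attr_name!r}{hint}"]
    problems = []
    if len(exact) > 1:
        problems.append(f"attribute {attr_name!r} appears {len(exact)} times")
    values = [(v.text or "").strip() for a in exact
              for v in a.findall("saml:AttributeValue", SAML_NS)]
    if len(values) != 1:
        problems.append(f"expected exactly one value, got {len(values)}")
    for value in values:
        if not value:
            problems.append("username value is empty")
        elif value != value.lower():
            problems.append(f"username {value!r} is not lowercase")
    return (not problems), problems

if __name__ == "__main__":
    print(check_username_attribute(SAMPLE_ASSERTION))
```

If the check reports a differently named attribute or a mixed-case value, either adjust the IdP's attribute mapping or follow Step 2b to configure Workbench for the assertion your IdP actually sends.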

Step 2. Configure Workbench

Step 2a. Configure the IdP Metadata

  • Workbench SAML configuration is done in /etc/rstudio/rserver.conf.
  • For an IdP metadata file available at https://idp.example.com/saml/metadata and direct network access between your IdP and Workbench, you could configure:

    File: /etc/rstudio/rserver.conf
    auth-saml=1
    auth-saml-metadata-url=https://idp.example.com/saml/metadata
    
  • If your IdP does not provide a metadata URL or you do not have a direct network connection between your IdP and Workbench, you will need to provide metadata fields manually in /etc/rstudio/rserver.conf.

See the Workbench Administration Guide for configuration details.

Step 2b. Configure the SAML Assertion

  • If your IdP allows you to configure the SAML assertion as specified above, no further configuration is needed.
  • If not, you will need to add configuration for the name and format of the username assertion. Details on how to provide that configuration are in the Workbench Administration Guide.

Proxy Considerations

If you are running Workbench behind a proxy, further configuration is required to allow the SAML IdP to redirect back to Workbench after authenticating users. Usually, setting the X-RStudio-Request header is sufficient.

You must first know which SAML Identity Provider (IdP) you intend to use. Workbench will be a Service Provider (SP) to this SAML IdP. Please reference the Workbench Admin guide which provides additional information.

If you have problems integrating Workbench with your IdP, please reference our Support documentation and send an email to support@rstudio.com.