Configure Posit Workbench SAML authentication to support case-insensitive usernames
How to configure your system to allow case-insensitive usernames for Workbench login.
Description
In some environments, a Security Assertion Markup Language (SAML) identity provider (IdP) may return username claims with mixed casing, such as JSmith, while the associated system account is provisioned with lowercase only, such as jsmith. When this mismatch occurs, authentication may fail because the user ID does not resolve properly.
To address this, you can configure sssd.conf to perform case-insensitive lookups, allowing the username claim from the IdP to match the correct Linux account regardless of letter casing.
Solution
Locate the /etc/sssd/sssd.conf file on your Posit Workbench server.
    sudo vim /etc/sssd/sssd.conf
In the relevant [domain] section, add or update the following setting:
    case_sensitive = false
This setting tells the System Security Services Daemon (SSSD) to treat usernames as case-insensitive, which allows JSmith, jsmith, or JSMITH to resolve to the same user ID.
Ensure that the value is added in the correct domain section. Incorrect placement may result in SSSD startup failure.
After saving your changes, restart the SSSD service to apply them:
    sudo systemctl restart sssd
Once restarted, SSSD performs case-insensitive username lookups. This ensures that a user claim like JSmith returned by the SAML IdP matches the lowercase Linux account jsmith, or any variation in casing.
You should still ensure usernames are unique in a case-insensitive context to avoid unexpected conflicts.
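A pre-restart check for the steps above, as an added example that is not part of the original article: check_sssd_case reports the case_sensitive value for each [domain/...] section of an sssd.conf and flags the key if it sits outside a domain section, and find_case_collisions lists account names in a passwd-format file that differ only by letter case. Both function names and the sample data are assumptions made for this example.

```shell
# Added example: audit sssd.conf for case_sensitive placement and find account
# names that differ only by letter case. Function names are hypothetical.

# Print case_sensitive for each [domain/...] section; return 1 if any domain
# is not "false" or the key sits in a non-domain section.
check_sssd_case() {
    awk '
        function report() {
            if (sect ~ /^domain\//) {
                printf "%s: case_sensitive=%s\n", sect, (val == "" ? "unset" : val)
                if (tolower(val) != "false") bad = 1
            } else if (val != "") {
                printf "%s: case_sensitive misplaced (not a domain section)\n", sect
                bad = 1
            }
        }
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[.*\][ \t]*$/ {                    # section header
            if (sect != "") report()
            sect = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sect); val = ""
            next
        }
        /^[ \t]*case_sensitive[ \t]*=/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        }
        END { if (sect != "") report(); exit bad + 0 }
    ' "$1"
}

# Read a passwd-format file; print groups of names that are equal when lowercased.
find_case_collisions() {
    cut -d: -f1 "$1" | awk '
        { k = tolower($0); n[k]++; names[k] = names[k] (n[k] > 1 ? "," : "") $0 }
        END { for (k in n) if (n[k] > 1) print names[k] }
    ' | sort
}

# Constructed sample input (not from a real system).
demo_dir=$(mktemp -d)
printf '%s\n' '[sssd]' 'domains = example.com' '[domain/example.com]' \
    'id_provider = ldap' 'case_sensitive = false' > "$demo_dir/sssd.conf"
printf '%s\n' 'jsmith:x:1001:1001::/home/jsmith:/bin/bash' \
    'JSmith:x:1002:1002::/home/JSmith:/bin/bash' > "$demo_dir/passwd"
check_sssd_case "$demo_dir/sssd.conf" || echo "sssd.conf needs attention"
find_case_collisions "$demo_dir/passwd"
rm -rf "$demo_dir"
```

On the server, run check_sssd_case against /etc/sssd/sssd.conf as root before restarting SSSD; any group printed by find_case_collisions is a pair of accounts that would become indistinguishable under case-insensitive lookup.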
If you’re still having issues, you can reach out to Support by opening a ticket.