Posit Workbench requires the use of local system accounts for user home directories. In most cases, this is straightforward with PAM authentication, as these names don't need to match any third-party software. However, when integrating with SAML or OpenID Connect, these names will need to match the value of the user stored on your authentication provider.
The local system account name will depend on the assertion that comes back from your SAML provider. Specifically, the auth-saml-sp-attribute-username option contains the name value that is used from the assertion that comes back from your IdP. If your SAML configuration looks something like this:
Then your local system account will need to match the NameID returned, which in most cases will be in the format of firstname.lastname@example.org. However, it's worth consulting with your authentication team to verify this. Alternatively, you could review the assertion that is returned from your metadata URL to confirm. In this example with NameID, if the system account is email@example.com, then user home directories will need to be named accordingly. For example, /firstname.lastname@example.org.
OpenID Connect in this case is slightly simpler. Workbench will look for a claim called preferred_username, which is case-sensitive. If you wish to use a different value for the user's name, you can set the auth-openid-username-claim option to the claim that you wish to use. An example OIDC configuration is below:
In this example, if the user's name is email@example.com, then the home directory will need to match this value on the OIDC portal. In this case, /firstname.lastname@example.org.
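The following diagnostic is an added example, not Posit's code: it decodes the claims of an ID token for inspection, selects the username claim with a case-sensitive lookup, and checks that a local account and home directory exist for exactly that value. The function names, the sample account jdoe@example.test and the unsigned sample token are constructed for illustration, and the decode step does not verify the token signature.

```python
import base64
import json
import os
import pwd

DEFAULT_CLAIM = "preferred_username"  # claim the article says Workbench looks for


def decode_claims(id_token):
    """Decode the payload segment of a JWT for inspection only (no signature check)."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_account(claims, claim_name=DEFAULT_CLAIM, lookup=pwd.getpwnam,
                  isdir=os.path.isdir):
    """Return (ok, message): does the username claim map to a local account?"""
    if claim_name not in claims:  # dict lookup is case-sensitive, like the claim name
        near = [k for k in claims if k.lower() == claim_name.lower()]
        hint = f"; token has {near[0]!r} (case differs)" if near else ""
        return False, f"claim {claim_name!r} missing{hint}"
    username = claims[claim_name]
    try:
        entry = lookup(username)  # exact-match lookup of the local system account
    except KeyError:
        return False, f"no local account named {username!r}"
    if not isdir(entry.pw_dir):
        return False, f"home directory {entry.pw_dir!r} does not exist"
    return True, f"{username!r} -> {entry.pw_dir}"


def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # Constructed sample: replace with claims from a token issued by your IdP.
    token = make_sample_token({"preferred_username": "jdoe@example.test"})
    print(check_account(decode_claims(token)))
```

Pass `claim_name` the same value you set for auth-openid-username-claim to check a non-default claim.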