Posit Workbench requires a local system account, with a home directory, for every user. With PAM authentication this is straightforward: the name the user types at the sign-in page is the local account name, so nothing has to line up with a third-party system. When Workbench is integrated with SAML or OpenID Connect, however, the local account name must match, exactly and case-sensitively, the username value that your identity provider returns.
SAML
The local system account name depends on the assertion returned by your SAML identity provider (IdP). Specifically, the auth-saml-sp-attribute-username option names the attribute in the assertion whose value Workbench uses as the username. If your SAML configuration looks like this:
# /etc/rstudio/rserver.conf
auth-saml=1
auth-saml-sp-attribute-username=NameID
auth-saml-metadata-url=https://idp.example.com/saml/metadata
Then your local system account name must match the NameID value returned by the IdP, which in most cases (an emailAddress-format NameID) looks like username@domain.com. Confirm this with the team that runs your IdP, or capture the SAML response from an actual login (for example, with your browser's developer tools) and inspect its NameID element. The metadata URL only describes the IdP; it does not contain the assertion, so it cannot be used to check the value. In this example, if NameID is username@domain.com, the local account must be named username@domain.com and its home directory named accordingly, for example /home/username@domain.com. Note that some useradd implementations reject names containing characters such as @ unless you explicitly allow nonstandard names; check your distribution's useradd documentation when creating these accounts.
OIDC
OpenID Connect is slightly simpler in this case. By default, Workbench looks for a claim named preferred_username; the claim name is case-sensitive, and so is the match between its value and the local account name. To use a different claim, set the auth-openid-username-claim option to the name of that claim. An example OIDC configuration is below:
# /etc/rstudio/rserver.conf
auth-openid=1
auth-openid-issuer=https://op.example.com
auth-openid-username-claim=preferred_username
In this example, if the preferred_username claim returned by the OIDC provider is username+okta@domain.com, the local account must have exactly that name, and its home directory should match it as well: /home/username+okta@domain.com.
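The following script is an added example (it is not Posit's code and not part of the original article) that puts both the SAML and the OIDC cases above into a runnable check: it reads the relevant option from rserver.conf text, extracts the username the way the article describes (the subject NameID when auth-saml-sp-attribute-username is NameID, otherwise a named SAML attribute; the configured claim for OIDC), and then verifies that a local account with exactly that name exists and that its home directory follows the /home/<name> convention. The config text, the SAML assertion fragment, the OIDC claims and the account database used in the test are all constructed sample data, and the helper names are mine.

```python
"""Added example, not Posit's code: check that the username an IdP returns
matches a local system account on a Workbench host.

Assumptions: rserver.conf options are named as in the article; the sample
config, assertion and claims below are constructed, not captured."""
import json
import pwd
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed config text mirroring the article's two examples.
SAML_CONF = """\
# /etc/rstudio/rserver.conf
auth-saml=1
auth-saml-sp-attribute-username=NameID
auth-saml-metadata-url=https://idp.example.com/saml/metadata
"""
OIDC_CONF = """\
auth-openid=1
auth-openid-issuer=https://op.example.com
auth-openid-username-claim=preferred_username
"""

# Constructed SAML assertion fragment (sample data, not a real IdP response).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Username">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed OIDC claims as they might appear in an ID token or userinfo reply.
SAMPLE_CLAIMS = json.loads(
    '{"sub": "00u1abc", "preferred_username": "alice+okta@example.com", '
    '"email": "Alice@Example.com"}'
)


def parse_rserver_conf(text):
    """Parse key=value lines, ignoring comments and blank lines."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts


def username_from_saml(assertion_xml, attribute):
    """Return the value Workbench would use as the username.
    'NameID' selects the subject NameID (as in the article's example);
    any other value names a SAML Attribute in the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    if attribute == "NameID":
        node = root.find(f".//{{{SAML_NS}}}NameID")
    else:
        node = root.find(
            f".//{{{SAML_NS}}}Attribute[@Name='{attribute}']/{{{SAML_NS}}}AttributeValue"
        )
    if node is None or not (node.text or "").strip():
        raise ValueError(f"assertion carries no value for {attribute!r}")
    return node.text.strip()


def username_from_oidc(claims, claim="preferred_username"):
    """Claim names are case-sensitive JSON keys; nothing is normalised."""
    if claim not in claims:
        raise ValueError(f"no {claim!r} claim; present claims: {sorted(claims)}")
    return str(claims[claim])


def check_local_account(username, lookup=pwd.getpwnam):
    """Return (ok, detail). The account must exist under exactly this name.
    The pw_name comparison catches NSS backends that resolve names
    case-insensitively but store a differently cased canonical name."""
    try:
        entry = lookup(username)
    except KeyError:
        return False, f"no local account named {username!r} (exact match required)"
    if entry.pw_name != username:
        return False, f"lookup resolved to {entry.pw_name!r}, not {username!r}"
    expected_home = f"/home/{username}"
    if entry.pw_dir != expected_home:
        return False, f"home is {entry.pw_dir!r}; expected {expected_home!r}"
    return True, f"{username!r} -> {entry.pw_dir}"


def main():
    saml_attr = parse_rserver_conf(SAML_CONF)["auth-saml-sp-attribute-username"]
    oidc_claim = parse_rserver_conf(OIDC_CONF)["auth-openid-username-claim"]
    for user in (username_from_saml(SAMPLE_ASSERTION, saml_attr),
                 username_from_oidc(SAMPLE_CLAIMS, oidc_claim)):
        ok, detail = check_local_account(user)  # real passwd database on this host
        print("OK  " if ok else "FAIL", detail)


if __name__ == "__main__":
    main()
```

Run it on the Workbench host after creating the accounts; both lines should report OK. To check real logins instead of the constructed samples, feed a captured SAML response (base64-decoded) or the decoded ID token payload into username_from_saml or username_from_oidc respectively.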