Skip to main content

Naming local system accounts in Workbench with SAML/OIDC

Cecil Singh
  • Updated

Posit Workbench requires the use of local system accounts for user home directories. In most cases, this is straightforward with PAM authentication, as these names don't need to match any third party software. However, when integrating with SAML or Open ID Connect, these names will need to match the value of the user stored on your authentication provider.  

 

Update for Workbench version 2024.12.0

From Workbench version 2024.12.0 there are options to have Workbench manage local user provisioning for users with Entra ID and Okta authentication systems configured. Please see the User Provisioning documentation:

https://docs.posit.co/ide/server-pro/user_provisioning/user_provisioning.html

 

SAML

The local system account name will depend on the assertion that comes back from your SAML provider. Specifically, the auth-saml-sp-attribute-username contains the name value that is used from the assertion that comes back from your IdP. If your SAML configuration looks something like this:

# /etc/rstudio/rserver.conf 
auth-saml=1 
auth-saml-sp-attribute-username=NameID 
auth-saml-metadata-url=https://idp.example.com/saml/metadata

Then your local system account will need to match the NameID returned, which in most cases will be in the format of username@domain.com. However, it's worth consulting with your authentication team to verify this. Alternatively, you could review the assertion that is returned from your metadata URL to confirm. In this example with NameID, if the system account is username@domain.com, then user home directories will need to be named accordingly. For example, /home/username@domain.com.

OIDC

OpenID Connect in this case is slightly simpler. Workbench will look for a claim called preferred_username which is case-sensitive. If you wish to use a different value for the user's name, you can implement the auth-openid-username-claim option with the claim that you wish to use. An example OIDC configuration is below:

# /etc/rstudio/rserver.conf
auth-openid=1
auth-openid-issuer=https://op.example.com
auth-openid-username-claim=preferred_username

In this example, if the user's name is username+okta@domain.com, then the home directory will need to match this value on the OIDC portal. In this case, /home/username+okta@domain.com.

Related articles

Comments

0 comments

Article is closed for comments.