Naming local system accounts in Workbench with SAML/OIDC


Posit Workbench requires the use of local system accounts for user home directories. In most cases, this is straightforward with PAM authentication, as these names don't need to match any third-party software. However, when integrating with SAML or OpenID Connect, these names will need to match the username value stored on your authentication provider.


The local system account name will depend on the assertion that comes back from your SAML provider. Specifically, the auth-saml-sp-attribute-username option names the value in the assertion returned by your IdP that is used as the username. If your SAML configuration looks something like this:

# /etc/rstudio/rserver.conf 

Then your local system account will need to match the NameID returned, which in most cases will be in the format of However, it's worth consulting with your authentication team to verify this. Alternatively, you could review the assertion that is returned from your metadata URL to confirm. In this example with NameID, if the system account is, then user home directories will need to be named accordingly. For example, /home/


OpenID Connect in this case is slightly simpler. Workbench will look for a claim called preferred_username, which is case-sensitive. If you wish to use a different value for the user's name, you can set the auth-openid-username-claim option to the claim that you wish to use. An example OIDC configuration is below:

# /etc/rstudio/rserver.conf

In this example, if the user's name is, then the home directory will need to match this value on the OIDC portal. In this case, /home/
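One way to check the match before a user's first login, as an added example that is not part of the original article or Posit's own code: it reads the username claim from an ID token payload using an exact, case-sensitive claim name and looks up a local account with the same name. The sample token, the user jsmith and all function names are constructed for illustration; the token is decoded for inspection only and its signature is not verified here.

```python
import base64
import json
import pwd


def claims_from_id_token(token: str) -> dict:
    """Decode the payload of a JWT ID token for inspection only (no signature check)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def username_from_claims(claims: dict, claim: str = "preferred_username") -> str:
    """Return the claim value using an exact, case-sensitive claim name."""
    if claim in claims:
        return claims[claim]
    near = [k for k in claims if k.lower() == claim.lower()]
    hint = f"; found {near[0]!r}, which differs only in case" if near else ""
    raise KeyError(f"claim {claim!r} not in token{hint}")


def local_account(username: str, lookup=pwd.getpwnam):
    """Return (exists, home_dir) for a local account; Linux names are case-sensitive."""
    try:
        return True, lookup(username).pw_dir
    except KeyError:
        return False, None


def make_sample_token(claims: dict) -> str:
    """Build a constructed token with a placeholder signature so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder"


if __name__ == "__main__":
    # Constructed sample; replace with a token issued by your own provider.
    token = make_sample_token({"sub": "1234", "preferred_username": "jsmith"})
    name = username_from_claims(claims_from_id_token(token))
    exists, home = local_account(name)
    print(f"claim value: {name!r}")
    print(f"local account: {'found, home ' + home if exists else 'MISSING'}")
```

Pass a different claim name as the second argument to `username_from_claims` when auth-openid-username-claim is set to something other than preferred_username.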