Using AD for user provisioning and SAML for auth on RStudio Workbench

  1. Configure LDAP/AD with RSW (source)
    1. Install the prerequisites
    2. Join the underlying Linux server with Active Directory
    3. Configure the rstudio PAM profile
      # /etc/pam.d/common-session
      session required pam_unix.so 
      session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

      cp /etc/pam.d/login /etc/pam.d/rstudio

      # /etc/pam.d/rstudio  
      #%PAM-1.0  
      #
      auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so  

      auth substack system-auth  
      auth include postlogin  
      account required pam_nologin.so  
      account include system-auth  
      password include system-auth  
      # pam_selinux.so close should be the first session rule  
      session required pam_selinux.so close 
      session required pam_loginuid.so  
      session optional pam_console.so
      # pam_selinux.so open should only be followed by sessions
      # to be executed in the user context 

      session required pam_selinux.so open  
      session required pam_namespace.so  
      session optional pam_keyinit.so force revoke  
      session include system-auth  
      session include postlogin  
      -session optional pam_ck_connector.so
  2. Change auth to SAML (source)
    # /etc/rstudio/rserver.conf

    auth-saml=1
    auth-saml-sp-attribute-username=NameID
    auth-saml-metadata-url=https://idp.example.com/saml/metadata
  3. Ensure that the SAML assertion sent at login carries an attribute that matches the user's Linux username exactly (i.e. the username as it appears in the output of `getent passwd username`)
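
A check for step 3, as an added example (not part of the original article or of RStudio Workbench): it compares the value the IdP sends with the login name in the `getent passwd` record byte for byte, because a directory-backed NSS source can resolve a name case-insensitively and still return a differently cased account. The function names and the sample passwd line are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a SAML username value with the local account name.

# passwd_name LINE: print the first field (login name) of a passwd-format line.
passwd_name() {
    printf '%s\n' "${1%%:*}"
}

# check_saml_username SAML_VALUE PASSWD_LINE
# Returns 0 on exact match, 1 when no account resolved, 2 on a mismatch.
check_saml_username() {
    saml_value=$1
    passwd_line=$2
    if [ -z "$passwd_line" ]; then
        echo "FAIL: '$saml_value' does not resolve to an account" >&2
        return 1
    fi
    local_name=$(passwd_name "$passwd_line")
    # String comparison is case-sensitive: 'JDoe' and 'jdoe' are different.
    if [ "$local_name" != "$saml_value" ]; then
        echo "FAIL: IdP sends '$saml_value' but the account is '$local_name'" >&2
        return 2
    fi
    echo "OK: '$saml_value' matches the local account"
    return 0
}

# verify_user SAML_VALUE: live check against NSS (files, SSSD/AD, ...).
verify_user() {
    check_saml_username "$1" "$(getent passwd "$1" 2>/dev/null)"
}

# Constructed passwd record, so the demonstration runs without a directory.
SAMPLE='jdoe:*:1234600001:1234600513:Jane Doe:/home/jdoe:/bin/bash'

check_saml_username 'jdoe' "$SAMPLE"
check_saml_username 'JDoe' "$SAMPLE" || true          # resolves, wrong case
check_saml_username 'jdoe@example.com' '' || true     # no account found
```

On the Workbench server, run `verify_user` with the exact value the IdP places in the attribute named by `auth-saml-sp-attribute-username`.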
