Authenticating Users

R users require local or networked system accounts regardless of what RStudio authentication method you use. You must set up local system accounts manually or using network services such as LDAP or Active Directory and then map authenticating users to these accounts.

For user identification, authentication, and authorization using local system accounts, RStudio relies heavily on Linux Pluggable Authentication Module (PAM). PAM can be used by itself to authenticate users or along with other external authentication mechanisms (e.g., Web Single Sign-On) to authorize existing local system accounts.


Not all RStudio products require local system accounts or PAM. For example, RStudio Connect and Shiny Server rely on their own authentication engines and on a single system account for doing their work in most cases, not requiring individualized development environments like the ones offered by RStudio Workbench.

Here are the various authentication mechanisms supported by RStudio:

Authentication RStudio Configuration
Local Accounts PAM Authentication (via pam_unix)
LDAP or Active Directory PAM Authentication (via pam_sss or pam_ldap in older systems)
Kerberos PAM Authentication (via pam_sss or pam_krb5 in older systems)
Web Single Sign-On (SSO) SAML Single Sign-On Authentication or OpenID Connect Authentication
Others (client-server, e.g., RADIUS) As supported by various PAM modules
Others (browser-based, e.g., Kerberos SPNEGO SSO) Proxied Authentication

SAML, OpenID, and Proxied authentication still require PAM Sessions to automatically create local system accounts. Without it, local system accounts have to be provisioned manually one-by-one.