Configuring Authentication in RStudio Connect

RStudio Connect can be configured with the following authentication methods:

Password Configuration

Password (built-in) authentication

The default authentication provider used by RStudio Connect. Password authentication uses a local user account backed by the RStudio Connect database and it is not integrated with a third-party service. The Password section of the Admin Guide provides a full description.

  • Navigate to the /etc/rstudio-connect/rstudio-connect.gcfg file.
  • Locate the Authentication.Provider setting.

    Note

    If this is the initial installation of RStudio Connect, then Password authentication is the default method, even if the Provider setting is left blank.

  • Although Password authentication is the default method, set it explicitly: locate the Authentication.Provider setting and, for the Provider, type:

[Authentication]
Provider = password
  • Save your changes and restart RStudio Connect:

Terminal

$ sudo systemctl restart rstudio-connect

LDAP & Active Directory Configuration

LDAP & AD

Integrates with your company’s LDAP or AD infrastructure. User authentication and user search requests will be directed to the LDAP/AD server.

  • Navigate to the /etc/rstudio-connect/rstudio-connect.gcfg file.
  • Locate the Authentication.Provider setting and for the Provider, type "LDAP":
[Authentication]
Provider = LDAP
  • Now define an LDAP or AD section in the configuration file by adding a header that is case-sensitive, such as:
[LDAP "European LDAP Server"]

Support for LDAP and AD has the following constraints:

| Constraint | Description |
|---|---|
| LDAP/AD user objects | User objects must contain a user’s first name, last name, email address, and username. |
| Changes to a user | When a user's name, email address, or username is changed in your LDAP/AD system, the changes do not automatically propagate to RStudio Connect. However, the user information updates the next time that the user logs into RStudio Connect after the LDAP/AD update is made. |
| Single bind | When using single bind, the DN of a user must contain their username (i.e., it must utilize the UsernameAttribute). Using a different attribute for username, such as CN only to match the DN, may cause users to have to type their full name to log in. For example, it is not supported if the DN for a user is cn=SueJacobs, ou=People, dc=company, dc=com but their actual username is stored in the uid or SAMAccountName LDAP attribute. You must use double bind when the DN does not contain the username. |
| Single-bind searches | When using single-bind configuration, searches only include users who have previously logged in to RStudio Connect. |
| Single-bind groups | When using single-bind configuration, groups are not available. |

Several configurations are discussed above, however:

After you've applied the configuration options that are relevant to your needs, save your changes and restart RStudio Connect:

Terminal

$ sudo systemctl restart rstudio-connect

SAML Configuration

Security Assertion Markup Language (SAML)

The SAML protocol is an industry standard for single sign-on, multi-factor authentication, and authorization within the enterprise. RStudio Connect supports SAML 2.0 for authentication and group membership. The Appendix A section of the Admin Guide provides additional information.

Before you configure SAML authentication, you must know which SAML identity provider you intend to use. RStudio Connect is the service provider (SP) for this SAML identity provider (IdP). SAML requires that RStudio Connect version 1.7.6, or later, is installed. The following IdPs provide integrated templates to simplify configuration. Additionally, certain providers may require that you add the integration to your account before the guide is available.

| IdP | Links to the IdP's custom configuration guides |
|---|---|
| Azure Active Directory (AD) | https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.rstudioconnect?tab=Overview |
| Okta | https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-RStudio-Connect.html |
| Onelogin | https://www.onelogin.com/product/app-catalog |

For all other IdPs, or to proceed with custom configuration, do the following:

  1. Determine your RStudio Connect Server Address (i.e., the URL where users log in to RStudio Connect), for example, https://example.com.
  2. Configure an SP for RStudio Connect within your SAML IdP. Modify our example values to fit your environment.

    RStudio Connect's "Entity ID", or unique URL, is directly related to your server address from step 1. Note the two underscores before and after the word "login". For example, https://example.com/__login__/saml.

    Note the following:

    • The Assertion Consumer Response URL for RStudio Connect is directly related to your server address. For example, https://example.com/__login__/saml/acs.
    • The URL to log in to RStudio Connect used to create SP-initiated logins is your server address. For example, https://example.com.
    • SAML creates an Assertion when users log in to the system. Some IdPs require that you configure the assertion attributes for the SP. By default, RStudio Connect uses the following attributes, which are case sensitive, and can be configured and changed, if desired:
      • Username
      • FirstName
      • LastName
      • Email

    If your IdP can pass groups in an Assertion Attribute, then those groups can be defined within RStudio Connect. By default, this attribute is named “Groups.” You can either configure:

    • A multi-valued Assertion Attribute.
    • A single-valued Assertion Attribute, where multiple group memberships are text-delimited (e.g. group1|group2|group3).

    The IdP Metadata provided by your Identity Provider is required. Oftentimes, this is just an HTTPS URL that the XML metadata can be fetched from. Otherwise, the XML file can be downloaded and moved to the RStudio Connect server.

  3. Do the following to configure RStudio Connect by using the values that are shown above. For more information about the available options, refer to the SAML section in the Admin Guide.

    1. Navigate to the /etc/rstudio-connect/rstudio-connect.gcfg file.
    2. Ensure that the server address is set within the [Server] configuration block, for example:
      [Server]
      Address = https://<serveraddress>.com
      
    3. Locate the Authentication.Provider setting and for the Provider, type "saml":
      [Authentication]
      Provider = saml
      

    To see an example of the SAML configuration section that uses the values configured in this section, refer to step 3.a of the Getting Started with SAML in RStudio Connect article on the RStudio support site.

  4. Save your changes and restart RStudio Connect:

Terminal

$ sudo systemctl restart rstudio-connect

For the full description of configuring SAML authentication, see the SAML section in the Admin Guide.

PAM Configuration

Pluggable Authentication Module (PAM)

Provides dynamic authentication support for applications and services in a Linux system.

  • Navigate to the /etc/rstudio-connect/rstudio-connect.gcfg file.
  • Locate the Authentication.Provider setting and for the provider, type "pam":

[Authentication]
Provider = pam
  • Optionally, you can change the PAM service name that's used for authentication by customizing the PAM.Service setting. The default PAM service name used for RStudio Connect is rstudio-connect. For example:

; /etc/rstudio-connect/rstudio-connect.gcfg
[PAM]
Service = rstudio-connect

    Ubuntu systems

    RStudio Connect does not create a PAM service on Ubuntu systems and attempts to use the rstudio-connect service name for authentication. PAM will recognize that there is no service with that name and fall back to the default other service located at /etc/pam.d/other. If the other service is not appropriate for your organization, see the Ubuntu documentation.

    Red Hat/CentOS/SUSE systems

    Additionally, Red Hat/CentOS/SUSE systems may deny access to unknown PAM service names by default because the other configuration in /etc/pam.d/other contains only “deny” rules. If you are running a Red Hat/CentOS/SUSE system and require PAM to be configured, refer to the Red Hat/CentOS/SUSE documentation.
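The fallback behaviour described in the two notes above can be checked before switching the provider to pam. The following is an added example, not part of the RStudio documentation; the function names are hypothetical, and it only inspects the named file (it does not follow include directives).

```shell
#!/usr/bin/env bash
# Added example: report which PAM service file applies for a service name
# and whether that file can only deny access.

# Print the file PAM will read for SERVICE under PAM_DIR: the service's own
# file if it exists, otherwise the "other" fallback.
pam_effective_file() {
  local pam_dir="$1" service="$2"
  if [ -f "$pam_dir/$service" ]; then
    printf '%s\n' "$pam_dir/$service"
  else
    printf '%s\n' "$pam_dir/other"
  fi
}

# Succeed (exit 0) when FILE has auth/account rules and every one of them
# uses pam_deny.so, so nobody can authenticate through this service.
pam_is_deny_only() {
  awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    $1 ~ /^-?(auth|account)$/ {
      rules++
      if ($0 !~ /pam_deny\.so/) permissive++
    }
    END { exit !(rules > 0 && permissive == 0) }
  ' "$1"
}

# Summarise the outcome as "<status>:<file>" where status is one of
# missing, deny-only, or review (the file may grant access; read it).
pam_audit() {
  local file
  file=$(pam_effective_file "$1" "$2")
  if [ ! -f "$file" ]; then
    echo "missing:$file"
  elif pam_is_deny_only "$file"; then
    echo "deny-only:$file"
  else
    echo "review:$file"
  fi
}

# Typical use on the Connect host (paths from this page):
#   pam_audit /etc/pam.d rstudio-connect
```

A deny-only result for /etc/pam.d/other means logins will fail until a service file for rstudio-connect exists; a review result for /etc/pam.d/other means the distribution's generic policy is deciding who can sign in.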

Refer to the PAM section of the admin guide if your organization requires:

  • Different requirements from the default behavior or
  • Groups to be configured and managed

Save your changes and restart RStudio Connect:

Terminal

$ sudo systemctl restart rstudio-connect

For the full description of configuring PAM authentication, see the PAM documentation.

OAuth2 Configuration

OAuth2

OAuth2 authentication is available for authenticating against the Google OAuth2 service. OAuth2 requires that you have a client ID and client secret.

  • Navigate to the /etc/rstudio-connect/rstudio-connect.gcfg file.
  • Locate the Authentication.Provider setting and for the Provider, type "oauth2":
[Authentication]
Provider = oauth2

Obtain a client ID and client secret

You must obtain a client ID and client secret to add to the rstudio-connect.gcfg file to enable OAuth2 authentication.

  • Navigate to the Google Developers Console.
  • Do the following:

    • Create a new project.
    • Enable Google+ API.
    • From the Google+ API dashboard, create the appropriate user type.
    • Fill out and save any necessary fields in the OAuth consent screen.

    Note

    Ensure that you populate the Authorized domains field because it is required in a later step.

    • Create an OAuth client ID.
    • For the Application type, select Web application and use the following configurations in the corresponding fields:

      | Field name | Configuration |
      |---|---|
      | client ID | Give your client ID a descriptive name. |
      | Authorized JavaScript origins | Enter your RStudio Server URL (e.g. https://HOST:PORT). |
      | Authorized redirect URIs | Enter your RStudio Connect server address with "/__login__/callback" (e.g. https://HOST:PORT/__login__/callback). This field should be populated with the same domain that you entered in the Authorized domains field in a previous step. |
    • Save your changes.

    • Navigate to the /etc/rstudio-connect/rstudio-connect.gcfg file.
    • Add the client ID and client secret to the file. For example:
      [OAuth2]
      DiscoveryEndpoint = https://accounts.google.com/.well-known/openid-configuration
      ClientId = <CLIENT ID>
      ClientSecret = <CLIENT SECRET>
      
  • After adding the client ID and client secret to the file, save your changes and restart RStudio Connect:

Terminal

$ sudo systemctl restart rstudio-connect

Now, you may use your Google Apps account to sign in to RStudio Connect.

For the full description of configuring OAuth2 authentication, see the OAuth2 (Google) documentation.

Proxied Configuration

Proxied

Proxied authentication allows an external system to intercept requests and handle the authentication of:

  • Users visiting the RStudio Connect dashboard or
  • Applications that RStudio Connect is hosting

Proxied authentication is only used in rare cases when you are not able to use one of the other authentication methods that RStudio Connect supports.

If you fall into this unique category and require Proxied authentication, the Proxied Authentication section in the Admin Guide has a full description for configuring Proxied authentication, including additional headers that can be configured.

The RStudio Connect Admin Guide provides a detailed explanation and additional information about configuring authentication in RStudio Connect.
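
A pre-restart check for the settings covered on this page, as an added example that is not part of the RStudio documentation. The function names are hypothetical; it assumes Provider values may be compared case-insensitively, and it recognises only the values shown on this page (the Proxied value is not given here, so it is reported as unknown).

```shell
#!/usr/bin/env bash
# Added example: sanity-check the authentication settings in a gcfg file
# before restarting the service.

# Print the value of KEY in [SECTION]; names are matched case-insensitively.
gcfg_get() {
  awk -v want_sec="$2" -v want_key="$3" '
    /^[ \t]*[;#]/ { next }                       # comment line
    /^[ \t]*\[/ {                                # section header
      sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
      in_sec = (tolower(sec) == tolower(want_sec)); next
    }
    in_sec && (eq = index($0, "=")) {
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (tolower(key) == tolower(want_key)) found = val
    }
    END { if (found != "") print found }
  ' "$1"
}

# Report problems for the configured provider; returns 1 on any error.
check_auth_config() {
  local file="$1" provider addr key val rc=0
  provider=$(gcfg_get "$file" Authentication Provider | tr '[:upper:]' '[:lower:]')
  case "$provider" in
    "") echo "info: Provider not set" ;;
    password|ldap|pam) echo "ok: Provider = $provider" ;;
    saml)
      addr=$(gcfg_get "$file" Server Address)
      if [ -z "$addr" ]; then
        echo "error: saml needs Server.Address"; rc=1
      else                                       # values to register at the IdP
        echo "entity-id: ${addr%/}/__login__/saml"
        echo "acs-url: ${addr%/}/__login__/saml/acs"
      fi ;;
    oauth2)
      for key in ClientId ClientSecret; do
        val=$(gcfg_get "$file" OAuth2 "$key")
        case "$val" in
          ""|"<"*">") echo "error: OAuth2.$key is missing or a placeholder"; rc=1 ;;
        esac
      done ;;
    *) echo "error: Provider '$provider' is not a value shown on this page"; rc=1 ;;
  esac
  return "$rc"
}
```

Run it as `check_auth_config /etc/rstudio-connect/rstudio-connect.gcfg` before `systemctl restart`; a non-zero exit status means a mistyped provider name or an unfilled placeholder would otherwise only surface at login time.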