Step 3: Initial Authentication Configuration

RStudio Connect offers a variety of user authentication methods. It is important that you configure the desired method before logging into RStudio Connect for the first time.

Caution

Failure to configure authentication before logging in for the first time may cause serious problems for you in the future. Although it is possible to change the authentication method at a later date, it is cumbersome and may result in a loss of user content subscriptions, and other assets. However, if you plan on using RStudio Connect on a trial basis using Password authentication, you are now able to log into RStudio Connect.

Authentication types

Info

By default, RStudio Connect is set to use Password authentication as the provider, unless you configure an alternate method.

RStudio Connect can be configured with the following authentication methods by customizing the Authentication.Provider property:

Password Configuration

Password (default)

The default authentication provider used by RStudio Connect. Password authentication uses a local user account backed by the RStudio Connect database and it is not integrated with a third-party service. The Password section of the Admin Guide provides a full description.

  • Navigate to the /etc/rstudio-connect/rstudio-connect.gcfg file.

  • Locate the Authentication.Provider setting.

    Note

    If this is the initial installation of RStudio Connect, then Password authentication is the default method, even if the Provider setting is left blank.

  • Even though Password authentication is the default method, locate the Authentication.Provider setting and for the Provider, type:

[Authentication]
Provider = password
  • Save your changes and restart RStudio Connect:

Terminal

$ sudo systemctl restart rstudio-connect

LDAP & Active Directory Configuration

LDAP/AD

Integrates with your company’s LDAP or AD infrastructure. User authentication and user search requests will be directed to the LDAP/AD server.

  • Navigate to the /etc/rstudio-connect/rstudio-connect.gcfg file.
  • Locate the Authentication.Provider setting and for the Provider, type "LDAP":
[Authentication]
Provider = LDAP
  • Now define an LDAP or AD section in the configuration file by adding a header that is case-sensitive, such as:
[LDAP "European LDAP Server"]

Support for LDAP and AD has the following constraints:

Constraint Description
LDAP/AD user objects User objects must contain a user’s first name, last name, email address, and username.
Changes to a user When changes are made to a user's name, email address, or username that are in your LDAP/AD system, the changes do not automatically propagate to RStudio Connect. However, the user information updates the next time that the user logs into RStudio Connect after the LDAP/AD update is made.
Single bind When using single bind, the DN of a user must contain their username (i.e., it must utilize the UsernameAttribute). Using a different attribute for username, such as CN only to match the DN, may cause users to have to type their full name to log in. For example, it is not supported if the DN for a user is cn=SueJacobs, ou=People, dc=company, dc=com but their actual username is stored in the uid or SAMAccountName LDAP attribute. You must use double bind when the DN does not contain the username. If the DN doesn't contain a username, then use double bind.
Single-bind searches When using single-bind configuration, the searches only include users who have previously logged in to RStudio Connect.
Single-bind groups When using single-bind configuration, groups are not available.

Several configurations are discussed above, however:

  • If you would like to view all of the configurable options available, refer to the LDAP and Active Directory section of the Admin Guide.
  • If you would like to view additional configuration examples, refer to the Complete Configuration Examples section in the appendix of the Admin Guide.

After you've applied the configuration options that are relevant to your needs: save your changes and restart RStudio Connect:

Terminal

$ sudo systemctl restart rstudio-connect

SAML Configuration

SAML

Security Assertion Markup Language (SAML) protocol is an industry-standard for single sign-on, multi-factor authentication, and authorization within the enterprise. RStudio Connect supports SAML 2.0 for authentication and group membership. The Appendix - SAML section of the Admin Guide provides additional information.

Before you configure SAML authentication, you must know which SAML identity provider that you intend to use. RStudio Connect is the service provider (SP) for this SAML identity provider (IdP). SAML requires that RStudio Connect version 1.7.6, or later, is installed. The following IdPs provide integrated templates to simplify configuration. Additionally, certain providers may require that you add the integration to your account before the guide is available.

IdP Links to the IdP's custom configuration guides
Azure Active Directory (AD) https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.rstudioconnect?tab=Overview
Okta https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-RStudio-Connect.html
OneLogin https://www.onelogin.com/product/app-catalog

For all other IdPs, or to proceed with custom configuration, do the following:

  1. Determine your RStudio Connect Server.Address where users log in to RStudio Connect, for example, https://example.com.

  2. Configure an SP for RStudio Connect within your SAML IdP. Modify our example values to fit your environment.

    The RStudio Connect's "Entity ID" or unique URL is directly related to your server address from step 1. Additionally, this is the two underscores before and after the word "login". For example, https://example.com/__login__/saml.

    Note the following:

    • The Assertion Consumer Response URL for RStudio Connect is directly related to your server address. For example, https://example.com/__login__/saml/acs.
    • The URL to log in to RStudio Connect used to create SP-initiated logins is your server address. For example, https://example.com.
    • SAML creates an Assertion when users log in to the system. Some IdPs require that you configure the assertion attributes for the SP. By default, RStudio Connect uses the following attributes, which are case sensitive, and can be configured and changed, if desired:
      • Username
      • FirstName
      • LastName
      • Email

    If your IdP can pass groups in an Assertion Attribute, then those groups can be defined within RStudio Connect. By default, this attribute is named “Groups.” You can either configure:

    • A multi-valued Assertion Attribute.
    • A single-valued Assertion Attribute, where multiple group memberships are text-delimited (e.g. group1|group2|group3).

    The IdP Metadata provided by your Identity Provider is required. Oftentimes, this is just an HTTPS URL that the XML metadata can be fetched from. Otherwise, the XML file can be downloaded and moved to the RStudio Connect server.

  3. Do the following to configure RStudio Connect by using the values that are shown above. For more information about the available options, refer to the SAML section in the Admin Guide.

    1. Navigate to the /etc/rstudio-connect/rstudio-connect.gcfg file.
    2. Ensure that the server address is set within the [Server] configuration block, for example: 
      [Server]
Address = https://<serveraddress>.com
    3. Locate the Authentication.Provider setting and for the Provider and type "saml": 
      [Authentication]
Provider = saml

    To see an example of the SAML configuration section that uses the values configured in this section, refer to the Getting Started with SAML in RStudio Connect article's step 3.a to the RStudio support site.

  4. Save your changes and restart RStudio Connect:

Terminal

$ sudo systemctl restart rstudio-connect

For the full description of configuring SAML authentication, see the SAML section in the Admin Guide.

PAM Configuration

PAM

Pluggable Authentication Module (PAM) provides dynamic authentication support for applications and services in a Linux System.

  • Navigate to the /etc/rstudio-connect/rstudio-connect.gcfg file.
  • Locate the Authentication.Provider setting and for the provider, type "pam":
[Authentication]
Provider = pam
  • Optionally, you can change the PAM service name that's used for authentication by customizing the PAM.Service setting. By default, the default PAM service name used for RStudio Connect is rstudio-connect. For example:
; /etc/rstudio-connect/rstudio-connect.gcfg
[PAM]
Service = rstudio-connect
Ubuntu systems

RStudio Connect does not create a PAM service on Ubuntu systems and attempts to use the rstudio-connect service name for authentication. PAM will recognize that there is no service with that name and fall back to the default other service located at /etc/pam.d/other. If the other service is not appropriate for your organization, see the Ubuntu documentation.

Red Hat/CentOS/SUSE systems

Additionally, Red Hat/CentOS/SUSE systems may deny access to unknown PAM service names by default because of the other configuration in /etc/pam.d/other contains only “deny” rules. If you are running a Red Hat/CentOS/SUSE system and require PAM to be configured, refer to the Red Hat/CentOS/SUSE documentation.

Refer to the PAM section of the admin guide if your organization requires:

  • Different requirements from the default behavior or
  • Groups to be configured and managed

Save your changes and restart RStudio Connect:

Terminal

$ sudo systemctl restart rstudio-connect

For the full description of configuring OAuth2 authentication, see the PAM documentation.

OAuth2 Configuration

OAuth

OAuth2 authentication is available for authenticating against the Google OAuth2 service. OAuth2 requires that you have a client ID and client secret.

  • Navigate to the /etc/rstudio-connect/rstudio-connect.gcfg file.
  • Locate the Authentication.Provider setting and for the Provider, type "oauth2":
[Authentication]
Provider = oauth2
Obtain a client ID and client secret

You must obtain a client ID and client secret to add to the rstudio-connect.gcfg file to enable OAuth2 authentication.

  • Navigate to the Google Developers Console.

  • Do the following:

    • Create a new project.
    • From the Google APIs dashboard, ensure that your new project is selected.
    • Click + ENABLE APIS AND SERVICES.
    • Search and enable Enable Google+ API.
    • From the Navigation menu, select APIs & Services and click OAuth consent screen.
    • Create the appropriate User Type.

    Note

    It is important that you populate the Authorized domains field because this URL is used as your Authorized redirect URIs path in a later step.

    • Fill out and save any necessary fields in the OAuth consent screen.

    Note

    Ensure that you populate the Authorized domains field because it is required in a later step.

    • Create an OAuth client ID.

    • For the Application type, select Web application and use the following configurations in the corresponding fields:

      Field name Configuration
      Name Give your client ID a descriptive name.
      Authorized JavaScript origins Enter your RStudio Server URL (e.g. https://HOST:PORT).
      Authorized redirect URIs Enter your RStudio Connect server address with "/login/callback" (e.g. https://HOST:PORT/login/callback). This field should be populated with the same domain that was entered for your Authorized domains that was configured in a previous step.

    • Save your changes.

    • Navigate to the /etc/rstudio-connect/rstudio-connect.gcfg file.
    • Add the client ID and client secret to the file. For example: 
      [OAuth2]
DiscoveryEndpoint = https://accounts.google.com/.well-known/openid-configuration
ClientId = <CLIENT ID>
ClientSecret = <CLIENT SECRET>
  • After adding the client ID and client secret to the file, save your changes and restart RStudio Connect:

Terminal

$ sudo systemctl restart rstudio-connect

Now, you may use your Google Apps account to sign into RStudio Connect.

For the full description of configuring OAuth2 authentication, see the OAuth2 (Google) documentation.

Proxied Auth Configuration

Proxied

Proxied authentication allows an external system to intercept requests and handle the authentication of:

  • Users visiting the RStudio Connect dashboard or
  • Applications that RStudio Connect is hosting

Proxied authentication is only used in rare cases when you are not able to use one of the other authentication methods that RStudio Connect supports.

If you fall into this unique category and require Proxied authentication, the Proxied Authentication section in the Admin Guide has a full description for configuring Proxied authentication, including additional headers that can be configured.

The RStudio Connect Admin Guide provides detailed explanations and additional information about configuring authentication in RStudio Connect.