Configuring SAML in RStudio Server Pro#
The SAML protocol is an industry standard for single-sign-on (SSO), multi-factor authentication, and authorization within the enterprise. RStudio Server Pro supports SAML 2.0 for authentication.
For complete reference on RStudio Server Pro's (RSP) SAML implementation, see the RSP Admin Guide.
SAML in RSP is for SSO authentication only. Users and groups can be provisioned manually or via LDAP or Active Directory.
If you wish to use LDAP or Active Directory for user provisioning, please configure user provisioning using this guide before configuring SAML.
To get started with SAML for RSP, you will need:
- RSP version 1.4 or later installed
- Information about your SAML Identity Provider
- The URL where users will access RSP
There are integrated templates that you can use to simplify your setup if you are using:
Other providers will need to use the General Configuration instructions below.
To configure RSP with SAML, you will need to (1) exchange metadata between your IdP and (2) configure the details of the authentication assertion.
Step 1. Configure the SAML Identity Provider (IdP)#
Step 1a. Provide RSP Metadata#
How you provide the RSP metadata to your IdP depends on what your IdP supports and whether direct network access exists between your IdP and RSP.
- Provide the metadata URL directly to your IdP (
- Download the metadata XML file and upload it to your IdP
- Use the metadata file to manually provide the information to your IdP
Step 1b. Configure the SAML Assertion#
- The SAML assertion provides the information RSP requires to do authentication.
- By default, RSP accepts the user's Linux username (lowercase) named
- If your IdP does not permit this configuration, you will need to configure RSP to accept a different assertion (see Step 2b. Configure SAML Assertion, below).
Step 2. Configure RSP#
Step 2a. Configure the IdP Metadata#
- RSP SAML configuration is done in
For an IdP metadata file available at
https://idp.example.com/saml/metadataand direct network access between your IdP and RSP, you could configure:File: /etc/rstudio/rserver.conf
If your IdP does not provide a metadata URL or you do not have a direct network connection between your IdP and RSP, you will need to provide metadata fields manually in
See the RSP Admin guide for configuration details.
Step 2b. Configure the SAML Assertion#
- If your IdP allows you to configure the SAML assertion as specified above, no further configuration is needed.
- If not, you will need to add configuration about the name and format of the username assertion. Details on how to provide that configuration is in the RSP Admin guide.
If you are running RSP behind a proxy, further configuration is required to allow the SAML IdP to redirect back to RSP after authenticating users. Usually, setting the
X-RStudio-Request header is sufficient.
You must first know which SAML Identity Provider (IdP) you intend to use. RSP will be a Service Provider (SP) to this SAML IdP. Please reference the RSP Admin guide which will provide additional information.