Configuring SAML in RStudio Workbench
The SAML protocol is an industry standard for single-sign-on (SSO), multi-factor authentication, and authorization within the enterprise. RStudio Workbench, formerly RStudio Server Pro, supports SAML 2.0 for authentication.
For complete reference on RStudio Workbench's SAML implementation, see the RStudio Workbench Admin Guide.
SAML in RStudio Workbench is for SSO authentication only.
Users and groups can be provisioned manually or via LDAP or Active Directory.
If you wish to use LDAP or Active Directory for user provisioning,
please configure user provisioning using this guide
before configuring SAML.
To get started with SAML for RStudio Workbench, you will need:
- RStudio Workbench version 1.4 or later installed
- Information about your SAML Identity Provider
- The URL where users will access RStudio Workbench
Local system accounts
SAML still requires PAM Sessions to automatically create local system accounts. Without it, local system accounts have to be provisioned manually one-by-one. For more information, see the SAML section of the Administration Guide.
There are integrated templates that you can use to simplify your setup if you
Other providers will need to use the General Configuration instructions below.
To configure RStudio Workbench with SAML, you need to:
- Exchange metadata between your IdP and
- Configure the details of the authentication assertion.
Step 1. Configure the SAML Identity Provider (IdP)
How you provide the RStudio Workbench metadata to your IdP depends on what your IdP supports and whether direct network access exists between your IdP and RStudio Workbench.
- Provide the metadata URL directly to your IdP (
- Download the metadata XML file and upload it to your IdP
- Use the metadata file to manually provide the information to your IdP
Step 1b. Configure the SAML Assertion
- The SAML assertion provides the information RStudio Workbench requires to do authentication.
- By default, RStudio Workbench accepts the user's Linux username (lowercase) named
- If your IdP does not permit this configuration, you will need to configure RStudio Workbench
to accept a different assertion (see Step 2b. Configure SAML Assertion, below).
Step 2. Configure RStudio Workbench
- RStudio Workbench SAML configuration is done in
For an IdP metadata file available at
https://idp.example.com/saml/metadata and direct network access between your IdP and RStudio Workbench, you could configure:
If your IdP does not provide a metadata URL or you do not have a direct network
connection between your IdP and RStudio Workbench, you will need to provide metadata fields manually in
See the RStudio Workbench Admin guide for configuration details.
Step 2b. Configure the SAML Assertion
- If your IdP allows you to configure the SAML assertion as specified above, no further configuration is needed.
- If not, you will need to add configuration about the name and format of the username assertion. Details on how to provide that configuration is in the RStudio Workbench Admin guide.
If you are running RStudio Workbench behind a proxy, further configuration is required to allow the SAML IdP to redirect back to RStudio Workbench after authenticating users. Usually, setting the
X-RStudio-Request header is sufficient.
You must first know which SAML Identity Provider (IdP) you
intend to use. RStudio Workbench will be a Service Provider (SP) to this SAML IdP. Please
reference the RStudio Workbench Admin
which provides additional information.
If you have problems integrating RStudio Workbench with your IdP, please reference our
Support documentation and send an email to