Configuring SAML in RStudio Workbench#
The SAML protocol is an industry standard for single-sign-on (SSO), multi-factor authentication, and authorization within the enterprise. RStudio Workbench, formerly RStudio Server Pro1, supports SAML 2.0 for authentication.
For complete reference on RStudio Workbench's SAML implementation, see the RStudio Workbench Admin Guide.
SAML in RStudio Workbench is for SSO authentication only. Users and groups can be provisioned manually or via LDAP or Active Directory.
If you wish to use LDAP or Active Directory for user provisioning, please configure user provisioning using this guide before configuring SAML.
To get started with SAML for RStudio Workbench, you will need:
- RStudio Workbench version 1.4 or later installed
- Information about your SAML Identity Provider
- The URL where users will access RStudio Workbench
Local system accounts
There are integrated templates that you can use to simplify your setup if you are using:
Other providers will need to use the General Configuration instructions below.
To configure RStudio Workbench with SAML, you need to:
- Exchange metadata between your IdP and
- Configure the details of the authentication assertion.
Step 1. Configure the SAML Identity Provider (IdP)#
Step 1a. Provide RStudio Workbench Metadata#
How you provide the RStudio Workbench metadata to your IdP depends on what your IdP supports and whether direct network access exists between your IdP and RStudio Workbench.
- Provide the metadata URL directly to your IdP (
- Download the metadata XML file and upload it to your IdP
- Use the metadata file to manually provide the information to your IdP
Step 1b. Configure the SAML Assertion#
- The SAML assertion provides the information RStudio Workbench requires to do authentication.
- By default, RStudio Workbench accepts the user's Linux username (lowercase) named
- If your IdP does not permit this configuration, you will need to configure RStudio Workbench to accept a different assertion (see Step 2b. Configure SAML Assertion, below).
Step 2. Configure RStudio Workbench#
Step 2a. Configure the IdP Metadata#
- RStudio Workbench SAML configuration is done in
For an IdP metadata file available at
https://idp.example.com/saml/metadataand direct network access between your IdP and RStudio Workbench, you could configure:File: /etc/rstudio/rserver.conf
If your IdP does not provide a metadata URL or you do not have a direct network connection between your IdP and RStudio Workbench, you will need to provide metadata fields manually in
See the RStudio Workbench Admin guide for configuration details.
Step 2b. Configure the SAML Assertion#
- If your IdP allows you to configure the SAML assertion as specified above, no further configuration is needed.
- If not, you will need to add configuration about the name and format of the username assertion. Details on how to provide that configuration is in the RStudio Workbench Admin guide.
If you are running RStudio Workbench behind a proxy, further configuration is required to allow the SAML IdP to redirect back to RStudio Workbench after authenticating users. Usually, setting the
X-RStudio-Request header is sufficient.
You must first know which SAML Identity Provider (IdP) you intend to use. RStudio Workbench will be a Service Provider (SP) to this SAML IdP. Please reference the RStudio Workbench Admin guide which provides additional information.