
Using AD for user provisioning and SAML for auth on RStudio Workbench

  1. Configure LDAP/AD with RSW (source)
    1. Install the prerequisites
    2. Join the underlying Linux server with Active Directory
    3. Configure the rstudio PAM profile

      /etc/pam.d/common-session

      session required pam_unix.so
      session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

      cp /etc/pam.d/login /etc/pam.d/rstudio

      /etc/pam.d/rstudio

      #%PAM-1.0
      auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
      auth substack system-auth
      auth include postlogin
      account required pam_nologin.so
      account include system-auth
      password include system-auth

      # pam_selinux.so close should be the first session rule
      session required pam_selinux.so close
      session required pam_loginuid.so
      session optional pam_console.so

      # pam_selinux.so open should only be followed by sessions to be executed in the user context
      session required pam_selinux.so open
      session required pam_namespace.so
      session optional pam_keyinit.so force revoke
      session include system-auth
      session include postlogin
      -session optional pam_ck_connector.so

  2. Change auth to SAML (source)

    # /etc/rstudio/rserver.conf
    auth-saml=1
    auth-saml-sp-attribute-username=NameID
    auth-saml-metadata-url=https://idp.example.com/saml/metadata

  3. Ensure that the SAML assertion has an attribute (on login) that matches the user's Linux username exactly (i.e. the login name in the output of `getent passwd username`)
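
A pre-flight check for step 3, added here as an example and not part of the original article: it takes the value the IdP sends as NameID and confirms that the account NSS returns has exactly that login name. The function names `check_saml_username` and `passwd_lookup` are hypothetical; only `getent passwd` comes from the article.

```shell
#!/usr/bin/env bash
# Added example: verify that a SAML NameID value is an exact match for the
# Linux login name that NSS (local files or the AD join) returns.

# Thin wrapper around the NSS query so it can be replaced when testing.
passwd_lookup() { getent passwd "$1"; }

# check_saml_username NAMEID
# Returns 0 only when NAMEID is byte-for-byte identical to the login name
# in the passwd entry. Non-zero codes: 2 = malformed value, 3 = no such
# account, 4 = account found under a different name.
check_saml_username() {
    local nameid="$1" entry login home

    # An attribute mapping can leak padding or an empty value.
    case "$nameid" in
        ''|*[[:space:]]*)
            echo "FAIL: NameID is empty or contains whitespace"
            return 2 ;;
    esac

    if ! entry="$(passwd_lookup "$nameid")" || [ -z "$entry" ]; then
        echo "FAIL: '$nameid' does not resolve via NSS (check the AD join)"
        return 3
    fi

    # Assumption: depending on the NSS/SSSD configuration, a lookup can
    # succeed for a value that differs from the stored login name (for
    # example in letter case), so compare against field 1 explicitly.
    login="${entry%%:*}"
    if [ "$login" != "$nameid" ]; then
        echo "FAIL: IdP sends '$nameid' but the system account is '$login'"
        return 4
    fi

    home="$(printf '%s\n' "$entry" | cut -d: -f6)"
    echo "OK: '$nameid' matches account '$login' (home: $home)"
}

# Usage: ./check_nameid.sh <value sent as NameID>
if [ "$#" -gt 0 ]; then
    check_saml_username "$1"
fi
```

Run it on the Workbench server with the NameID value taken from the IdP's attribute mapping for a test user.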
