Restricting Access to Active Directory Users and Groups via SAML

  1. We are trying to restrict RStudio access to members of a specific group in Active Directory. RStudio is installed on an AWS EC2 instance, which is itself integrated with Active Directory via a SAML Identity Provider. We see the following error in the RStudio server log (assuming user "ruser" is a member of the group "app-analyst").

WARNING User ruser could not be authenticated because they do not belong to one of the required groups (app-analyst...User.cpp:127)

  2. We have determined that the EC2 instance is correctly integrated with Active Directory as the command "id" returns the correct group membership.

id ruser | grep analyst

2227031(app-analyst)

  3. The Linux "lid" tool does not recognise the user or the AD groups. Note that these groups (and the user) do not exist on the local machine, i.e. are not found in /etc/passwd or /etc/group.

lid -g APP-Analyst

APP-Analyst does not exist

  4. Group names from Active Directory are returned on EC2 instances in lower case. However, it appears not to make any difference. It also appears that lid is not aware of the AD integration.

lid -g app-analyst

app-analyst does not exist

  5. RStudio may have the same issue, and is configured to allow access to a specific group.

vi /etc/rstudio/rserver.conf

# Server Configuration File

auth-saml=1

auth-required-user-group=auth-analyst

  6. However, "auth-saml" is not recognised in RStudio. We think RStudio is looking for a local system group, not following the AD integration via SAML to retrieve the AD group.

sudo rstudio-server restart

Error reading /etc/rstudio/rserver.conf: unrecognised option 'auth-saml'

What is the correct rserver.conf configuration for the AD via SAML integration?

Has anyone done this kind of AD integration with RStudio before? Can you suggest where our configuration is going wrong?

Many thanks,
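A check for the mismatch the log message describes: it compares each group named in `auth-required-user-group` with the group names the OS resolves for the user (for example from `id -Gn`) and flags case-only differences. This is an added example, not part of the original post or RStudio's own code; the function names are hypothetical, and treating the option as a comma-separated list is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# required_groups CONF
# Print the last auth-required-user-group value set in an rserver.conf-style
# file. Commented-out lines are ignored because the key must start the line.
required_groups() {
    sed -n 's/^[[:space:]]*auth-required-user-group[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# classify_group REQUIRED USER_GROUPS
#   REQUIRED     one group name taken from the configuration
#   USER_GROUPS  newline-separated group names resolved for the user
# Prints one of: match | case-mismatch | missing
classify_group() {
    if printf '%s\n' "$2" | grep -Fxq -- "$1"; then
        echo "match"
    elif printf '%s\n' "$2" | grep -Fxiq -- "$1"; then
        # Same name apart from letter case, e.g. APP-Analyst vs app-analyst.
        echo "case-mismatch"
    else
        echo "missing"
    fi
}

# check_config CONF USER_GROUPS
# Print "<group>: <verdict>" for every group the configuration requires.
# Assumption: the option value may be a comma-separated list of groups.
check_config() {
    required_groups "$1" | tr ',' '\n' | while IFS= read -r req; do
        # Trim whitespace left around each list entry.
        req=$(printf '%s' "$req" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$req" ] || continue
        printf '%s: %s\n' "$req" "$(classify_group "$req" "$3$2")"
    done
}

# Typical call on the server (GNU id; NUL-separated so names with spaces survive):
#   check_config /etc/rstudio/rserver.conf "$(id -Gnz ruser | tr '\0' '\n')"
```

Run against the rserver.conf shown above for a user whose resolved groups include app-analyst, it prints `auth-analyst: missing`.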
