Restricting Access to Specific Users and Groups using SAML

Hi,

In RStudio-Server/Workbench, is it possible to restrict access to specific users/groups with SAML authentication?

For example, using PAM authentication, restriction is applied by adding auth-required-user-group in /etc/rstudio/rserver.conf and creating an LDAP filter in /etc/sssd/sssd.conf.

Thank you, best regards
Andrea

Hi Andrea,

With SAML this configuration is normally done within the identity provider (IdP). Which IdP do you use for SAML?

Hi Ralf,

We are using Oracle Access Manager as IdP.

Thank you, best regards
Andrea

Unfortunately, I was not able to find documentation on how Oracle Access Manager does this. But I assume the people administering it in your organization know how to do this. The general idea is the following:

Hi Ralf,

the IdP manages user authentication, but we cannot limit the access at this level.

For example, if my user, user1, authenticates with SAML, I should also have a valid PAM session and sssd service in the system, in order to get the groups associated with it (e.g. group1, group2).
If group1 is set in the property auth-required-user-group in /etc/rstudio/rserver.conf, I should get access to RStudio. If not, access should be denied.

Our IdP returns the NameID, matching the user's account username in the local system.

So, I expect access would be regulated through this property in /etc/rstudio/rserver.conf, even if I use SAML.

Thank you again, best regards
Andrea

Hi Andrea,

I find it surprising that your IdP does not provide this feature. However, auth-required-user-group should work even for SAML authentication. And if you are provisioning the users via sssd, you can also use an LDAP filter since a valid user is required to log into RStudio Workbench. So if the user does not exist on the Linux system, they won't be able to log in.

Ralf
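A pre-check for the behaviour described in the reply above, added here as an example and not part of the original thread or of RStudio's code: given the username the IdP sends as NameID, it tests that the account resolves through NSS (sssd/LDAP or local files) and belongs to a group listed in auth-required-user-group. The function names are hypothetical, the comma-separated group list and the matching logic are assumptions that approximate the server's check, and group names are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example: approximate the access decision for a SAML user.

# Print the value of auth-required-user-group from an rserver.conf-style file
# (last occurrence wins; empty output means the option is not set).
required_groups() {
    sed -n 's/^[[:space:]]*auth-required-user-group[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Return 0 if any group in $2 (space-separated, as printed by `id -Gn`)
# is named in $1 (comma-separated, as written in the config file).
groups_match() {
    for r in $(printf '%s' "$1" | tr ',' ' '); do
        for h in $2; do
            [ "$h" = "$r" ] && return 0
        done
    done
    return 1
}

# Decide for one username: it must exist on the Linux system and be a member
# of at least one required group. Prints the reason and returns 0 (allow) or 1.
check_user() {
    cu_required=$(required_groups "$1")
    if ! getent passwd "$2" >/dev/null 2>&1; then
        echo "deny: $2 does not resolve to a local account"
        return 1
    fi
    if [ -z "$cu_required" ]; then
        echo "allow: auth-required-user-group is not set"
        return 0
    fi
    if groups_match "$cu_required" "$(id -Gn "$2")"; then
        echo "allow: $2 is in one of [$cu_required]"
        return 0
    fi
    echo "deny: $2 is in none of [$cu_required]"
    return 1
}

# Stand-alone use: sh check.sh /etc/rstudio/rserver.conf user1
if [ "$#" -eq 2 ]; then
    check_user "$1" "$2"
fi
```

Running it for an account that the LDAP filter in sssd.conf should exclude shows whether that filter is actually hiding the user from NSS or whether only the group restriction is denying access.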

Thank you Ralf.
I'll check these options again: if I can filter at this level, it will be a good solution.
I will let you know.

Thank you again for the support.
Best regards
Andrea

Hi Ralf,
We confirm that using auth-required-user-group we can limit the access to RStudio, even if the LDAP filter (on the user) does not take effect!
