rstudio / shinyloadtest

Tools for load testing Shiny applications
https://rstudio.github.io/shinyloadtest

Request for SAML authentication support for shinyloadtest and shinycannon #132

Open slourens opened 3 years ago

slourens commented 3 years ago

Hello,

My team and I are releasing some shiny applications to a rather large set of users at our company (more than 300) in September 2020. We recently found out that shinyloadtest is not configured to work with SAML authentication, which is what is being used in our Azure architecture by the firm. Are there plans for the team to support SAML authentication in the future?

Thank you,

Spencer

slopp commented 3 years ago

We don't have specific plans, and I would not expect SAML support by September.

However, most of RStudio's customers in this scenario run the load tests on the application and systems by temporarily removing authentication while simultaneously locking down the network access - essentially running a load test on a staging version of the architecture that does not require auth but is only accessible for the purpose of the test.

This scenario is a realistic test as long as the application's behavior does not depend significantly on who is logged in. The actual "authentication" step is usually not a significant part of a load test or serving a shiny app. The load tests instead focus on ensuring the application code is optimized and the supporting infrastructure is properly configured.

slourens commented 3 years ago

Sean, Thanks so much for your response. This makes sense and I think my team and I may be able to figure out how to get it to work. We just need to work out some technical understanding of reverse proxy etc. and whether these features are currently locked down in our environment. We plan to look into this for the remainder of the week and follow up with our internal security team etc if needed. Appreciate it very much and hope that perhaps one day SAML support will be added.

slourens commented 3 years ago

Hello again! Just following up on what we've discovered so far:

Thank you for the advice of disabling the authentication to remove that component from the equation. The applications that we're looking to test now do not depend on the logged in user to an extent that it would cause an issue to use an anonymous login. To make sure we're doing this properly, we changed the access settings within RStudio on the published app to not require a login to view the app. We verified that we are able to navigate to the application URL and use the controls without being logged in to RStudio Connect.

However, we are still unable to get the application to come up when attempting to record the session. We are using the default host and port, but when the browser pops up, it displays a message stating "Hmmm...can't reach this page".

We believe the issue we're having may have to do with the creation of the listener or reverse proxy, but don't know enough about how this is being created to verify this. Could you please shed some light on how the session is being recorded or any dependencies that we could check on? We have a pretty locked down environment, from a security perspective, so setting up a reverse proxy as a general user may be restricted.

jcheng5 commented 3 years ago

Right, shinyloadtest creates a local web server that proxies traffic to your actual app. From the appearance of the error page, it looks to me like the browser can't reach the local web server.

There are a couple of potential reasons I can think of off the top of my head.

  1. The listener isn't being created at all--in that case I'd expect to see error messages from shinyloadtest. Since you haven't mentioned seeing any errors at the R console, I'll assume it's not this.
  2. Your browser is using a proxy server even for 127.0.0.1. You generally (always?) want your browser/OS configured to bypass the usual proxy settings when accessing 127.0.0.1 or localhost. The directions for doing this vary by browser, but googling for "localhost bypass proxy [name of browser]" should give you some hits.
  3. Your local machine (where your browser is, where you're trying to run shinytest) has a local software firewall that is blocking connections even from localhost. If that's the case you'll have to allow incoming requests on port 8600 from 127.0.0.1/localhost--directions for doing that are going to vary depending on your firewall software.

Hope that helps.
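
One way to tell the three causes listed above apart, as an added example that is not from the thread participants or the shinyloadtest project. The function names are hypothetical; only 127.0.0.1 and port 8600 come from the thread, and the script is meant to be run on the machine where the recorder was started.

```python
import socket
import urllib.request

RECORDER_HOST = "127.0.0.1"  # loopback address named in the thread
RECORDER_PORT = 8600         # recorder port named in the thread


def probe_listener(host=RECORDER_HOST, port=RECORDER_PORT, timeout=2.0):
    """Raw TCP connect, which never goes through an HTTP proxy."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "listening"
    except ConnectionRefusedError:
        return "refused"   # nothing bound, or a firewall that rejects
    except OSError:
        return "filtered"  # timeout or other failure, e.g. a firewall that drops


def loopback_uses_proxy(host=RECORDER_HOST, proxies=None):
    """True if HTTP requests to `host` would be sent to a proxy.

    With proxies=None the OS/environment settings are read; browsers with
    their own proxy settings or PAC files are not covered. A dict in the
    environment-variable style ({"http": ..., "no": ...}) can be passed instead.
    """
    if proxies is None:
        proxies = urllib.request.getproxies()
        bypassed = urllib.request.proxy_bypass(host)
    else:
        bypassed = urllib.request.proxy_bypass_environment(host, proxies)
    return bool(proxies.get("http")) and not bypassed


def diagnose(state, proxied):
    """Map the two observations onto the numbered causes in the comment above."""
    if state == "refused":
        return "1: no listener on the port (check the R console for errors)"
    if state == "filtered":
        return "3: connection to loopback is being blocked (local firewall)"
    if proxied:
        return "2: listener is up, but loopback traffic is sent to a proxy"
    return "ok: listener reachable and loopback bypasses the proxy"


if __name__ == "__main__":
    print(diagnose(probe_listener(), loopback_uses_proxy()))
```

Because the TCP probe bypasses any proxy, a "listening" result combined with a browser error page points at the browser's proxy settings rather than at the recorder.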