This guide walks you through configuring Single Sign-On (SSO) for ArgoCD with Okta as the Identity Provider (IdP) using the SAML protocol. ArgoCD is a declarative, GitOps continuous delivery tool for Kubernetes. It allows you to manage your Kubernetes resources using Git repositories as the source of truth. By configuring SSO with Okta, you can enable users to authenticate to ArgoCD using their Okta credentials. This provides a seamless and secure login experience for users.

Prerequisites

  • Okta Account: An active Okta account with administrator access.
  • ArgoCD Setup: A running instance of ArgoCD.
  • Domain or DNS Name: A public DNS name for accessing ArgoCD (e.g., argocd.example.com).
  • kubectl Access: Admin access to the Kubernetes cluster running ArgoCD.

Configure an Okta SAML Application

    Log in to your Okta account as an administrator

    First, log in to your Okta account as an administrator. You will need to have administrative access to create a new SAML application.

    Create a new SAML application

    Then you need to create a new SAML application in Okta. To do this, follow these steps:

    1. In the Okta dashboard, go to Applications and click on Add Application.
    2. Select SAML 2.0 and click on Next.
    3. Enter the following details:
      • App name: ArgoCD
      • App logo: (Optional)
    4. Click on Next.
    5. Configure the SAML settings as follows:
      • Single sign on URL: https://<ARGOCD_DOMAIN>/api/dex/callback
      • Audience URI (SP Entity ID): https://<ARGOCD_DOMAIN>/api/dex/callback
    6. In the Attribute Statements section, add an email attribute so that users are identified by their email address:
      • Name: email
      • Name format: Basic
      • Value: user.email
    7. In the Group Attribute Statements section, add a groups attribute so that each user's Okta group memberships are sent to ArgoCD:
      • Name: groups
      • Name format: Basic
      • Filter: Matches regex, with .* to send all groups, or a pattern such as admin|dev|qa to send only specific groups
    8. Click on Next, then select I’m an Okta customer adding an internal app and click on Finish.

    You have now created a new SAML application in Okta. Open the app details and click on the Sign On tab to get the Identity Provider metadata. You will need this metadata (the sign-on URL and the signing certificate) to configure ArgoCD.

    Configure ArgoCD to Use SAML

    Now that you have created a SAML application in Okta, you can configure ArgoCD to use SAML for authentication. To do this, follow these steps:

    Update the ArgoCD ConfigMap

    First, open the ArgoCD ConfigMap for editing. To do this, run the following command:

    kubectl edit configmap argocd-cm -n argocd

    Then you need to add the following SAML configuration to the ConfigMap:

    apiVersion: v1
    kind: ConfigMap
    ...
    data:
      url: https://<ARGOCD_DOMAIN>
      dex.config: |-
        logger:
          level: debug
          format: json
        connectors:
        - type: saml
          name: okta
          id: okta
          config:
            # Identity Provider sign-on URL from the Okta app's Sign On tab
            ssoURL: https://dev-xxxxxxxx.okta.com/app/dev-xxxxxxxx_argocdsso_1/exklcqhr56cEERa6B5d7/sso/saml
            # Must match the Single sign on URL configured in Okta
            redirectURI: https://<ARGOCD_DOMAIN>/api/dex/callback
            usernameAttr: email
            emailAttr: email
            # Must match the Group Attribute Statement name configured in Okta
            groupsAttr: groups
            caData: "LS0tLS1CRUdXXXXXXXXXXXXXXXX" # Okta signing certificate (PEM), base64-encoded

    Once you have added the above configuration to the ConfigMap, save the changes and exit the editor.
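
A pre-flight check for the connector settings above, added here as an example and not part of ArgoCD, Dex or the original guide: it catches mismatches between the Okta app and dex.config before the ConfigMap is saved. The function name, OKTA_ATTRS and the sample values are assumptions for illustration; insecureSkipSignatureValidation is a Dex SAML connector option that this guide does not set.

```python
import base64
from urllib.parse import urlsplit

# Attribute names entered in the Okta app's attribute statements (steps 6 and 7).
OKTA_ATTRS = {"email", "groups"}

def check_connector(argocd_url, cfg, okta_attrs=OKTA_ATTRS):
    """Return a list of problems in a Dex SAML connector `config` mapping (hypothetical helper)."""
    problems = []
    callback = argocd_url.rstrip("/") + "/api/dex/callback"
    # Okta posts the assertion to its Single sign on URL; Dex must expect the same URL.
    if cfg.get("redirectURI") != callback:
        problems.append(f"redirectURI should be {callback}")
    if urlsplit(cfg.get("ssoURL", "")).scheme != "https":
        problems.append("ssoURL must be an https URL")
    # This guide sets all three; each must name an attribute Okta actually sends.
    for key in ("usernameAttr", "emailAttr", "groupsAttr"):
        if cfg.get(key) not in okta_attrs:
            problems.append(f"{key}={cfg.get(key)!r} is not an Okta attribute statement")
    # caData must be base64 of the PEM certificate, not the raw PEM text.
    try:
        pem = base64.b64decode(cfg.get("caData", ""), validate=True).decode("ascii")
    except ValueError:  # covers invalid base64 and non-ASCII decoded bytes
        pem = ""
    if not pem.lstrip().startswith("-----BEGIN CERTIFICATE-----"):
        problems.append("caData is not a base64-encoded PEM certificate")
    # Dex option that turns off assertion signature checks; it must stay off.
    if cfg.get("insecureSkipSignatureValidation"):
        problems.append("insecureSkipSignatureValidation must not be enabled")
    return problems

# Constructed sample: placeholder PEM body, not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-NOT-A-REAL-CERT\n-----END CERTIFICATE-----\n"
SAMPLE = {
    "ssoURL": "https://idp.example.com/app/argocd/sso/saml",
    "redirectURI": "https://argocd.example.com/api/dex/callback",
    "usernameAttr": "email",
    "emailAttr": "email",
    "groupsAttr": "group",  # singular: does not match the Okta statement "groups"
    "caData": base64.b64encode(SAMPLE_PEM.encode()).decode(),
}

if __name__ == "__main__":
    for problem in check_connector("https://argocd.example.com", SAMPLE):
        print("FAIL:", problem)
```

An empty result means the connector settings agree with the Okta app; it does not prove the certificate itself is the one Okta signs with.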

    Restart the ArgoCD Server

    After updating the ConfigMap, you need to restart the ArgoCD server to apply the changes. To do this, run the following command:

    kubectl rollout restart deployment argocd-server -n argocd

    You have now configured SSO authentication in ArgoCD using Okta as the Identity Provider, and users can log in to ArgoCD with their Okta credentials. Make sure the users have been given access to the ArgoCD application in Okta.

    Conclusion

    In this tutorial, you have learned how to configure Single Sign-On (SSO) authentication in ArgoCD using Okta as the Identity Provider (IdP) with the SAML protocol. This provides a seamless and secure login experience for users, allowing them to authenticate to ArgoCD using their Okta credentials.

    Happy Coding