Microsoft

Azure AD SAML Enterprise App Auth using Dex

Configure a new Azure AD Enterprise App

  1. From the Azure Active Directory > Enterprise applications menu, choose + New application
  2. Select Non-gallery application
  3. Enter a Name for the application (e.g. Argo CD), then choose Add
  4. Once the application is created, open it from the Enterprise applications menu.
  5. From the Users and groups menu of the app, add any users or groups requiring access to the service. Azure Enterprise SAML Users
  6. From the Single sign-on menu, edit the Basic SAML Configuration section as follows (replacing my-argo-cd-url with your Argo URL):
    • Identifier (Entity ID): https://<my-argo-cd-url>/api/dex/callback
    • Reply URL (Assertion Consumer Service URL): https://<my-argo-cd-url>/api/dex/callback
    • Sign on URL: https://<my-argo-cd-url>/auth/login
    • Relay State: <empty>
    • Logout Url: <empty> Azure Enterprise SAML URLs
  7. From the Single sign-on menu, edit the User Attributes & Claims section to create the following claims:
    • + Add new claim | Name: email | Source: Attribute | Source attribute: user.mail
    • + Add group claim | Which groups: All groups | Source attribute: Group ID | Customize: True | Name: Group | Namespace: <empty> | Emit groups as role claims: False
    • Note: The Unique User Identifier required claim can be left as the default user.userprincipalname Azure Enterprise SAML Claims
  8. From the Single sign-on menu, download the SAML Signing Certificate (Base64)
    • Base64 encode the contents of the downloaded certificate file, for example:
    • $ cat ArgoCD.cer | base64
    • Keep a copy of the encoded output to be used in the next section.
  9. From the Single sign-on menu, copy the Login URL parameter, to be used in the next section.

Configure Argo to use the new Azure AD Enterprise App

  1. Edit argocd-cm and add the following dex.config to the data section, replacing the caData, my-argo-cd-url and my-login-url your values from the Azure AD App:

    1.     data:
    2.       url: https://my-argo-cd-url
    3.       dex.config: |
    4.         logger:
    5.           level: debug
    6.           format: json
    7.         connectors:
    8.         - type: saml
    9.           id: saml
    10.           name: saml
    11.           config:
    12.             entityIssuer: https://my-argo-cd-url/api/dex/callback
    13.             ssoURL: https://my-login-url (e.g. https://login.microsoftonline.com/xxxxx/a/saml2)
    14.             caData: |
    15.                MY-BASE64-ENCODED-CERTIFICATE-DATA
    16.             redirectURI: https://my-argo-cd-url/api/dex/callback
    17.             usernameAttr: email
    18.             emailAttr: email
    19.             groupsAttr: Group

  2. Edit argocd-rbac-cm to configure permissions, similar to example below.

    • Use Azure AD Group IDs for assigning roles.

    • See RBAC Configurations for more detailed scenarios.

      1. # example policy
      2. policy.default: role:readonly
      3. policy.csv: |
      4.    p, role:org-admin, applications, *, */*, allow
      5.    p, role:org-admin, clusters, get, *, allow
      6.    p, role:org-admin, repositories, get, *, allow
      7.    p, role:org-admin, repositories, create, *, allow
      8.    p, role:org-admin, repositories, update, *, allow
      9.    p, role:org-admin, repositories, delete, *, allow
      10.    g, "84ce98d1-e359-4f3b-85af-985b458de3c6", role:org-admin # (azure group assigned to role)

Azure AD App Registration Auth using OIDC

Configure a new Azure AD App registration

Add a new Azure AD App registration

  1. From the Azure Active Directory > App registrations menu, choose + New registration
  2. Enter a Name for the application (e.g. Argo CD).
  3. Specify who can use the application (e.g. Accounts in this organizational directory only).
  4. Enter Redirect URI (optional) as follows (replacing my-argo-cd-url with your Argo URL), then choose Add.
    • Platform: Web
    • Redirect URI: https://<my-argo-cd-url>/auth/callback
  5. When registration finishes, the Azure portal displays the app registration’s Overview pane. You see the Application (client) ID. Azure App registration's Overview

Configure additional platform settings for ArgoCD CLI

  1. In the Azure portal, in App registrations, select your application.
  2. Under Manage, select Authentication.
  3. Under Platform configurations, select Add a platform.
  4. Under Configure platforms, select the “Mobile and desktop applications” tile. Use the below value. You shouldn’t change it.
    • Redirect URI: http://localhost:8085/auth/callback Azure App registration's Authentication

Add credentials a new Azure AD App registration

  1. From the Certificates & secrets menu, choose + New client secret
  2. Enter a Name for the secret (e.g. ArgoCD-SSO).
    • Make sure to copy and save generated value. This is a value for the client_secret. Azure App registration's Secret

Setup permissions for Azure AD Application

  1. From the API permissions menu, choose + Add a permission
  2. Find User.Read permission (under Microsoft Graph) and grant it to the created application: Azure AD API permissions
  3. From the Token Configuration menu, choose + Add groups claim Azure AD token configuration

Associate an Azure AD group to your Azure AD App registration

  1. From the Azure Active Directory > Enterprise applications menu, search the App that you created (e.g. Argo CD).
    • An Enterprise application with the same name of the Azure AD App registration is created when you add a new Azure AD App registration.
  2. From the Users and groups menu of the app, add any users or groups requiring access to the service. Azure Enterprise SAML Users

Configure Argo to use the new Azure AD App registration

  1. Edit argocd-cm and configure the data.oidc.config and data.url section:

    1.     ConfigMap -> argocd-cm
    3.     data:
    4.        url: https://argocd.example.com/ # Replace with the external base URL of your Argo CD
    5.        oidc.config: |
    6.              name: Azure
    7.              issuer: https://login.microsoftonline.com/{directory_tenant_id}/v2.0
    8.              clientID: {azure_ad_application_client_id}
    9.              clientSecret: $oidc.azure.clientSecret
    10.              requestedIDTokenClaims:
    11.                 groups:
    12.                    essential: true
    13.              requestedScopes:
    14.                 - openid
    15.                 - profile
    16.                 - email

  2. Edit argocd-secret and configure the data.oidc.azure.clientSecret section:

    1.     Secret -> argocd-secret
    3.     data:
    4.        oidc.azure.clientSecret: {client_secret | base64_encoded}

  3. Edit argocd-rbac-cm to configure permissions. Use group ID from Azure for assigning roles RBAC Configurations

    1.     ConfigMap -> argocd-rbac-cm
    3.     policy.default: role:readonly
    4.     policy.csv: |
    5.        p, role:org-admin, applications, *, */*, allow
    6.        p, role:org-admin, clusters, get, *, allow
    7.        p, role:org-admin, repositories, get, *, allow
    8.        p, role:org-admin, repositories, create, *, allow
    9.        p, role:org-admin, repositories, update, *, allow
    10.        p, role:org-admin, repositories, delete, *, allow
    11.        g, "84ce98d1-e359-4f3b-85af-985b458de3c6", role:org-admin

  4. Mapping role from jwt token to argo If you want to map the roles from the jwt token to match the default roles (readonly and admin) then you must change the scope variable in the rbac-configmap.

    1.     policy.default: role:readonly
    2.     policy.csv: |
    3.        p, role:org-admin, applications, *, */*, allow
    4.        p, role:org-admin, clusters, get, *, allow
    5.        p, role:org-admin, repositories, get, *, allow
    6.        p, role:org-admin, repositories, create, *, allow
    7.        p, role:org-admin, repositories, update, *, allow
    8.        p, role:org-admin, repositories, delete, *, allow
    9.        g, "84ce98d1-e359-4f3b-85af-985b458de3c6", role:org-admin
    10.     scopes: '[groups, email]'

Refer to operator-manual/argocd-rbac-cm.yaml for all of the available variables.

Azure AD App Registration Auth using Dex

Configure a new AD App Registration, as above. Then, add the dex.config to argocd-cm:

  1. ConfigMap -> argocd-cm
  3. data:
  4.     dex.config: |
  5.       connectors:
  6.       - type: microsoft
  7.         id: microsoft
  8.         name: Your Company GmbH
  9.         config:
  10.           clientID: $MICROSOFT_APPLICATION_ID
  11.           clientSecret: $MICROSOFT_CLIENT_SECRET
  12.           redirectURI: http://localhost:8080/api/dex/callback
  13.           tenant: ffffffff-ffff-ffff-ffff-ffffffffffff
  14.           groups:
  15.             - DevOps

Validation

Log in to ArgoCD UI using SSO

  1. Open a new browser tab and enter your ArgoCD URI: https://<my-argo-cd-url> Azure SSO Web Log In
  2. Click LOGIN VIA AZURE button to log in with your Azure Active Directory account. You’ll see the ArgoCD applications screen. Azure SSO Web Application
  3. Navigate to User Info and verify Group ID. Groups will have your group’s Object ID that you added in the Setup permissions for Azure AD Application step. Azure SSO Web User Info

Log in to ArgoCD using CLI

  1. Open terminal, execute the below command.

    1.     argocd login <my-argo-cd-url> --grpc-web-root-path / --sso

  2. You will see the below message after entering your credentials from the browser. Azure SSO CLI Log In

  3. Your terminal output will be similar as below.

    1.     WARNING: server certificate had error: x509: certificate is valid for ingress.local, not my-argo-cd-url. Proceed insecurely (y/n)? y
    2.     Opening browser for authentication
    3.     INFO[0003] RequestedClaims: map[groups:essential:true ]
    4.     Performing authorization_code flow login: https://login.microsoftonline.com/XXXXXXXXXXXXX/oauth2/v2.0/authorize?access_type=offline&claims=%7B%22id_token%22%3A%7B%22groups%22%3A%7B%22essential%22%3Atrue%7D%7D%7D&client_id=XXXXXXXXXXXXX&code_challenge=XXXXXXXXXXXXX&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2Fauth%2Fcallback&response_type=code&scope=openid+profile+email+offline_access&state=XXXXXXXX
    5.     Authentication successful
    6.     'yourid@example.com' logged in successfully
    7.     Context 'my-argo-cd-url' updated

You may get an warning if you are not using a correctly signed certs. Refer to Why Am I Getting x509: certificate signed by unknown authority When Using The CLI?.