# Okta
Are you using this? Please contribute!
If you're using this IdP please consider contributing to this document.
A working Single Sign-On configuration with Okta has been achieved via at least two methods, described below: SAML (with Dex) and OIDC (without Dex).

## SAML (with Dex)
1. Create a new SAML application in Okta UI.
   I've disabled `App Visibility` because Dex doesn't support Provider-initiated login flows.
2. Click `View setup instructions` after creating the application in Okta.
3. Copy the SSO URL into the `argocd-cm` (it becomes the `ssoURL` value in the `dex.config` section below).
4. Download the CA certificate to use in the `argocd-cm` configuration. If you are using this in the `caData` field, you will need to pass the entire certificate (including the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` stanzas) through base64 encoding, for example, `base64 my_cert.pem`.
5. Edit the `argocd-cm` and configure the `data.dex.config` section:
```yaml
dex.config: |
  logger:
    level: debug
    format: json
  connectors:
  - type: saml
    id: okta
    name: Okta
    config:
      ssoURL: https://yourorganization.oktapreview.com/app/yourorganizationsandbox_appnamesaml_2/rghdr9s6hg98s9dse/sso/saml
      # You need `caData` _OR_ `ca`, but not both.
      caData: |
        <CA cert passed through base64 encoding>
      # You need `caData` _OR_ `ca`, but not both.
      ca: /path/to/ca.pem
      redirectURI: https://ui.argocd.yourorganization.net/api/dex/callback
      usernameAttr: email
      emailAttr: email
      groupsAttr: group
```
## OIDC (without Dex)
**Do you want groups for RBAC later?** If you want the `groups` scope returned from Okta, you unfortunately need to contact Okta support to enable API Access Management, or just use SAML as described above.

To define "custom scopes" you need the API Access Management feature, which the support team can enable on your OktaPreview domain for testing; it provides a separate authorization-server endpoint to use instead of the "public" `/oauth2/v1/authorize` endpoint. This may be a paid feature if you want OIDC, unfortunately. The free alternative I found was SAML.
1. On the `Okta Admin` page, navigate to the Okta API Management at `Security > API`.
2. Choose your `default` authorization server.
3. Click `Scopes > Add Scope`.
   - Add a scope called `groups`.
4. Click `Claims > Add Claim`.
   - Add a claim called `groups`.
   - Choose the matching options you need. For example, to match groups starting with `argocd-` you'd return an `ID Token` using your scope name from step 3 (e.g. `groups`) where the group name `matches` the `regex` `argocd-.*`.
5. Edit the `argocd-cm` and configure the `data.oidc.config` section:
```yaml
oidc.config: |
  name: Okta
  issuer: https://yourorganization.oktapreview.com
  clientID: 0oaltaqg3oAIf2NOa0h3
  clientSecret: ZXF_CfUc-rtwNfzFecGquzdeJ_MxM4sGc8pDT2Tg6t
  requestedScopes: ["openid", "profile", "email", "groups"]
  requestedIDTokenClaims: {"groups": {"essential": true}}
```
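The two points most often got wrong in the configurations above are the `caData` encoding (whole PEM, base64, exactly one of `caData`/`ca`) in the SAML connector and the `argocd-.*` group filter behind the OIDC `groups` claim. The following is an added example, not Argo CD, Dex or Okta code: it checks a Dex SAML connector `config` mapping (assumed to be the already-parsed YAML) for those mistakes and models the Okta "matches regex" claim filter as a full regex match (an assumption); the PEM is a constructed placeholder.

```python
import base64
import re

# Constructed placeholder PEM (not a real certificate), used as sample input.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBxTCCAWugAwIBAgIUPLACEHOLDERPLACEHOLDER\n"
    "-----END CERTIFICATE-----\n"
)

PEM_STANZAS = ("-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----")


def encode_ca_data(pem: str) -> str:
    """What `base64 my_cert.pem` produces: the whole PEM, stanzas included."""
    return base64.b64encode(pem.encode()).decode()


def validate_saml_connector(config: dict) -> list:
    """Return the problems found in a Dex SAML connector `config` mapping."""
    problems = []
    has_ca_data, has_ca = "caData" in config, "ca" in config
    if has_ca_data == has_ca:
        problems.append("set exactly one of caData or ca")
    if has_ca_data:
        # `base64 my_cert.pem` wraps its output; drop the line breaks before
        # strict decoding so only genuinely malformed data is rejected.
        raw = "".join(config["caData"].split())
        try:
            pem = base64.b64decode(raw, validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            problems.append("caData is not valid base64")
        else:
            if not all(stanza in pem for stanza in PEM_STANZAS):
                problems.append("caData must decode to a PEM with BEGIN/END CERTIFICATE stanzas")
    if not config.get("redirectURI", "").endswith("/api/dex/callback"):
        problems.append("redirectURI must end with /api/dex/callback")
    for key in ("ssoURL", "usernameAttr", "emailAttr", "groupsAttr"):
        if not config.get(key):
            problems.append(f"missing {key}")
    return problems


def groups_claim(user_groups, pattern: str = r"argocd-.*") -> list:
    """Model the Okta `groups` claim filter 'matches regex' (assumed to be a
    full match): keep only the user's group names the ID token would carry."""
    return [g for g in user_groups if re.fullmatch(pattern, g)]
```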

