Skip to content

Okta

Are you using this? Please contribute!

If you're using this IdP please consider contributing to this document.

A working Single Sign-On configuration using Okta via at least two methods was achieved using:

SAML (with Dex)

  1. Create a new SAML application in Okta UI.
    • Okta SAML App 1 I've disabled App Visibility because Dex doesn't support Provider-initiated login flows.
    • Okta SAML App 2
  2. Click View setup instructions after creating the application in Okta.
    • Okta SAML App 3
  3. Copy the SSO URL to the argocd-cm in the data.oicd
  4. Download the CA certificate to use in the argocd-cm configuration. If you are using this in the caData field, you will need to pass the entire certificate (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- stanzas) through base64 encoding, for example, base64 my_cert.pem.
    • Okta SAML App 4
  5. Edit the argocd-cm and configure the data.dex.config section:
dex.config: |
  logger:
    level: debug
    format: json
  connectors:
  - type: saml
    id: okta
    name: Okta
    config:
      ssoURL: https://yourorganization.oktapreview.com/app/yourorganizationsandbox_appnamesaml_2/rghdr9s6hg98s9dse/sso/saml
      # You need `caData` _OR_ `ca`, but not both.
      caData: |
        <CA cert passed through base64 encoding>
      # You need `caData` _OR_ `ca`, but not both.
      ca: /path/to/ca.pem
      redirectURI: https://ui.argocd.yourorganization.net/api/dex/callback
      usernameAttr: email
      emailAttr: email
      groupsAttr: group

OIDC (without Dex)

Do you want groups for RBAC later?

If you want groups scope returned from Okta you need to unfortunately contact support to enable API Access Management with Okta or just use SAML above!

Next you may need the API Access Management feature, which the support team can enable for your OktaPreview domain for testing, to enable "custom scopes" and a separate endpoint to use instead of the "public" /oauth2/v1/authorize API Access Management endpoint. This might be a paid feature if you want OIDC unfortunately. The free alternative I found was SAML.

  1. On the Okta Admin page, navigate to the Okta API Management at Security > API. Okta API Management
  2. Choose your default authorization server.
  3. Click Scopes > Add Scope
    1. Add a scope called groups. Groups Scope
  4. Click Claims > Add Claim.
    1. Add a claim called groups
    2. Choose the matching options you need, one example is:
      • e.g. to match groups starting with argocd- you'd return an ID Token using your scope name from step 3 (e.g. groups) where the groups name matches the regex argocd-.* Groups Claim
  5. Edit the argocd-cm and configure the data.oidc.config section:
oidc.config: |
  name: Okta
  issuer: https://yourorganization.oktapreview.com
  clientID: 0oaltaqg3oAIf2NOa0h3
  clientSecret: ZXF_CfUc-rtwNfzFecGquzdeJ_MxM4sGc8pDT2Tg6t
  requestedScopes: ["openid", "profile", "email", "groups"]
  requestedIDTokenClaims: {"groups": {"essential": true}}