Skip to content

Okta

Are you using this? Please contribute!

If you're using this IdP please consider contributing to this document.

A working Single Sign-On configuration using Okta via at least two methods was achieved using:

SAML (with Dex)

Okta app group assignment

The Okta app's Group Attribute Statements regex will be used later to map Okta groups to Argo CD RBAC roles.

  1. Create a new SAML application in Okta UI.
    • Okta SAML App 1 I've disabled App Visibility because Dex doesn't support Provider-initiated login flows.
    • Okta SAML App 2
  2. Click View setup instructions after creating the application in Okta.
    • Okta SAML App 3
  3. Copy the SSO URL to the argocd-cm in the data.oicd
  4. Download the CA certificate to use in the argocd-cm configuration.
    • If you are using this in the caData field, you will need to pass the entire certificate (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- stanzas) through base64 encoding, for example, base64 my_cert.pem.
    • If you are using the ca field and storing the CA certificate separately as a secret, you will need to mount the secret to the dex container in the argocd-dex-server Deployment.
    • Okta SAML App 4
  5. Edit the argocd-cm and configure the data.dex.config section:
dex.config: |
  logger:
    level: debug
    format: json
  connectors:
  - type: saml
    id: okta
    name: Okta
    config:
      ssoURL: https://yourorganization.oktapreview.com/app/yourorganizationsandbox_appnamesaml_2/rghdr9s6hg98s9dse/sso/saml
      # You need `caData` _OR_ `ca`, but not both.
      caData: |
        <CA cert passed through base64 encoding>
      # You need `caData` _OR_ `ca`, but not both.
      # Path to mount the secret to the dex container
      ca: /path/to/ca.pem
      redirectURI: https://ui.argocd.yourorganization.net/api/dex/callback
      usernameAttr: email
      emailAttr: email
      groupsAttr: group

Private deployment

It is possible to setup Okta SSO with a private Argo CD installation, where the Okta callback URL is the only publicly exposed endpoint. The settings are largely the same with a few changes in the Okta app configuration and the data.dex.config section of the argocd-cm ConfigMap.

Using this deployment model, the user connects to the private Argo CD UI and the Okta authentication flow seamlessly redirects back to the private UI URL.

Often this public endpoint is exposed through an Ingress object.

  1. Update the URLs in the Okta app's General settings
    • Okta SAML App Split The Single sign on URL field points to the public exposed endpoint, and all other URL fields point to the internal endpoint.
  2. Update the data.dex.config section of the argocd-cm ConfigMap with the external endpoint reference.
dex.config: |
  logger:
    level: debug
  connectors:
  - type: saml
    id: okta
    name: Okta
    config:
      ssoURL: https://yourorganization.oktapreview.com/app/yourorganizationsandbox_appnamesaml_2/rghdr9s6hg98s9dse/sso/saml
      # You need `caData` _OR_ `ca`, but not both.
      caData: |
        <CA cert passed through base64 encoding>
      # You need `caData` _OR_ `ca`, but not both.
      # Path to mount the secret to the dex container
      ca: /path/to/ca.pem
      redirectURI: https://external.path.to.argocd.io/api/dex/callback
      usernameAttr: email
      emailAttr: email
      groupsAttr: group

Connect Okta Groups to Argo CD Roles

Argo CD is aware of user memberships of Okta groups that match the Group Attribute Statements regex. The example above uses the argocd-* regex, so Argo CD would be aware of a group named argocd-admins.

Modify the argocd-rbac-cm ConfigMap to connect the argocd-admins Okta group to the builtin Argo CD admin role.

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
data:
  policy.csv: |
    g, argocd-admins, role:admin
  scopes: '[email,groups]'

OIDC (without Dex)

Do you want groups for RBAC later?

If you want groups scope returned from Okta you need to unfortunately contact support to enable API Access Management with Okta or just use SAML above!

Next you may need the API Access Management feature, which the support team can enable for your OktaPreview domain for testing, to enable "custom scopes" and a separate endpoint to use instead of the "public" /oauth2/v1/authorize API Access Management endpoint. This might be a paid feature if you want OIDC unfortunately. The free alternative I found was SAML.

  1. On the Okta Admin page, navigate to the Okta API Management at Security > API. Okta API Management
  2. Choose your default authorization server.
  3. Click Scopes > Add Scope
    1. Add a scope called groups. Groups Scope
  4. Click Claims > Add Claim.
    1. Add a claim called groups
    2. Choose the matching options you need, one example is:
      • e.g. to match groups starting with argocd- you'd return an ID Token using your scope name from step 3 (e.g. groups) where the groups name matches the regex argocd-.* Groups Claim
  5. Edit the argocd-cm and configure the data.oidc.config section:
oidc.config: |
  name: Okta
  issuer: https://yourorganization.oktapreview.com
  clientID: 0oaltaqg3oAIf2NOa0h3
  clientSecret: ZXF_CfUc-rtwNfzFecGquzdeJ_MxM4sGc8pDT2Tg6t
  requestedScopes: ["openid", "profile", "email", "groups"]
  requestedIDTokenClaims: {"groups": {"essential": true}}