Microsoft

Azure AD SAML Enterprise App Auth using Dex

Configure a new Azure AD Enterprise App

  1. From the Azure Active Directory > Enterprise applications menu, choose + New application
  2. Select Non-gallery application
  3. Enter a Name for the application (eg. Argo CD), then choose Add
  4. Once the application is created, open it from the Enterprise applications menu.
  5. From the Users and groups menu of the app, add any users or groups requiring access to the service.

Azure Enterprise SAML Users

  1. From the Single sign-on menu, edit the Basic SAML Configuration section as follows (replacing my-argo-cd-url with your Argo URL):
  2. Identifier (Entity ID): https://<my-argo-cd-url>/api/dex/callback
  3. Reply URL (Assertion Consumer Service URL): https://<my-argo-cd-url>/api/dex/callback
  4. Sign on URL: https://<my-argo-cd-url>/auth/login
  5. Relay State: <empty>
  6. Logout Url: <empty>

Azure Enterprise SAML URLs

  1. From the Single sign-on menu, edit the User Attributes & Claims section to create the following claims:
  2. + Add new claim | Name: email | Source: Attribute | Source attribute: user.mail
  3. + Add group claim | Which groups: All groups | Source attribute: Group ID | Customize: True | Name: Group | Namespace: <empty> | Emit groups as role claims: False
  4. Note: The Unique User Identifier required claim can be left as the default user.userprincipalname

Azure Enterprise SAML Claims

  1. From the Single sign-on menu, download the SAML Signing Certificate (Base64)
  2. Base64 encode the contents of the downloaded certificate file, for example:
  3. $ cat ArgoCD.cer | base64
  4. Keep a copy of the encoded output to be used in the next section.
  5. From the Single sign-on menu, copy the Login URL parameter, to be used in the next section.

Configure Argo to use the new Azure AD Enterprise App

  1. Edit argo-cm and add the following dex.config to the data section, replacing the caData, my-argo-cd-url and my-login-url your values from the Azure AD App:
  1. data:
  2. url: https://my-argo-cd-url
  3. dex.config: |
  4. logger:
  5. level: debug
  6. format: json
  7. connectors:
  8. - type: saml
  9. id: saml
  10. name: saml
  11. config:
  12. entityIssuer: https://my-argo-cd-url/api/dex/callback
  13. ssoURL: https://my-login-url (eg. https://login.microsoftonline.com/xxxxx/a/saml2)
  14. caData: |
  15. MY-BASE64-ENCODED-CERTIFICATE-DATA
  16. redirectURI: https://my-argo-cd-url/api/dex/callback
  17. usernameAttr: email
  18. emailAttr: email
  19. groupsAttr: Group
  1. Edit argo-rbac-cm to configure permissions, similar to example below.

  2. Use Azure AD Group IDs for assigning roles.

  3. See RBAC Configurations for more detailed scenarios.

  1. # example policy
  2. policy.default: role:readonly
  3. policy.csv: |
  4. p, role:org-admin, applications, *, */*, allow
  5. p, role:org-admin, clusters, get, *, allow
  6. p, role:org-admin, repositories, get, *, allow
  7. p, role:org-admin, repositories, create, *, allow
  8. p, role:org-admin, repositories, update, *, allow
  9. p, role:org-admin, repositories, delete, *, allow
  10. g, "84ce98d1-e359-4f3b-85af-985b458de3c6", role:org-admin # (azure group assigned to role)

Azure AD App Registration Auth using OIDC

  1. Register a new Azure AD Application

    Quickstart: Register an application

    1. App Registrations Inputs
    2. Redirect URI: https://argocd.example.com/auth/callback
    3. Outputs
    4. Application (client) ID: aaaaaaaa-1111-bbbb-2222-cccccccccccc
    5. Directory (tenant) ID: 33333333-dddd-4444-eeee-555555555555
    6. Secret: some_secret
  2. Setup permissions for Azure AD Application

    On “API permissions” page find User.Read permission (under Microsoft Graph) and grant it to the created application:

    Azure AD API permissions

    Also, on “Token Configuration” page add groups claim for the groups assigned to the application:

    Azure AD token configuration

  3. Edit argocd-cm and configure the data.oidc.config section:

    1. ConfigMap -> argocd-cm
    2. data:
    3. url: https://argocd.example.com/
    4. oidc.config: |
    5. name: Azure
    6. issuer: https://login.microsoftonline.com/{directory_tenant_id}/v2.0
    7. clientID: {azure_ad_application_client_id}
    8. clientSecret: $oidc.azure.clientSecret
    9. requestedIDTokenClaims:
    10. groups:
    11. essential: true
    12. requestedScopes:
    13. - openid
    14. - profile
    15. - email
  4. Edit argocd-secret and configure the data.oidc.azure.clientSecret section:

    1. Secret -> argocd-secret
    2. data:
    3. oidc.azure.clientSecret: {client_secret | base64_encoded}
  5. Edit argocd-rbac-cm to configure permissions. Use group ID from Azure for assigning roles

    RBAC Configurations

    1. ConfigMap -> argocd-rbac-cm
    2. policy.default: role:readonly
    3. policy.csv: |
    4. p, role:org-admin, applications, *, */*, allow
    5. p, role:org-admin, clusters, get, *, allow
    6. p, role:org-admin, repositories, get, *, allow
    7. p, role:org-admin, repositories, create, *, allow
    8. p, role:org-admin, repositories, update, *, allow
    9. p, role:org-admin, repositories, delete, *, allow
    10. g, "84ce98d1-e359-4f3b-85af-985b458de3c6", role:org-admin
  6. Mapping role from jwt token to argo

    If you want to map the roles from the jwt token to match the default roles (readonly and admin) then you must change the scope variable in the rbac-configmap.

    1. scopes: '[roles, email]'

Azure AD App Registration Auth using Dex

Configure a new AD App Registration, as above.

Then, add the dex.config to argocd-cm:

  1. ConfigMap -> argocd-cm
  2. data:
  3. dex.config: |
  4. connectors:
  5. - type: microsoft
  6. id: microsoft
  7. name: Your Company GmbH
  8. config:
  9. clientID: $MICROSOFT_APPLICATION_ID
  10. clientSecret: $MICROSOFT_CLIENT_SECRET
  11. redirectURI: http://localhost:8080/api/dex/callback
  12. tenant: ffffffff-ffff-ffff-ffff-ffffffffffff
  13. groups:
  14. - DevOps