redirectUrl for SSO login with Dex? #13439
-
Hi all, I've set up SSO login for argo-workflows UI using an existing argocd Dex instance (which is configured with a SAML connector to AWS IAM Identity Center) for authentication, following these docs: https://argo-workflows.readthedocs.io/en/latest/argo-server-sso-argocd/

I'm running into the following issue:
Issues I've ruled out
Has anyone been able to successfully set up argo-workflows UI SSO with a Dex instance / has background on what's going on behind the scenes here, and is able to share what the expected redirectUrl is / what else may be missing from my configuration?

Here's my setup for context:

Dex/CD ConfigMap:

```yaml
kind: ConfigMap
metadata:
  namespace: argocd
  name: argocd-cm
data:
  dex.config: |
    logger:
      level: debug
      format: json
    connectors:
      - type: saml
        id: aws
        name: "AWS IAM Identity Center"
        config:
          ssoURL: <ssoURL>
          caData: <caData>
          entityIssuer: https://<argocd-domain>/api/dex/callback
          usernameAttr: email
          emailAttr: email
          groupsAttr: groups
    # allows argo-workflows to use argocd Dex installation for authentication
    staticClients:
      - id: argo-workflows-sso
        name: argo-workflows
        redirectURIs:
          - https://<argocd-domain>/api/dex/callback
        secretEnv: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
```

SSO Secrets:

```yaml
kind: Secret
metadata:
  namespace: argocd
  name: argo-workflows-sso
data:
  client-id:
  client-secret:
---
kind: Secret
metadata:
  namespace: argo-workflows
  name: argo-workflows-sso
data:
  client-id: <same>
  client-secret: <same>
```

Workflows ConfigMap:

```yaml
metadata:
  namespace: argo-workflows
  name: argo-workflows-workflow-controller-configmap
data:
  config: |
    sso:
      issuer: https://<argocd-domain>/api/dex
      clientId:
        name: argo-workflows-sso
        key: client-id
      clientSecret:
        name: argo-workflows-sso
        key: client-secret
      redirectUrl: "https://<argocd-domain>/api/dex/callback" # it doesn't seem to matter what I put here. I get the same errors regardless
      rbac:
        enabled: false
      scopes:
        - groups
        - email
```
Replies: 2 comments
-
Possibly @agilgur5, as I see you've answered a number of SSO-related questions?
-
The `redirectUrl` is Argo Workflow's own URL, not Dex's. It's where Dex will send the user after they complete SSO. The `issuer` is Dex's URL, which you have correctly.

The example in the docs is: `https://argo-workflows.mydomain.com/oauth2/callback`.

It depends on what your Ingress uses for the host/domain etc, so Workflows can't determine that for you and so it must be configured. `/oauth2/callback` is required because that's Workflows's Server's route, so we know that part for sure.
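
The corrected settings implied by this answer, as an added example that is not part of the original thread or the project's own manifests: `<argo-workflows-domain>` is a placeholder (an assumption) for the host your Ingress serves the Workflows server on. The same URL also has to be listed under the Dex static client's `redirectURIs`, because Dex only redirects to URIs registered for that client.

```yaml
# argocd-cm (namespace: argocd): Dex static client used by Argo Workflows.
# Only the staticClients part of dex.config is shown; the SAML connector is unchanged.
data:
  dex.config: |
    staticClients:
      - id: argo-workflows-sso
        name: argo-workflows
        redirectURIs:
          # Before: https://<argocd-domain>/api/dex/callback (Dex's own callback).
          # After: the Workflows server callback, so Dex accepts the redirect_uri
          # that Workflows sends. <argo-workflows-domain> is a placeholder.
          - https://<argo-workflows-domain>/oauth2/callback
        secretEnv: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
---
# argo-workflows-workflow-controller-configmap (namespace: argo-workflows)
data:
  config: |
    sso:
      # issuer is Dex's URL; this was already correct in the question.
      issuer: https://<argocd-domain>/api/dex
      clientId:
        name: argo-workflows-sso
        key: client-id
      clientSecret:
        name: argo-workflows-sso
        key: client-secret
      # redirectUrl is the Workflows server's own URL plus its /oauth2/callback
      # route. It must match an entry in the Dex redirectURIs above exactly.
      redirectUrl: "https://<argo-workflows-domain>/oauth2/callback"
      rbac:
        enabled: false
      scopes:
        - groups
        - email
```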