github.com/argoproj/argo-cd/v3@v3.2.1/docs/operator-manual/user-management/identity-center.md (about) 1 # Identity Center (AWS SSO) 2 3 !!! note "Are you using this? Please contribute!" 4 If you're using this IdP please consider [contributing](../../developer-guide/docs-site.md) to this document. 5 6 A working Single Sign-On configuration using Identity Center (AWS SSO) has been achieved using the following method: 7 8 * [SAML (with Dex)](#saml-with-dex) 9 10 ## SAML (with Dex) 11 12 1. Create a new SAML application in Identity Center and download the certificate. 13 14  15 16  17 18 2. Click `Assign Users` after creating the application in Identity Center, and select the users or user groups you wish to grant access to this application. 19 20  21 22 3. Copy the Argo CD URL into the `data.url` field in the `argocd-cm` ConfigMap. 23 24 data: 25 url: https://argocd.example.com 26 27 4. Configure Attribute mappings. 28 29 !!! note "Group attribute mapping is not officially!" 30 Group attribute mapping is not officially supported in the AWS docs, however the workaround is currently working. 31 32  33 34  35 36 <!-- markdownlint-enable MD046 --> 37 38 5. Download the CA certificate to use in the `argocd-cm` configuration. 39 40 * If using the `caData` field, you'll need to base64-encode the entire certificate, including the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` stanzas (e.g., `base64 my_cert.pem`). 41 42 * If using the `ca` field and storing the CA certificate separately as a secret, you will need to mount the secret onto the `dex` container in the `argocd-dex-server` Deployment. 43 44  45 46 6. Edit the `argocd-cm` and configure the `data.dex.config` section: 47 48 <!-- markdownlint-disable MD046 --> 49 ```yaml 50 dex.config: | 51 logger: 52 level: debug 53 format: json 54 connectors: 55 - type: saml 56 id: aws 57 name: "AWS IAM Identity Center" 58 config: 59 # You need value of Identity Center APP SAML (IAM Identity Center sign-in URL) 60 ssoURL: https://portal.sso.yourregion.amazonaws.com/saml/assertion/id 61 # You need `caData` _OR_ `ca`, but not both. 62 caData: <CA cert (IAM Identity Center Certificate of Identity Center APP SAML) passed through base64 encoding> 63 # Path to mount the secret to the dex container 64 entityIssuer: https://external.path.to.argocd.io/api/dex/callback 65 redirectURI: https://external.path.to.argocd.io/api/dex/callback 66 usernameAttr: email 67 emailAttr: email 68 groupsAttr: groups 69 ``` 70 <!-- markdownlint-enable MD046 --> 71 72 ### Connect Identity Center Groups to Argo CD Roles 73 74 Argo CD recognizes user memberships in Identity Center groups that match the **Group Attribute Statements** regex. 75 76 In the example above, the regex `argocd-*` is used, making Argo CD aware of a group named `argocd-admins`. 77 78 Modify the `argocd-rbac-cm` ConfigMap to connect the `ArgoCD-administrators` Identity Center group to the builtin Argo CD `admin` role. 79 <!-- markdownlint-disable MD046 --> 80 ```yaml 81 apiVersion: v1 82 kind: ConfigMap 83 metadata: 84 name: argocd-rbac-cm 85 data: 86 policy.csv: | 87 g, <Identity Center Group ID>, role:admin 88 scopes: '[groups, email]' 89 ``` 90 <!-- markdownlint-enable MD046 -->