github.com/argoproj/argo-cd@v1.8.7/docs/operator-manual/user-management/onelogin.md

# OneLogin

!!! note "Are you using this? Please contribute!"
    If you're using this IdP please consider [contributing](../../developer-guide/site.md) to this document.

<!-- markdownlint-disable MD033 -->
<div style="text-align:center"><img src="../../../assets/argo.png" /></div>
<!-- markdownlint-enable MD033 -->

# Integrating OneLogin and ArgoCD

These instructions take you through the entire process of getting your ArgoCD application to authenticate with OneLogin. You will create a custom OIDC application within OneLogin and configure ArgoCD to use OneLogin for authentication, using User Roles set in OneLogin to determine privileges in Argo.

## Creating and Configuring OneLogin App

For your ArgoCD application to communicate with OneLogin, you will first need to create and configure the OIDC application on the OneLogin side.

### Create OIDC Application

To create the application, do the following:

1. Navigate to your OneLogin portal, then Administration > Applications.
2. Click "Add App".
3. Search for "OpenID Connect" in the search field.
4. Select the "OpenId Connect (OIDC)" app to create.
5. Update the "Display Name" field (could be something like "ArgoCD (Production)").
6. Click "Save".

### Configuring OIDC Application Settings

Now that the application is created, you can configure the settings of the app.

#### Configuration Tab

Update the "Configuration" settings as follows:

1. Select the "Configuration" tab on the left.
2. Set the "Login Url" field to https://argocd.myproject.com/auth/login, replacing the hostname with your own.
3. Set the "Redirect Url" field to https://argocd.myproject.com/auth/callback, replacing the hostname with your own.
4. Click "Save".

!!! note "OneLogin may not let you save any other fields until the above fields are set."
#### Info Tab

You can update the "Display Name", "Description", "Notes", or the display images that appear in the OneLogin portal here.

#### Parameters Tab

This tab controls what information is sent to Argo in the token. By default it will contain a Groups field, and "Credentials are" is set to "Configured by admin". Leave "Credentials are" at the default.

How the Value of the Groups field is configured will vary based on your needs, but to use OneLogin User Roles for ArgoCD privileges, configure the Value of the Groups field as follows:

1. Click "Groups". A modal appears.
2. Set the "Default if no value selected" field to "User Roles".
3. Set the transform field (below it) to "Semicolon Delimited Input".
4. Click "Save".

When a user attempts to log in to Argo with OneLogin, that user's roles in OneLogin, say, Manager, ProductTeam, and TestEngineering, will be included in the Groups field in the token. These are the values Argo needs to assign permissions.

The groups field in the token will look similar to the following:

```
"groups": [
  "Manager",
  "ProductTeam",
  "TestEngineering"
],
```

#### Rules Tab

To get up and running, you do not need to make modifications to any settings here.

#### SSO Tab

This tab contains much of the information that needs to be placed into your ArgoCD configuration file (API endpoints, client ID, client secret).

Confirm "Application Type" is set to "Web".

Confirm "Token Endpoint" is set to "Basic".

#### Access Tab

This tab controls who can see this application in the OneLogin portal.

Select the roles you wish to have access to this application and click "Save".

#### Users Tab

This tab shows you the individual users that have access to this application (usually the ones that have roles specified in the Access Tab).
To get up and running, you do not need to make modifications to any settings here.

#### Privileges Tab

This tab shows which OneLogin users can configure this app.

To get up and running, you do not need to make modifications to any settings here.

## Updating OIDC configuration in ArgoCD

Now that the OIDC application is configured in OneLogin, you can update the Argo configuration to communicate with OneLogin, as well as control permissions for those users that authenticate via OneLogin.

### Tell Argo where OneLogin is

Argo needs to have its config map (argocd-cm) updated in order to communicate with OneLogin. Consider the following yaml:

```
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
data:
  url: https://<argocd.myproject.com>
  oidc.config: |
    name: OneLogin
    issuer: https://openid-connect.onelogin.com/oidc
    clientID: aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaaaaaaaa
    clientSecret: abcdef123456

    # Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"]
    requestedScopes: ["openid", "profile", "email", "groups"]
```

The "url" key should have a value of the hostname of your Argo project.

The "clientID" is taken from the SSO tab of the OneLogin application.

The "issuer" is taken from the SSO tab of the OneLogin application. It is one of the issuer API endpoints.

The "clientSecret" value is a client secret located in the SSO tab of the OneLogin application.

!!! note "If you get an `invalid_client` error when trying to authenticate with OneLogin, there is a possibility that your client secret is not proper. Keep in mind that in previous versions the `clientSecret` value had to be base64 encoded, but it is not required anymore."
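Before applying the config map, it is worth catching the mistakes this section warns about (a placeholder left in `url`, a redirect URL that does not match what was registered in OneLogin, a still-base64-encoded `clientSecret`, a `requestedScopes` override that drops `groups`). The following check is an added example, not code from the Argo CD docs or project: it uses a deliberately small hand-written reader that only understands the manifest layout shown above (no YAML library), the base64 test is a heuristic, the expected redirect URL is assumed to be the one entered in the OneLogin "Redirect Url" field, and the sample manifest is constructed with a deliberately base64-encoded secret and a scope list missing `groups`.

```python
"""Sanity-check the OIDC settings in an argocd-cm manifest before applying it.

Added example, not Argo CD code. The reader below only understands the
manifest layout shown on this page (assumption: 2-space indent under data:,
4-space indent inside the oidc.config block scalar).
"""
import base64
import json
import re

# Constructed sample: the page's manifest with three deliberate mistakes
# (placeholder hostname, base64-encoded secret, 'groups' scope dropped).
SAMPLE_ARGOCD_CM = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
data:
  url: https://<argocd.myproject.com>
  oidc.config: |
    name: OneLogin
    issuer: https://openid-connect.onelogin.com/oidc
    clientID: aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaaaaaaaa
    clientSecret: YWJjZGVmMTIzNDU2
    # requestedScopes overrides the default set, which includes "groups"
    requestedScopes: ["openid", "profile", "email"]
"""


def read_oidc_settings(manifest: str) -> dict:
    """Return {'url': ..., 'oidc': {...}} from a manifest laid out like the page's."""
    settings = {"url": None, "oidc": {}}
    in_block = False
    for raw in manifest.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue                                  # blank lines and YAML comments
        if in_block and raw.startswith("    "):       # still inside the block scalar
            key, _, value = stripped.partition(":")   # split on the first colon only
            settings["oidc"][key.strip()] = value.strip()
            continue
        in_block = False
        if stripped.startswith("url:"):
            settings["url"] = stripped.partition(":")[2].strip()
        elif stripped.startswith("oidc.config:"):
            in_block = True
    return settings


def looks_base64_encoded(secret: str) -> bool:
    """Heuristic: the value decodes as base64 to printable ASCII that differs from it."""
    if len(secret) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", secret):
        return False
    try:
        decoded = base64.b64decode(secret, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    return decoded.isprintable() and decoded != secret


def check_oidc_settings(settings: dict, expected_redirect: str) -> list:
    """Return a list of findings (empty when the settings look consistent)."""
    findings = []
    url = settings["url"] or ""
    oidc = settings["oidc"]
    if not url or "<" in url or ">" in url:
        findings.append("url: placeholder or missing; set it to the real Argo CD hostname")
    elif url.rstrip("/") + "/auth/callback" != expected_redirect:
        findings.append("url: does not match the Redirect Url registered in OneLogin")
    if not oidc.get("issuer", "").startswith("https://"):
        findings.append("issuer: must be one of the https:// issuer endpoints from the SSO tab")
    for key in ("clientID", "clientSecret"):
        if not oidc.get(key):
            findings.append(f"{key}: missing; copy it from the SSO tab")
    if looks_base64_encoded(oidc.get("clientSecret", "")):
        findings.append("clientSecret: looks base64-encoded; use the raw secret from the SSO tab")
    scopes = json.loads(oidc.get("requestedScopes", '["openid", "profile", "email", "groups"]'))
    if "groups" not in scopes:
        findings.append("requestedScopes: 'groups' not requested (the default scope set includes it)")
    return findings


if __name__ == "__main__":
    found = check_oidc_settings(read_oidc_settings(SAMPLE_ARGOCD_CM),
                                "https://argocd.myproject.com/auth/callback")
    for finding in found:
        print("FINDING:", finding)
```

Run against the constructed sample this reports the placeholder hostname, the base64-looking secret and the missing `groups` scope; with those three corrected it reports nothing.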
### Configure Permissions for OneLogin Auth'd Users

Permissions in ArgoCD can be configured by using the OneLogin role names that are passed in the Groups field in the token. Consider the following yaml in argocd-rbac-cm.yaml:

```
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:readonly
  policy.csv: |
    p, role:org-admin, applications, *, */*, allow
    p, role:org-admin, clusters, get, *, allow
    p, role:org-admin, repositories, get, *, allow
    p, role:org-admin, repositories, create, *, allow
    p, role:org-admin, repositories, update, *, allow
    p, role:org-admin, repositories, delete, *, allow

    g, TestEngineering, role:org-admin
```

In OneLogin, a user with user role "TestEngineering" will receive ArgoCD admin privileges when they log in to Argo via OneLogin. All other users will receive the readonly role. The key takeaway here is that "TestEngineering" is passed via the Groups field in the token (which is specified in the Parameters tab in OneLogin).
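To see how the Parameters tab and this policy fit together, the following added example (not Argo CD code) models the chain end to end: the semicolon-delimited User Roles from OneLogin become the token's groups claim, the `g` lines bind a group to a role, and the `p` lines decide a request. Argo CD itself evaluates `policy.csv` with casbin; this is a simplified stand-in that implements only the `p`/`g` line shapes used on this page, with glob matching via `fnmatch` and an "any allow and no deny" decision. The `role:readonly` line is a constructed stand-in for one entry of Argo CD's built-in read-only policy, which is not part of the page's config map.

```python
"""Model how the token's groups claim is mapped onto policy.csv roles.

Added example, not Argo CD code: a simplified stand-in for the casbin
evaluation Argo CD performs, covering only the p/g lines shown on this page.
"""
from fnmatch import fnmatchcase

# From the page's argocd-rbac-cm, plus one constructed line standing in for
# Argo CD's built-in read-only policy so the default role grants something.
POLICY_DEFAULT = "role:readonly"
POLICY_CSV = """\
p, role:org-admin, applications, *, */*, allow
p, role:org-admin, clusters, get, *, allow
p, role:org-admin, repositories, get, *, allow
p, role:org-admin, repositories, create, *, allow
p, role:org-admin, repositories, update, *, allow
p, role:org-admin, repositories, delete, *, allow
p, role:readonly, applications, get, */*, allow

g, TestEngineering, role:org-admin
"""


def groups_from_user_roles(user_roles: str) -> list:
    """What the 'Semicolon Delimited Input' transform does to the User Roles value."""
    return [role.strip() for role in user_roles.split(";") if role.strip()]


def parse_policy(csv_text: str):
    """Split policy.csv into permission tuples ('p' lines) and group->roles bindings ('g' lines)."""
    permissions, bindings = [], {}
    for line in csv_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            _, subject, resource, action, obj, effect = fields
            permissions.append((subject, resource, action, obj, effect))
        elif fields[0] == "g" and len(fields) == 3:
            bindings.setdefault(fields[1], set()).add(fields[2])
    return permissions, bindings


def roles_for(groups, bindings, default_role=POLICY_DEFAULT) -> set:
    """Roles bound to any of the token's groups; every user also holds policy.default."""
    roles = {default_role}
    for group in groups:
        roles |= bindings.get(group, set())
    return roles


def is_allowed(groups, resource, action, obj, permissions, bindings,
               default_role=POLICY_DEFAULT) -> bool:
    """Allow when some matching p line allows and none denies (casbin-style)."""
    roles = roles_for(groups, bindings, default_role)
    effects = [effect for subject, p_res, p_act, p_obj, effect in permissions
               if subject in roles
               and fnmatchcase(resource, p_res)
               and fnmatchcase(action, p_act)
               and fnmatchcase(obj, p_obj)]
    return "allow" in effects and "deny" not in effects


if __name__ == "__main__":
    perms, binds = parse_policy(POLICY_CSV)
    # Constructed token claim derived from OneLogin User Roles
    groups = groups_from_user_roles("Manager;ProductTeam;TestEngineering")
    print("roles:", sorted(roles_for(groups, binds)))
    print("delete repo:", is_allowed(groups, "repositories", "delete", "https://git.example/repo", perms, binds))
    print("manager-only sync:", is_allowed(["Manager"], "applications", "sync", "default/guestbook", perms, binds))
```

A user whose roles include TestEngineering ends up with `role:org-admin` and can delete repositories and sync applications; a user with only Manager or ProductTeam falls back to `role:readonly` and can merely read applications, which is the behaviour the section above describes.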