
ArgoCD SAML Integration

This document explains how to integrate Monosign with ArgoCD for Single Sign-On. Before you continue, it is best to read ArgoCD’s Single Sign-On implementation page first.

Monofor is not responsible for ArgoCD configuration. If you need support, please contact ArgoCD Support Services.

📑 Instructions

This documentation contains 4 main steps for integration.

  1. Creating an Application on Monosign

  2. Configuring Single Sign-On for ArgoCD

  3. Assign a user to the ArgoCD application

  4. Sign In Test

1- Creating an Application on Monosign

Create an application on Monosign and configure your access policy. Once it is created, click “Keys” and add a new Access Key of type SAML.

This information will be necessary during the configuration of the application.

| Property | Value | Options |
|---|---|---|
| Key Type | SAML | Rest API, OAuth 2.0, JWT, OIDC/OpenID, SAML, RADIUS, Access Gateway, LDAP, AuthN/Z Server |
| Expiration | Lifetime | Lifetime or Specific Date/Time - By Default Lifetime is Enabled. |

Configuration details for the ArgoCD application are provided as follows:


Change Entity Id, Name Id, Attribute Mapping and Group Mapping.

| Property | Value |
|---|---|
| Entity Id | https://<ARGOCD-FQDN-OR-IP>:<PORT>/api/dex/callback |
| Name Id | UserName |
| Attribute Mapping | Attribute : UserName, Value : {{UserName}} |
| | Attribute : Email, Value : {{Email}} |
| Group Mapping | Enable |

To ensure that the application has access to user groups, follow these steps:

  1. If the application hasn't been configured yet, click the “Edit” option for the application.

  2. In the application settings, navigate to the “Source, Provider, and Profile” tab.

  3. Configure the “User Access Type” and “User Group Access Type” as “Only Assigned Users.”

Configuring this setting allows the application to access user groups when users sign in.

| Property | Description | Options |
|---|---|---|
| User Access Type | Defines which users can access this application. | Only Assigned Users; All Users |
| User Group Access Type | Defines the application’s user group access. | Only Assigned Users; Assigned Users and Defined Sources; All Users |
| Profile Access Type | Defines the application’s access to user profiles. | Restricted - Only restricted user profile attributes; All - All user profile attributes |

2- Configuring Single Sign-On for ArgoCD

As highlighted at the beginning of this document, please check out ArgoCD’s SSO configuration page first.

Please add your ArgoCD settings to the application. The following information is needed before you configure ArgoCD.

| Property | Value |
|---|---|
| url | https://<ARGOCD-FQDN-OR-IP>:<PORT> |
| type | saml |
| id | monosign |
| name | Monosign |
| entityIssuer | https://<ARGOCD-FQDN-OR-IP>:<PORT>/api/dex/callback |
| ssoURL | https://account.monofor.com/saml/468dcbfb-f55c-4235-a8d8-1d362b98865c/login |
| caData | Base64 Encoded IdP Certificate |
| redirectURI | https://<ARGOCD-FQDN-OR-IP>:<PORT>/api/dex/callback |
| usernameAttr | UserName |
| emailAttr | Email |
| groupsAttr | Groups |

Download the Monosign IdP certificate and convert it to Base64.

On Linux

BASH
cat monosign.pem | base64 -w 0

The command produces output like the following example:

BASH
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURCVENDQW...........................

On Windows

POWERSHELL
[convert]::ToBase64String([System.IO.File]::ReadAllBytes("monosign.pem"))

The command produces output like the following example:

POWERSHELL
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURCVENDQW...........................
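
A check that can be run on the encoded value before it is pasted into caData (added example, not part of the original Monosign page). check_cadata and cadata_summary are hypothetical helper names, GNU base64 is assumed, and the sample PEM is constructed, not a real certificate:

```bash
#!/usr/bin/env bash
# check_cadata / cadata_summary are hypothetical helper names (not Monosign or Argo CD tools).

# Return 0 only if $1 is single-line Base64 that decodes to a PEM certificate.
check_cadata() {
  local value="$1" decoded
  # The page encodes with -w 0 (one line); flag wrapped or space-padded values.
  case "$value" in
    *[[:space:]]*) echo "caData contains whitespace or line breaks" >&2; return 1 ;;
  esac
  decoded=$(printf '%s' "$value" | base64 -d 2>/dev/null) || {
    echo "caData is not valid Base64" >&2; return 1; }
  # A ConfigMap is not secret storage: refuse anything carrying key material.
  if printf '%s\n' "$decoded" | grep -q 'PRIVATE KEY-----'; then
    echo "decoded data contains a private key" >&2; return 1
  fi
  # First line must be the PEM header; this also catches DER input and double encoding.
  if [ "$(printf '%s\n' "$decoded" | head -n 1 | tr -d '\r')" != "-----BEGIN CERTIFICATE-----" ]; then
    echo "decoded data is not a PEM certificate" >&2; return 1
  fi
  printf '%s\n' "$decoded" | grep -q '^-----END CERTIFICATE-----' || {
    echo "PEM footer missing (truncated value?)" >&2; return 1; }
  return 0
}

# For a real certificate: show what is about to be trusted (requires openssl).
cadata_summary() {
  printf '%s' "$1" | base64 -d | openssl x509 -noout -subject -enddate -fingerprint -sha256
}

# Constructed sample (not a real certificate), encoded the way the page does it.
sample_pem='-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExF
-----END CERTIFICATE-----'
sample_cadata=$(printf '%s\n' "$sample_pem" | base64 -w 0)
check_cadata "$sample_cadata" && echo "caData decodes to a PEM certificate"
```

For the real monosign.pem, cadata_summary prints the subject, expiry date and SHA-256 fingerprint, which can be compared against the certificate shown in Monosign.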

Edit the ArgoCD ConfigMap called argocd-cm.

Create an argocd-cm.yaml file and apply it to the Kubernetes cluster where ArgoCD is already installed.

YAML
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  url: https://<ARGOCD-FQDN-OR-IP>:<PORT>
  dex.config: |
    logger:
      level: debug  # verbose; useful while troubleshooting the SAML setup
      format: json
    connectors:
    - type: saml
      id: monosign
      name: Monosign
      config:
        entityIssuer: https://<ARGOCD-FQDN-OR-IP>:<PORT>/api/dex/callback
        ssoURL: https://account.monofor.com/saml/468dcbfb-f55c-4235-a8d8-1d362b98865c/login
        caData: |
          LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURwVENDQW8y.....
        redirectURI: https://<ARGOCD-FQDN-OR-IP>:<PORT>/api/dex/callback
        usernameAttr: UserName
        emailAttr: Email
        groupsAttr: Groups

Save the file and apply it:

CODE
kubectl apply -f argocd-cm.yaml

Argo CD receives each user's Monosign group memberships, so it is aware of a group that has been assigned to the ArgoCD app on Monosign.

Modify the argocd-rbac-cm ConfigMap to connect the argocd-admins Monosign group to the built-in Argo CD admin role.

Create an argocd-rbac-cm.yaml file and apply it to the Kubernetes cluster where ArgoCD is already installed.

YAML
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.csv: |
    g, argocd-admins, role:admin
  scopes: '[email,groups]'

Save the file and apply it:

CODE
kubectl apply -f argocd-rbac-cm.yaml

Now go back to Monosign, give your users access, and try to log in.

3- Assign a user to the ArgoCD application

Please follow the instructions below to assign a user to the ArgoCD application. In this example, john.smith will be assigned access to the application.

4- Sign In Test

Now try to log in. Navigate to the ArgoCD application login page and click LOG IN VIA MONOSIGN.


If everything is configured correctly, the page will be redirected to Monosign’s login page. The user can log in passwordlessly with a QR code or by typing a username and password.


Once the user has logged in, the page will be redirected to the ArgoCD page.
