Configure ArgoCD (via dex) to use Teleport's SAML IDP

[programmerq]

July 2024 update: This issue has been created to track adding a preset for ArgoCD to Teleport #44077. It is expected that once complete, that will supersede this guide.

Generally, the approach is to follow Teleport as a SAML identity provider. This post is to replace steps 2-4 in that guide with ArgoCD-specific steps.

---

Step 2/4. Configure ArgoCD to recognize Teleport's identity provider

Obtain the Teleport saml-idp certificate authority.

tctl auth export --type saml-idp | openssl x509 -inform der > ca.pem

ArgoCD loads its configuration from ConfigMaps and secrets¹. Be sure to set the url of your ArgoCD instance, and add the following connector to your dex.config in your argocd-cm ConfigMap².

data:
  # Argo CD's externally facing base URL (optional). Required when configuring SSO
  url: https://argo.example.com

  # A dex connector configuration (optional). See SSO configuration documentation:
  # https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/user-management/index.md#sso
  # https://dexidp.io/docs/connectors/
  dex.config: |
    connectors:
      - type: saml
        id: teleport
        name: Teleport
        config:
          ssoURL: https://teleport.example.com/enterprise/saml-idp/sso
          # You need `caData` _OR_ `ca`, but not both. The caData field should
          # be a base64 encoded representation of the ca.pem file.
          # `cat ca.pem | base64`
          caData: LS0tLS1CRUd...LS0tLS0K # replace with your base64 encoded ca.crt obtained from your Teleport cluster.
          # You need `caData` _OR_ `ca`, but not both.
          # Path to mount the secret to the dex container
          #ca: /path/to/ca.pem
          redirectURI: https://argo.example.com/api/dex/callback
          entityIssuer: https://argo.example.com/api/dex/callback
          #ssoIssuer: https://teleport.example.com/enterprise/saml-idp/sso
          usernameAttr: urn:oid:0.9.2342.19200300.100.1.1
          emailAttr: urn:oid:0.9.2342.19200300.100.1.1
          groupsAttr: urn:oid:1.3.6.1.4.1.5923.1.1.1.1
          nameIDPolicyFormat: transient

Once this new config is applied, you should see a "LOG IN VIA TELEPORT" button in your ArgoCD interface.

Step 3/4. Obtain the service provider metadata and add it to Teleport

ArgoCD and dex do not have a method to generate the service provider metadata directly. You can use the SAML Service Provider (SP) Metadata XML Builder on samltool.com to assist you in creating this file.

The EntityId should match the entityIssuer in the dex config. The ACS and Logout values should match the redirectURI in the dex config. For simplicity, they can all be set to the same value: https://argo.example.com/api/dex/callback. Choose the "transient" option in the NameId Format dropdown.

Scroll down, and click on the "BUILD SP METADATA" button.

This will look something like this:

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     validUntil="2023-10-01T19:31:34Z"
                     cacheDuration="PT604800S"
                     entityID="https://argo.example.com/api/dex/callback">
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                                Location="https://argo.example.com/api/dex/callback" />
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:transient</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="https://argo.example.com/api/dex/callback"
                                     index="1" />
        
    </md:SPSSODescriptor>
</md:EntityDescriptor>

Using the template below, create a file called saml-sp.yaml. Assign the metadata you just generated to the entity_descriptor field in the saml_idp_service_provider object:

kind: saml_idp_service_provider
metadata:
  # The friendly name of the service provider. This is used to manage the
  # service provider as well as in identity provider initiated SSO.
  name: argocd
spec:
  # The entity_descriptor is the service provider XML.
  entity_descriptor: |
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"...
version: v1

Add this to Teleport using tctl:

% tctl create saml-sp.yaml
SAML IdP service provider 'argocd' has been created.

Teleport now trusts the argocd service provider.

Step 4/4. Verify ArgoCD login works

To verify everything works, navigate to ArgoCD and click "LOG IN VIA TELEPORT"

If you are not already logged into Teleport, you will be prompted to log in. Once you are logged in, you should see the ArgoCD user interface. Click on "User Info" and you should see your Teleport username and groups:

This has verified service provider initiated SSO.

To verify identity provider initiated SSO, log out of ArgoCD and then navigate to https://teleport.example.com/enterprise/saml-idp/login/argocd, where argocd is the friendly name of the saml_idp_service_provider object created earlier. You should be redirected to the same successful login page seen earlier.

---

At this point, you can refer back to the rest of the Teleport as a SAML identity provider guide.

Limitations

If you are not already authenticated to Teleport, you will encounter an error due to a bug in Teleport. This bug is being tracked in #44279. If a user encounters an error on their first login attempt, it should succeed on the second try.

Resources

While creating this guide, I referred to several upstream resources.

Specific examples for configuration of ArgoCD with other SAML identity providers

• https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/google/#saml-app-auth-using-dex
• https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/okta/#saml-with-dex

Upstream dex documentation on its SAML connector support.

• https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#configuration
• https://dexidp.io/docs/connectors/saml/

Footnotes

1. ArgoCD uses a declarative configuration approach. https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/ ↩

2. https://argo-cd.readthedocs.io/en/stable/operator-manual/argocd-cm-yaml/ ↩

[betoui]

is this possible if we are exposing argo with Teleport?

[programmerq]

Yes, you can combine App Access and Teleport's IDP provider, with a caveat. You need to authenticate via app access first, and then go through the Argo SAML login flow second. There isn't a way to authenticate both layers at the same time.