ArgoCD SSO Integration: SAML 2.0 Edition

Ishikawa Kumo, Service Reliability Group (SRG), Technology Division@ishikawa_kumo)is.
#SRGThe Service Reliability Group primarily provides comprehensive support for the infrastructure surrounding our media services, focusing on improving existing services, launching new ones, and contributing to open-source software (OSS).
This article introduces the current state of SAML integration within the ArgoCD community and provides examples of integrations, focusing on the limited number of SAML 2.0 integrations available for ArgoCD.
 

Regarding ArgoCD's SSO integration


ArgoCD is a declarative GitOps integration tool for Kubernetes environments. We adopted ArgoCD before its general availability (GA) and use it in multiple projects.
admin
There are two main ways to configure SSO in ArgoCD.
  1. Embedded Dex Connector
    1. LDAP
  1. Existing OIDC providers
    1. This is suitable if you already have an OIDC provider in use, such as GitHub, Auth0, Microsoft, Keycloak, Google, or Okta.

About SAML2.0

SAML (Security Assertion Markup Language) was established in 2001 as a standard for exchanging authentication and authorization data between identity providers (IdPs) and service providers (SPs). In 2005, an updated version of this standard, SAML 2.0, was approved, standardizing the exchange of identity information for cross-domain authentication and authorization.
This standard aims to enable user authentication and authorization across different domains. The initial problem was the need for a consistent and secure authentication method when users access multiple applications and services.
The SAML specification defines the following terms:
  • SubjectThe entity with which security information is exchanged. This usually refers to an individual, but can also refer to any authenticated entity (including software programs). In the use cases discussed here, the subject is generally the user of the application.
  • SAML AssertionAn XML-based message containing security information about the subject.
  • SAML ProfileThis is an XML file that defines how SAML messages are used for business use cases such as inter-domain SSO. It typically includes X.509 certificates, IdP and SP identifiers, the URL to which the SP receives assertions (ACS URL), and supported binding types.
  • Identity Provider(IdP)This is a server that issues SAML assertions for authenticated subjects.
  • Service Provider(SP)Authentication is delegated to the IdP, and relies on the SAML Assertion issued by the IdP regarding the authenticated Subject.
  • Trust RelationshipThis is an agreement between the SP and the IdP. It is typically maintained by an X.509 certificate or the exchange of pre-authentication metadata.
  • SAML Protocol BindingSAML message elements are mapped to standard communication protocols (e.g., HTTP) and transmitted between the SP and IdP. In practice, SAML Request and Response messages are typically sent over HTTPS using HTTP-Redirect or HTTP-POST.
SP-Initiated SSO
IdP-Initiated SSO
Compared to OIDC's Code Flow/Implicit Flow, SAML 2.0 is somewhat simpler, but in many scenarios, authentication and authorization are extended with additional layers rather than relying solely on SAML, making it often more complex to configure and manage than OIDC.
SP-Initiated SSO

Which one is best for integration with ArgoCD?

Generally, in corporate environments with existing Active Directory (AD) or LDAP, SAML 2.0 is suitable because many systems only support SAML 2.0.
However, the Dex Connector in ArgoCD, which supports SAML 2.0 integration, deprecates SAML 2.0 itself. For use outside the internal network,The integration of SAML 2.0 and ArgoCD should be avoided as much as possible.is.

Reasons for SAML 2.0 deprecation

Dex developerericchiang butDiscussionAs mentioned above, there are three main reasons why SAML 2.0 is deprecated in Dex Connector.
  1. Vulnerability in Go language XML package
    1. github.com/beevik/etree
  1. Potential vulnerabilities in the SAML Connector pose a risk of exploiting Dex configuration.
    1. Because Dex plays a central role in the authentication process, if Dex authentication is bypassed, it could potentially lead to access to all resources that trust Dex. Furthermore, SAML is technically more complex than other connectors, and this complexity may be creating additional security challenges. In short, it seems that the current development structure for the Dex Connector has been deemed insufficient to fully comply with the SAML specification.
  1. Shortage of SAML Connector developers
In response to these points, the PHP developerscweagansThey emphasized the importance of maintaining SAML support for Dex. They stated that Dex is particularly important as a bridge to the transition from SAML to OIDC for users of services where SAML is the only option.
“I fully agree that OIDC is the future and that SAML is broken and horrible, but Dex is currently serving a really important purpose as a stepping stone to help people get from SAML to OIDC while the rest of the world catches up.”
encoding/xml
A proposal has also been made to split the Dex Connector to mitigate the risk of the Dex configuration being misused. There are various objections being raised to deprecating it.

Examples of collaboration

Dex SAML Connector support features

What Dex's SAML Connector supports
  • Attribute value mapping to user information (username, email, group, etc.)
  • SAML 2.0 HTTP POST Binding
  • Group Filter function
Unsupported content
  • RefreshToken
  • SAML 2.0 HTTP Redirect Binding
  • Signing AuthnRequests and encrypting MetaData
Below is an example of integration using Keycloak and Okta SAML IdP.

Keycloak

  • Settings that are turned off
    • Client signature required
    • Encrypt assertions
  • ACS URL settings
    • Groups settings
      • Basically, the keycloak group name is set to the same name as the ArgoCD group. In contrast, the ArgoCD RBAC ConfigMap needs to be set as follows. Of course, it is also possible to use a different name and map it to Groups in the attribute mapping settings.
    • Attribute mapping settings
      • The following two are being mapped:
      • email
        • email
        • nameIDPolicyFormat
      • group
        • Group List
        • /admin
    groupsAttr: roles
    END CERTIFICATE

    Okta

    • ACS URL settings
      • Attribute mapping settings
        • Similar to Keycloak, we configured Okta to use the same group names as ArgoCD. For convenience, we configured it to map all Okta groups, but in practice, you should change the filters to match your Okta organization's policies.
      The complete ArgoCD ConfigMap is as follows:

      bonus

      Debugging ArgoCD's SSO integration is difficult. Error logs are often unclear, and documentation can be insufficient. As pointed out in many issues and discussions, when debugging SSO integration, try checking in the following order:
      • Check the argocd-server error log.
      • Check the dex-server error log.
      • data.url

      References

      In conclusion


      While ArgoCD's SSO integration is something you rarely need to touch after initial setup, the choice of configuration itself is important. Unfortunately, due to the deprecation of SAML 2.0, we cannot recommend using it at this time. However, given ArgoCD's popularity and the power of its community, there may be a time when SAML 2.0 will once again play a significant role.
       
      SRG is looking for new team members. If you are interested, please contact us here.
       
      SRG runs a podcast where we chat about the latest hot IT technologies and books. We hope you'll enjoy listening to it while you work.