ArgoCD SSO Integration SAML2.0
SRG (Service Reliability Group) mainly provides cross-sectional support for the infrastructure of our media services: improving existing services, launching new ones, contributing to OSS, and so on.
This article introduces the current state of SAML 2.0 support in the ArgoCD community and gives integration examples for the few SAML 2.0 identity providers that can be used with ArgoCD.
- About ArgoCD SSO integration
- About SAML 2.0
- Which is the best way to integrate with ArgoCD?
- Reasons for SAML 2.0 deprecation
- Integration examples
  - Dex SAML Connector Supported Features
  - Keycloak
  - Okta
- Bonus
- Conclusion
About ArgoCD SSO integration
ArgoCD is a declarative GitOps continuous delivery tool for Kubernetes environments. We introduced ArgoCD before its general availability and have been using it in multiple projects.
There are two main ways to configure SSO in ArgoCD:
- Built-in Dex connector: Dex federates to upstream identity sources through its connectors, for example LDAP or SAML 2.0 (the SAML connector is the subject of this article).
- Existing OIDC provider: a good choice if you already run an OIDC provider such as GitHub, Auth0, Microsoft, Keycloak, Google or Okta.
About SAML 2.0
SAML (Security Assertion Markup Language) was established in 2001 as a standard for exchanging authentication and authorization data between identity providers (IdP) and service providers (SP). In 2005, an updated version of this standard, SAML 2.0, was approved to standardize the exchange of identity information for cross-domain authentication and authorization.
The standard is intended to enable user authentication and authorization across different domains. The original problem was that users needed a consistent and secure way to authenticate themselves when accessing multiple applications and services.
The SAML specification defines the following terms:
- Subject: An entity with which security information is exchanged. Usually refers to an individual, but can refer to any entity that can be authenticated (including software programs). In the use cases discussed here, the subject is typically the user of the application.
- SAML Assertion: An XML-based message that contains security information about a subject.
- SAML Profile: An XML file that defines how to use SAML messages for business use cases such as cross-domain SSO. It typically contains X.509 certificates, IdP and SP identifiers, the URL where the SP accepts assertions (ACS URL), the types of bindings supported, etc.
- Identity Provider (IdP): A server that issues SAML assertions for authenticated subjects.
- Service Provider (SP): Delegates authentication to the IdP and relies on the SAML assertion about the authenticated subject issued by the IdP.
- Trust Relationship: An agreement between an SP and an IdP, usually maintained by an X.509 certificate or by exchanging metadata prior to authentication.
- SAML Protocol Binding: SAML message elements are mapped to a standard communication protocol (for example HTTP) and transmitted between the SP and the IdP. In practice, SAML Request and Response messages are usually sent over HTTPS using HTTP-Redirect or HTTP-POST.
[Figure: SP-initiated SSO flow]
[Figure: IdP-initiated SSO flow]
Compared to OIDC's Authorization Code Flow/Implicit Flow, the SAML 2.0 flow itself is somewhat simpler, but in many deployments it is more complicated to configure and manage than OIDC, because authentication and authorization are usually extended with an additional layer on top of SAML rather than relying on SAML alone.
Which is the best way to integrate with ArgoCD?
Generally, in an enterprise environment with an existing AD or LDAP directory, SAML 2.0 is the preferred option, since it is often the only protocol that the surrounding systems support.
However, the Dex connector that provides SAML 2.0 integration in ArgoCD has deprecated SAML 2.0 itself. For use outside an internal network in particular, integrating ArgoCD with SAML 2.0 should be avoided where possible.
Reasons for SAML 2.0 deprecation
As Dex developer ericchiang explained in the deprecation discussion, there are three main reasons for deprecating SAML 2.0 in the Dex connector:
- Vulnerabilities in Go XML handling: the connector depends on the standard library package encoding/xml and on github.com/beevik/etree
- A potential vulnerability in the SAML connector that could allow a misconfigured Dex deployment to be exploited
Because Dex plays a central role in the authentication process, if Dex authentication is bypassed, access to every resource that trusts Dex may be possible. In addition, SAML is technically more complex than the other connectors, and this complexity may cause further security issues. In other words, the Dex project's current development resources do not seem sufficient to support the SAML specification fully.
- Lack of developers for the SAML connector
In response to these issues, cweagans (a PHP developer) emphasized the importance of keeping SAML support in Dex, especially for users of services where SAML is the only option, and noted that Dex is also important as a bridge for the transition from SAML to OIDC.
“I fully agree that OIDC is the future and that SAML is broken and horrible, but Dex is currently serving a really important purpose as a stepping stone to help people get from SAML to OIDC while the rest of the world catches up.”
To address the risk of Dex misconfiguration being abused, a proposal was made to split the Dex connectors into separate components. Overall, there is considerable opposition to the deprecation.
Integration examples
Dex SAML Connector Supported Features
What the Dex SAML connector supports:
- Mapping attribute values to user information (username, email, groups, etc.)
- SAML 2.0 HTTP-POST binding
- Group filtering
What is not supported:
- Refresh tokens
- SAML 2.0 HTTP-Redirect binding
- Signed AuthnRequests and encrypted metadata
Below we provide an example of integration using Keycloak and Okta SAML IdP.
Keycloak
- Settings to turn off on the Keycloak client, since the Dex SAML connector does not support them:
  - Client signature required
  - Encrypt assertions
- ACS URL settings
- Group settings
The Keycloak group is given the same name as the ArgoCD group, and the ArgoCD RBAC ConfigMap is configured to match it. You can of course use other names and map them to ArgoCD groups in the attribute mapping configuration.
- Attribute mapping settings
  - email, together with the matching nameIDPolicyFormat on the Dex side
  - group, mapped with Keycloak's Group List mapper, which produced the value /admin here
In the Dex connector configuration the following two items are then set: the group attribute via groupsAttr: roles, and the Keycloak signing certificate as a PEM block (ending in END CERTIFICATE).
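As an added example that is not the article's own configuration, here are the two ArgoCD ConfigMaps the Keycloak integration above needs: argocd-cm carrying the Dex SAML connector (attribute mapping with groupsAttr: roles and the realm signing certificate) and argocd-rbac-cm mapping the Keycloak group /admin to ArgoCD's admin role. The hostnames argocd.example.com and keycloak.example.com, the realm name "example" and the certificate value are placeholders.

```yaml
# Added example, not the article's configuration. Hostnames, realm name and
# the certificate value are placeholders to be replaced with your own.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  # Dex derives its redirect URI (the SAML ACS URL) from this value, so it
  # must be the URL users actually open in their browser.
  url: https://argocd.example.com
  dex.config: |
    connectors:
    - type: saml
      id: keycloak
      name: Keycloak
      config:
        # Realm SAML endpoint (HTTP-POST binding); path assumed for a recent Keycloak.
        ssoURL: https://keycloak.example.com/realms/example/protocol/saml
        # Realm signing certificate, base64-encoded PEM. Dex verifies the assertion
        # signature against it, so never fall back to skipping signature validation.
        caData: BASE64_PEM_CERTIFICATE_PLACEHOLDER
        # Must equal the ACS URL registered on the Keycloak client.
        redirectURI: https://argocd.example.com/api/dex/callback
        # SAML attribute names as configured in the Keycloak client mappers.
        usernameAttr: email
        emailAttr: email
        groupsAttr: roles
        nameIDPolicyFormat: emailAddress
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  # Users whose groups claim matches no rule below only get read access.
  policy.default: role:readonly
  # Keycloak's Group List mapper emits the full group path, so the group
  # created as "admin" in Keycloak arrives as "/admin" in the "roles" attribute.
  policy.csv: |
    g, /admin, role:admin
  # Evaluate policy.csv against the groups claim that Dex puts in the ID token.
  scopes: '[groups]'
```

Because the realm certificate is public, keeping it in the ConfigMap is fine; what must stay out of the ConfigMap is anything that would let a third party impersonate the IdP, which is exactly why the "Client signature required" and assertion encryption options above are only disabled because the connector cannot consume them, not because they are undesirable.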
Okta
- ACS URL settings
- Attribute Mapping Settings
Similar to Keycloak, the group names in Okta are set to the same names as in ArgoCD. For convenience, we set it to map all Okta groups, but in practice you should change this to an appropriate filter according to your Okta organization's policy.
The whole configuration ends up in the ArgoCD ConfigMap (argocd-cm).
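As an added example (not the article's ConfigMap, which was shown as an image), the following argocd-cm wires the Okta SAML application into Dex. Besides mapping all Okta groups on the IdP side as described above, it restricts logins on the Dex side with the connector's allowedGroups and filterGroups options, which is one way to implement the group filter the text recommends. The Okta SSO URL, the group names and the certificate value are placeholders.

```yaml
# Added example, not the article's configuration. The Okta URL, the group
# names and the certificate are placeholders for your own values.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  # External URL of ArgoCD; Dex derives the redirect URI (ACS URL) from it.
  url: https://argocd.example.com
  dex.config: |
    connectors:
    - type: saml
      id: okta
      name: Okta
      config:
        # "Identity Provider Single Sign-On URL" shown in the Okta SAML app setup.
        ssoURL: https://example.okta.com/app/argocd/PLACEHOLDER_APP_ID/sso/saml
        # Okta's X.509 signing certificate, base64-encoded PEM.
        caData: BASE64_PEM_CERTIFICATE_PLACEHOLDER
        # Must match the "Single sign on URL" (ACS URL) configured in Okta.
        redirectURI: https://argocd.example.com/api/dex/callback
        # Attribute statement names configured in the Okta app.
        usernameAttr: email
        emailAttr: email
        # Group attribute statement; an Okta filter such as "Matches regex .*"
        # sends every group, which is what the article did for convenience.
        groupsAttr: groups
        nameIDPolicyFormat: emailAddress
        # Dex-side restriction: only members of these groups may log in, and
        # filterGroups drops every other group from the resulting ID token.
        allowedGroups:
          - argocd-admin
          - argocd-developer
        filterGroups: true
```

With allowedGroups set, a user who is in none of the listed groups is rejected by Dex before ArgoCD's RBAC is ever consulted, and with filterGroups the groups claim ArgoCD sees contains only the listed names, so argocd-rbac-cm policy rules can refer to exactly those names. Tightening the Okta attribute statement filter, as the text recommends, additionally keeps unrelated group names out of the assertion altogether.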
Bonus
Debugging ArgoCD SSO integration is difficult: the error logs are hard to interpret and the documentation is sometimes insufficient. As pointed out in many issues and discussions, check the following in order when debugging an SSO integration.
- Check the argocd-server error log
- Check the dex-server error log
- Check that data.url in argocd-cm is the URL users actually access, since the Dex redirect URI is derived from it
Conclusion
ArgoCD's SSO integration is something you rarely touch after setting it up, but the choice of settings itself is important. Unfortunately, with the deprecation of SAML 2.0 in Dex we cannot recommend using SAML 2.0, but given the popularity of ArgoCD and the strength of its community, the time may come when SAML 2.0 can be used again.
SRG is looking for people to work with us. If you are interested, please contact us here.
SRG runs a podcast where we chat about the latest hot topics in IT and books. We hope you will enjoy listening to it while you work.