ArgoCD SSO Integration SAML2.0

This article is by Kumo Ishikawa (@ishikawa_kumo) of the Service Reliability Group (SRG), Technology Headquarters.
SRG (Service Reliability Group) is a group that mainly provides cross-sectional infrastructure support for our media services, improves existing services, launches new ones, and contributes to OSS.
This article introduces the current state of SAML 2.0 integration in the ArgoCD community and gives integration examples, with a focus on the limited SAML 2.0 capabilities that ArgoCD offers.
 

About ArgoCD SSO integration


ArgoCD is a declarative GitOps continuous delivery tool for Kubernetes environments. We adopted ArgoCD before it reached general availability and have been using it in multiple projects.
There are two main ways to configure SSO in ArgoCD:
  1. The built-in Dex connector
    • e.g., LDAP
  2. An existing OIDC provider
    • A good choice if you already run an OIDC provider such as GitHub, Auth0, Microsoft, Keycloak, Google, or Okta.

About SAML 2.0

SAML (Security Assertion Markup Language) was established in 2001 as a standard for exchanging authentication and authorization data between identity providers (IdPs) and service providers (SPs). In 2005, an updated version of this standard, SAML 2.0, was approved, standardizing the exchange of identity information for cross-domain authentication and authorization.
The standard aims to enable user authentication and authorization across different domains. The original problem was the need for a consistent and secure method of authentication when users accessed multiple applications and services.
The SAML specification defines the following terms:
  • Subject: An entity with which security information is exchanged. Usually refers to an individual, but can refer to any entity that can be authenticated (including software programs). In the use cases discussed here, the subject is typically the user of the application.
  • SAML Assertion: An XML-based message that contains security information about a subject.
  • SAML Profile: An XML file that defines how to use SAML messages for business use cases such as cross-domain SSO. It typically contains X.509 certificates, IdP and SP identifiers, the URL where the SP receives assertions (ACS URL), supported binding types, etc.
  • Identity Provider (IdP): A server that issues SAML assertions for authenticated subjects.
  • Service Provider (SP): Delegates authentication to the IdP and relies on a SAML assertion about the authenticated subject issued by the IdP.
  • Trust Relationship: An agreement between the SP and the IdP, usually maintained by an X.509 certificate or by exchanging metadata before authentication.
  • SAML Protocol Binding: SAML message elements are mapped to a standard communication protocol (e.g., HTTP) and transmitted between the SP and the IdP. In practice, SAML Request and Response messages are typically sent over HTTPS using HTTP-Redirect or HTTP-POST.
(Figures: SP-Initiated SSO and IdP-Initiated SSO flows)
Compared to OIDC's code flow and implicit flow, the SAML 2.0 flow itself is somewhat simpler, but in many scenarios SAML 2.0 is more complex to configure and manage than OIDC, because authentication and authorization are extended with an additional layer rather than handled by SAML alone.

Which one is best for integrating with ArgoCD?

Generally, in an enterprise environment with an existing AD or LDAP, SAML 2.0 is the preferred option, as many systems only support SAML 2.0.
However, the Dex connector, through which ArgoCD supports SAML 2.0 integration, has itself deprecated SAML 2.0. For use outside the internal network, integrating ArgoCD with SAML 2.0 should be avoided if possible.

Reasons for SAML 2.0 deprecation

As Dex developer ericchiang explained in the deprecation discussion, there are three main reasons SAML 2.0 was deprecated in the Dex connector:
  1. Vulnerabilities in the Go XML packages the connector depends on
    • the standard library encoding/xml
    • github.com/beevik/etree
  2. A potential vulnerability in the SAML connector could allow the Dex configuration to be exploited
    • Because Dex plays a central role in the authentication process, bypassing Dex authentication could allow access to every resource that trusts Dex. Furthermore, SAML is technically more complex than the other connectors, and that complexity could create additional security challenges. In other words, the current Dex development structure appears unable to fully support the SAML specification.
  3. Shortage of SAML connector developers
In response, PHP developer cweagans emphasized the importance of keeping SAML support in Dex, especially for users of services where SAML is the only option, noting that Dex also matters as a bridge for the transition from SAML to OIDC:
“I fully agree that OIDC is the future and that SAML is broken and horrible, but Dex is currently serving a really important purpose as a stepping stone to help people get from SAML to OIDC while the rest of the world catches up.”
There has also been a proposal to split the SAML connector out of Dex because of the risk of the Dex configuration being abused, but there seems to be considerable opposition to deprecating it.

Integration examples

Dex SAML Connector Supported Features

Supported
  • Mapping of attribute values to user information (username, email, groups, etc.)
  • SAML 2.0 HTTP-POST binding
  • Group filter function
Unsupported
  • Refresh tokens
  • SAML 2.0 HTTP-Redirect binding
  • Signing AuthnRequests and encrypted metadata
Below we provide an example of integration using Keycloak and Okta SAML IdP.

Keycloak

  • Settings that are turned off
    • Client signature required
    • Encrypt assertions
  • ACS URL settings
  • Group settings
    • Basically, the Keycloak group is given the same name as the ArgoCD group, and the ArgoCD RBAC ConfigMap is configured to match. Of course, you can use other names and map them to groups in the attribute mapping configuration.
  • Attribute mapping settings
    • The following two mappings are made:
      • email
        • email
        • nameIDPolicyFormat
      • group
        • Group List
        • /admin

Okta

  • ACS URL settings
  • Attribute mapping settings
    • As with Keycloak, we configured Okta with the same group names as ArgoCD. For convenience, we mapped all Okta groups, but in practice you should narrow this to an appropriate filter according to your Okta organization's policy.
The complete ArgoCD ConfigMap looks like this:
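The following is an added example of what the ConfigMap pair can look like for the Keycloak setup described above; it is not the ConfigMap from the original article, and the host names, realm name, attribute names and group paths are assumptions. It puts the Dex SAML connector (with the HTTP-POST callback, signature-verification certificate, attribute mapping and group filter that the connector supports) in argocd-cm, and the mapping from Keycloak group paths to ArgoCD roles in argocd-rbac-cm. It also turns on Dex debug logging, which makes the dex-server log far more useful when a login fails; lower it again once the integration works.

```yaml
# Added example (not the article's ConfigMap): argocd-cm with a Dex SAML
# connector for Keycloak, plus argocd-rbac-cm mapping the Keycloak group
# "/admin" to ArgoCD's admin role. Host names, realm and attribute names
# are assumptions; replace them with your own values.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  # data.url must be the externally reachable ArgoCD URL; the Dex callback
  # (the ACS URL registered in Keycloak) is derived from it.
  url: https://argocd.example.com
  dex.config: |
    logger:
      level: debug   # verbose dex-server logs while troubleshooting
      format: json
    connectors:
    - type: saml
      id: keycloak
      name: Keycloak
      config:
        # Keycloak realm SAML endpoint (assumed realm name "argocd")
        ssoURL: https://keycloak.example.com/realms/argocd/protocol/saml
        # Issuer Dex expects in the SAML response; for Keycloak this is the realm URL
        ssoIssuer: https://keycloak.example.com/realms/argocd
        # Dex's own issuer / SP entity ID; must equal the Client ID of the Keycloak SAML client
        entityIssuer: https://argocd.example.com/api/dex/callback
        # ACS URL: Keycloak posts the SAML response here (HTTP-POST binding only)
        redirectURI: https://argocd.example.com/api/dex/callback
        # Base64-encoded PEM of the realm's signing certificate, used to verify
        # response signatures. Placeholder below; keep signature validation on.
        caData: |
          <BASE64_ENCODED_REALM_SIGNING_CERT_PEM>
        # Attribute names must match the mappers configured on the Keycloak client
        usernameAttr: username
        emailAttr: email
        groupsAttr: groups      # Group List mapper with "Full group path" -> "/admin"
        nameIDPolicyFormat: persistent
        # Group filter: users who belong to none of these groups are refused login
        allowedGroups:
        - /admin
        - /developers
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
data:
  # Users whose groups match no rule get read-only access
  policy.default: role:readonly
  # Keycloak group paths (as delivered in the SAML groups attribute) -> ArgoCD roles
  policy.csv: |
    g, /admin, role:admin
    p, role:developer, applications, get, */*, allow
    p, role:developer, applications, sync, */*, allow
    g, /developers, role:developer
  # Token claim used for the "g" rules above
  scopes: '[groups]'
```

If the Keycloak "Full group path" option is off, the groups attribute carries bare names ("admin" instead of "/admin") and both allowedGroups and the policy.csv "g" rules must be written the same way; a mismatch here is the most common reason a user logs in successfully yet lands in role:readonly.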

Bonus

Debugging ArgoCD SSO integration is difficult: the error logs are confusing and the documentation is sometimes lacking. As pointed out in many issues and discussions, when debugging SSO integration, check the following in order:
  • Check the argocd-server error log
  • Check the dex-server error log
  • Check the value of data.url in argocd-cm

Conclusion

ArgoCD's SSO integration is something you rarely touch after setting it up, but the choice of the setting itself is important. Unfortunately, with the deprecation of SAML 2.0, we can no longer recommend using it. However, with the popularity of ArgoCD and the power of the community, the time may come when SAML 2.0 will be used again.

SRG is looking for people to work with us. If you're interested, please contact us here.

SRG runs a podcast where we chat about the latest hot topics in IT technology and books. We hope you'll listen to it while you work.