automation-suite
2022.10
false
Automation Suite Installation Guide
Last updated Oct 4, 2024

Enabling SSO for ArgoCD

Overview

The uipathctl.sh script is required to enable SSO authentication. For more details on the script and the parameters you need to use, see Using uipathctl.sh.

Preparing the configuration files

You must generate the RBAC file and the connector file before enabling SSO for ArgoCD.

The RBAC file

The RBAC file contains access rules.

For details on the built-in role definitions, see the ArgoCD documentation.

For details on the ArgoCD account types and their permissions, see Managing the cluster in ArgoCD.

We recommend using these roles when defining your groups, but you can create your own set of permissions.

Configuring the RBAC file

  1. Create a file named policy.csv, add the following content, and save the file:
    p, role:uipath-sync, applications, get, */*, allow
    p, role:uipath-sync, applications, sync, */*, allow
    g, argocdro, role:uipath-syncp, role:uipath-sync, applications, get, */*, allow
    p, role:uipath-sync, applications, sync, */*, allow
    g, argocdro, role:uipath-sync
  2. Associate your RBAC groups with the built-in admin role and the UiPath® argocdro read-only role, by appending the following lines to the policy.csv RBAC file:
    g, <your_ldap_readonly_group_name>, role:uipath-sync
    g, <your_ldap_admin_group_name>, role:adming, <your_ldap_readonly_group_name>, role:uipath-sync
    g, <your_ldap_admin_group_name>, role:admin
  3. Save the updated policy.csv RBAC file.

Example:

Say your LDAP group for ArgoCD administrators is "Administrators", and the LDAP group for ArgoCD read-only users is "Readers", the RBAC file should be:

p, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-sync
g, Readers, role:uipath-sync
g, Administrators, role:adminp, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-sync
g, Readers, role:uipath-sync
g, Administrators, role:admin

For more advanced use cases, see the default RBAC file.

# Built-in policy which defines two roles: role:readonly and role:admin,
# and additionally assigns the admin user to the role:admin role.
# There are two policy formats:
# 1. Applications, logs, and exec (which belong to a project):
# p, <user/group>, <resource>, <action>, <project>/<object>
# 2. All other resources:
# p, <user/group>, <resource>, <action>, <object>

p, role:readonly, applications, get, */*, allow
p, role:readonly, certificates, get, *, allow
p, role:readonly, clusters, get, *, allow
p, role:readonly, repositories, get, *, allow
p, role:readonly, projects, get, *, allow
p, role:readonly, accounts, get, *, allow
p, role:readonly, gpgkeys, get, *, allow
p, role:readonly, logs, get, */*, allow

p, role:admin, applications, create, */*, allow
p, role:admin, applications, update, */*, allow
p, role:admin, applications, delete, */*, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, applications, override, */*, allow
p, role:admin, applications, action/*, */*, allow
p, role:admin, applicationsets, get, */*, allow
p, role:admin, applicationsets, create, */*, allow
p, role:admin, applicationsets, update, */*, allow
p, role:admin, applicationsets, delete, */*, allow
p, role:admin, certificates, create, *, allow
p, role:admin, certificates, update, *, allow
p, role:admin, certificates, delete, *, allow
p, role:admin, clusters, create, *, allow
p, role:admin, clusters, update, *, allow
p, role:admin, clusters, delete, *, allow
p, role:admin, repositories, create, *, allow
p, role:admin, repositories, update, *, allow
p, role:admin, repositories, delete, *, allow
p, role:admin, projects, create, *, allow
p, role:admin, projects, update, *, allow
p, role:admin, projects, delete, *, allow
p, role:admin, accounts, update, *, allow
p, role:admin, gpgkeys, create, *, allow
p, role:admin, gpgkeys, delete, *, allow
p, role:admin, exec, create, */*, allow

g, role:admin, role:readonly
g, admin, role:admin# Built-in policy which defines two roles: role:readonly and role:admin,
# and additionally assigns the admin user to the role:admin role.
# There are two policy formats:
# 1. Applications, logs, and exec (which belong to a project):
# p, <user/group>, <resource>, <action>, <project>/<object>
# 2. All other resources:
# p, <user/group>, <resource>, <action>, <object>

p, role:readonly, applications, get, */*, allow
p, role:readonly, certificates, get, *, allow
p, role:readonly, clusters, get, *, allow
p, role:readonly, repositories, get, *, allow
p, role:readonly, projects, get, *, allow
p, role:readonly, accounts, get, *, allow
p, role:readonly, gpgkeys, get, *, allow
p, role:readonly, logs, get, */*, allow

p, role:admin, applications, create, */*, allow
p, role:admin, applications, update, */*, allow
p, role:admin, applications, delete, */*, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, applications, override, */*, allow
p, role:admin, applications, action/*, */*, allow
p, role:admin, applicationsets, get, */*, allow
p, role:admin, applicationsets, create, */*, allow
p, role:admin, applicationsets, update, */*, allow
p, role:admin, applicationsets, delete, */*, allow
p, role:admin, certificates, create, *, allow
p, role:admin, certificates, update, *, allow
p, role:admin, certificates, delete, *, allow
p, role:admin, clusters, create, *, allow
p, role:admin, clusters, update, *, allow
p, role:admin, clusters, delete, *, allow
p, role:admin, repositories, create, *, allow
p, role:admin, repositories, update, *, allow
p, role:admin, repositories, delete, *, allow
p, role:admin, projects, create, *, allow
p, role:admin, projects, update, *, allow
p, role:admin, projects, delete, *, allow
p, role:admin, accounts, update, *, allow
p, role:admin, gpgkeys, create, *, allow
p, role:admin, gpgkeys, delete, *, allow
p, role:admin, exec, create, */*, allow

g, role:admin, role:readonly
g, admin, role:admin

The LDAP connector file

The LDAP connector file contains the LDAP parameters required to configure SSO for ArgoCD.

Note: If you already have an LDAP connector file (ldap_connector.yaml), skip to Enabling the SSO for ArgoCD.

To configure SSO through LDAP, take the following steps:

  1. Generate the LDAP template file by running the following command. The connector template file is generated in the same directory you run the command.
    ./uipathctl.sh sso-generate-connector --sso-connector-type ldap --install-type [online|offline] --accept-license-agreement./uipathctl.sh sso-generate-connector --sso-connector-type ldap --install-type [online|offline] --accept-license-agreement
  2. Copy the output which begins at --- and save it as ldap_connector.yaml.
    Example of an openLDAP connector file:
    ---
    type: ldap
    # Required field for connector id.
    id: ldap
    # Required field for connector name.
    name: OpenLDAP
    config:
      host: openldap:389
      insecureNoSSL: true
      startTLS: false
      bindDN: cn=admin,dc=example,dc=org
      bindPW: adminpassword
      usernamePrompt: Email Address
      userSearch:
        baseDN: ou=People,dc=example,dc=org
        filter: "(objectClass=person)"
        username: mail
        idAttr: DN
        emailAttr: mail
        nameAttr: cn
      # Group search queries for groups given a user entry.
      groupSearch:
        baseDN: ou=Groups,dc=example,dc=org
        filter: "(objectClass=groupOfNames)"
        userMatchers:
          - userAttr: DN
            groupAttr: member
        nameAttr: cn---
    type: ldap
    # Required field for connector id.
    id: ldap
    # Required field for connector name.
    name: OpenLDAP
    config:
      host: openldap:389
      insecureNoSSL: true
      startTLS: false
      bindDN: cn=admin,dc=example,dc=org
      bindPW: adminpassword
      usernamePrompt: Email Address
      userSearch:
        baseDN: ou=People,dc=example,dc=org
        filter: "(objectClass=person)"
        username: mail
        idAttr: DN
        emailAttr: mail
        nameAttr: cn
      # Group search queries for groups given a user entry.
      groupSearch:
        baseDN: ou=Groups,dc=example,dc=org
        filter: "(objectClass=groupOfNames)"
        userMatchers:
          - userAttr: DN
            groupAttr: member
        nameAttr: cn
    Example of an Active Directory LDAP connector file:
    ---
    id: ldap
    name: ActiveDirectory
    type: ldap
    config:
      bindDN: cn=admin,cn=Users,dc=example,dc=local
      bindPW: "<admins's password>"
      groupSearch:
        baseDN: dc=example,dc=local
        filter: "(objectClass=group)"
        nameAttr: cn
        userMatchers:
          - userAttr: distinguishedName
            groupAttr: member
      host: "ldaphost:389"
      insecureNoSSL: true
      insecureSkipVerify: true
      startTLS: false
      userSearch:
        baseDN: cn=Users,dc=example,dc=local
        emailAttr: userPrincipalName
        filter: (objectClass=person)
        idAttr: DN
        nameAttr: cn
        username: userPrincipalName
      usernamePrompt: Email Address---
    id: ldap
    name: ActiveDirectory
    type: ldap
    config:
      bindDN: cn=admin,cn=Users,dc=example,dc=local
      bindPW: "<admins's password>"
      groupSearch:
        baseDN: dc=example,dc=local
        filter: "(objectClass=group)"
        nameAttr: cn
        userMatchers:
          - userAttr: distinguishedName
            groupAttr: member
      host: "ldaphost:389"
      insecureNoSSL: true
      insecureSkipVerify: true
      startTLS: false
      userSearch:
        baseDN: cn=Users,dc=example,dc=local
        emailAttr: userPrincipalName
        filter: (objectClass=person)
        idAttr: DN
        nameAttr: cn
        username: userPrincipalName
      usernamePrompt: Email Address
  3. Update the LDAP connector file with the required information and save it. We recommend using LDAPS.

Enabling SSO for ArgoCD

After preparing the RBAC and the connector file, you can enable SSO for ArgoCD.

Using LDAP

Enable the SSO for ArgoCD by running the following command in the directory where the connector file is stored:

./uipathctl.sh sso-apply-overlays --install-type [online|offline] --accept-license-agreement --sso-connector-file ldap_connector.yaml --sso-rbac-file policy.csv./uipathctl.sh sso-apply-overlays --install-type [online|offline] --accept-license-agreement --sso-connector-file ldap_connector.yaml --sso-rbac-file policy.csv
Note: After running the previous command, you should see an SSO login button on the ArgoCD login page. Provide your company domain username and password.
  • Overview
  • Preparing the configuration files
  • The RBAC file
  • The LDAP connector file
  • Enabling SSO for ArgoCD
  • Using LDAP

Was this page helpful?

Get The Help You Need
Learning RPA - Automation Courses
UiPath Community Forum
Uipath Logo White
Trust and Security
© 2005-2024 UiPath. All rights reserved.