
UiPath Automation Suite

The UiPath Automation Suite Guide

Enabling SSO for ArgoCD

This page provides instructions on how to enable SSO (single sign-on) authentication for ArgoCD.

Overview


The uipathctl.sh script is required to enable SSO authentication. For more details on the script and the parameters you need to use, see Using uipathctl.sh.

 

Preparing the configuration files


You must generate the RBAC file and the connector file before enabling SSO for ArgoCD.

The RBAC file

The RBAC file contains access rules. For details on the built-in role definitions, see the ArgoCD documentation. For details on the ArgoCD account types and their permissions, see Managing the cluster in ArgoCD. We recommend using these roles when defining your groups, but you can create your own set of permissions.

Configuring the RBAC file

  1. Create a file named policy.csv, add the following content, and save the file:
p, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-sync
  2. Associate your RBAC groups with the built-in admin role and the UiPath argocdro read-only role by appending the following lines to the policy.csv RBAC file:
g, <your_ldap_readonly_group_name>, role:uipath-sync
g, <your_ldap_admin_group_name>, role:admin
  3. Save the updated policy.csv RBAC file.

Example:
If your LDAP group for ArgoCD administrators is "Administrators" and your LDAP group for ArgoCD read-only users is "Readers", the RBAC file should be:

p, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-sync
g, Readers, role:uipath-sync
g, Administrators, role:admin

For more advanced use cases, see the default RBAC file:

# Built-in policy which defines two roles: role:readonly and role:admin,
# and additionally assigns the admin user to the role:admin role.
# There are two policy formats:
# 1. Applications, logs, and exec (which belong to a project):
# p, <user/group>, <resource>, <action>, <project>/<object>
# 2. All other resources:
# p, <user/group>, <resource>, <action>, <object>

p, role:readonly, applications, get, */*, allow
p, role:readonly, certificates, get, *, allow
p, role:readonly, clusters, get, *, allow
p, role:readonly, repositories, get, *, allow
p, role:readonly, projects, get, *, allow
p, role:readonly, accounts, get, *, allow
p, role:readonly, gpgkeys, get, *, allow
p, role:readonly, logs, get, */*, allow

p, role:admin, applications, create, */*, allow
p, role:admin, applications, update, */*, allow
p, role:admin, applications, delete, */*, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, applications, override, */*, allow
p, role:admin, applications, action/*, */*, allow
p, role:admin, applicationsets, get, */*, allow
p, role:admin, applicationsets, create, */*, allow
p, role:admin, applicationsets, update, */*, allow
p, role:admin, applicationsets, delete, */*, allow
p, role:admin, certificates, create, *, allow
p, role:admin, certificates, update, *, allow
p, role:admin, certificates, delete, *, allow
p, role:admin, clusters, create, *, allow
p, role:admin, clusters, update, *, allow
p, role:admin, clusters, delete, *, allow
p, role:admin, repositories, create, *, allow
p, role:admin, repositories, update, *, allow
p, role:admin, repositories, delete, *, allow
p, role:admin, projects, create, *, allow
p, role:admin, projects, update, *, allow
p, role:admin, projects, delete, *, allow
p, role:admin, accounts, update, *, allow
p, role:admin, gpgkeys, create, *, allow
p, role:admin, gpgkeys, delete, *, allow
p, role:admin, exec, create, */*, allow

g, role:admin, role:readonly
g, admin, role:admin

The LDAP connector file

The LDAP connector file contains the LDAP parameters required to configure SSO for ArgoCD.

Note: If you already have an LDAP connector file (ldap_connector.yaml), skip to Enabling SSO for ArgoCD.

To configure SSO through LDAP, take the following steps:

  1. Generate the LDAP template file by running the following command. The connector template file is generated in the directory where you run the command.
./uipathctl.sh sso-generate-connector --sso-connector-type ldap --install-type [online|offline] --accept-license-agreement
  2. Copy the output, which begins at ---, and save it as ldap_connector.yaml.

Example of an OpenLDAP connector file:

---
type: ldap
# Required field for connector id.
id: ldap
# Required field for connector name.
name: OpenLDAP
config:
  host: openldap:389
  insecureNoSSL: true
  startTLS: false
  bindDN: cn=admin,dc=example,dc=org
  bindPW: adminpassword
  usernamePrompt: Email Address
  userSearch:
    baseDN: ou=People,dc=example,dc=org
    filter: "(objectClass=person)"
    username: mail
    idAttr: DN
    emailAttr: mail
    nameAttr: cn
  # Group search queries for groups given a user entry.
  groupSearch:
    baseDN: ou=Groups,dc=example,dc=org
    filter: "(objectClass=groupOfNames)"
    userMatchers:
      - userAttr: DN
        groupAttr: member
    nameAttr: cn

Example of an Active Directory LDAP connector file:

---
id: ldap
name: ActiveDirectory
type: ldap
config:
  bindDN: cn=admin,cn=Users,dc=example,dc=local
  bindPW: "<admin's password>"
  groupSearch:
    baseDN: dc=example,dc=local
    filter: "(objectClass=group)"
    nameAttr: cn
    userMatchers:
      - userAttr: distinguishedName
        groupAttr: member
  host: "ldaphost:389"
  insecureNoSSL: true
  insecureSkipVerify: true
  startTLS: false
  userSearch:
    baseDN: cn=Users,dc=example,dc=local
    emailAttr: userPrincipalName
    filter: (objectClass=person)
    idAttr: DN
    nameAttr: cn
    username: userPrincipalName
  usernamePrompt: Email Address

  3. Update the LDAP connector file with the required information and save it. We recommend using LDAPS.
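
A pre-flight check for the transport settings in ldap_connector.yaml, as an added example that is not part of the UiPath tooling. It assumes the keys follow the Dex LDAP connector bundled with Argo CD (insecureNoSSL, insecureSkipVerify, startTLS, rootCA); the sample inputs are constructed from the Active Directory example above, and the CA path is a placeholder.

```python
import re

# Constructed input: transport lines from the Active Directory example on this page.
WEAK = """\
config:
  host: "ldaphost:389"
  insecureNoSSL: true
  insecureSkipVerify: true
  startTLS: false
"""
# Constructed LDAPS variant; the CA path is a placeholder. Field names are assumed
# to follow the Dex LDAP connector bundled with Argo CD.
LDAPS = """\
config:
  host: "ldaphost:636"
  insecureNoSSL: false
  insecureSkipVerify: false
  rootCA: /path/to/ldap-ca.crt
"""

def scalar_settings(text):
    """Collect flat 'key: value' scalars. Enough for these keys; not a YAML parser."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z]+):\s*(\S.*?)\s*$", line)
        if m:
            settings.setdefault(m.group(1), m.group(2).strip("\"'"))
    return settings

def transport_findings(text):
    """Return (key, reason) pairs for settings that weaken the LDAP connection."""
    s = scalar_settings(text)
    on = lambda key: s.get(key, "false").lower() == "true"
    findings = []
    if on("insecureNoSSL"):
        findings.append(("insecureNoSSL", "no TLS: bindPW and user passwords are sent in cleartext"))
    if on("insecureSkipVerify"):
        findings.append(("insecureSkipVerify", "server certificate is not verified"))
    port = s.get("host", "").rpartition(":")[2]
    if port == "389" and not on("startTLS"):
        findings.append(("host", "port 389 without startTLS is plain LDAP; LDAPS uses 636"))
    return findings

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("LDAPS", LDAPS)):
        print(name, transport_findings(text) or "no transport findings")
```

Running the check before sso-apply-overlays catches a connector file that still carries the insecure settings from the examples.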

 

Enabling SSO for ArgoCD


After preparing the RBAC and the connector file, you can enable SSO for ArgoCD.

Using LDAP

Enable SSO for ArgoCD by running the following command in the directory where the connector file is stored:

./uipathctl.sh sso-apply-overlays --install-type [online|offline] --accept-license-agreement --sso-connector-file ldap_connector.yaml --sso-rbac-file policy.csv

Note: After running the previous command, you should see an SSO login button on the ArgoCD login page. Provide your company domain username and password.

Updated 27 days ago

