Automation Suite
2023.10
Automation Suite on Linux Installation Guide
Last updated Mar 25, 2024

Enabling SSO for ArgoCD

Overview

The uipathctl.sh script is required to enable SSO authentication. For more details on the script and the parameters you need to use, see .

Preparing the configuration files

You must generate the RBAC file and the Dex configuration file before enabling SSO for ArgoCD.

The RBAC file

The RBAC file contains access rules. For details on the built-in role definitions, see ArgoCD documentation. For details on the ArgoCD account types and their permissions, see Managing the cluster in ArgoCD. We recommend using these roles when defining your groups, but you can create your own set of permissions.

Configuring the RBAC file

  1. Create a file named policy.csv, add the following content, and save the file:
    p, role:uipath-sync, applications, get, */*, allow
    p, role:uipath-sync, applications, sync, */*, allow
    g, argocdro, role:uipath-sync
  2. Associate your RBAC groups with the built-in admin role and with the UiPath argocdro read-only role by appending the following lines to the policy.csv RBAC file:
    g, <your_ldap_readonly_group_name>, role:uipath-sync
    g, <your_ldap_admin_group_name>, role:admin
  3. Save the updated policy.csv RBAC file.

Example:

If your LDAP group for ArgoCD administrators is "Administrators" and the LDAP group for ArgoCD read-only users is "Readers", the RBAC file should be:

p, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-sync
g, Readers, role:uipath-sync
g, Administrators, role:admin

For more advanced use cases, see the default RBAC file.

# Built-in policy which defines two roles: role:readonly and role:admin,
# and additionally assigns the admin user to the role:admin role.
# There are two policy formats:
# 1. Applications, logs, and exec (which belong to a project):
# p, <user/group>, <resource>, <action>, <project>/<object>
# 2. All other resources:
# p, <user/group>, <resource>, <action>, <object>

p, role:readonly, applications, get, */*, allow
p, role:readonly, certificates, get, *, allow
p, role:readonly, clusters, get, *, allow
p, role:readonly, repositories, get, *, allow
p, role:readonly, projects, get, *, allow
p, role:readonly, accounts, get, *, allow
p, role:readonly, gpgkeys, get, *, allow
p, role:readonly, logs, get, */*, allow

p, role:admin, applications, create, */*, allow
p, role:admin, applications, update, */*, allow
p, role:admin, applications, delete, */*, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, applications, override, */*, allow
p, role:admin, applications, action/*, */*, allow
p, role:admin, applicationsets, get, */*, allow
p, role:admin, applicationsets, create, */*, allow
p, role:admin, applicationsets, update, */*, allow
p, role:admin, applicationsets, delete, */*, allow
p, role:admin, certificates, create, *, allow
p, role:admin, certificates, update, *, allow
p, role:admin, certificates, delete, *, allow
p, role:admin, clusters, create, *, allow
p, role:admin, clusters, update, *, allow
p, role:admin, clusters, delete, *, allow
p, role:admin, repositories, create, *, allow
p, role:admin, repositories, update, *, allow
p, role:admin, repositories, delete, *, allow
p, role:admin, projects, create, *, allow
p, role:admin, projects, update, *, allow
p, role:admin, projects, delete, *, allow
p, role:admin, accounts, update, *, allow
p, role:admin, gpgkeys, create, *, allow
p, role:admin, gpgkeys, delete, *, allow
p, role:admin, exec, create, */*, allow

g, role:admin, role:readonly
g, admin, role:admin
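To see how the p and g lines above combine, here is an added example (not UiPath's or ArgoCD's code) of a small evaluator for policy.csv: it parses the rules, follows g lines transitively, applies glob matching to resource, action and object, and lets an explicit deny override an allow. ArgoCD itself enforces these files through Casbin; the glob semantics here (a * that does not cross /) are a simplified approximation, and the embedded policy is the page's Readers/Administrators file plus an abridged copy of the built-in roles.

```python
import fnmatch

# Constructed sample: the page's Readers/Administrators rules on top of an
# abridged copy of the built-in role:readonly and role:admin definitions.
POLICY_CSV = """
p, role:readonly, applications, get, */*, allow
p, role:readonly, clusters, get, *, allow
p, role:admin, applications, action/*, */*, allow
g, role:admin, role:readonly
p, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-sync
g, Readers, role:uipath-sync
g, Administrators, role:admin
"""

def parse_policy(text):
    # 'p' lines carry 6 fields and 'g' lines 3; anything else is malformed
    rules, groups = [], {}
    for line in filter(None, (ln.split("#", 1)[0].strip() for ln in text.splitlines())):
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            rules.append(tuple(fields[1:]))  # subject, resource, action, object, effect
        elif fields[0] == "g" and len(fields) == 3:
            groups.setdefault(fields[1], set()).add(fields[2])
        else:
            raise ValueError(f"malformed policy line: {line!r}")
    return rules, groups

def glob_match(pattern, value):
    # '*' does not cross '/', so '*/*' matches 'project/app' but not 'app'
    p, v = pattern.split("/"), value.split("/")
    return len(p) == len(v) and all(fnmatch.fnmatchcase(b, a) for a, b in zip(p, v))

def effective_subjects(subject, groups, seen=frozenset()):
    # the subject itself plus every role reachable through 'g' lines
    seen = seen | {subject}
    for parent in groups.get(subject, set()) - seen:
        seen = effective_subjects(parent, groups, seen)
    return seen

def enforce(policy_text, subject, resource, action, obj):
    # allow only if a matching rule allows and no matching rule denies
    rules, groups = parse_policy(policy_text)
    subjects = effective_subjects(subject, groups)
    effects = [eff for sub, res, act, o, eff in rules if sub in subjects
               and glob_match(res, resource) and glob_match(act, action)
               and glob_match(o, obj)]
    return "allow" in effects and "deny" not in effects
```

Running parse_policy over a file before handing it to the installer catches the kind of fused line that a bad copy-paste produces, since such a line has the wrong number of fields.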

The Dex configuration file

The Dex configuration file contains the parameters required to configure SSO for ArgoCD.

Note: If you already have an LDAP connector file (ldap_connector.yaml), skip to Enabling SSO for ArgoCD.

To configure SSO through LDAP, take the following steps:

  1. Generate the LDAP template file by running the following command. The connector template file is created in the directory from which you run the command.
    ./uipathctl.sh sso-generate-connector --sso-connector-type ldap --accept-license-agreement
  2. Copy the output which begins at --- and save it as ldap_connector.yaml.
    Example of an OpenLDAP connector file:
    ---
    connectors:
      - type: ldap
        # Required field for connector id.
        id: ldap
        # Required field for connector name.
        name: OpenLDAP
        config:
          host: openldap:389
          insecureNoSSL: true
          startTLS: false
          bindDN: cn=admin,dc=example,dc=org
          bindPW: adminpassword
          usernamePrompt: Email Address
          userSearch:
            baseDN: ou=People,dc=example,dc=org
            filter: "(objectClass=person)"
            username: mail
            idAttr: DN
            emailAttr: mail
            nameAttr: cn
          # Group search queries for groups given a user entry.
          groupSearch:
            baseDN: ou=Groups,dc=example,dc=org
            filter: "(objectClass=groupOfNames)"
            userMatchers:
              - userAttr: DN
                groupAttr: member
            nameAttr: cn
    Example of an Active Directory LDAP connector file:
    ---
    connectors:
    - id: ldap
      name: ActiveDirectory
      type: ldap
      config:
        bindDN: cn=admin,cn=Users,dc=example,dc=local
        bindPW: "<admin's password>"
        groupSearch:
          baseDN: dc=example,dc=local
          filter: "(objectClass=group)"
          nameAttr: cn
          userMatchers:
            - userAttr: distinguishedName
              groupAttr: member
        host: "ldaphost:389"
        insecureNoSSL: true
        insecureSkipVerify: true
        startTLS: false
        userSearch:
          baseDN: cn=Users,dc=example,dc=local
          emailAttr: userPrincipalName
          filter: (objectClass=person)
          idAttr: DN
          nameAttr: cn
          username: userPrincipalName
        usernamePrompt: Email Address
  3. Update the LDAP connector file with the required information and save it. We recommend using LDAPS.
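Both templates above ship with insecureNoSSL: true, and the Active Directory one also with insecureSkipVerify: true, so the bind password and every user's password would cross the network in clear text until the file is changed as step 3 recommends. As an added example that is not part of the UiPath documentation or of Dex, the following check flags those settings in the connector's config mapping (as obtained from ldap_connector.yaml with yaml.safe_load); the two mappings and the CA path are constructed for the example.

```python
# Added example, not UiPath's or Dex's code: flag transport settings in a Dex
# LDAP connector that send bindPW and user passwords in clear text or skip
# server certificate checks. Input is the connector's "config" mapping as
# parsed from ldap_connector.yaml (e.g. yaml.safe_load); both mappings below
# are constructed for this example.

TEMPLATE_CONFIG = {  # transport fields as the generated OpenLDAP template has them
    "host": "openldap:389", "insecureNoSSL": True, "startTLS": False,
}
HARDENED_CONFIG = {  # constructed LDAPS variant that pins the directory's issuing CA
    "host": "ldap.example.org:636", "insecureNoSSL": False, "startTLS": False,
    "insecureSkipVerify": False, "rootCA": "/etc/ssl/certs/ldap-ca.pem",
}

# what to change in ldap_connector.yaml for each finding code
REMEDIATION = {
    "insecureNoSSL": "set insecureNoSSL: false and use LDAPS (port 636) or startTLS: true",
    "plaintext-389": "move host to port 636 (LDAPS) or set startTLS: true",
    "insecureSkipVerify": "set insecureSkipVerify: false and point rootCA/rootCAData at the CA",
}

def transport_issues(config):
    """Return sorted finding codes; an empty list means credentials travel only over verified TLS."""
    findings = set()
    port = config.get("host", "").rpartition(":")[2]
    if config.get("insecureNoSSL", False):
        # Dex opens a plain connection when insecureNoSSL is set, even if startTLS is also true
        findings.add("insecureNoSSL")
    if port == "389" and not config.get("startTLS", False):
        # default LDAP port with neither LDAPS nor StartTLS: the bind is in clear text
        findings.add("plaintext-389")
    if config.get("insecureSkipVerify", False):
        # TLS without certificate validation: any responder on that host:port is trusted
        findings.add("insecureSkipVerify")
    return sorted(findings)

def report(config):
    """Pair each finding with its fix, ready to print before running the installer."""
    return [f"{code}: {REMEDIATION[code]}" for code in transport_issues(config)]
```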

Enabling SSO for ArgoCD

After preparing the RBAC and the Dex configuration file, you can enable SSO for ArgoCD:

  1. Update the cluster_config.json file with the following parameters:

    1. fabric.argocd_dex_config_file - enter the path to the previously created Dex configuration file.
    2. fabric.argocd_rbac_config_file - enter the path to the previously created RBAC file.
  2. Rerun the fabric installer:

    ./install-uipath.sh -i cluster_config.json -f -o output.json --accept-license-agreement
