Skip to main content
Version: Next

Argo CD SSO Configuration

Prerequisites

Create Keycloak Client

tip

If this client already exists due to it being configured for another cluster, consider adding the environment name as common prefix to the client name. For example, the client name could be my-org-run-argocd.

  1. While you are in the smoothglue realm, click on Clients under Manage in the left pane.
  2. Click Create client.
  3. Enter client name argocd for Client ID.
  4. Click on the Next button.
  5. Toggle on Client authentication.
  6. Click on the Next button. Note: The application's FQDN name may be obtained by running kubectl get virtualservice -A
  7. Enter https://{{ application_fqdn }}/auth/callback for Valid Redirect URIs.
  8. Click on the Save button.

Creating Client Scopes

ArgoCD needs to be added in the Client Scopes.

  1. While you are in the smoothglue realm, click on Client Scopes.
  2. Click Create client scope.
  3. Enter ArgoCD for Name, and click on the Save button.
  4. Go to the Mappers tab.
  5. Click Configure a new mapper.
  6. Select Group Membership
  7. Enter the following information:
    1. Name - Groups
    2. Token claim Name - groups
    3. Full group path - Enabled
    4. Add to ID token - Enabled
    5. Add to access token - Enabled
    6. Save
  8. Go to Clients, and click on the argocd client.
  9. Go to the Client Scopes tab.
  10. Click Add client scope.
  11. Enable the ArgoCD client scope.
  12. Click Add -> Default.

SSO Configuration

Retrieve the client_secret from the Keycloak client:

  1. As a Keycloak Admin and within the smoothglue realm, click Clients on the left-hand panel.
  2. Click on the argocd client.
  3. Click on the Credentials tab.
  4. Copy the value from the Client Secret field.

Add the following values to bigbang-secrets.yaml to configure SSO:

# SSO Settings
addons:
  argocd:
    sso:
      client_id: argocd # should match the client name in keycloak
      client_secret: "" # change to your Argo CD client secret
      enabled: true
      provider_name: Keycloak
      groups: |
        g, /_structsureAdmins, role:admin
        g, /_structsureAudit, role:readonly
info

See How to Configure Big Bang Values for more information on configuring Big Bang applications.