argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

SSO Azure SAML - all users can login #20857

Open Vormillion opened 2 days ago

Vormillion commented 2 days ago

Hi,

I've set up SSO with Azure and everything works fine. On the Azure Enterprise app I have hundreds of groups but I allow only 1 in ArgoCD RBAC.

The problem is that any user not belonging to the allowed group can log in via SAML and will access ArgoCD, but without seeing any application. How to prevent such behaviour?

andrii-korotkov-verkada commented 1 day ago

You probably need to configure the RBAC configmap. Can you provide more details about your setup, please?

Vormillion commented 1 day ago

Hi,

That's my RBAC

apiVersion: v1
data:
  policy.csv: |
    g, AAD-XX-ECOMM-DevOps, role:readonly
    g, AWS-sln-XX-XX-devops, role:readonly
    g, XX, role:admin
  policy.default: ""
  policy.matchMode: glob
  scopes: '[groups, email]'
kind: ConfigMap
metadata:
  annotations:
    meta.helm.sh/release-name: argo-cd
    meta.helm.sh/release-namespace: default
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/instance: argo-cd
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
    app.kubernetes.io/version: v2.13.0
    helm.sh/chart: argo-cd-7.7.1
  name: argocd-rbac-cm
  namespace: default

Argocd CM

apiVersion: v1
data:
  accounts.XX: apiKey,login
  accounts.XX.enabled: "true"
  admin.enabled: "false"
  application.instanceLabelKey: argocd.argoproj.io/instance
  dex.config: |
    logger:
      level: debug
      format: json
    connectors:
    - type: saml
      id: saml
      name: saml
      config:
        entityIssuer: https://argocd.XXX
        ssoURL: https://login.microsoftonline.com/XXX/saml2
        caData: |
          XXX
        redirectURI: https://argocd.XXX/api/dex/callback
        usernameAttr: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        emailAttr: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
        groupsAttr: XXX
  exec.enabled: "false"
  helm.valuesFileSchemes: secrets+gpg-import, secrets+gpg-import-kubernetes, secrets+age-import,
    secrets+age-import-kubernetes, secrets,secrets+literal, https
  server.rbac.log.enforce.enable: "false"
  statusbadge.enabled: "false"
  timeout.hard.reconciliation: 0s
  timeout.reconciliation: 180s
  url: https://argocd.XXX
kind: ConfigMap
metadata:
  annotations:
    meta.helm.sh/release-name: argo-cd
    meta.helm.sh/release-namespace: default
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/instance: argo-cd
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
    app.kubernetes.io/version: v2.13.0
    helm.sh/chart: argo-cd-7.7.1
  name: argocd-cm
  namespace: default

andrii-korotkov-verkada commented 1 day ago

Do you want to not allow login at all in those cases?

Vormillion commented 18 hours ago

Yes, if the group/email is not listed in RBAC, SAML login should show an error or something like this, but not allow accessing an "empty" ArgoCD.
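The behaviour described in this thread follows from the split between authentication and authorization in Argo CD: `argocd-rbac-cm` only decides what an already logged-in user may do, and `policy.default: ""` means a user whose groups match no `g` line gets a session with no permissions rather than no session. Refusing the login itself has to happen in the identity layer, i.e. in Dex or at the IdP. The block below is an added example, not configuration from this thread or from the Argo CD project: it shows the posted `dex.config` SAML connector with Dex's `allowedGroups` option, which makes Dex reject the SAML response (and the login) unless the asserted groups include at least one listed entry, leaving `argocd-rbac-cm` unchanged. The `<...>` values are placeholders; the group name is taken from the posted `policy.csv`.

```yaml
# Added example (not from the thread): argocd-cm with the Dex SAML connector
# restricted to one group. "<...>" values are placeholders.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: default
data:
  url: https://argocd.<your-domain>
  admin.enabled: "false"
  dex.config: |
    connectors:
    - type: saml
      id: saml
      name: saml
      config:
        entityIssuer: https://argocd.<your-domain>
        ssoURL: https://login.microsoftonline.com/<tenant-id>/saml2
        caData: |
          <base64-encoded IdP signing certificate>
        redirectURI: https://argocd.<your-domain>/api/dex/callback
        usernameAttr: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        emailAttr: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
        # Name of the SAML attribute that carries group membership (redacted in the thread).
        groupsAttr: <groups claim attribute name>
        # Without allowedGroups, Dex accepts any assertion the IdP signs and Argo CD
        # then issues a session; RBAC alone only leaves that session empty.
        # With allowedGroups, Dex fails the callback for users whose asserted groups
        # contain none of these values, so no Argo CD session is created.
        # Entries must equal the raw attribute values the IdP sends (Azure emits
        # group object IDs by default unless the claim is configured to emit names);
        # they are matched here, not against the subjects in argocd-rbac-cm.
        allowedGroups:
        - AAD-XX-ECOMM-DevOps
```

After rolling this out, a quick check is to log in once with an account outside the listed group and confirm that the Dex callback returns an error instead of an empty Argo CD UI; keep `policy.default: ""` in `argocd-rbac-cm` as a second layer so that any group Dex does let through still starts with no permissions.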