I am integrating dex with Okta (SAML) in ArgoCD: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/okta/

I have multiple ArgoCD instances (let's call them url1 and url2), and the end goal is to have a single Okta application to manage them all.

The ArgoCD helm chart config for url1 looks like this:

    - type: saml
      id: okta
      name: Okta
      config:
        ssoURL: {redacted}/sso/saml
        ssoIssuer: {redacted}
        redirectURI: {url1}/api/dex/callback
        caData: $argocd-external-secret:dex.okta.caData
        usernameAttr: email
        emailAttr: email
        groupsAttr: group

The config is working for url1. However, it doesn't work for url2 (even when I update the config above to use url2). I get the following error message:

    argocd-dex-server-6ddbc6f96d-x2h6b dex-server time=2025-02-11T12:47:10.814Z level=ERROR msg="failed to authenticate" err="required audience {url2}/api/dex/callback was not in Response audiences [{url1}]" request_id={redacted}

--> log from https://github.com/dexidp/dex/blob/a6dfa5ca9f9e1c819a846bd667c3c357da5252ac/connector/saml/saml.go#L575

The Okta SAML application has both url1 and url2 in Requestable SSO URLs (https://support.okta.com/help/s/article/How-to-add-additional-Requestable-SSO-URLs?language=en_US).

Followed this tutorial: https://rtfm.co.ua/en/argocd-okta-integration-and-user-groups/ + official argocd docs for dex integration.

Any ideas on how to troubleshoot this?
asked Feb 11 at 13:42 by thiagowfx

1 Answer
Populate entityIssuer in Dex / ArgoCD with a value that matches the one in Okta Audience URI (SP Entity ID).

Which URL to use? It doesn't need to be the /api/dex/callback one. Having the URLs match is enough to pass the validation in dex.

Got the idea from this dex PR.
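As an added illustration (not code from the question, the answer, or the dex project), the following Python models the audience check behind the log line in the question: the response is accepted when any Audience in the assertion matches redirectURI or, when configured, entityIssuer, so a second instance with its own callback URL passes once entityIssuer equals the Okta Audience URI. The instance URLs and the unsigned SAML response are constructed; the code checks the audience only and performs no signature validation, which dex does before reaching this step.

```python
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def response_audiences(response_xml: str) -> list[str]:
    """Collect every <saml:Audience> under AudienceRestriction in the response."""
    root = ET.fromstring(response_xml)
    path = ".//saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return [a.text.strip() for a in root.findall(path, NS) if a.text]


def check_audience(response_xml: str, redirect_uri: str,
                   entity_issuer: Optional[str] = None) -> Optional[str]:
    """Return None when the audience is acceptable, else an error string shaped
    like the dex log line. Accepted values: redirectURI and, if set, entityIssuer."""
    audiences = response_audiences(response_xml)
    accepted = {redirect_uri} | ({entity_issuer} if entity_issuer else set())
    if accepted & set(audiences):
        return None
    required = entity_issuer or redirect_uri
    return f"required audience {required} was not in Response audiences {audiences}"


# Constructed, unsigned sample: Okta's Audience URI (SP Entity ID) is url1.
URL1 = "https://argocd-one.example"
URL2 = "https://argocd-two.example"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{URL1}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def demo() -> dict[str, Optional[str]]:
    """url2 with only its callback as redirectURI fails; with entityIssuer=url1 it passes."""
    callback = f"{URL2}/api/dex/callback"
    return {
        "url2_default": check_audience(SAMPLE_RESPONSE, callback),
        "url2_entity_issuer": check_audience(SAMPLE_RESPONSE, callback, entity_issuer=URL1),
    }


if __name__ == "__main__":
    for name, err in demo().items():
        print(name, "->", err or "ok")
```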