Argo Workflows SSO Quick Fix - Single Sign-On Configuration
DodaTech
Updated 2026-06-26
1 min read
Argo Workflows SSO enables single sign-on authentication via OIDC providers. Misconfigured SSO settings lock users out of the Argo UI. This guide covers the fix.
Quick Fix
Wrong
server:
sso:
issuer: https://accounts.google.com
clientId:
name: argo-sso
key: client-id
The issue: missing sessionExpiry, no rbac configuration, and issuer URL may not include the correct OIDC discovery endpoint. Users cannot log in or have no permissions.
Right
server:
sso:
issuer: https://accounts.google.com
sessionExpiry: 24h
clientId:
name: argo-sso
key: client-id
clientSecret:
name: argo-sso
key: client-secret
rbac:
enabled: true
secret:
name: argo-rbac-config
key: policy.csv
# Expected output after applying the fix
# SSO login redirects to Google OAuth
# Users authenticated and redirected back to Argo UI
# RBAC policies enforce user permissions
# Session expires after 24 hours
Prevention
- Verify OIDC issuer URL includes the full discovery path
- Configure
sessionExpiryfor secure session management - Enable RBAC integration for user authorization
- Store client secret in Kubernetes secret, not ConfigMap
- Test SSO with a test OIDC provider before production
DodaTech Tools
Doda Browser's SSO test tool validates OIDC configuration before deployment. DodaZIP archives SSO configurations for security audits. Durga Antivirus Pro monitors SSO authentication attempts for anomalies.
FAQ
← Previous
Argo Workflows Shutdown Quick Fix - Graceful Shutdown Config
Next →
Argo Workflows Steps Quick Fix - Sequential Step Errors
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro