Skip to content

Argo Workflows SSO Quick Fix - Single Sign-On Configuration

DodaTech Updated 2026-06-26 1 min read

Argo Workflows SSO enables single sign-on authentication via OIDC providers. Misconfigured SSO settings lock users out of the Argo UI. This guide covers the fix.

Quick Fix

Wrong

server:
  sso:
    issuer: https://accounts.google.com
    clientId:
      name: argo-sso
      key: client-id

The issue: missing sessionExpiry, no rbac configuration, and issuer URL may not include the correct OIDC discovery endpoint. Users cannot log in or have no permissions.

server:
  sso:
    issuer: https://accounts.google.com
    sessionExpiry: 24h
    clientId:
      name: argo-sso
      key: client-id
    clientSecret:
      name: argo-sso
      key: client-secret
    rbac:
      enabled: true
      secret:
        name: argo-rbac-config
        key: policy.csv
# Expected output after applying the fix
# SSO login redirects to Google OAuth
# Users authenticated and redirected back to Argo UI
# RBAC policies enforce user permissions
# Session expires after 24 hours

Prevention

  • Verify OIDC issuer URL includes the full discovery path
  • Configure sessionExpiry for secure session management
  • Enable RBAC integration for user authorization
  • Store client secret in Kubernetes secret, not ConfigMap
  • Test SSO with a test OIDC provider before production

DodaTech Tools

Doda Browser's SSO test tool validates OIDC configuration before deployment. DodaZIP archives SSO configurations for security audits. Durga Antivirus Pro monitors SSO authentication attempts for anomalies.

FAQ

What OIDC providers does Argo Workflows support?

Argo supports any OIDC-compliant provider including Google, Okta, Keycloak, Dex, Azure AD, and Auth0. The provider must support the authorization code flow. ||| How do I configure RBAC with SSO? Create a ConfigMap with policy.csv containing RBAC rules, and reference it in the SSO configuration. Map OIDC groups to Argo roles. ||| What happens if SSO configuration is wrong? The Argo server may fail to start, or users may see "Authentication failed" errors. Check server logs for OIDC error messages and verify the issuer URL is accessible.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro