
ArgoCD with Okta SAML integration does not work with multiple Requestable SSO URLs


I am integrating dex with Okta (SAML) in ArgoCD: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/okta/

I have multiple ArgoCD instances (let's call them url1 and url2), and the end goal is to have a single Okta application to manage them all.

The ArgoCD helm chart config for url1 looks like this:

- type: saml
  id: okta
  name: Okta
  config:
    ssoURL: {redacted}/sso/saml
    ssoIssuer: {redacted}
    redirectURI: {url1}/api/dex/callback
    caData: $argocd-external-secret:dex.okta.caData
    usernameAttr: email
    emailAttr: email
    groupsAttr: group

The config is working for url1. However, it doesn't work for url2 (even when I update the config above to use url2). I get the following error message:

argocd-dex-server-6ddbc6f96d-x2h6b dex-server time=2025-02-11T12:47:10.814Z level=ERROR msg="failed to authenticate" err="required audience {url2}/api/dex/callback was not in Response audiences [{url1}]" request_id={redacted}

--> log from https://github.com/dexidp/dex/blob/a6dfa5ca9f9e1c819a846bd667c3c357da5252ac/connector/saml/saml.go#L575

The Okta SAML application has both url1 and url2 in Requestable SSO URLs (https://support.okta.com/help/s/article/How-to-add-additional-Requestable-SSO-URLs?language=en_US).

I followed this tutorial: https://rtfm.co.ua/en/argocd-okta-integration-and-user-groups/ plus the official ArgoCD docs for dex integration.

Any ideas on how to troubleshoot this?


Solution

  • Populate entityIssuer in Dex / ArgoCD with a value that matches the one in Okta Audience URI (SP Entity ID).

    Which URL to use? It doesn't need to be the /api/dex/callback one. Having the URLs match is enough to pass the validation in dex.

    Got the idea from this dex PR.
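To see why setting entityIssuer fixes the error above, here is an added example (not dex's code and not from the answer) that re-implements the audience check in simplified form: the required audience is entityIssuer when set, otherwise the redirectURI, and it must appear in the assertion's AudienceRestriction. The hostnames url1.example / url2.example and the sample Conditions XML are constructed placeholders.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Minimal model of the SAML <Conditions> element carrying the
// <AudienceRestriction>/<Audience> values asserted by the IdP (Okta).
type Conditions struct {
	XMLName             xml.Name              `xml:"urn:oasis:names:tc:SAML:2.0:assertion Conditions"`
	AudienceRestriction []AudienceRestriction `xml:"AudienceRestriction"`
}

type AudienceRestriction struct {
	Audiences []string `xml:"Audience"`
}

// Constructed sample: the Okta app's Audience URI (SP Entity ID) is url1's callback.
const sampleConditions = `<saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AudienceRestriction>
    <saml:Audience>https://url1.example/api/dex/callback</saml:Audience>
  </saml:AudienceRestriction>
</saml:Conditions>`

// requiredAudience mirrors the rule the answer relies on (simplified
// re-implementation): entityIssuer wins when set, else redirectURI is required.
func requiredAudience(entityIssuer, redirectURI string) string {
	if entityIssuer != "" {
		return entityIssuer
	}
	return redirectURI
}

// checkAudience returns nil when the required audience is present in the assertion.
func checkAudience(conditionsXML, entityIssuer, redirectURI string) error {
	var c Conditions
	if err := xml.Unmarshal([]byte(conditionsXML), &c); err != nil {
		return fmt.Errorf("parse conditions: %w", err)
	}
	want := requiredAudience(entityIssuer, redirectURI)
	var seen []string
	for _, ar := range c.AudienceRestriction {
		for _, a := range ar.Audiences {
			if a == want {
				return nil
			}
			seen = append(seen, a)
		}
	}
	return fmt.Errorf("required audience %s was not in Response audiences %v", want, seen)
}

func main() {
	url2 := "https://url2.example/api/dex/callback"
	fmt.Println(checkAudience(sampleConditions, "", url2))                                          // rejected
	fmt.Println(checkAudience(sampleConditions, "https://url1.example/api/dex/callback", url2)) // nil
}
```

Running it reproduces the "required audience ... was not in Response audiences" failure for url2 without entityIssuer, and a pass once entityIssuer matches the Okta Audience URI, regardless of which instance's redirectURI is configured.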