SSO Overview

Argo CD does not have any local users other than the built-in admin user. All other users are expected to log in via SSO. There are two ways that SSO can be configured:

  • Bundled Dex OIDC provider - use this option if your current provider does not support OIDC (e.g. SAML, LDAP) or if you wish to leverage any of Dex's connector features (e.g. the ability to map GitHub organizations and teams to OIDC groups claims).

  • Existing OIDC provider - use this if you already have an OIDC provider which you are using (e.g. Okta, OneLogin, Auth0, Microsoft), where you manage your users, groups, and memberships.


Argo CD embeds and bundles Dex as part of its installation, for the purpose of delegating authentication to an external identity provider. Multiple types of identity providers are supported (OIDC, SAML, LDAP, GitHub, etc.). Configuring SSO for Argo CD requires editing the argocd-cm ConfigMap with Dex connector settings.

This document describes how to configure Argo CD SSO using GitHub (OAuth2) as an example, but the steps should be similar for other identity providers.

1. Register the application in the identity provider

In GitHub, register a new application. The callback address should be the /api/dex/callback endpoint of your Argo CD URL (e.g.


After registering the app, you will receive an OAuth2 client ID and secret. These values go into the Argo CD ConfigMap.


2. Configure Argo CD for SSO

Edit the argocd-cm configmap:

  kubectl edit configmap argocd-cm -n argocd

  • In the url key, input the base URL of Argo CD. In this example, it is
  • In the dex.config key, add the github connector to the connectors sub field. See Dex's GitHub connector documentation for an explanation of the fields. A minimal config should populate the clientID and clientSecret generated in Step 1.
  • You will very likely want to restrict logins to one or more GitHub organizations. In the connectors.config.orgs list, add one or more GitHub organizations. Any member of the org will then be able to log in to Argo CD to perform management tasks.

  dex.config: |
    connectors:
      # GitHub example
      - type: github
        id: github
        name: GitHub
        config:
          clientID: aabbccddeeff00112233
          clientSecret: $dex.github.clientSecret
          orgs:
          - name: your-github-org

      # GitHub enterprise example
      - type: github
        id: acme-github
        name: Acme GitHub
        config:
          # placeholder: hostname of your GitHub Enterprise instance
          hostName: github.example.com
          clientID: abcdefghijklmnopqrst
          clientSecret: $dex.acme.clientSecret
          orgs:
          - name: your-github-org

After saving, the changes should take effect automatically.


  • Any value that starts with '$' is looked up in argocd-secret under the key of the same name (minus the $) to obtain the actual value. This allows you to store the clientSecret as a Kubernetes secret instead of in the ConfigMap.
  • There is no need to set redirectURI in the connectors.config as shown in the dex documentation. Argo CD will automatically use the correct redirectURI for any OAuth2 connectors, to match the correct external callback URL (e.g.
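
The two points above that matter most for security, the '$' secret references and the orgs restriction, can be checked mechanically. The following is an added example, not part of Argo CD or Dex: the function name, the finding messages and the sample data are assumptions, and the input is the dex.config value after it has been parsed with a YAML library.

```python
def audit_dex_connectors(dex_config, secret_keys):
    """Return findings for the connectors of a parsed dex.config.

    dex_config  -- dict parsed from the dex.config YAML text
    secret_keys -- set of key names that exist in the argocd-secret Secret
    """
    findings = []
    for conn in dex_config.get("connectors") or []:
        cid = conn.get("id", "<no id>")
        cfg = conn.get("config") or {}
        secret = str(cfg.get("clientSecret") or "")
        if not secret:
            findings.append(f"{cid}: clientSecret is missing")
        elif not secret.startswith("$"):
            # The literal itself is deliberately not echoed into the finding.
            findings.append(f"{cid}: clientSecret is an inline literal, not a $ reference")
        elif secret[1:] not in secret_keys:
            # '$name' resolves to the argocd-secret key 'name' (minus the $).
            findings.append(f"{cid}: {secret} has no key '{secret[1:]}' in argocd-secret")
        if conn.get("type") == "github":
            orgs = [o.get("name") for o in cfg.get("orgs") or [] if o.get("name")]
            if not orgs:
                findings.append(f"{cid}: no orgs restriction on GitHub connector")
    return findings


# Constructed sample: the first connector follows the config shown above; the
# second references a key that is absent from the secret and lists no orgs.
SAMPLE_DEX_CONFIG = {
    "connectors": [
        {"type": "github", "id": "github", "name": "GitHub",
         "config": {"clientID": "aabbccddeeff00112233",
                    "clientSecret": "$dex.github.clientSecret",
                    "orgs": [{"name": "your-github-org"}]}},
        {"type": "github", "id": "acme-github", "name": "Acme GitHub",
         "config": {"clientID": "abcdefghijklmnopqrst",
                    "clientSecret": "$dex.acme.clientSecret"}},
    ]
}
# Constructed sample: key names only, never the secret values.
SAMPLE_SECRET_KEYS = {"admin.password", "dex.github.clientSecret"}

if __name__ == "__main__":
    for finding in audit_dex_connectors(SAMPLE_DEX_CONFIG, SAMPLE_SECRET_KEYS):
        print(finding)
```

In a real cluster the two inputs come from the argocd-cm ConfigMap and from the key names of argocd-secret in the argocd namespace.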

Existing OIDC Provider

To configure Argo CD to delegate authentication to your existing OIDC provider, add the OAuth2 configuration to the argocd-cm ConfigMap under the oidc.config key:


  oidc.config: |
    name: Okta
    # placeholder: the issuer URL of your OIDC provider
    issuer: https://oidc.example.com
    clientID: aaaabbbbccccddddeee
    clientSecret: $oidc.okta.clientSecret

    # Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"]
    requestedScopes: ["openid", "profile", "email", "groups"]

    # Optional set of OIDC claims to request on the ID token.
    requestedIDTokenClaims: {"groups": {"essential": true}}

    # Some OIDC providers require a separate clientID for different callback URLs.
    # For example, if configuring Argo CD with self-hosted Dex, you will need a separate client ID
    # for the 'localhost' (CLI) client to Dex. This field is optional. If omitted, the CLI will
    # use the same clientID as the Argo CD server
    cliClientID: vvvvwwwwxxxxyyyyzzzz


The callback address should be the /auth/callback endpoint of your Argo CD URL (e.g.

Requesting additional ID token claims

Not all OIDC providers support a special groups scope. Okta, OneLogin and Microsoft, for example, do support a special groups scope and will return group membership with the default requestedScopes.

Other OIDC providers might be able to return a claim with group membership if explicitly requested to do so. Individual claims can be requested with requestedIDTokenClaims, see OpenID Connect Claims Parameter for details. The Argo CD configuration for claims is as follows:

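  oidc.config: |
    # Each key under requestedIDTokenClaims is a claim name (illustrative here).
    requestedIDTokenClaims:
      email:
        essential: true
      groups:
        essential: true
        value: org:myorg
      acr:
        essential: true
        values:
        - urn:mace:incommon:iap:silver
        - urn:mace:incommon:iap:bronze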

For a simple case this can be:

  oidc.config: |
    requestedIDTokenClaims: {"groups": {"essential": true}}