How to configure ArgoCD to integrate with a single sign-on (SSO) system?
> ArgoCD connects to SSO using the **SAML** protocol
---
## 1. Feilian Application Configuration
Configure the following in the Feilian (Feilian/SealSuite) application:
| Setting | Value |
|--------|-----|
| **Entity ID** | `https://argocd.example.com/api/dex` |
| **Single Sign-On URL** | `https://argocd.example.com/api/dex/callback` |
| **Single Sign-On Binding** | `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST` |
| **Name ID Format** | `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress` |
---
## 2. ArgoCD Dex Service Configuration
### 2.1 Edit the ConfigMap
```bash
kubectl edit configmap argocd-cm -n argocd
```
### 2.2 Complete configuration example
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  # Name and namespace match the kubectl edit command in 2.1
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  # External URL of ArgoCD; Dex is served under <url>/api/dex
  url: https://argocd.example.com
  dex.config: |
    connectors:
    - type: saml
      id: saml
      name: Feilian
      config:
        ssoURL: https://ltp.sealsuite.com/api/idp/sso
        ssoIssuer: https://ltp.sealsuite.com/api/idp/metadata
        # Must match the Entity ID and Single Sign-On URL configured in the IdP application
        entityIssuer: https://argocd.example.com/api/dex
        redirectURI: https://argocd.example.com/api/dex/callback
        caData: |
          LS0tLS1CRUdJTi...(Base64-encoded CA certificate)...
        usernameAttr: email
        emailAttr: email
```
### 2.3 Key parameters
| Parameter | Description |
|------|------|
| `ssoURL` | IdP single sign-on URL |
| `ssoIssuer` | IdP issuer; here the IdP metadata URL |
| `entityIssuer` | ArgoCD entity ID |
| `redirectURI` | Callback URL |
| `caData` | IdP CA certificate (Base64-encoded) |
| `usernameAttr` | Username attribute |
| `emailAttr` | Email attribute |
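The entity ID, callback URL, binding and NameID format in section 1 and the `entityIssuer` / `redirectURI` values above describe the same SAML service provider from two sides, and a login fails when they drift apart. The following Python check is an added example, not code from the original article or from the ArgoCD/Dex projects; the `idp_app` dictionary keys and the PEM body in the sample input are assumptions made here for illustration.

```python
import base64
import binascii

HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def check_saml_sso(argocd_url, connector, idp_app):
    """Compare the Dex SAML connector with the IdP app settings; return a list of findings."""
    findings = []
    cfg = connector.get("config", {})
    base = argocd_url.rstrip("/")
    if connector.get("type") != "saml":
        findings.append("connector type must be 'saml'")
    # Dex serves the SAML SP under <url>/api/dex, so both SP values derive from `url`.
    for key, want in (("entityIssuer", f"{base}/api/dex"),
                      ("redirectURI", f"{base}/api/dex/callback")):
        if cfg.get(key) != want:
            findings.append(f"{key} should be {want!r}, got {cfg.get(key)!r}")
    # The IdP application must point back at exactly those SP values, via HTTP-POST and email NameID.
    for idp_key, dex_key in (("entity_id", "entityIssuer"), ("sso_url", "redirectURI")):
        if idp_app.get(idp_key) != cfg.get(dex_key):
            findings.append(f"IdP {idp_key} does not match Dex {dex_key}")
    for key, want in (("binding", HTTP_POST), ("name_id_format", EMAIL_NAMEID)):
        if idp_app.get(key) != want:
            findings.append(f"IdP {key} must be {want}")
    for key in ("ssoURL", "ssoIssuer", "usernameAttr", "emailAttr"):
        if not cfg.get(key):
            findings.append(f"{key} is missing")
    # caData must be base64 of the IdP's PEM certificate; Dex checks assertion signatures against it.
    try:
        pem = base64.b64decode("".join(cfg.get("caData", "").split()), validate=True)
        if b"-----BEGIN CERTIFICATE-----" not in pem:
            findings.append("caData does not decode to a PEM certificate")
    except binascii.Error:
        findings.append("caData is not valid base64")
    return findings


# Constructed sample input mirroring the two tables above; the PEM body is a placeholder.
FAKE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
ARGOCD_URL = "https://argocd.example.com"
CONNECTOR = {"type": "saml", "id": "saml", "name": "Feilian", "config": {
    "ssoURL": "https://ltp.sealsuite.com/api/idp/sso",
    "ssoIssuer": "https://ltp.sealsuite.com/api/idp/metadata",
    "entityIssuer": f"{ARGOCD_URL}/api/dex", "redirectURI": f"{ARGOCD_URL}/api/dex/callback",
    "caData": base64.b64encode(FAKE_PEM).decode(), "usernameAttr": "email", "emailAttr": "email"}}
IDP_APP = {"entity_id": f"{ARGOCD_URL}/api/dex", "sso_url": f"{ARGOCD_URL}/api/dex/callback",
           "binding": HTTP_POST, "name_id_format": EMAIL_NAMEID}
```

`check_saml_sso(ARGOCD_URL, CONNECTOR, IDP_APP)` returns an empty list for the sample above; running it against the values exported from the real IdP application and `argocd-cm` turns a mismatched Entity ID or callback URL into a named finding instead of a failed login.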
---
## 3. Verify the Configuration
### 3.1 Check the Dex service status
```bash
kubectl -n argocd logs deploy/argocd-dex-server
```
### 3.2 Example of normal log output
```json
{"level":"info","msg":"ArgoCD Dex Server is starting","namespace":"argocd","time":"2025-05-14T02:48:27Z","version":"v3.0.0+e98f483"}
{"level":"info","msg":"Generating self-signed TLS certificate for this session","time":"2025-05-14T02:48:27Z"}
{"level":"info","msg":"Starting configmap/secret informers","time":"2025-05-14T02:48:27Z"}
{"level":"INFO","msg":"config connector","connector_id":"saml"}
{"level":"INFO","msg":"listening on","server":"https","address":"0.0.0.0:5556"}
{"level":"INFO","msg":"listening on","ser
```