Using existing Dex SSO
Connect Cased CD to your existing ArgoCD + Dex setup
If you already have ArgoCD configured with Dex (using Okta, LDAP, SAML, GitHub, etc.), Cased CD will automatically detect and use your existing SSO configuration. No additional identity provider setup is required.
How it works
Section titled “How it works”Cased CD queries ArgoCD’s /api/v1/settings endpoint on startup. When it detects a dexConfig, it automatically displays an SSO login button that redirects through ArgoCD’s authentication flow.
User clicks "SSO" → ArgoCD /auth/login → Dex → Your IdP (Okta, etc.) ↓User logged into Cased CD ← ArgoCD callback ← Dex ← IdP authenticatesPrerequisites
Section titled “Prerequisites”- ArgoCD with Dex already configured and working
- Users can successfully log in to the standard ArgoCD UI via SSO
-
Verify your Dex configuration is working
Test that SSO works with the standard ArgoCD UI first:
Terminal window # Check ArgoCD has dex configkubectl get configmap argocd-cm -n argocd -o yaml | grep -A 20 "dex.config"You should see your Dex connector configuration (e.g., SAML, OIDC, LDAP).
-
Allow Cased CD as a redirect URL
ArgoCD validates redirect URLs after SSO. Add your Cased CD URL to
additionalUrlsinargocd-cmso ArgoCD accepts the redirect back to Cased CD:Terminal window kubectl patch configmap argocd-cm -n argocd --type merge -p 'data:additionalUrls: "https://cased-cd.example.com"'Replace
https://cased-cd.example.comwith the URL where Cased CD is accessible. Multiple URLs can be pipe-separated:"https://cased-cd.example.com|https://cased-cd-staging.example.com". -
Deploy Cased CD
Terminal window helm install cased-cd oci://registry-1.docker.io/casedcontainers/cased-cd-enterprise \--namespace argocd \--set argocd.url=http://argocd-server.argocd.svc.cluster.local:80
Test the login
Section titled “Test the login”- Navigate to your Cased CD login page
- You should see an “SSO” button (or “Sign in with SSO”)
- Click the button
- You’ll be redirected to your identity provider (Okta, etc.)
- After authenticating, you’ll be redirected back to Cased CD and logged in
Troubleshooting
Section titled “Troubleshooting”SSO button doesn’t appear
Section titled “SSO button doesn’t appear”Check that ArgoCD returns dex config:
# Port-forward to ArgoCDkubectl port-forward svc/argocd-server -n argocd 8080:80
# Check settings endpointcurl -s http://localhost:8080/api/v1/settings | jq '.dexConfig'If this returns null, ArgoCD doesn’t have Dex configured.
Check Cased CD can reach ArgoCD:
The Cased CD backend must be able to proxy requests to ArgoCD. Verify the argocd.url helm value is correct.
Check browser console:
Open browser dev tools and look for errors fetching /api/v1/settings.
”No argocd-initial-admin-secret”
Section titled “”No argocd-initial-admin-secret””This is expected when using Dex/SSO. ArgoCD disables the built-in admin password when SSO is configured. Use SSO to log in instead.
If you need local admin access for emergencies:
# Enable local admin (optional)kubectl patch configmap argocd-cm -n argocd --type merge -p 'data: admin.enabled: "true"'
# Create a passwordargocd account bcrypt --password 'your-password'
# Add to argocd-secretkubectl patch secret argocd-secret -n argocd --type merge -p 'stringData: admin.password: "$2a$10$..."'Callback redirects to ArgoCD UI instead of Cased CD
Section titled “Callback redirects to ArgoCD UI instead of Cased CD”Cased CD passes a return_url parameter when initiating the SSO flow so that ArgoCD redirects back to Cased CD after authentication. If you’re landing on the ArgoCD UI instead:
- Make sure you’re running Cased CD Enterprise (Community edition does not include SSO)
- Verify your Cased CD URL is listed in
additionalUrlsinargocd-cm(see step 2 in Setup above) - Check that the SSO button URL contains
return_url=pointing to your Cased CD domain - Verify you’re using a recent version of Cased CD Enterprise (v0.2.25+)
“Invalid redirect URL” error
Section titled ““Invalid redirect URL” error”ArgoCD validates that return_url matches its configured URLs. Add your Cased CD URL to additionalUrls:
kubectl patch configmap argocd-cm -n argocd --type merge -p 'data: additionalUrls: "https://cased-cd.example.com"'CORS errors in browser console
Section titled “CORS errors in browser console”Ensure Cased CD’s backend is properly proxying to ArgoCD. The frontend should not make direct requests to ArgoCD.
Common Dex configurations
Section titled “Common Dex configurations”Okta via SAML
Section titled “Okta via SAML”dex.config: | connectors: - type: saml id: okta name: Okta config: ssoURL: https://yourcompany.okta.com/app/xxx/sso/saml caData: <base64-encoded-cert> redirectURI: https://argocd.example.com/api/dex/callback usernameAttr: email emailAttr: email groupsAttr: groupsOkta via OIDC
Section titled “Okta via OIDC”dex.config: | connectors: - type: oidc id: okta name: Okta config: issuer: https://yourcompany.okta.com clientID: $dex.okta.clientID clientSecret: $dex.okta.clientSecret redirectURI: https://argocd.example.com/api/dex/callback scopes: - openid - profile - email - groupsGitHub
Section titled “GitHub”dex.config: | connectors: - type: github id: github name: GitHub config: clientID: $dex.github.clientID clientSecret: $dex.github.clientSecret orgs: - name: your-orgdex.config: | connectors: - type: ldap id: ldap name: LDAP config: host: ldap.example.com:636 bindDN: cn=admin,dc=example,dc=com bindPW: $dex.ldap.bindPW userSearch: baseDN: ou=users,dc=example,dc=com username: uid emailAttr: mail groupSearch: baseDN: ou=groups,dc=example,dc=com userMatchers: - userAttr: DN groupAttr: memberGroups and RBAC
Section titled “Groups and RBAC”When using Dex, group membership flows through to ArgoCD RBAC. Configure your ArgoCD RBAC policies to use the group names from your identity provider:
kubectl patch configmap argocd-rbac-cm -n argocd --type merge -p 'data: policy.csv: | p, role:developer, applications, get, */*, allow p, role:developer, applications, sync, */*, allow p, role:admin, applications, *, */*, allow g, developers, role:developer g, platform-team, role:admin'See Groups for more details on RBAC configuration.