docs: added identity-center.md doc for AWS SSO

[zeusal]

I have added specific documentation for configuring Argo CD with Identity Center (AWS SSO). #14703

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• The title of the PR conforms to the Toolchain Guide
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• Optional. My organization is added to USERS.md.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).
• My new feature complies with the feature status guidelines.
• I have added a brief description of why this PR is necessary and/or what this PR solves.

This PR adds documentation to the User Management section to document integration of Identity Center SSO with ArgoCD as proposed in this discussion: #14703

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (6e2f2c9) 49.56% compared to head (b0b9412) 49.55%.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #15689      +/-   ##
==========================================
- Coverage   49.56%   49.55%   -0.01%     
==========================================
  Files         269      269              
  Lines       46668    46668              
==========================================
- Hits        23131    23128       -3     
- Misses      21263    21265       +2     
- Partials     2274     2275       +1     

see 1 file with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[csantanapr]

thank you for the PR @zeusal, some minor nits to fix

[ankursrc]

Hi @csantanapr @zeusal,
I would like to highlight that official AWS Identity Center documentation does not mention user:groups attribute . This is not supported as of now. Only below attributes are supported for application integration.

${user:AD_GUID}
${user:email}
${user:familyName}
${user:givenName}
${user:middleName}
${user:name}
${user:preferredUsername}
${user:subject}

Link : https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html#supportedssoattributes

[zeusal]

thank you for the PR @zeusal, some minor nits to fix

@csantanapr Thanks for the comments, I will apply them to my commit.

Hi @csantanapr @zeusal, I would like to highlight that official AWS Identity Center documentation does not mention user:groups attribute . This is not supported as of now. Only below attributes are supported for application integration.

${user:AD_GUID} ${user:email} ${user:familyName} ${user:givenName} ${user:middleName} ${user:name} ${user:preferredUsername} ${user:subject}

Link : https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html#supportedssoattributes

@ankursrc I know that the official documentation does not indicate that this attribute exists, but it does. If you have the possibility try it, I am currently using it for both Argocd and Jenkins.
https://repost.aws/questions/QUKn8D8aQUSTuxyjcEwfICow/is-it-possible-to-map-the-group-as-an-attribute

The proof that it works:

[34fathombelow]

thank you for the PR @zeusal, some minor nits to fix

@csantanapr Thanks for the comments, I will apply them to my commit.

Hi @csantanapr @zeusal, I would like to highlight that official AWS Identity Center documentation does not mention user:groups attribute . This is not supported as of now. Only below attributes are supported for application integration.
${user:AD_GUID} ${user:email} ${user:familyName} ${user:givenName} ${user:middleName} ${user:name} ${user:preferredUsername} ${user:subject}
Link : https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html#supportedssoattributes

@ankursrc I know that the official documentation does not indicate that this attribute exists, but it does. If you have the possibility try it, I am currently using it for both Argocd and Jenkins. https://repost.aws/questions/QUKn8D8aQUSTuxyjcEwfICow/is-it-possible-to-map-the-group-as-an-attribute

The proof that it works:

@zeusal Can we mention that this is not officially supported in the AWS docs, however the workaround is currently working?

[zeusal]

thank you for the PR @zeusal, some minor nits to fix

@csantanapr Thanks for the comments, I will apply them to my commit.

Hi @csantanapr @zeusal, I would like to highlight that official AWS Identity Center documentation does not mention user:groups attribute . This is not supported as of now. Only below attributes are supported for application integration.
${user:AD_GUID} ${user:email} ${user:familyName} ${user:givenName} ${user:middleName} ${user:name} ${user:preferredUsername} ${user:subject}
Link : https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html#supportedssoattributes

@ankursrc I know that the official documentation does not indicate that this attribute exists, but it does. If you have the possibility try it, I am currently using it for both Argocd and Jenkins. https://repost.aws/questions/QUKn8D8aQUSTuxyjcEwfICow/is-it-possible-to-map-the-group-as-an-attribute
The proof that it works:

@zeusal Can we mention that this is not officially supported in the AWS docs, however the workaround is currently working?

@34fathombelow that sounds good, I can write it as a note.

[zeusal]

@34fathombelow Suggestion added as a note.

[34fathombelow]

One last Nit

[gdsoumya]

LGTM

[34fathombelow]

LGTM, thanks for all your hard work and patience.

[csantanapr]

@34fathombelow Thank you so much for reviewing this PR 🙏

@zeusal get in touch with me on slack to work on getting the AWS docs updated in the mean time we can can have the note, when it's in the AWS docs we can come back remove it from argocd docs with another PR

[csantanapr]

Thank you @morey-tech and @gdsoumya for reviewing this PR also 🙏

[geek0ps]

@zeusal Please how can i set this up? I have been trying to set it up but without any progress?

[zeusal]

@zeusal Please how can i set this up? I have been trying to set it up but without any progress?

Can you write your actual configuration and logs here? Please.

[geek0ps]

below is my configuration

configs:
  params:
    "server.insecure": true
  cm:
    create: true
    url: "https://${hostname}"
    exec.enabled: false
%{ if sso_enabled ~}
    dex.config: |
      logger:
        level: debug
        format: json
      connectors:
        - type: saml
          id: aws
          name: "AWS SSO"
          config:
            ssoURL: ${aws_sso_url}
            caData: ${aws_sso_cert}
            entityIssuer: https://${hostname}/api/dex/callback
            redirectURI: https://${hostname}/api/dex/callback
            usernameAttr: subject
            emailAttr: email
            groupsAttr: groups
%{ endif ~}
  rbac:
    create: true
    policy.default: 'role:readonly'
    policy.csv: |
      p, role:org-admin, applications, *, */*, allow
      p, role:org-admin, clusters, get, *, allow
      p, role:org-admin, repositories, get, *, allow
      p, role:org-admin, repositories, create, *, allow
      p, role:org-admin, repositories, update, *, allow
      p, role:org-admin, repositories, delete, *, allow
      p, role:org-admin, projects, get, *, allow
      p, role:org-admin, projects, create, *, allow
      p, role:org-admin, projects, update, *, allow
      p, role:org-admin, projects, delete, *, allow
      p, role:org-admin, logs, get, *, allow
      p, role:org-admin, exec, create, */*, allow
      g, ${aws_sso_group_id}, role:org-admin
    scopes: "[groups,email]"
    ```
    
    after doing this i get the following error:  bad input
    
    @zeusal 

[geek0ps]

@zeusal Please how can i set this up? I have been trying to set it up but without any progress?

Can you write your actual configuration and logs here? Please.

can I write you an email ? @zeusal

[zeusal]

below is my configuration

configs:
  params:
    "server.insecure": true
  cm:
    create: true
    url: "https://${hostname}"
    exec.enabled: false
%{ if sso_enabled ~}
    dex.config: |
      logger:
        level: debug
        format: json
      connectors:
        - type: saml
          id: aws
          name: "AWS SSO"
          config:
            ssoURL: ${aws_sso_url}
            caData: ${aws_sso_cert}
            entityIssuer: https://${hostname}/api/dex/callback
            redirectURI: https://${hostname}/api/dex/callback
            usernameAttr: subject
            emailAttr: email
            groupsAttr: groups
%{ endif ~}
  rbac:
    create: true
    policy.default: 'role:readonly'
    policy.csv: |
      p, role:org-admin, applications, *, */*, allow
      p, role:org-admin, clusters, get, *, allow
      p, role:org-admin, repositories, get, *, allow
      p, role:org-admin, repositories, create, *, allow
      p, role:org-admin, repositories, update, *, allow
      p, role:org-admin, repositories, delete, *, allow
      p, role:org-admin, projects, get, *, allow
      p, role:org-admin, projects, create, *, allow
      p, role:org-admin, projects, update, *, allow
      p, role:org-admin, projects, delete, *, allow
      p, role:org-admin, logs, get, *, allow
      p, role:org-admin, exec, create, */*, allow
      g, ${aws_sso_group_id}, role:org-admin
    scopes: "[groups,email]"
    ```
    
    after doing this i get the following error:  bad input
    
    @zeusal 

Hello @geek0ps sorry for delay to answer.

I think it's because you're adding ${aws_sso_group_id} without quotes, Can you try adding double quotes to this value?

Regards!