Problem:

The client, preparing to launch Argo Workflows v3.6.0 for production, faced a critical RBAC issue when enabling Single Sign-On (SSO) with Azure Active Directory (Entra ID) via Dex.

When users attempted to log in through SSO, Argo Workflows returned the error:

unknown name groups

This prevented role-based authorization through group membership, effectively blocking all group-based access controls. Although subject-based rules (usernames/emails) worked, group rules consistently failed.

This issue has been noted in the Argo Workflows community, and while some workarounds were suggested, they were not compatible with the client’s environment. Our team therefore stepped in to develop a tailored, effective solution.

The client confirmed that:

  • The SSO integration with ArgoCD (using the same Dex server) worked correctly.
  • The authenticated token contained the required group claims (e.g., Platform_Argo_Workflows-Admin).
  • The problem only affected Argo Workflows, not ArgoCD.

Reverting to version 3.5.4 (before a breaking library change) was suggested as a temporary workaround, but the client rejected it since it would prevent applying critical security patches and CVE fixes available only in later versions.

Process:

Our expert team engaged in a series of live debugging sessions with the client, reviewing logs, Helm configuration values, and Azure AD integration details. The client also shared diagnostic artifacts, including:

  • logs-snaphot-failed-RBAC.png
  • argoworkflow-v3.6.0-server-log-rbac.txt
  • helm-values.yaml
  • token-getting-corrupted-post-rbac.txt
  • argo-wf-serverlogs-success-authz.txt
  • Email trace of Dex SSO setup with Azure AD.

Through analysis, the root cause was identified as a regression introduced between Argo Workflows v3.5.4 and v3.5.5, where the expression evaluation library was changed:

  • Before (working): github.com/antonmedv/expr v1.15.5
  • After (failing): github.com/expr-lang/expr v1.16.0

This regression caused Argo Workflows to misinterpret RBAC group expressions, leading to the unknown name groups error.

Solution:

The experts designed and tested a robust fix that allowed the client to continue using Argo Workflows v3.6.0+ with full SSO and RBAC functionality. The solution included:

Azure AD Application Registration

  • Registered a new application in Azure AD for Dex.
  • Configured permissions: User.Read, Group.Read.All, openid, profile, email, Directory.Read.All.
  • Generated a client ID and client secret for Dex.
  • Configured the redirect URI:
    https://argocd.your-domain.com/api/dex/callback

Kubernetes Secrets

  • Created argo-workflows-sso secrets in both the argo and argocd namespaces to share the client credentials securely between Argo Workflows and Dex.
  • Configured Argo server service account tokens.

Dex Configuration (via ArgoCD Helm values)

  • Enabled Dex and configured Azure AD as an OIDC provider.
  • Added static client configuration for Argo Workflows.
  • Defined group mappings:
    g, Platform_Argo_Workflows-Admin, role:admin
    g, Platform_Argo_Workflows-RO, role:readonly
    g, Platform_Argo_Workflows-RW, role:readwrite

Argo Workflows Configuration

  • Updated Helm values (argo-workflows-values.yaml) with SSO parameters:
    issuer: https://argocd.your-domain.com/api/dex
    redirectUrl: https://argo-workflows.your-domain.com/oauth2/callback
    scopes: [openid, profile, email, groups]
  • Enabled RBAC and set group-based rules:
    workflows.argoproj.io/rbac-rule: "'Platform_Argo_Workflows-Admin' in groups"
    workflows.argoproj.io/rbac-rule-precedence: "1"

Deployment & Verification

  • Applied Helm upgrades for ArgoCD and Argo Workflows.
  • Restarted argocd-dex-server and argo-server deployments.
  • Validated end-to-end login:
    • User redirected from Argo Workflows → Dex → Azure AD.
    • Group claims correctly passed and mapped to RBAC policies.
    • Users successfully authorized with expected permissions.
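To confirm that group claims actually reach Argo Workflows during validation, the ID token payload can be inspected directly. The following is an added example, not part of the client's fix or of Argo Workflows itself; the function names are hypothetical, the sample tokens are constructed, and the signature is not verified because the script is for inspection only.

```python
import base64
import json

# Group and role names taken from the rbac-rule and Dex mappings on this page.
RULE_GROUPS = {
    "Platform_Argo_Workflows-Admin": "admin",
    "Platform_Argo_Workflows-RW": "readwrite",
    "Platform_Argo_Workflows-RO": "readonly",
}

def decode_claims(id_token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_groups(claims: dict) -> dict:
    """Report whether a 'groups' claim exists and which roles it would map to."""
    if "groups" not in claims:
        return {"ok": False, "reason": "no 'groups' claim in token", "roles": []}
    groups = claims["groups"]
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        return {"ok": False, "reason": "'groups' is not a list of strings", "roles": []}
    roles = [role for name, role in RULE_GROUPS.items() if name in groups]
    reason = "matched" if roles else "no rule group present"
    return {"ok": bool(roles), "reason": reason, "roles": roles}

def make_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed test data, not a real credential)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

if __name__ == "__main__":
    # Constructed samples: one token with the admin group, one with no groups claim.
    good = make_token({"email": "user@example.com",
                       "groups": ["Platform_Argo_Workflows-Admin"]})
    bad = make_token({"email": "user@example.com"})
    for tok in (good, bad):
        print(check_groups(decode_claims(tok)))
```

A token that lacks the groups claim, or carries it in an unexpected shape, is reported before any rbac-rule expression is evaluated against it.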

Result:

The client tested the recommended solution on both AWS and Azure environments and confirmed that:

  • SSO login using Azure AD via Dex worked seamlessly.
  • Group-based RBAC rules were correctly evaluated.
  • The unknown name groups error was fully resolved.
  • They could remain on the v3.6.0 GA release without downgrading, preserving access to security patches and fixes.

Conclusion:

Through detailed troubleshooting and targeted reconfiguration, we resolved a critical RBAC regression in Argo Workflows SSO. The experts' fix ensured the client could proceed with their production rollout on v3.6.0, maintain compliance with enterprise security requirements, and avoid exposure to known vulnerabilities in older versions.