docs: add Google SAML integration example (#4816)

Signed-off-by: Seth Pellegrino <seth@verica.io>

docs/operator-manual/user-management/google.md

@@ -0,0 +1,73 @@
+# Google
+
+* [G Suite SAML App Auth using Dex](#g-suite-saml-app-auth-using-dex)
+
+Once you've set up one of the above integrations, be sure to edit `argo-rbac-cm` to configure permissions (as in the example below). See [RBAC Configurations](../rbac.md) for more detailed scenarios.
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-rbac-cm
+  namespace: argocd
+data:
+  policy.default: role:readonly
+```
+
+## G Suite SAML App Auth using Dex
+
+### Configure a new SAML App
+
+1. In the [Google admin console](https://admin.google.com), open the left-side menu and select `Apps` > `SAML Apps`
+
+    ![Google Admin Apps Menu](../../assets/google-admin-saml-apps-menu.png "Google Admin menu with the Apps / SAML Apps path selected")
+
+2. Under `Add App` select `Add custom SAML app`
+
+    ![Google Admin Add Custom SAML App](../../assets/google-admin-saml-add-app-menu.png "Add apps menu with add custom SAML app highlighted")
+
+3. Enter a `Name` for the application (eg. `Argo CD`), then choose `Continue`
+
+    ![Google Admin Apps Menu](../../assets/google-admin-saml-app-details.png "Add apps menu with add custom SAML app highlighted")
+
+4. Download the metadata or copy the `SSO URL`, `Certificate`, and optionally `Entity ID` from the identity provider details for use in the next section. Choose `continue`.
+    - Base64 encode the contents of the certificate file, for example:
+    - `$ cat ArgoCD.cer | base64`
+    - *Keep a copy of the encoded output to be used in the next section.*
+
+    ![Google Admin IdP Metadata](../../assets/google-admin-idp-metadata.png "A screenshot of the Google IdP metadata")
+
+5. For both the `ACS URL` and `Entity ID`, use your Argo Dex Callback URL, for example: `https://argocd.example.com/api/dex/callback`
+
+    ![Google Admin Service Provider Details](../../assets/google-admin-service-provider-details.png "A screenshot of the Google Service Provider Details")
+
+6. Finish creating the application.
+
+### Configure Argo to use the new Google SAML App
+
+Edit `argo-cm` and add the following `dex.config` to the data section, replacing the `caData`, `argocd.example.com`, `sso-url`, and optionally `google-entity-id` with your values from the Google SAML App:
+
+```yaml
+data:
+  url: https://argocd.example.com
+  dex.config: |
+    connectors:
+    - type: saml
+      id: saml
+      name: saml
+      config:
+        ssoURL: https://sso-url (eg. https://accounts.google.com/o/saml2/idp?idpid=Abcde0)
+        entityIssuer: https://argocd.example.com/api/dex/callback
+        caData: |
+          BASE64-ENCODED-CERTIFICATE-DATA
+        redirectURI: https://argocd.example.com/api/dex/callback
+        usernameAttr: name
+        emailAttr: email
+        # optional
+        ssoIssuer: https://google-entity-id (e.g. https://accounts.google.com/o/saml2?idpid=Abcde0)
+```
+
+### References
+
+- [Dex SAML connector docs](https://dexidp.io/docs/connectors/saml/)
+- [Google's SAML error messages](https://support.google.com/a/answer/6301076?hl=en)

docs/operator-manual/user-management/index.md

@@ -86,7 +86,7 @@ argocd account update-password \
 * Generate auth token
 ```bash
 # if flag --account is omitted then Argo CD generates token for current user
-argocd account generate-token --account <username> 
+argocd account generate-token --account <username>
 ```
 
 ### Failed logins rate limiting
@@ -106,7 +106,7 @@ regardless of the time frame they happened.
 cache. Default: 1000
 
 * `ARGOCD_MAX_CONCURRENT_LOGIN_REQUESTS_COUNT`: Limits max number of concurrent login requests.
-If set to 0 then limit is disabled. Default: 50. 
+If set to 0 then limit is disabled. Default: 50.
 
 ## SSO
 
@@ -117,7 +117,8 @@ There are two ways that SSO can be configured:
   organizations and teams to OIDC groups claims).
 
 * [Existing OIDC provider](#existing-oidc-provider) - use this if you already have an OIDC provider which you are using (e.g.
-  [Okta](okta.md), [OneLogin](onelogin.md), [Auth0](auth0.md), [Microsoft](microsoft.md), [Keycloak](keycloak.md)), where you manage your users, groups, and memberships.
+  [Okta](okta.md), [OneLogin](onelogin.md), [Auth0](auth0.md), [Microsoft](microsoft.md), [Keycloak](keycloak.md),
+  [Google (G Suite)](google.md)), where you manage your users, groups, and memberships.
 
 ## Dex
 
@@ -192,8 +193,8 @@ After saving, the changes should take affect automatically.
 NOTES:
 
 * Any values which start with '$' will look to a key in argocd-secret of the same name (minus the $),
-  to obtain the actual value. This allows you to store the `clientSecret` as a kubernetes secret. 
-  Kubernetes secrets must be base64 encoded. To base64 encode your secret, you can run 
+  to obtain the actual value. This allows you to store the `clientSecret` as a kubernetes secret.
+  Kubernetes secrets must be base64 encoded. To base64 encode your secret, you can run
   `printf RAW_STRING | base64`.
 * There is no need to set `redirectURI` in the `connectors.config` as shown in the dex documentation.
   Argo CD will automatically use the correct `redirectURI` for any OAuth2 connectors, to match the
@@ -228,7 +229,7 @@ data:
 ```
 
 !!! note
-    The callback address should be the /auth/callback endpoint of your Argo CD URL 
+    The callback address should be the /auth/callback endpoint of your Argo CD URL
     (e.g. https://argocd.example.com/auth/callback).
 
 ### Requesting additional ID token claims

mkdocs.yml

@@ -35,6 +35,7 @@ nav:
       - operator-manual/user-management/onelogin.md
       - operator-manual/user-management/keycloak.md
       - operator-manual/user-management/openunison.md
+      - operator-manual/user-management/google.md
       - operator-manual/rbac.md
     - operator-manual/security.md
     - operator-manual/cluster-bootstrapping.md