SSO authentication requires Email Domain Verification.
You must verify your organization’s email domain before users can log in via SSO.
Infisical offers Google SSO and GitHub SSO for free across both Infisical
Cloud and Infisical Self-hosted. Infisical also offers SAML SSO authentication
and OpenID Connect (OIDC) but as paid features that can be unlocked on
Infisical Cloud’s Pro tier or via enterprise license on self-hosted
instances of Infisical. On this front, we support industry-leading providers
including Okta, Azure AD, and JumpCloud; with any questions, please reach out
to support@infisical.com.
Identity providers
Infisical supports these and many other identity providers:- Google SSO
- GitHub SSO
- GitLab SSO
- Okta SAML
- Azure SAML
- JumpCloud SAML
- Keycloak SAML
- Google SAML
- Auth0 SAML
- Keycloak OIDC
- Auth0 OIDC
- General OIDC
For enhanced security, Infisical enforces PKCE (Proof Key for Code Exchange) with the OAuth 2.0-based SSO providers and OIDC. This provides additional protection against authorization code interception attacks and strengthens your authentication flow security.
SSO Enforcement
When you enforce SAML or OIDC SSO for your organization, members can only access Infisical by logging in through your identity provider. Enforcement has two additional effects tied to your verified email domain(s):- Email & password signup is blocked for your verified domain(s). Once SSO is enforced, new email/password accounts can no longer be created for addresses on your verified domain(s). The verified domain and IdP are authoritative, so allowing a competing password account would reopen an account-takeover vector.
- Email verification is skipped for SSO sign-ins. Because the verified domain and IdP already prove ownership of the email, Infisical skips the additional email-verification step that normally applies to SSO logins (see the FAQ below).
SSO Break Glass
In the event your SSO provider experiences downtime, and you need to access Infisical, Organization Admins can utilize the Admin Login Portal to bypass SSO enforcement. This portal is accessible at/login/admin (e.g., https://app.infisical.com/login/admin).
To bypass SSO for an organization, you must be an Organization Admin for that specific organization. This Organization Admin role is independent of Server Admin status. Being a Server Admin alone does not grant permission to use this bypass feature.
FAQ
Why does Infisical require additional email verification for users connected via SAML?
Why does Infisical require additional email verification for users connected via SAML?
By default, Infisical Cloud is configured to not trust emails from external
identity providers to prevent any malicious account takeover attempts via
email spoofing. Accordingly, Infisical creates a new user for anyone provisioned
through an external identity provider and requires an additional email
verification step upon their first login.If you’re running a self-hosted instance of Infisical and would like it to trust emails from external identity providers,
you can configure this behavior in the Server Admin Console.This additional verification step is also skipped when your organization enforces SSO for a verified email domain, since the verified domain and IdP are already authoritative for that email.
Why do I get redirected to SSO when trying to use the Admin Login Portal?
Why do I get redirected to SSO when trying to use the Admin Login Portal?
You are likely being redirected because you do not have email authentication mode enabled, or you’re not an Organization Admin. This portal requires Organization Admin status and direct credential login (email and password). Server Admin status alone is insufficient.