General OIDC

1.1. Register your application with the IdP to obtain a Client ID and Client Secret. These credentials are used by Infisical to authenticate with your IdP.

1.2. Configure Redirect URL to be https://app.infisical.com/api/v1/sso/oidc/callback. If you’re self-hosting Infisical, replace the domain with your own.

1.3. Configure the scopes needed by Infisical (email, profile, openid) and ensure that they are mapped to the ID token claims.

1.4. Access the IdP’s OIDC discovery document (usually located at https://<idp-domain>/.well-known/openid-configuration). This document contains important endpoints such as authorization, token, userinfo, and keys.

2.1. Back in Infisical, in the Organization settings > Security > OIDC, click Connect.

2.2. You can configure OIDC either through the Discovery URL (Recommended) or by inputting custom endpoints.

To configure OIDC via Discovery URL, set the Configuration Type field to Discovery URL and fill out the Discovery Document URL field.

To configure OIDC via the custom endpoints, set the Configuration Type field to Custom and input the required endpoint fields.

2.3. Optionally, you can define a whitelist of allowed email domains.

Finally, fill out the Client ID and Client Secret fields and press Update to complete the required configuration.

Enabling OIDC SSO allows members in your organization to log into Infisical via the configured Identity Provider

Enforcing OIDC SSO ensures that members in your organization can only access Infisical by logging into the organization via the Identity provider.

To enforce OIDC SSO, you’re required to test out the OpenID connection by successfully authenticating at least one IdP user with Infisical. Once you’ve completed this requirement, you can toggle the Enforce OIDC SSO button to enforce OIDC SSO.