SSO Overview
Learn how to log in to Infisical via SSO protocols.
Infisical offers Google SSO and GitHub SSO for free across both Infisical Cloud and Infisical Self-hosted. Infisical also offers SAML SSO authentication and OpenID Connect (OIDC) but as paid features that can be unlocked on Infisical Cloud’s Pro tier or via enterprise license on self-hosted instances of Infisical. On this front, we support industry-leading providers including Okta, Azure AD, and JumpCloud; with any questions, please reach out to [email protected].
You can configure your organization in Infisical to have members authenticate with the platform via protocols like SAML 2.0 or OpenID Connect.
Identity providers
Infisical supports these and many other identity providers:
- Google SSO
- GitHub SSO
- GitLab SSO
- Okta SAML
- Azure SAML
- JumpCloud SAML
- Keycloak SAML
- Google SAML
- Auth0 SAML
- Keycloak OIDC
- Auth0 OIDC
- General OIDC
If your required identity provider is not shown in the list above, please reach out to [email protected] for assistance.
For enhanced security, Infisical enforces PKCE (Proof Key for Code Exchange) with the OAuth 2.0-based SSO providers and OIDC. This provides additional protection against authorization code interception attacks and strengthens your authentication flow security.
SSO Break Glass
In the event your SSO provider experiences downtime, and you need to access Infisical, Organization Admins can utilize the Admin Login Portal to bypass SSO enforcement.
This portal is accessible at /login/admin
(e.g., https://app.infisical.com/login/admin).
To bypass SSO for an organization, you must be an Organization Admin for that specific organization. This Organization Admin role is independent of Server Admin status. Being a Server Admin alone does not grant permission to use this bypass feature.