Commit
docs: added docs for general oidc configuration
1 parent 4a1a399, commit 0f36fc4
Showing 7 changed files with 66 additions and 1 deletion.
@@ -0,0 +1,63 @@ | ||
--- | ||
title: "General OIDC" | ||
description: "Learn how to configure OIDC for Infisical SSO with any OIDC-compliant identity provider" | ||
--- | ||
|
||
<Info> | ||
OIDC SSO is a paid feature. If you're using Infisical Cloud, then it is | ||
available under the **Pro Tier**. If you're self-hosting Infisical, then you | ||
should contact [email protected] to purchase an enterprise license to use | ||
it. | ||
</Info> | ||
|
||
You can configure your organization in Infisical to have members authenticate with the platform through identity providers via [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html). | ||
|
||
**Prerequisites:** | ||
|
||
- The identity provider (Okta, Google, Azure AD, etc.) should support OIDC. | ||
- Users in the IdP should have a configured email and given_name. | ||
|
||
<Steps> | ||
<Step title="Setup Identity Provider"> | ||
1.1. Register your application with the IdP to obtain a **Client ID** and **Client Secret**. These credentials are used by Infisical to authenticate with your IdP. | ||
|
||
1.2. Configure **Redirect URL** to be `https://app.infisical.com/api/v1/sso/oidc/callback`. If you're self-hosting Infisical, replace the domain with your own. | ||
|
||
1.3. Configure the scopes needed by Infisical (email, profile, openid) and ensure that they are mapped to the ID token claims. | ||
|
||
1.4. Access the IdP’s OIDC discovery document (usually located at `https://<idp-domain>/.well-known/openid-configuration`). This document contains important endpoints such as authorization, token, userinfo, and keys. | ||
</Step> | ||
<Step title="Finish configuring OIDC in Infisical"> | ||
2.1. Back in Infisical, in the Organization settings > Security > OIDC, click Manage | ||
![OIDC general manage org Infisical](../../../images/sso/general-oidc/org-oidc-manage.png) | ||
|
||
2.2. You can configure OIDC either through the Discovery URL (Recommended) or by inputting custom endpoints. | ||
- If you want to configure via Discovery URL, you will have to use the URL with the following format: `https://<idp-domain>/.well-known/openid-configuration` as input for the **Discovery Document URL** field. | ||
![OIDC general discovery config](../../../images/sso/general-oidc/discovery-oidc-form.png) | ||
|
||
- If you want to configure via the Custom option, you will have to define values for all the required endpoints. | ||
![OIDC general custom config](../../../images/sso/general-oidc/custom-oidc-form.png) | ||
|
||
2.3. Optionally, you can define a whitelist of allowed email domains. | ||
|
||
Fill up the **Client ID** and **Client Secret** fields and press **Update** to complete the required configuration. | ||
|
||
</Step> | ||
|
||
<Step title="Enable OIDC SSO in Infisical"> | ||
Enabling OIDC SSO allows members in your organization to log into Infisical via the configured Identity Provider | ||
|
||
![OIDC general enable OIDC](../../../images/sso/general-oidc/org-oidc-enable.png) | ||
|
||
</Step> | ||
|
||
</Steps> | ||
|
||
<Note> | ||
If you're configuring OIDC SSO on a self-hosted instance of Infisical, make | ||
sure to set the `AUTH_SECRET` and `SITE_URL` environment variable for it to | ||
work: - `AUTH_SECRET`: A secret key used for signing and verifying JWT. This | ||
can be a random 32-byte base64 string generated with `openssl rand -base64 | ||
32`. - `SITE_URL`: The URL of your self-hosted instance of Infisical - should | ||
be an absolute URL including the protocol (e.g. https://app.infisical.com) | ||
</Note> |
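Review bot: Step 2.3 presents the allowed-email-domain whitelist as purely optional without saying what happens when the field is left empty; since the prerequisites list public IdPs such as Google, the page should state the consequence of omitting it and recommend setting it whenever the IdP can issue tokens for accounts outside the organization. Also, the closing `<Note>` has its two bullets (`- \`AUTH_SECRET\`: A secret key used for signing and verifying JWT.` and `- \`SITE_URL\`: The URL of your self-hosted instance of Infisical`) run into the surrounding sentence on wrapped lines, so they will render as one paragraph rather than a list; put each `- ` item on its own line. Minor wording: "Fill up the **Client ID** and **Client Secret** fields" should read "Fill in".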
@@ -33,6 +33,7 @@ Infisical supports these and many other identity providers: | |
- [Google SAML](/documentation/platform/sso/google-saml) | ||
- [Keycloak OIDC](/documentation/platform/sso/keycloak-oidc) | ||
- [Auth0 OIDC](/documentation/platform/sso/auth0-oidc) | ||
- [General OIDC](/documentation/platform/sso/general-oidc) | ||
|
||
If your required identity provider is not shown in the list above, please reach out to [[email protected]](mailto:[email protected]) for assistance. | ||
|
||
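Review bot: The fallback sentence `If your required identity provider is not shown in the list above, please reach out to ...` is now stale for OIDC providers: with the new General OIDC entry linked just above it, the sentence should first direct readers whose IdP is OIDC-compliant to that page and keep the support contact for everything else.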