Infisical / infisical

♾ Infisical is the open-source secret management platform: Sync secrets across your team/infrastructure, prevent secret leaks, and manage internal PKI
https://infisical.com

SSO Support #442

Open Huskydog9988 opened 1 year ago

Huskydog9988 commented 1 year ago

Feature description

Allow users to sign in with any SSO provider via OAuth 2, OIDC, SAML, etc.

Why would it be useful?

Would allow teams to use SSO providers to easily log in to Infisical using their existing auth infra.

Additional context

There is already #143, but that issue is exclusively for Google. Also, there should be some mechanism for not letting just anyone create an account, but I think that might be worthy of its own feature request.

dangtony98 commented 1 year ago

Definitely.

This is on our roadmap, and we plan on supporting it soon next quarter!

vl-kp commented 1 year ago

Without this feature, it almost can't be chosen even for a POC by any company.

vv24ua commented 1 year ago

@vl-kp we are trying to prioritize this right now. What SSO provider would you be interested in?

spencerericfong commented 1 year ago

Azure AD would be awesome to have!

binaryben commented 1 year ago

+1 for OIDC please, specifically for Authelia 🙏

EDIT: Just been reading comments on HN and Reddit. Has an official decision been reached on whether SSO will be an EE only feature?

vl-kp commented 1 year ago

we use okta

haithem-souala commented 1 year ago

Google

NickStallman commented 1 year ago

Standard SAML would tick a lot of boxes and work in a generic way for many providers.

dangtony98 commented 1 year ago

We're prioritizing these very soon (next week or two) :)

binaryben commented 1 year ago

We're prioritizing these very soon (next week or two) :)

That's awesome. The team is making impressive headway. Any update on whether this will be an EE only feature or will that decision be part of the upcoming work?

jbaggs62 commented 1 year ago

I also vote for Azure AD auth this would be a huge win!

dangtony98 commented 11 months ago

Hi everyone!

Happy to update y'all that we've now released SAML support starting with 3 confirmed providers: Okta, Azure, and JumpCloud — docs available here. This is available on:

We've also released login with Google which is available for free regardless of plan or EE license.

Feel free to post any suggestions for more IdPs in this thread; we'll likely prioritize those that have the most demand since we're constrained on resources/manpower.

Huskydog9988 commented 11 months ago

Hey, thanks for the update, I'm glad to see this get added! I do have a couple questions though. First, would you consider adding Github as a free SSO provider? Currently a FOSS team I'm on heavily utilizes Infisical and being able to manage access through org membership would be a huge boon. Second, do you plan on only supporting SAML, or are other options like OIDC on the roadmap? Finally, could you make it more clear in the docs what are paid features? With the current docs, I would be unaware you had a paid tier, which can be quite annoying when trying to scope whether you want to use a project or not.

binaryben commented 11 months ago

Devastated SSO is under EE license. Rules out Infisical for home lab use, and by extension, for my consideration in enterprise projects.

dangtony98 commented 11 months ago

Hey @Huskydog9988,

So logging in via GitHub is coming soon and that feature will be free. Additionally, we do plan on supporting other options like OIDC on the roadmap — Features often get queued up on our priority list due to the number of other requested features ongoing at the moment.

And yea we'll definitely make it more clear on the docs (will add that to my TODO list); I realize we also need to be more clear on feature availability between Infisical Cloud and Self-Hosted as well.

headstack commented 11 months ago

Hi! I would like to request for an integration with Authentik https://goauthentik.io/

adam-moss commented 10 months ago

I'd like to request support for Gitlab CI OIDC tokens if possible.

craxkumar commented 10 months ago

Keycloak is an open-source Identity and Access Management solution; since it is open source, most people would be interested in integrating Keycloak with Infisical.

MohammedNoureldin commented 9 months ago

@craxkumar the most interesting part is to see standard OIDC support, which implicitly includes Keycloak support, in the open-source community edition, not the EE.

Hi, @dangtony98! Is there any official statement on whether standard OIDC support will be available anytime soon under CE?

As I see it, you are going in the direction that SAML in general is going to be an EE-only feature, but what about OIDC? Is there a chance that it is coming anytime soon to CE? Knowing that would be helpful. Thank you!

CaptainStealthy commented 8 months ago

Agreed with above comments - I just deployed Authentik in my homelab, and went looking for secret management solutions. SSO should be a standard feature, IMO, not hidden behind a paywall.

@dangtony98 With all due respect...I know you guys have to make money somehow. But I don't really understand why you're providing free access to Google and GitHub SSO, but not using the same underlying concepts to support other OAuth2 solutions? All you'd be doing is allowing the user to specify the variables that you're hardcoding for Google/GH.

I would like to go with Infisical, but only if a standard like SAML, OIDC or OAuth2 (and by extension, open-source projects like Authentik and Keycloak) is supported as a CE feature. 😕

clarkmcc commented 8 months ago

I totally get SAML being paywalled, but sadly, that's a non-starter for my company since we can do this with Vault for free.

babs commented 7 months ago

As lots of previous comments said, I think it would be nice to see at least OIDC in CE. More and more users set up Keycloak or Authentik in their lab or small business (SSO is not reserved for large companies anymore). With OpenID Connect Discovery it should be pretty straightforward to allow the user to configure everything (realm URL, client ID and secret). Infisical is a very nice project; it's hard to show it/advocate for it/propose it in an SMB context without a key feature like SSO.

Personal opinion: I know a business has to emerge from it and you need to live, but home labbers and SMBs might look at way less appealing alternatives due to that and therefore keep using those alternatives while growing and persevere on this path because they "invested" time and effort in tooling and adapting those less interesting solutions. I don't want this project to appear on web lists like https://sso.tax/ (not affiliated).
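The generic configuration surface described in the two comments above (CaptainStealthy's "let the user specify the variables you hardcode for Google/GitHub" and babs's "OpenID Connect Discovery makes issuer URL, client ID and secret enough"), as an added example written for this page. It is not Infisical's code and does not describe how Infisical implements SSO. The discovery document, issuer, client ID and redirect URI are constructed values; network calls are replaced by inline data so it runs offline. It shows the two checks a provider-agnostic relying party needs that a hardcoded Google/GitHub integration gets for free: that the discovery document really belongs to the configured issuer, and that the returned ID token is bound to this issuer, this client and this login attempt.

```python
"""Provider-agnostic OIDC relying-party setup driven by OpenID Connect Discovery.

Added example for this thread, not Infisical code. Operator input is just
the issuer URL, client_id and client_secret; endpoints come from the issuer's
/.well-known/openid-configuration. Signature verification of the ID token
against doc["jwks_uri"] is the job of a JOSE library and is not shown here.
"""
import hashlib
import json
import secrets
import time
from base64 import urlsafe_b64encode
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# Constructed discovery document (shape of what Keycloak/Authentik publish;
# all values are made up for this example).
ISSUER = "https://sso.example.test/realms/lab"
DISCOVERY_DOC = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": ISSUER + "/protocol/openid-connect/token",
    "jwks_uri": ISSUER + "/protocol/openid-connect/certs",
    "id_token_signing_alg_values_supported": ["RS256", "ES256"],
    "code_challenge_methods_supported": ["S256"],
})
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for PKCE and JOSE values."""
    return urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def load_discovery(configured_issuer: str, raw_doc: str) -> Dict:
    """Parse a discovery document and check it belongs to the configured issuer.

    OIDC Discovery requires the document's `issuer` to match the URL it was
    fetched from; accepting a mismatch lets a misrouted or hostile document
    redirect logins to endpoints the operator never configured.
    """
    doc = json.loads(raw_doc)
    missing = [k for k in REQUIRED_KEYS if k not in doc]
    if missing:
        raise ValueError(f"discovery document missing {missing}")
    if doc["issuer"].rstrip("/") != configured_issuer.rstrip("/"):
        raise ValueError(f"issuer mismatch: {doc['issuer']!r} vs {configured_issuer!r}")
    return doc


def build_auth_request(doc: Dict, client_id: str, redirect_uri: str) -> Tuple[str, Dict]:
    """Return the authorization URL and the per-login values to keep in the session.

    state binds the callback to this browser session (CSRF), nonce binds the
    ID token to this login attempt, and PKCE (S256) binds the code exchange
    to this client when the IdP advertises support for it.
    """
    session = {"state": b64url(secrets.token_bytes(32)), "nonce": b64url(secrets.token_bytes(32))}
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",
        "state": session["state"],
        "nonce": session["nonce"],
    }
    if "S256" in doc.get("code_challenge_methods_supported", []):
        verifier = b64url(secrets.token_bytes(32))
        session["code_verifier"] = verifier
        params["code_challenge"] = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
        params["code_challenge_method"] = "S256"
    return doc["authorization_endpoint"] + "?" + urlencode(params), session


def verify_id_token_claims(claims: Dict, doc: Dict, client_id: str,
                           expected_nonce: str, now: Optional[float] = None) -> Dict:
    """Validate ID token claims (OIDC Core 3.1.3.7) after signature verification.

    The claims dict is assumed to come from a token whose signature was already
    checked against doc["jwks_uri"]. Raises ValueError on any failed check.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != doc["issuer"]:
        raise ValueError("iss does not match the discovery issuer")
    aud = claims.get("aud")
    auds = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in auds:
        raise ValueError("aud does not contain this client_id")
    if len(auds) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not this client_id")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token is expired or has no exp")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token is replayed or from another login")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims
```

The issuer check in `load_discovery` is the step that makes "just expose the hardcoded variables" safe: with Google or GitHub the endpoints are fixed in code, whereas a user-supplied issuer URL has to be cross-checked against what the document itself claims. The nonce check is what stops an ID token obtained in one login from being pasted into another.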

Alveel commented 7 months ago

There should be a way to configure your own IDP, independent of implementation. Self-hosted power users tend to have the desire to do this freely. Of course, with the caveat that doing this yourself may not be as safe or secure.

Be it premium or free, this should be a feature.

I only see it as a bonus that Infisical has pre-configured IDP's available, not a feature.

CaptainStealthy commented 7 months ago

The silence is deafening in this thread...

Echoing babs comments above - a business has to make money, but SSO should really be a standard feature.

And honestly, most experienced homelabbers tend to also...how do I put this...work for companies with money. And often, they're also the ones that make decisions (or at least have some influence) on what software to buy. Like, say, for instance...a secret management solution.

To put it bluntly, many homelabbers use their homelab to learn and evaluate tech that they want to then bring into the enterprise at work. But if you're going to hold back a feature like this that requires minimal code changes to include, you're not exactly giving people an incentive to evaluate your software at all.

@dangtony98 Are you able to comment on the subject?

dangtony98 commented 7 months ago

Hi everyone,

Apologies for the delay in getting back to this thread - We’re doing our best to tackle a lot of ongoing initiatives at the moment, so there may be delays as a result.

To provide an update, we do plan to add support for more authentication methods to Infisical but this is a gradual roll-out throughout Q1-Q3 2024 since there are a few big prerequisite items in the pipeline. For instance, we are currently working on a database migration after which there is an initiative planned to unify/standardize identity-types and authentication methods accordingly in Infisical. Both of these are foundational changes that need to occur prior to tacking on more authentication methods to make sure we have a solid base moving forward - Adding support now would otherwise require us to duplicate a lot of logic post-migration and identity/auth-method unification which doesn’t make sense considering effort/efficiency.

Regarding the split for which types of methods will be available in CE / EE, this has not been deeply discussed yet as we have yet to first complete the prerequisite items above to begin this discussion. What I can say at the moment is that SAML SSO is intended to be an EE feature, but as you see, we are pushing for many other SSO methods like the existing Google, GitHub and GitLab ones to be available for all, and likely OIDC once it comes out as well.

I understand the requests and concerns echoed in this thread and hope everyone understands the prerequisite work/steps we’re taking at the moment to get to this initiative. That said, I’m excited for what’s coming in 2024 for Infisical and, regarding this thread, have high hopes for many new supported authentication methods in CE to come.

Happy holidays!

binaryben commented 5 months ago

Thanks for the update @dangtony98! Can appreciate SAML being EE licensed. And glad to hear OIDC will likely be added. If OIDC could be confirmed as being CE licensed, I could start using this project immediately for a POC.

ikiris commented 1 day ago

I've submitted this product for inclusion in the sso tax walls of shame based on the current paywalls around basic oidc etc.