Infisical SSO runbook
System: Infisical vault interactive SSO (self-hosted vault.raxx.app + Cloud SaaS app.infisical.com)
Owner: Operator (Kristerpher)
Issue: #963
Last reviewed: 2026-05-12 UTC
ADR: docs/architecture/adr/0083-infisical-google-oidc-sso.md
Related runbook: docs/ops/runbooks/infisical-cloud-config.md
STATUS — DEFERRED TO PHASE 2 (locked 2026-05-13 UTC)
Pre-launch posture is email-OTP at CF Access. Steps 1, 2, 3, and 4 of this runbook are NOT being executed pre-launch. Don't follow them.
Two operator decisions on 2026-05-13:
- Infisical Org Settings → SSO → OIDC is NOT pursued. Discovered the Infisical OIDC config UI is paywalled behind Pro tier (~$18/identity/mo per docs/business-legal/infisical-pricing-2026-05-13.md). Not worth the spend for solo operator. This half is abandoned, not just deferred — unless Infisical changes tier gating.
- CF Zero Trust Google IdP wiring is DEFERRED to phase 2 (post-launch). Pre-launch focus is shipping, not SSO polish. Email-OTP at CF Access is sufficient with operator's hardware-MFA-protected inbox.
Pre-launch operator login flow: browser → vault.raxx.app → CF Access email-OTP prompt → magic link to kris@moosequest.net → click → CF JWT → Infisical's own login form (username + password) → in. The strong factor is at the email inbox (hardware MFA on Google account). No passkey-at-CF, no SSO at Infisical.
State of the world that should NOT be touched pre-launch:
- terraform/cf-access/terraform.tfvars → both cf_google_workspace_client_id and cf_google_idp_id are empty.
- CF Zero Trust dashboard has a Google Workspace IdP registered (id 18c69c18-14db-4f12-94f6-6c69d27cb04b) but it is NOT referenced by any SSO policy. Leave it alone.
- SSM /raxx/cf-access/google_oidc_client_secret is populated. Leave it.
- Google Cloud Console OAuth client 326369637856-…apps.googleusercontent.com is minted. Leave it.
Phase-2 reactivation steps: see ~/.claude/projects/.../memory/project_infisical_sso_not_pursued.md for the 7-step sequence. Short version: terraform-import the existing Google IdP, set both tfvars, apply; operator enrolls passkey at Google.
Revisit triggers: team grows past 1 operator; operator UX pain with email-OTP; Infisical lowers tier gating; SOC2/compliance gate.
Summary
Interactive operator access to Infisical uses Google Workspace (moosequest.net) as the identity root. Cloudflare Access is the OIDC relying party — it registers the Google OAuth 2.0 client and issues a signed CF JWT to the downstream application (Infisical). Infisical is configured to accept CF as an upstream OIDC provider.
Machine identities (service tokens, universal auth) are not affected by this config. They authenticate directly against the Infisical API without SSO.
Trust chain:
Browser → vault.raxx.app
→ CF Access gate (requires Google Workspace login)
→ CF issues signed JWT
→ Infisical verifies CF JWT via OIDC discovery endpoint
→ Operator session established
Tier / license check
Before beginning, verify the Infisical tier:
- Self-hosted (vault.raxx.app): SSO configuration via CF as upstream OIDC does not require a paid tier. The Infisical OIDC IdP settings are available on all self-hosted versions via Organization Settings → SSO.
- Infisical Cloud SaaS (app.infisical.com): The native "Google SSO" button in Infisical's own login flow requires a Pro tier subscription. However, using Cloudflare Access as the OIDC gate (this runbook's approach) operates at the CF layer before Infisical's own login, making the Infisical tier irrelevant for the auth flow itself.
To check the current self-hosted plan: Infisical dashboard → Organization Settings → Billing. If the plan shows "Free" or "Starter", the CF OIDC path in this runbook is the correct one to follow.
Prerequisites
Before running setup:
- CF_ACCESS_MGMT token in Infisical vault at /MooseQuest/cloudflare/ — scope: Account:Zero Trust:Edit (already present from #1076 work).
- A Google Cloud project in the moosequest.net Google Workspace org. If one does not exist for Cloudflare OAuth, create one named raxx-cloudflare-access.
- Google Workspace admin access to authorize the OAuth 2.0 client for the moosequest.net domain.
- Terraform applied with cf_google_idp_id populated — see "Step 1: Register Google Workspace IdP in CF Zero Trust" below.
How to tell it's broken
Symptom: "Authentication failed" or redirect loop at vault.raxx.app
The operator browser hits vault.raxx.app, is redirected to cloudflareaccess.com, completes Google login, then returns to Infisical but sees an error page or is redirected back to the Google login prompt in a loop.
Diagnostic sequence:
- Check that the CF Access policy for vault.raxx.app lists the Google IdP:

```bash
export CLOUDFLARE_API_TOKEN=$(infisical secrets get CF_ACCESS_MGMT \
  --path /MooseQuest/cloudflare/ --plain)
export ACCOUNT_ID=$(infisical secrets get CF_ACCESS_ACCOUNT_ID_MOOSEQUEST \
  --path /MooseQuest/cloudflare/ --plain)

# List identity providers — confirm Google type appears
curl -sS \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  "https://api.cloudflare.com/client/v4/accounts/${ACCOUNT_ID}/access/identity_providers" \
  | python3 -c "
import sys, json
for p in json.load(sys.stdin).get('result', []):
    print(p['type'], '|', p['name'], '|', p['id'])
"
# Expected: a line containing 'google' | 'Google Workspace — MooseQuest' |
```

- Check that cf_google_idp_id is set in terraform/cf-access/terraform.tfvars and that terraform plan shows no diff.
- Check Infisical Organization Settings → SSO → verify the OIDC issuer URL matches the CF Access team domain. Expected value: https://moosequest.cloudflareaccess.com
Symptom: "SSO is not configured" in Infisical UI
Infisical's SSO is not enabled. See "Step 3: Configure Infisical OIDC IdP" below. This is an operator action.
Symptom: CF Access passes but Infisical shows "Invalid credentials"
The OIDC Client ID / Client Secret registered in Infisical does not match the values generated when the CF Access OIDC app was created. Follow "Step 3: Configure Infisical OIDC IdP" to re-enter the correct values.
How to diagnose (in order)
- Confirm Google IdP is registered in CF Zero Trust and the ID matches cf_google_idp_id in tfvars.
- Run terraform plan from terraform/cf-access/ — expect zero diff.
- Confirm Infisical Organization Settings → SSO shows OIDC enabled with https://moosequest.cloudflareaccess.com as issuer.
- Verify the OIDC Client ID in Infisical matches the value from terraform output google_oidc_client_id (or the CF dashboard).
- Check https://status.infisical.com and https://cloudflarestatus.com for upstream incidents.
Setup procedure (operator action required)
This is a one-time setup. Steps 1 and 2 are Terraform-managed; Step 3 is manual UI.
Step 1: Create Google OAuth 2.0 client for CF Zero Trust
This step registers the OAuth client that CF Zero Trust uses to verify Google Workspace identity.
1. Open: https://console.cloud.google.com/apis/credentials
(Project: raxx-cloudflare-access, or create it under moosequest.net org)
2. Click "Create Credentials" → "OAuth client ID"
- Application type: Web application
- Name: Cloudflare Access — MooseQuest
- Authorized redirect URIs:
https://moosequest.cloudflareaccess.com/cdn-cgi/access/callback
3. Copy the Client ID and Client Secret.
4. Store the Client Secret in SSM (not in Infisical — bootstrap circularity prevention):
```bash
# Output suppressed; the exit status still reports a failed put.
aws ssm put-parameter \
  --name "/raxx/cf-access/google_oidc_client_secret" \
  --type "SecureString" \
  --value "<CLIENT_SECRET>" \
  --overwrite \
  --region us-east-1 >/dev/null 2>&1
```
5. Store the Client ID in terraform.tfvars (it is not sensitive):
```hcl
# In terraform/cf-access/terraform.tfvars, set:
cf_google_workspace_client_id = "<CLIENT_ID>"
cf_google_workspace_hd        = "moosequest.net"
```
Step 2: Apply Terraform to register the Google IdP in CF Zero Trust
```bash
cd terraform/cf-access
export CLOUDFLARE_API_TOKEN=$(infisical secrets get CF_ACCESS_MGMT \
  --path /MooseQuest/cloudflare/ --plain)
export TF_VAR_cf_access_account_id=$(infisical secrets get CF_ACCESS_ACCOUNT_ID_MOOSEQUEST \
  --path /MooseQuest/cloudflare/ --plain)

# Read the client secret from SSM (not from vault — see [ADR-0083](https://internal-docs.raxx.app/architecture/adr/0083-infisical-google-oidc-sso.html) D5)
export TF_VAR_cf_google_oidc_client_secret=$(aws ssm get-parameter \
  --name "/raxx/cf-access/google_oidc_client_secret" \
  --with-decryption \
  --query "Parameter.Value" \
  --output text \
  --region us-east-1)

terraform plan
# Review: should create cloudflare_zero_trust_identity_provider.google_workspace
# and update vault_operator + infisical_cloud_operator policies to include the Google IdP.
terraform apply

# After apply, capture the new IdP ID:
terraform output google_idp_id
# Copy this value. Update terraform.tfvars: cf_google_idp_id = "<value>"
# Then re-apply to activate the IdP in the policies:
terraform apply
```
Step 3: Configure Infisical OIDC IdP (operator UI action — self-hosted)
This step connects the self-hosted Infisical instance (vault.raxx.app) to Cloudflare Access as its identity source. There is no Terraform equivalent for this step.
1. Navigate to: https://vault.raxx.app → Organization Settings → SSO
2. Select "OIDC" as the SSO provider.
3. Fill in the fields:
- Issuer URL: https://moosequest.cloudflareaccess.com
- Authorization Endpoint:
https://moosequest.cloudflareaccess.com/cdn-cgi/access/authorize
- Token Endpoint:
https://moosequest.cloudflareaccess.com/cdn-cgi/access/token
- JWKS URI:
https://moosequest.cloudflareaccess.com/cdn-cgi/access/certs
- Client ID: <the Application (Client) ID from the CF OIDC app>
- Client Secret: <the secret from the CF OIDC app — see note below>
NOTE on the OIDC Client ID / Secret for Infisical:
These are NOT the same as the Google OAuth 2.0 client in Step 1.
CF Access generates its own OIDC application credentials for the
relying-party relationship with Infisical. To retrieve them:
a. In CF Zero Trust dashboard → Access → Applications → find the vault.raxx.app app
b. Under "Advanced settings" → OIDC, CF will show an Application ID and a Secret
(or generate them on-demand). Copy both.
c. Store the OIDC secret in SSM at /raxx/cf-access/infisical_oidc_client_secret
for future reference (rotation runbook).
4. Set "Allowed email domains": moosequest.net
5. Save and test: click "Test SSO" or navigate to vault.raxx.app in a private window.
The browser should redirect to Cloudflare → Google login → back to Infisical
with a valid session.
6. Record the final configuration state:
Update the table in docs/ops/runbooks/infisical-cloud-config.md under
"Manual configuration → SSO" with: "Google Workspace via CF Access OIDC, enabled <date>"
Step 4: Configure Infisical OIDC IdP (Infisical Cloud SaaS)
Repeat Step 3 for app.infisical.com if the Cloud SaaS instance is the primary vault. The OIDC values are identical (CF Access is the issuer for both). The Cloud SaaS app has its own CF Access OIDC application credentials (from the infisical_cloud_saas CF Access application in Terraform).
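The trust chain in the Summary (CF issues a signed JWT, Infisical verifies it against the JWKS URI) and the Step 3 fields (issuer, JWKS URI, allowed email domain) reduce to a fixed set of relying-party checks. The Go program below is an added example written for this runbook, not code from Infisical, Cloudflare or this project: it generates a throwaway RSA key to stand in for CF Access's signing key, mints tokens with constructed claims, and runs the verification a relying party must perform (algorithm pinned to RS256, key selected by kid, signature, iss, aud, exp, allowed email domain). The audience constant is a placeholder rather than a real AUD tag, and the kid-keyed map stands in for fetching the JWKS URI.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Step 3 values: issuer and allowed domain are the runbook's; audience is a placeholder, not a real AUD tag.
const (
	issuer        = "https://moosequest.cloudflareaccess.com"
	audience      = "<cf-access-application-aud-tag>"
	allowedDomain = "moosequest.net"
)

type claims struct { // subset of the JWT payload a relying party must check; aud is an array
	Iss   string   `json:"iss"`
	Aud   []string `json:"aud"`
	Exp   int64    `json:"exp"`
	Email string   `json:"email"`
}

// verifyToken: pin the algorithm, pick the key by kid from the JWKS, verify RS256, then check iss/aud/exp/email.
func verifyToken(token string, jwks map[string]*rsa.PublicKey, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("bad header or alg is not RS256") // the token never picks the algorithm
	}
	pub, ok := jwks[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("no key with kid %q in JWKS", hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify against JWKS")
	}
	var c claims
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, fmt.Errorf("bad payload")
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("issuer %q is not the CF Access team domain", c.Iss)
	case len(c.Aud) != 1 || c.Aud[0] != audience: // CF Access tokens carry the app's single AUD tag
		return nil, fmt.Errorf("token not issued for this application")
	case now.Unix() >= c.Exp:
		return nil, fmt.Errorf("token expired")
	case !strings.HasSuffix(strings.ToLower(c.Email), "@"+allowedDomain):
		return nil, fmt.Errorf("email %q outside allowed domain", c.Email)
	}
	return &c, nil
}

// signToken stands in for CF Access minting a JWT; CF's real signing key never leaves CF.
func signToken(key *rsa.PrivateKey, kid, iss, email string, exp time.Time) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(map[string]interface{}{"iss": iss, "aud": []string{audience}, "exp": exp.Unix(), "email": email})
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// scenarios signs constructed tokens with a throwaway key and reports which ones verify; only "valid" should.
func scenarios() map[string]bool {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)   // errors ignored: GenerateKey with rand.Reader
	rogue, _ := rsa.GenerateKey(rand.Reader, 2048) // does not fail in practice; rogue is not in the JWKS
	const kid = "example-kid"
	jwks := map[string]*rsa.PublicKey{kid: &key.PublicKey}
	now, later := time.Now(), time.Now().Add(time.Hour)
	tokens := map[string]string{
		"valid":        signToken(key, kid, issuer, "operator@moosequest.net", later),
		"unknown_key":  signToken(rogue, kid, issuer, "operator@moosequest.net", later),
		"wrong_issuer": signToken(key, kid, "https://other.cloudflareaccess.com", "operator@moosequest.net", later),
		"wrong_domain": signToken(key, kid, issuer, "someone@example.com", later),
		"expired":      signToken(key, kid, issuer, "operator@moosequest.net", now.Add(-time.Minute)),
	}
	results := map[string]bool{}
	for name, tok := range tokens {
		_, err := verifyToken(tok, jwks, now)
		results[name] = err == nil
	}
	return results
}

func main() { fmt.Println(scenarios()) }
```

Each rejected case corresponds to a symptom in this runbook: an unknown key or wrong issuer is what a mismatched JWKS URI / issuer URL in Step 3 produces, and the email-domain rejection is the "Allowed email domains" setting enforced at the application rather than only at CF.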
Secret storage reference
| Secret | Location | Notes |
|---|---|---|
| Google OAuth 2.0 Client Secret (Step 1) | SSM /raxx/cf-access/google_oidc_client_secret | Enables CF Zero Trust to verify Google identity |
| CF OIDC Client Secret for Infisical self-hosted (Step 3) | SSM /raxx/cf-access/infisical_oidc_client_secret | Enables Infisical to verify CF Access identity |
| Google OAuth 2.0 Client ID | terraform/cf-access/terraform.tfvars → cf_google_workspace_client_id | Not sensitive |
| CF Google IdP UUID | terraform/cf-access/terraform.tfvars → cf_google_idp_id | Not sensitive — set after first terraform apply |
None of these values live in Infisical. This is the intentional bootstrap-circularity prevention from ADR-0083 D5.
Emergency stop
If SSO is broken and the operator cannot reach Infisical:
Option A — break-glass via direct Infisical credentials (preferred)
Infisical break-glass admin credentials are stored in the private Google Drive under the raxx-ops folder (same pattern as project_aws_iam_state.md). These bypass SSO entirely and use Infisical's local authentication. Use these to disable/reconfigure SSO.
Option B — disable CF Access gate temporarily
```bash
# Revert vault_operator policy to email OTP only (removes Google IdP requirement)
# In terraform/cf-access/terraform.tfvars:
#   cf_google_idp_id = ""   # empty = no Google IdP required, falls back to email OTP
cd terraform/cf-access
export CLOUDFLARE_API_TOKEN=$(infisical secrets get CF_ACCESS_MGMT \
  --path /MooseQuest/cloudflare/ --plain)
export TF_VAR_cf_access_account_id=$(infisical secrets get CF_ACCESS_ACCOUNT_ID_MOOSEQUEST \
  --path /MooseQuest/cloudflare/ --plain)
terraform apply
# Operator can now reach Infisical via email OTP.
# Diagnose SSO issue, then re-enable Google IdP.
```
Escalation
Escalate to operator (Kristerpher) when:
- Break-glass credentials are inaccessible (Google Drive unavailable + SSO broken). This is a full vault lockout requiring AWS Lightsail console access to restart/reconfigure the Infisical container.
- Google Workspace admin changes have revoked the OAuth 2.0 client (e.g. project deletion). Requires re-registering in Google Cloud Console.
- CF Access reports the Google IdP as unhealthy and it cannot be repaired via Terraform. Open a Cloudflare support ticket.
Refs
- ADR: docs/architecture/adr/0083-infisical-google-oidc-sso.md
- Setup script: scripts/vault/infisical-sso-setup.sh
- Terraform: terraform/cf-access/vault_google_idp.tf
- CF Access config runbook: docs/ops/runbooks/infisical-cloud-config.md
- CF Zero Trust Google IdP docs: https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/google/
- Infisical SSO docs: https://infisical.com/docs/documentation/platform/sso/overview
- Infisical status: https://status.infisical.com