diff --git a/_articles/account/master-password.md b/_articles/account/master-password.md index de44d6d5..2e8807b7 100644 --- a/_articles/account/master-password.md +++ b/_articles/account/master-password.md @@ -14,9 +14,9 @@ redirect_from: Your Master Password is the primary method for accessing your Vault. It's critically important that your Master Password is: -- **Memorable**: Bitwarden is a Zero Knowledge/Zero Trust solution. This means that the team at Bitwarden, as well as Bitwarden systems themselves, have no knowledge of, way to retrieve, or way to reset your Master Password. **Don't forget your Master Password!** Bitwarden won't be able to reset it or recover your Vault data if you do. +- **Memorable**: Bitwarden is a zero knowledge solution. This means that the team at Bitwarden, as well as Bitwarden systems themselves, have no knowledge of, way to retrieve, or way to reset your Master Password. **Don't forget your Master Password!** Bitwarden won't be able to reset it or recover your Vault data if you do. - For our technically-inclined users, see the article on [Encryption]({% link _articles/security/what-encryption-is-used.md %}) to find out how we accomplish Zero Trust. + For our technically-inclined users, see the article on [Encryption]({% link _articles/security/what-encryption-is-used.md %}) to find out how we accomplish zero knowledge. - **Strong**: The longer, more complex, and less common your Master Password is, the safer your Vault data will be. Using something like `password` for your Master Password could let a capable attacker crack your Vault in **less than a second**! Use Bitwarden's free [**Password Strength Testing Tool**](https://bitwarden.com/password-strength){:target="\_blank"} to test the strength of some Master Passwords you'd consider using. diff --git a/_articles/getting-started/getting-started-organizations.md b/_articles/getting-started/getting-started-organizations.md index d18a293f..af5c601d 100644 
--- a/_articles/getting-started/getting-started-organizations.md +++ b/_articles/getting-started/getting-started-organizations.md @@ -40,7 +40,7 @@ Bitwarden provides applications on lots of devices, including Browser Extensions [Create a Bitwarden account](https://vault.bitwarden.com/#/register){:target="\_blank"}, and make sure that you pick a strong and memorable [Master Password]({{site.baseurl}}/article/master-password/). We even recommend writing down your Master Password and storing it in a safe location. {% callout success %} -**Don't forget your Master Password!** Bitwarden is a Zero knowledge/Zero Trust solution, meaning that the team at Bitwarden, as well as Bitwarden systems themselves, have no knowledge of, way to retrieve, or way to reset your Master Password. +**Don't forget your Master Password!** Bitwarden is a zero knowledge solution, meaning that the team at Bitwarden, as well as Bitwarden systems themselves, have no knowledge of, way to retrieve, or way to reset your Master Password. {% endcallout %} Once your account is created, log in to your [Web Vault](https://vault.bitwarden.com){:target="\_blank"} and verify your account's email address to unlock access to all features: diff --git a/_articles/getting-started/releasenotes.md b/_articles/getting-started/releasenotes.md index 26332d3c..b7a25e6c 100644 --- a/_articles/getting-started/releasenotes.md +++ b/_articles/getting-started/releasenotes.md 
@@ -107,7 +107,7 @@ The Bitwarden team is investigating these and will provide updates as things pro ## 2021-01-19 For the first major release of 2021, the Bitwarden team combined multiple major enhancements to address the critical needs of all users, including: -- **Emergency Access**: Bitwarden's new Emergency Access feature enables users to designate and manage trusted emergency contacts, who may request access to their Vault in a Zero Knowledge/Zero Trust environment (see [here]({% link _articles/security/emergency-access.md %}) for details). +- **Emergency Access**: Bitwarden's new Emergency Access feature enables users to designate and manage trusted emergency contacts, who may request access to their Vault in a zero knowledge environment (see [here]({% link _articles/security/emergency-access.md %}) for details). - **Encrypted Exports**: Personal users and Organizations can now export Vault data in an encrypted `.json` file (see [here]({% link _articles/importing/encrypted-export.md %}) for details). - **New Role**: A Custom role is now available to allow for granular control over user permissions (see [here](https://bitwarden.com/help/article/user-types-access-control/#custom-role) for details). - **New Enterprise Policy**: The Personal Ownership policy is now available for use by Enterprise Organization (see [here](https://bitwarden.com/help/article/policies/#personal-ownership) for details). diff --git a/_articles/login-with-sso/about-sso.md b/_articles/login-with-sso/about-sso.md index 4612510a..fa3dca57 100644 --- a/_articles/login-with-sso/about-sso.md +++ b/_articles/login-with-sso/about-sso.md 
@@ -16,7 +16,7 @@ Login with SSO separates user authentication from Vault decryption by leveraging Login with SSO currently supports SAML 2.0 and OpenID Connect authentication for customers on the current Enterprise Plan. -Users of Bitwarden authenticate into their vaults using the **Enterprise Single Sign-On** button located on the login screen of any Bitwarden client application. For more information, see [Access Your Vault Using SSO](https://bitwarden.com/help/article/sso-access-your-vault/). +Users of Bitwarden authenticate into their vaults using the **Enterprise Single Sign-On** button located on the login screen of any Bitwarden client application. For more information, see [Using Login with SSO]({{site.baseurl}}/article/using-sso/). Administrators can configure Login with SSO in the Business Portal. For more information, see [About the Business Portal](https://bitwarden.com/help/article/about-business-portal/). @@ -60,15 +60,3 @@ For information on updating your self-hosted instance, see [Updating your Self-H The following diagram is an overview of the workflow used by Bitwarden to authenticate using SSO: {%image /sso/sso-workflow.png Bitwarden SSO Workflow %} - -## Next Steps -For administrators configuring Login with SSO, see: -- [Configure Login with SSO (SAML 2.0)](https://bitwarden.com/help/article/configure-sso-saml/) -- [Configure Login with SSO (OIDC)](https://bitwarden.com/help/article/configure-sso-oidc) - -For existing users, see: -- [Link an Existing Account to SSO](https://bitwarden.com/help/article/link-to-sso/) -- [Access Your Vault Using SSO](https://bitwarden.com/help/article/sso-access-your-vault/) - -For more information, see: -- [SSO FAQs](https://bitwarden.com/help/article/sso-faqs) diff --git a/_articles/login-with-sso/configure-sso-oidc.md b/_articles/login-with-sso/configure-sso-oidc.md index 22695145..7da30c00 100644 --- a/_articles/login-with-sso/configure-sso-oidc.md +++ b/_articles/login-with-sso/configure-sso-oidc.md 
@@ -5,12 +5,12 @@ categories: [login-with-sso] featured: false popular: false tags: [sso, oidc, openid, idp, identity] -order: 04 +order: 03 --- ## Step 1: Set an Organization Identifier -Users who [authenticate their identity using SSO]({{site.baseurl}}/article/sso-access-your-vault) will be required to enter an **Organization Identifier** that indicates the Organization (and therefore, the SSO integration) to authenticate against. To set a unique Organization Identifier: +Users who [authenticate their identity using SSO]({{site.baseurl}}/article/using-sso/#login-using-sso) will be required to enter an **Organization Identifier** that indicates the Organization (and therefore, the SSO integration) to authenticate against. To set a unique Organization Identifier: 1. Log in to your [Web Vault](https://vault.bitwarden.com){:target="\_blank"} and open your Organization. 2. Open the **Settings** tab and enter a unique **Identifier** for your Organization. diff --git a/_articles/login-with-sso/configure-sso-saml.md b/_articles/login-with-sso/configure-sso-saml.md index fcd8f42b..2878ef7d 100644 --- a/_articles/login-with-sso/configure-sso-saml.md +++ b/_articles/login-with-sso/configure-sso-saml.md 
@@ -5,12 +5,12 @@ categories: [login-with-sso] featured: false popular: false tags: [sso, saml, saml2.0, idp, identity] -order: 03 +order: 02 --- ## Step 1: Set an Organization Identifier -Users who [authenticate their identity using SSO]({{site.baseurl}}/article/sso-access-your-vault/) will be required to enter an **Organization Identifier** that indicates the Organization (and therefore, the SSO integration) to authenticate against. to set a unique Organization Identifier: +Users who [authenticate their identity using SSO]({{site.baseurl}}/article/using-sso/#login-using-sso) will be required to enter an **Organization Identifier** that indicates the Organization (and therefore, the SSO integration) to authenticate against. to set a unique Organization Identifier: 1. Log in to your [Web Vault](https://vault.bitwarden.com){:target="\_blank"} and open your Organization. 2. Open the **Settings** tab and enter a unique **Identifier** for your Organizations. diff --git a/_articles/login-with-sso/link-to-sso.md b/_articles/login-with-sso/link-to-sso.md deleted file mode 100644 index 3c01a60d..00000000 --- a/_articles/login-with-sso/link-to-sso.md +++ /dev/null 
@@ -1,24 +0,0 @@ ---- -layout: article -title: Link an Existing Account to SSO -categories: [login-with-sso] -featured: false -popular: false -tags: [] -order: 05 ---- - -Users with existing Bitwarden accounts will need to complete the following steps when their Organization applies Login with SSO: - -1. In the Web Vault, navigate to your **Settings** tab and open your **Organizations**. -2. Hover over the desired Organization and select the gear dropdown. - - {%image /sso/sso-link-button-overlay.png Link SSO Dropdown Option %} - -3. From the dropdown menu, select **Link SSO**. - - Selecting this option will initiate an authentication session to link your account. Successfully linking your account to SSO will allow you to use Login with SSO to authenticate into your Vault. - -### Next Steps -Now that you've linked your account, you can now: -- [Access your Vault Using SSO](https://bitwarden.com/help/article/sso-access-your-vault/) diff --git a/_articles/login-with-sso/sso-access-your-vault.md b/_articles/login-with-sso/sso-access-your-vault.md deleted file mode 100644 index a0e87497..00000000 --- a/_articles/login-with-sso/sso-access-your-vault.md +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -layout: article -title: Access Your Vault Using SSO -categories: [login-with-sso] -featured: false -popular: false -tags: [sso] -order: 06 ---- - -## Before You Begin -If you are an existing Bitwarden user, you must [Link an Existing Account to SSO](https://bitwarden.com/help/article/link-to-sso/) before authenticating into your Vault using Login with SSO. - -## Logging in with SSO - -Complete the following steps to use Login with SSO to authenticate into your Bitwarden Vault: - -1. Open your Bitwarden App or navigate to the Bitwarden Web Vault. -2. Select the **Enterprise Single Sign-On** button. - - {% image sso/sso-button-lg.png Enterprise Single Sign-On button %} - -3. Enter your **Organization Identifier** and select **Log In**. - - {% callout info %}We recommend bookmarking this page with your Organization Identifier included as a query string so that you don't have to enter it each time, for example `https://vault.bitwarden.com/#/sso?identifier=your-org-id` or `https://your.domain.com/#/sso?identifier=your-org-id`. - {% endcallout %} - - {% image sso/org-id-input.png Organization Identifier field %} - - A browser window will open prompting you to enter your SSO credentials or other required authentication mechanisms. - -Upon successful authentication: - -- **For existing accounts**, you will be re-directed to the Bitwarden login page and prompted to enter your Master Password to decrypt your Vault data. -- **For new accounts**, you will be prompted to create a Master Password and (optionally) provide a hint. Users with new accounts will need to have access confirmed for shared Organization items, including Collections and Groups. - -In both cases, your account now has an *accepted* status within your Organization. 
- - - - {% callout info %} - Users that are created via Login with SSO **will still be properly organized into their groups and collections** if leveraging the [Directory Connector](https://bitwarden.com/help/article/directory-sync/) utility. - {% endcallout %} diff --git a/_articles/login-with-sso/using-sso.md b/_articles/login-with-sso/using-sso.md new file mode 100644 index 00000000..933daaf7 --- /dev/null +++ b/_articles/login-with-sso/using-sso.md 
@@ -0,0 +1,52 @@ +--- +layout: article +title: Using Login with SSO +categories: [login-with-sso] +featured: false +popular: false +tags: [sso] +order: 04 +redirect_from: + - /article/link-to-sso/ + - /article/sso-access-your-vault/ +--- + +As an end-user of Bitwarden, you will need to [link your account to SSO](#link-your-account-to-sso) and get your [Organization identifier](#get-your-organization-identifier) before you can [login using SSO](#login-using-sso): + +## Link your Account + +To link your account: + +1. Open the Web Vault, navigate to your **Settings** tab and open your **Organizations**. +2. Hover over the desired Organization and select the {% icon fa-cog %} gear dropdown: + + {%image /sso/sso-link-button-overlay.png Link SSO Dropdown Option %} + +3. From the dropdown menu, select {% icon fa-link %} **Link SSO**. + +## Get your Organization Identifier + +Every Bitwarden Organization has a unique identifier specifically for Login with SSO. You'll need this value to login, so ask your manager or Bitwarden administrator to [retrieve it for you]({{site.baseurl}}/article/configure-sso-saml/#step-1-set-an-organization-identifier). + +## Login using SSO + +To login to Bitwarden using SSO: + +1. Open your Bitwarden Web Vault or App and select the **Enterprise Single Sign-On** button: + + {% image sso/sso-button-lg.png Enterprise Single Sign-On button %} + +2. Enter your **Organization Identifier** and select **Log In**: + + {% image sso/org-id-input.png Organization Identifier field %} + + {% callout success %}We recommend bookmarking this page with your Organization Identifier included as a query string so that you don't have to enter it each time, for example `https://vault.bitwarden.com/#/sso?identifier=YOUR-ORG-ID` or `https://your.domain.com/#/sso?identifier=YOUR-ORG-ID`.{% endcallout %} +3. 
Now that you've authenticated your identity using Login with SSO, enter your [Master Password]({{site.baseurl}}/article/master-password/) on the Login screen to **decrypt** your Vault. + +{% callout success %} +**Why is my Master Password still required?** + +All Vault data, including credentials [shared by your Organization]({{site.baseurl}}/article/sharing), is kept by Bitwarden **only** in its encrypted form. This means that in order to use any of those credentials, **you** need a way to decrypt that data (we can't). + +Your Master Password is the source of that decryption key. Even though you're authenticating (proving your identity) to Bitwarden using SSO, you still must use that decryption key (your Master Password) to see any meaningful data. +{% endcallout %} diff --git a/_articles/organizations/policies.md b/_articles/organizations/policies.md index 3f61db07..2e020810 100644 --- a/_articles/organizations/policies.md +++ b/_articles/organizations/policies.md @@ -87,7 +87,7 @@ Users who are removed as a result of this policy will be notified via email, and ### Single Sign-On Authentication -Enabling the **Single Sign-On Authentication** policy will require non-Owner/non-Admin users to log in with Enterprise Single Sign-On. For more information, see [Access Your Vault using SSO](https://bitwarden.com/help/article/sso-access-your-vault/). +Enabling the **Single Sign-On Authentication** policy will require non-Owner/non-Admin users to log in with Enterprise Single Sign-On. For more information, see [Using SSO]({{site.baseurl}}/article/using-sso/#login-using-sso). {% callout info %} The **Single Organization** policy must be enabled before activating this policy. diff --git a/_articles/security/emergency-access.md b/_articles/security/emergency-access.md index 1d184160..c9b3ab33 100644 --- a/_articles/security/emergency-access.md +++ b/_articles/security/emergency-access.md 
@@ -19,7 +19,7 @@ Establishing Emergency Access to a Vault is available for Premium users, includi ## How it Works -Emergency Access uses public key exchange and encryption/decryption to allow users to give a [trusted emergency contact](#trusted-emergency-contacts) permission to [access Vault data](#user-access) in a Zero Knowledge/Zero Trust environment: +Emergency Access uses public key exchange and encryption/decryption to allow users to give a [trusted emergency contact](#trusted-emergency-contacts) permission to [access Vault data](#user-access) in a zero knowledge environment: 1. A Bitwarden user (the *grantor*) [invites another Bitwarden user](#invite-a-trusted-emergency-contact) to become a trusted emergency contact (the *grantee*). The invitation (valid for only 5 days) specifies a [user access level](#user-access) and includes a request for the grantee's public key. 2. Grantee is notified of invitation via email and [accepts the invitation](#accept-an-invitation) to become a trusted emergency contact. On acceptance, the grantee's public key is stored with the invite. diff --git a/images/sso/sso-link-button-overlay.png b/images/sso/sso-link-button-overlay.png index 5536f42e..0d73eaa8 100644 Binary files a/images/sso/sso-link-button-overlay.png and b/images/sso/sso-link-button-overlay.png differ
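
Review bot: The second hunk of `_articles/login-with-sso/about-sso.md` removes the whole "Next Steps" section, and with it the links to the SAML and OIDC configuration articles and to the SSO FAQs, although only the two end-user articles are replaced by `using-sso.md`. Consider keeping the administrator and FAQ links (or a trimmed "Next Steps" list) so the overview still leads readers to the configuration guides.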
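
Review bot: The rewritten sentence under "Step 1" in `_articles/login-with-sso/configure-sso-saml.md` still reads "authenticate against. to set a unique Organization Identifier:" with a lowercase "to". Since the line is being changed anyway, capitalize it so it matches the same sentence in `configure-sso-oidc.md`.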
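
Review bot: The deleted `_articles/login-with-sso/sso-access-your-vault.md` covered what happens after authentication for new accounts (creating a Master Password, access confirmation for shared Organization items) and carried the Directory Connector callout. Neither appears in the replacement `using-sso.md`, whose step 3 only covers entering an existing Master Password. Because `/article/sso-access-your-vault/` now redirects there, consider carrying the new-account path and the callout over, or state in the commit that dropping them is intended.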
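
Review bot: In the new `_articles/login-with-sso/using-sso.md`, the intro sentence links to `#link-your-account-to-sso`, but the heading added below it is `## Link your Account`. Assuming heading IDs are auto-generated from the heading text, that yields `#link-your-account` and the first in-page link will not resolve. Rename the heading to "Link your Account to SSO" or change the link target. The other two anchors (`#get-your-organization-identifier`, `#login-using-sso`) match their headings.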
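
Review bot: In `_articles/organizations/policies.md` the new link text is "Using SSO", while `about-sso.md` in this same patch links the article as "Using Login with SSO", which is also the `title:` set in `using-sso.md`. Use one label for the article throughout.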