mirror of https://github.com/bitwarden/help synced 2025-12-16 08:13:28 +00:00

Release Help Site Update (#167)

* added new categories for SSO and FAQs, updated existing policies article to reflect business portal

* more details for SSO config

* updated formatting for config articles

* add/edits from @cscharf

* added categories list to category landing page

* added security FAQ

* updated pricing and feature comparison tables for subscription article
This commit is contained in:
Trey Greer
2020-09-05 21:32:07 -04:00
committed by GitHub
parent cac3fa9820
commit e38132bcda
21 changed files with 1018 additions and 10 deletions

View File

@@ -1,7 +1,7 @@
---
layout: article
title: Unlocking with biometrics
categories: [account-management, organizations]
categories: [account-management]
featured: false
popular: false
tags: [unlock, face id, touch id, hello, windows, mac, ios, android]
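Review bot: the `categories` front matter drops `organizations` from the biometrics article, a recategorization that the commit message ("added new categories for SSO and FAQs") does not mention; confirm the article is meant to disappear from the organizations category listing, or call the change out in the message.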

View File

@@ -40,13 +40,48 @@ Premium Features include 1 GB of encrypted file storage, two-step authentication
The Families Plan includes 6 user seats for $40/year and all members automatically get Bitwarden Premium Features.
{% image /plans/families.png Families now includes premium features for up to 6 users %}
| | Classic Families Plan + Premium Features | Families Plan (includes premium) |
|:---|:---:|:---:|
| **Cost** | $52/year | $40/year |
| **Feature** | | |
| Base users | 5 | 6 |
| Max users | 5 | 6 |
| Max collections | Unlimited | Unlimited |
| Cloud-hosted | <i class="fa fa-check" aria-hidden="true"></i> | <i class="fa fa-check" aria-hidden="true"></i> |
| Self-hosted | <i class="fa fa-check" aria-hidden="true"></i> | <i class="fa fa-check" aria-hidden="true"></i> |
| 1 GB encrypted file storage | <i class="fa fa-check" aria-hidden="true"></i> | <i class="fa fa-check" aria-hidden="true"></i> |
| Bitwarden Authenticator (TOTP) | <i class="fa fa-check" aria-hidden="true"></i> | <i class="fa fa-check" aria-hidden="true"></i> |
| Two-step login with YubiKey, U2F, Duo | <i class="fa fa-check" aria-hidden="true"></i> | <i class="fa fa-check" aria-hidden="true"></i> |
| Vault health reports | <i class="fa fa-check" aria-hidden="true"></i> | <i class="fa fa-check" aria-hidden="true"></i> |
| Priority customer support | <i class="fa fa-check" aria-hidden="true"></i> | <i class="fa fa-check" aria-hidden="true"></i> |
*Pricing shown is based on an annual subscription*
## Teams Plan: Premium Features and more organizational features
Teams Plans get expanded Bitwarden access with more features for team members and each Team organization as a whole.
{% image /plans/teams.png Teams now has even more features to help you manage security and sharing %}
| | Classic Teams Plan | Teams Plan |
|:---|:---:|:---:|
| **Cost** | $2/User/Month (billed annually) | $3/User/Month (billed annually) |
| **Feature** | | |
| Base users | 5 | 1 |
| Max users | Unlimited | Unlimited |
| Max collections | Unlimited | Unlimited |
| Cloud-hosted | <i class="fa fa-check" aria-hidden="true"></i> | <i class="fa fa-check" aria-hidden="true"></i> |
| Users get Premium features | - | <i class="fa fa-check" aria-hidden="true"></i> |
| 1 GB encrypted file storage for Org items| <i class="fa fa-check" aria-hidden="true"></i> | <i class="fa fa-check" aria-hidden="true"></i> |
| Bitwarden Authenticator (TOTP) for Org items | <i class="fa fa-check" aria-hidden="true"></i> | <i class="fa fa-check" aria-hidden="true"></i> |
| Two-step login with YubiKey, U2F, Duo | - | <i class="fa fa-check" aria-hidden="true"></i> |
| Vault health reports for Org items | <i class="fa fa-check" aria-hidden="true"></i> | <i class="fa fa-check" aria-hidden="true"></i> |
| Priority customer support | <i class="fa fa-check" aria-hidden="true"></i> | <i class="fa fa-check" aria-hidden="true"></i> |
| Event Logs | - | <i class="fa fa-check" aria-hidden="true"></i> |
| User groups | - | <i class="fa fa-check" aria-hidden="true"></i> |
| API Access | - | <i class="fa fa-check" aria-hidden="true"></i> |
| Directory Connector | - | <i class="fa fa-check" aria-hidden="true"></i> |
*Pricing shown is based on an annual subscription*
## Enterprise Plan: Take advantage of Login with SSO
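Review bot: the Teams Plan table has no `Self-host option` row, while the Enterprise table below and the "Compare Teams and Enterprise Plans" table in the same article list self-hosting as an Enterprise-only difference; add a `| Self-host option | ... | - |` row to the Teams table so the per-plan table and the comparison table agree. Minor: `| 1 GB encrypted file storage for Org items|` is missing the space before the closing pipe that every other cell has.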
@@ -61,13 +96,42 @@ Login with SSO increases the value of Bitwarden for enterprises by bringing adva
Login with SSO also gives you ultimate flexibility, integrating with any existing identity management solution that uses SAML 2.0 or OpenID Connect. This feature is only available to organizations on the new Enterprise Plan, which is $5/user/month.
{% image /plans/enterprise.png Enterprise is now more powerful than ever, offering identity based SSO %}
| | Classic Enterprise Plan | Enterprise Plan |
|:---|:---:|:---:|
| **Cost** | $3/User/Month (billed annually) | $5/User/Month (billed annually) |
| **Feature** | | |
| Base users | 1 | 1 |
| Max users | Unlimited | Unlimited |
| Max collections | Unlimited | Unlimited |
| Login with SSO | - | <i class="fa fa-check" aria-hidden="true"></i> |
| Cloud-hosted | <i class="fa fa-check" aria-hidden="true"></i> | <i class="fa fa-check" aria-hidden="true"></i> |
| Self-host option | <i class="fa fa-check" aria-hidden="true"></i> | <i class="fa fa-check" aria-hidden="true"></i> |
| 1 GB encrypted file storage | <i class="fa fa-check" aria-hidden="true"></i> | <i class="fa fa-check" aria-hidden="true"></i> |
| Bitwarden Authenticator (TOTP) | <i class="fa fa-check" aria-hidden="true"></i> | <i class="fa fa-check" aria-hidden="true"></i> |
| Two-step login with YubiKey, U2F, Duo | <i class="fa fa-check" aria-hidden="true"></i> | <i class="fa fa-check" aria-hidden="true"></i> |
| Vault health reports | <i class="fa fa-check" aria-hidden="true"></i> | <i class="fa fa-check" aria-hidden="true"></i> |
| Priority customer support | <i class="fa fa-check" aria-hidden="true"></i> | <i class="fa fa-check" aria-hidden="true"></i> |
| Event Logs | <i class="fa fa-check" aria-hidden="true"></i> | <i class="fa fa-check" aria-hidden="true"></i> |
| User groups | <i class="fa fa-check" aria-hidden="true"></i> | <i class="fa fa-check" aria-hidden="true"></i> |
| API Access | <i class="fa fa-check" aria-hidden="true"></i> | <i class="fa fa-check" aria-hidden="true"></i> |
| Directory Connector | <i class="fa fa-check" aria-hidden="true"></i> | <i class="fa fa-check" aria-hidden="true"></i> |
| Enterprise Policies | <i class="fa fa-check" aria-hidden="true"></i> | <i class="fa fa-check" aria-hidden="true"></i> |
*Pricing shown is based on an annual subscription*
As our roadmap expands, we expect more enterprise capabilities to reside within this plan beyond Login with SSO and Enterprise Policies.
## Compare Teams and Enterprise Plans
{% image /plans/teams-enterprise.png Choose the plan that fits your organization the best %}
| | Bitwarden Teams | Bitwarden Enterprise |
|:---|:---:|:---:|
| **Cost** | $3/User/Month (billed annually) | $5/User/Month (billed annually) |
| **Feature** | | |
| Login with SSO | - | <i class="fa fa-check" aria-hidden="true"></i> |
| Enterprise Policies | - | <i class="fa fa-check" aria-hidden="true"></i> |
| Self-host option | - | <i class="fa fa-check" aria-hidden="true"></i> |
*Pricing shown is based on an annual subscription*
## Frequently Asked Questions
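Review bot: the hunk ends on an empty `## Frequently Asked Questions` heading with nothing beneath it; if the answers live in the Billing/Hosting/Feature FAQ articles added in this commit, link to the faqs category under the heading, otherwise drop the heading so the subscription article does not end in a blank section.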

View File

@@ -0,0 +1,74 @@
---
layout: article
title: Billing FAQs
categories: [faqs, miscellaneous]
featured: true
popular: false
hidden: false
tags: []
---
**Q: How can I add an extra user to my Families Plan?**
**A:** Bitwarden Family plans are currently capped at 6 users.
**Q: How do I add or remove a user seat from my organization?**
**A:** You can add or remove user seats at any time and the cost will be automatically pro-rated and debited/credited based on usage. In order to change your user seats, you will want to log into the Web Vault (<https://vault.bitwarden.com>) and go to Settings>Organizations>{Your Org Name}>Settings sub-tab (Gears Icon)>Subscription.
**Q: Can I pay with Bitcoin?**
**A:** Yes, please follow these steps:
1. If you havent already, create a free user account.
2. Once you do this, or if you already have a user account, navigate to Settings > Organizations > New Organization.
3. Create a free organization on <https://vault.bitwarden.com>.
4. Once that organization account is created, navigate to the admin area. Click on Settings (gear icon). Make sure it is the Settings under the Organization and not the Settings at the top.
5. Click on Billing, you can add Bitcoin credit to the account.
6. Once you have added the credit for the subscription amount, let us know, and we will generate and send you an invoice and activate the new account.
7. You will also receive an invoice from our payment processor (BitPay) at the time the Bitcoin is sent. After that, the Organization will be ready for use, you can also download a license file for your self-hosted installation, if you want to use that option.
**Q: How do I get started with my organization?**
**A:** If you are ready to activate the Organization plan, you will want to add a payment method to your account. In order to add a payment method for an Organization account:
Log into the Web Vault (<https://vault.bitwarden.com>)
Go to Settings > Organizations > {YOUR ORG NAME} > Settings sub-tab (Gears Icon) > Billing.
Once you have configured a payment method, let us know and we will finalize the subscription activation for you.
Q: How do I enable self-hosting for my account?
A: Youll need to create an account in the Bitwarden cloud (<https://vault.bitwarden.com>) for billing purposes, and generating/downloading your license.
1. If you havent already, create a free user account.
2. Once you do this, or if you already have a user account, navigate to Settings > Organizations > New Organization.
3. Create a free organization on <https://vault.bitwarden.com>.
4. Once the new Organization account is created, you can then download a license file for your self-hosted installation.
Here are additional articles related to an on-premise configuration and installation: <https://help.bitwarden.com/hosting/>.
**Q: What payments do you accept for customers outside the US?**
**A:** We accept Credit/Debit Cards, PayPal, and Bitcoin. We also accept international Wire Transfers or Corporate Checks. Please contact support for payment options here: <https://bitwarden.com/contact>
**Q: What payments do you accept for customers based in the United States?**
**A:** We accept Credit/Debit Cards, PayPal, Bank Account (ACH), and Bitcoin. For business accounts, we can also accept wire transfers and corporate checks, please contact billing support regarding these payment options. <https://bitwarden.com/contact>
**Q: How do I update my Organization license for my upcoming renewal?**
**A:** You will want to log into the Web Vault (<https://vault.bitwarden.com>) and go to Settings > Organizations > {YOUR ORG NAME} > Settings sub-tab (Gears Icon) > Subscription. There you will be able to download your new license file. You will need to obtain your Installation Id from the `./bwdata/env/global.override.env` configuration file on your server in order to generate the file, or you can also get it from the Bitwarden System Administration Portal `(https://{YOUR URL}/admin)`.
Once you have the new license file then you can log into your self-hosted Web Vault and go to Settings > Organizations > {YOUR ORG NAME} > Settings sub-tab (Gears Icon) > Subscription and apply it there. After applying the new license file, you will want to log out and log back in to make sure the disabled message has cleared.
**Q: Where in my account do I enter tax information (VAT)?**
**A:** Web Vault (<https://vault.bitwarden.com>) and go to Settings > Organizations > {YOUR ORG NAME} > Settings sub-tab (Gears Icon) > My Organization > Tax Information.
**Q: Where in my account can I view my subscription plan?**
**A:** Web Vault (<https://vault.bitwarden.com>) and go to Settings > Organizations > {YOUR ORG NAME} > Settings sub-tab (Gears Icon) > Subscription
Q: Where in my account can I view Billing information?
A: Web Vault (<https://vault.bitwarden.com>) and go to Settings > Organizations > {YOUR ORG NAME} > Settings sub-tab (Gears Icon) > Billing.
**Q: How do I delete my account?**
**A:** You can refer to the following help article for information on how to delete your Bitwarden account: <https://help.bitwarden.com/article/delete-your-account/>
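Review bot: Q/A formatting is inconsistent in this file: the self-hosting entry (`Q: How do I enable self-hosting for my account?`) and the billing-information entry (`Q: Where in my account can I view Billing information?`) lack the `**Q:**`/`**A:**` bolding every other entry uses, and `havent` (twice) and `Youll` are missing their apostrophes. Steps 1 to 3 of the self-hosting answer also repeat steps 1 to 3 of the Bitcoin answer verbatim; linking one to the other would keep them from drifting apart.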

View File

@@ -0,0 +1,214 @@
---
layout: article
title: Hosting FAQs
categories: [faqs, hosting]
featured: true
popular: true
hidden: false
tags: []
---
## Bitwarden Server service/user account and (optional: systemd service configuration)
{%note%}
You will want to configure the Bitwarden Server to use a `bitwarden` service account. $USER=bitwarden You will want to have your installation owned by the bitwarden service account, and you should be logged in as bitwarden.
After those are verified, you will want to make sure the UID and GID in the /bwdata/env/uid.env file are set to your bitwarden service account id numbers in Linux. When using the bitwarden service account you will also need to follow these steps:
1. Make sure the docker group has been created. sudo groupadd docker
2. Add the bitwarden account to the docker group sudo usermod -aG docker $USER
3. Create the bitwarden service file (may want to store it with your bitwarden installation) sudo vi bitwarden.service [Unit] Description=Bitwarden Requires=docker.service After=docker.service [Service] Type=oneshot User=bitwarden Group=bitwarden ExecStart={INSTALL_DIR}/bitwarden.sh start RemainAfterExit=true ExecStop= {INSTALL_DIR}/bitwarden.sh stop [Install] WantedBy=multi-user.target
4. Copy the bitwarden service file to systemd. sudo cp bitwarden.service /etc/systemd/system/bitwarden.service
5. Set permissions on bitwarden service file under systemd. sudo chmod 644 /etc/systemd/system/bitwarden.service
6. Optional (reload for testing) systemctl daemon-reload
7. Add service to start with system boot. sudo systemctl enable bitwarden.service
{%endnote%}
**Certificate Setup for Private CA, On-premises/self-hosted**
When configuring your server you will need to have three files, private key, server cert, and the CA cert then you will configure their path in the config.yml file in the Bitwarden installation directory.
The path that is defined in the `config.yml` is actually the location inside the NGINX container. The directory on the host is mapped to the container so you will actually want to make sure your correct certificate related files are under the `./bwdata/ssl/` directory.
You should only ever need to work with the files under `./bwdata/ssl/`, you do not want to work with files directly inside any container. It should line up like this (bitwarden.domain.local is only an example):
```
{ ./bwdata/config.yml }
ssl_certificate_path: /etc/ssl/bitwarden.domain.local/certificate.crt
ssl_key_path: /etc/ssl/bitwarden.domain.local/private.key
ssl_ca_path: /etc/ssl/bitwarden.domain.local/ca.crt
```
```
{ ./bwdata/ssl/bitwarden.domain.local }
ca.crt
certificate.crt
private.key`
```
Please make sure all of your CA certificates are all included in the CA certificate chain file if you have a Root CA and Intermediate CA certificate.
**Certificate Setup for Public CA, On-premises/self-hosted**
You will need to create a private key for the Bitwarden server. Then you can generate a CSR. You can use OpenSSL to accomplish this. Once you have generated the CSR then you can provide it to the Certificate Authority you are using to provide your server/site certificate. After you generate your key and certs, place them in the ./bwdata/ssl directory. Then you will need to map them in ./bwdata/config.yml. When configuring your server, you will need to have three files, private key, server cert, and the ca-cert then you will configure their path in the config.yml file in the Bitwarden installation directory. The path that is defined in the config.yml is actually the location inside the NGINX container. The directory on the host is mapped to the container so you will actually want to make sure your correct certificate related files are under the ./bwdata/ssl/ directory. You should only ever need to work with the files under ./bwdata/ssl/, you do not want to work with files directly inside any container. It should line up like this (bitwarden.domain.local is only an example):
```
{ ./bwdata/config.yml }
ssl_certificate_path: /etc/ssl/bitwarden.domain.local/certificate.crt
ssl_key_path: /etc/ssl/bitwarden.domain.local/private.key
ssl_ca_path: /etc/ssl/bitwarden.domain.local/ca.crt
```
```
{ ./bwdata/ssl/bitwarden.domain.local }
ca.crt
certificate.crt
private.key
```
Please make sure all of your CA certificates are all included in the CA certificate chain file if you have a Root CA and Intermediate CA certificate.
**Change Server Name**
In order to change the server name of your Bitwarden Server, you will need to configure the `url` in the `./bwdata/config.yml` with the new server name and the run the ./bitwarden.sh rebuild command. Next you will want to make sure the new name or FQDN has been set on all the `globalSettings__baseServiceUri__` variables in the `./bwdata/env/global.override.env` file. You will also need to make sure your certificate contains a Subject Alternative Name (SAN) with the new server FQDN.
If you are using a Let's Encrypt certificate, you can create a new one with the new server name by using these steps:
```
./bitwarden.sh stop
mv ./bwdata/letsencrypt ./bwadata/letsencrypt_backup
mkdir ./bwdata/letsencrypt
chown -R bitwarden:bitwarden ./bwdata/letsencrypt
chmod -R 740 ./bwdata/letsencrypt
docker pull certbot/certbot
docker run -i --rm --name certbot -p 443:443 -p 80:80 -v <Full Path from / >/bwdata/letsencrypt:/etc/letsencrypt/ certbot/certbot certonly --logs-dir /etc/letsencrypt/logs
Select 1, then follow instructions
openssl dhparam -out ./bwdata/letsencrypt/live/<your.domain.com>/dhparam.pem 2048
./bitwarden.sh rebuild
./bitwarden.sh start
```
**Gmail self-hosted config**
You can configure your Bitwarden Server to send email using your Gmail account by configuring these variable in the ./bwdata/env/global.override.env file. (Please note, with ssl=false it will default to use TLS)
```
globalSettings__mail__replyToEmail=no-reply@bitwarden.domain.com
globalSettings__mail__smtp__host=smtp.gmail.com
globalSettings__mail__smtp__port=587
globalSettings__mail__smtp__ssl=false
globalSettings__mail__smtp__username=Gmail-username
globalSettings__mail__smtp__password=Gmail-password
```
If you are using Two-Step Authentication with your Gmail account then you will need to generate an app-specific password for use with Bitwarden. You can generate an app-specific password by signing in to your Google and following their instructions. Once you have the app-specific password, enter it into Bitwarden's SMTP configuration in the ./bwdata/env/global.override.env file.
**High Availability**
High availability can be achieved by either configuring multiple instances of the containers into a Docker Swarm, Kubernetes, etc. environment and/or you can point the database connection string that the containers reference to any MSSQL database or cluster. Then you would probably want to load balance the NGINX containers or however you choose to handle the front-end.
**Let's Encrypt Manual Update (issue or domain/server name change)**
```
./bitwarden.sh stop
mv ./bwdata/letsencrypt ./bwadata/letsencrypt_backup
mkdir ./bwdata/letsencrypt
chown -R bitwarden:bitwarden ./bwdata/letsencrypt
chmod -R 740 ./bwdata/letsencrypt
docker pull certbot/certbot
docker run -i --rm --name certbot -p 443:443 -p 80:80 -v <Full Path from / >/bwdata/letsencrypt:/etc/letsencrypt/ certbot/certbot certonly --logs-dir /etc/letsencrypt/logs
Select 1, then follow instructions
openssl dhparam -out ./bwdata/letsencrypt/live/<your.domain.com>/dhparam.pem 2048
./bitwarden.sh rebuild
./bitwarden.sh start
```
**Migrate cloud to on-premise**
In order to migrate your data from a Bitwarden Cloud account to a self-hosted Bitwarden Server, you will want to follow the on-premise installation instructions:
<https://help.bitwarden.com/article/install-on-premise/>
Once you have completed the installation, you will need to download your Enterprise Organization license (this is written for someone doing a clean installation, you will only need to download the license from your existing Organization: <https://help.bitwarden.com/article/licensing-on-premise/#organization-account-sharing>
After the server is running and the Organization has been created and licensed, you will need to export your data from our servers and import it to your server: <https://help.bitwarden.com/article/export-your-data/>
Once you have completed the import, which will include the Collections, Items and their associations, you will need to set up the groups and users (there are several options so please check the relative links): <https://help.bitwarden.com/organizations/>
Please take note of the backup procedure: https://help.bitwarden.com/article/backup-on-premise/
**Restore Bitwarden Server Detailed (Restore Backup)**
Do you have a full backup of the entire Bitwarden Server directory (bwdata)? If so you can simply copy that back to the server and run the normal start command.
If you need to restore from a SQL backup then you will want to first log into the mssql container.
In order to log into the container you will first need to figure out the CONTAINER ID.
`docker ps`
Note the CONTAINER ID for the bitwarden/mssql container and then log in by running:
`docker exec -it {CONTAINER ID} /bin/bash`
Once you are in the container, you will want to find the name of the latest backup file under /etc/bitwarden/mssql/backups/ and note the name of the BAK file. Now you can make a new backup file just in case. To do this you will simply run ./backup-db.sh found on the root "/" of the container
Now you will need to log into the mssql instance.
`/opt/mssql-tools/bin/sqlcmd -S localhost -U sa`
Password: (Please note, you will want to get the database sa password from the /bwdata/env/global.override.env file on your host.)
```
1> use master
2> GO
1> alter database vault set offline with rollback immediate
2> GO
1> restore database vault from disk='/etc/bitwarden/mssql/backups/vault_FULL_{Backup File Name}.BAK' with replace
2> GO
1> alter database vault set online
2> GO
1> exit
```
You can now exit the container and then you will not need to restart the Bitwarden Server as normal.
**Custom Server Ports**
To use custom ports instead of 80 and 443, you will need to set the new ports in the config.yml and then run the rebuild command (./bitwarden.sh rebuild). Next you will want to make sure the custom https port has been set on all the globalSettings__baseServiceUri__ variables in the ./bwdata/env/global.override.env file.
**SMTP Config w/ Mail Service Options**
- Have you already configured an SMTP server in your Bitwarden's ./bwdata/env/global.override.env file? You will want to check the post-install steps which cover SMTP configuration:
<https://help.bitwarden.com/article/install-on-premise/#post-install-environment-configuration>
If you edit the ./bwdata/env/global.override.env file on your server, you will want to set the globalSettings__mail__smtp__ variables.
- Do you currently have a mail server or a mail service you currently use which can relay email from your Bitwarden server? If you don't then you may want to consider a service such as Mailgun (<https://www.mailgun.com/>) or SparkPost (<https://www.sparkpost.com/>) which allows for many relayed emails for free per month.
**Trust a private CA issued or Self-signed certificate for Bitwarden Client**
When using a self-signed certificate, you will need to add the certificate to your OS's Trusted Root Certification Authorities Store. Are you running the Directory Connector on Windows or Linux? If you are using Windows then you can simply run certmgr.msc and then import the certificate into the correct store/folder. If you are using Linux then you will want to add the certificate to these directories:
/usr/local/share/ca-certificates/
/usr/share/ca-certificates/
Then run these commands:
sudo dpkg-reconfigure ca-certificates
sudo update-ca-certificates
Once you have trusted the certificate then you will need to close the client/app and relaunch it.
The CLI and BWDC CLI are written in Node.js, a private CA certificate or self-signed certificate, if being used, will need to be trusted using one of the following environment variables:
Linux:
export `NODE_EXTRA_CA_CERTS=/path/to/cert/ca.crt`
Windows:
`NODE_EXTRA_CA_CERTS | C:\path\to\cert\ca.crt`
**When does an Organization Invitation expire?**
**A:** 5 days (If self-hosting it can be configured with globalSettings__organizationInviteExpirationHours=120)
**When does an Offline Vault session expire:**
**A:** 30 days except for mobile is 90 days
**When does a “Remember Me” 2FA selection:**
**A:**30 days
**How long are Event Logs stored:**
**A:** A retention policy is not configurable at this time.
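Review bot: the Let's Encrypt procedure, repeated under "Change Server Name" and "Let's Encrypt Manual Update", contains `mv ./bwdata/letsencrypt ./bwadata/letsencrypt_backup`; `bwadata` is a typo, and because that parent directory does not exist the `mv` fails, so the steps cannot be run as written in either place; change it to `./bwdata/letsencrypt_backup` in both blocks. In the same blocks `chmod -R 740 ./bwdata/letsencrypt` strips the execute (traverse) bit from the directories for group and other, which is rarely what is wanted for a directory tree; `chmod -R u=rwX,g=rX,o=` or a non-recursive chmod is the usual form. Other points: the systemd unit in step 3 of the service-account note is run onto a single line and should be a fenced block so `[Unit]`, `[Service]` and `[Install]` sections are readable; `private.key\`` in the first certificate listing has a stray backtick; the restore answer's closing sentence "you will not need to restart the Bitwarden Server as normal" is ambiguous and should state plainly whether a restart is required; and the "Remember Me" question is missing its verb ("When does a Remember Me 2FA selection expire?").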

View File

@@ -0,0 +1,282 @@
---
layout: article
title: Feature FAQs
categories: [faqs, features]
featured: true
popular: true
hidden: false
tags: []
---
**Q: How do I change a collection via the CLI?**
**A:** In order to change a Collection, you will use a dedicated command (bw edit item-collections).
e.g., $ echo '["a17a5b7f-66b8-4980-91a1-aaac005df696"]' | bw encode | bw edit item-collections ee9f9dc2-ec29-4b7f-9afb-aac8010631a1
You can add multiple Collection IDs at the same time by using a comma to separate them.
**Q: Can I install Bitwarden without Google Play?**
**A:** Yes! You can download directly from GitHub <https://github.com/bitwarden/mobile/releases> or via F-Droid by adding our repo <https://mobileapp.bitwarden.com/fdroid/>
**Q: How do I enable Autofill in Android?**
**A:** There are two services that need to be enabled on Android to cover all Auto-fill scenarios, AUTO-FILL SERVICE and AUTO-FILL ACCESSIBILITY SERVICE. These services can be enabled from within the Bitwarden App under Settings.
When configured, you should see "Enabled" in green text. Double-check under the AUTO-FILL ACCESSIBILITY SERVICE that the Permission shows "Granted" in green text as well. https://help.bitwarden.com/article/auto-fill-android/
One last thing you will want to check is the battery optimization settings on your phone and make sure it is turned off for Bitwarden. Often, Android Battery Optimization will turn off services to save battery and in turn kill the auto-fill services.
**Q: How do I view attachments?**
**A:** If you are using the mobile app then you will select an item to view it and then select the "3 dots" menu at the top right of the app window to download and view the attachment.
**A:** Here you can see the ways to attach a file in all other clients: <https://help.bitwarden.com/article/attachments/>
**Q: What events are audited in my organization?**
**A:** You can check to see what events are captured in this article: <https://bitwarden.com/help/article/event-logs/>
**Q: Can Bitwarden restore my individual vault?**
Bitwarden is unable to restore user vaults. We recommend everyone make regular backups (via export) of their vault data. You can learn more about backing up your vault here:
<https://bitwarden.com/help/article/export-your-data/>
**Q: How do I backup my self-hosted server?**
**A:** Please see this helpful article regarding backup procedures for your self-hosted server: <https://help.bitwarden.com/article/backup-on-premise/>
**Q: I have invited a user to my organization but they cannot see shared items**
**A:** Once a user has accepted the invitation, an Organization Owner or Admin will need to go to the People management page and "Confirm" the user. This is a very important step as it completes the public-key exchange allowing for the sharing of encrypted information.
**Q: My organization owner is no longer with the company, how can a new owner be created?**
**A:** We recommend having multiple and dedicated owner accounts to prevent this situation, however, if you need assistance with this, please contact customer success here: <https://bitwarden.com/contact>
**Q: How do I configure custom fields?**
**A:** Here is an example of how to configure a Custom Field:
1. Right-click the field you want to fill and select "Inspect". The HTML element will appear highlighted in a console window.
2. Find the element id. You are looking for what comes after id=" ". Copy what is in between the " ". It needs to be exactly the same.
3. Open the website, login into your vault, and edit it.
4. Select "Hidden" and then press the blue "+" icon
5. In the "Name" field paste the element ID
6. In the "Value" field enter your info you want auto-filled.
7. Save.
Now when you auto-fill, the additional field should be there. Please see this help article for more information: <https://help.bitwarden.com/article/custom-fields/>
**Q: How do I import my data if I dont see my service on the import options?**
**A:** If we do not have support for the service you are using, then you will have the option of creating a generic CSV to fit our format. We have detailed info on this format and a template file you can use located here, <https://help.bitwarden.com/article/import-data/#generic-csv-format-individual-account>.
You can also generate a dummy JSON export file from Bitwarden to use as a template if you prefer working with JSON.
**Q: How do I delete an item?**
**A:** In order to delete an item, you will first need to edit the item and then go to the bottom of the edit page. You can then select Delete. Once deleted, the item will be in the trash. In order to permanently delete, you will need to remove it from the trash.
To learn more about managing items, check out this article: <https://bitwarden.com/help/article/managing-items/>
**Q: Can I use Directory connector to sign into Bitwarden?**
**A:** The Directory Connector tool provides the functions to automatically provision and deprovision users, groups, and group associations from your user directory (LDAP, Active Directory, G Suite, Azure AD, or Okta).
To use an existing identity provider for authentication, youll need to subscribe to our enterprise plan and configure it.
**Q: How can I disable Firefox Autofill?**
You will want to check the settings of the browser. First, you will select the Options Menu in the top right corner of the window. It is the 3 line icon or "hamburger button" as some people call it. Then select Logins and Passwords. A small window will open and you will uncheck the box for Autofill logins and passwords. Then you can close the small Logins windows and go back to the Options Menu and select Options. Now find the section in my image provided and uncheck those boxes.
**Q: Does Bitwarden have a way for me to let someone into my account if I am unable to log in?**
**A:** This is what we call Emergency Access feature, and it is one of our most requested according to our community. We have added this feature to our product road map and intend to bring it into the platform soon.
**Q: How can I enable Auto-fill On Page Load?**
**A:** In order to perform an autofill when a website or page loads, you will want to go to Settings > Options and select "Enable Auto-fill On Page Load".
If you do not want to enable autofill when a page loads and still want the ability to autofill easily and quickly then you may want to try using the keyboard shortcuts or one of the other autofill methods shown here: <https://help.bitwarden.com/article/auto-fill-browser/>
**Q: Does Bitwarden have an Encrypted Export File?**
**A:** Currently Bitwarden doesnt have a native encrypted export, but it is on our roadmap for 2020.
Alternatively, we recommend using something like PeaZip to create an encrypted archive of the file after you have exported your data from Bitwarden.
You can learn more about PeaZip here:
- <http://www.peazip.org/>
- <https://github.com/giorgiotani/PeaZip >
{%warning%}
Disclaimer: Please note that PeaZip is a third party program and is not supported by Bitwarden. These links were shared with you as an option for you to use at your own risk.
{%endwarning%}
**Q:Can I download Bitwarden on F-Droid? I cannot find it.**
**A:** Yes, by adding our official private repo which removes all non-approved libraries: <https://mobileapp.bitwarden.com/fdroid/>
Unfortunately, F-Droid can not compile our app from source as it is based on Xamarin and it is not supported by F-Droid's current compiler methods, so we must use a separate repo.
**Q:How do I rename a folder?**
**A:** From your Web Vault, in the left-hand column labeled "Filters", find the folder you would like to change and select it. Once the folder is open you will see a "Pencil" icon next to the name that you just selected. Click that icon and a pop-up will appear allowing you to edit the name.
**Q: I have forgotten my master password, what can I do?**
**A:** Please see our article here:
<https://bitwarden.com/help/article/forgot-master-password/>
**Q: How do I hide passwords from users?**
**A:** You can enable the hiding of passwords by enabling “hide passwords” on the collection assignment page.
You can learn more about access control here: <https://bitwarden.com/help/article/user-types-access-control>
**Q: How can I see the history of a password that has been changed?**
The ability to view the password history of a Login Item is available. You can open the item in question and select the "1" next to Password History near the bottom of the window.
{%warning%}
Clicking on the number will expose the historical password values in plain text immediately.
{%endwarning%}
**Q: Can I see the history of the passwords I have generated?**
**A:** You can view the history of the Password Generator but please note that is a separate history per app/client. This information is not synchronized between devices.
**Q: Can I export/import from iCloud/Mac Keychain?**
**A:** There isn't an official way to export the data from iCloud, Mac Keychain or Safari as Apple doesn't provide this ability.
Here are some third-party programs available to export this data:
- <https://gist.github.com/rmondello/b933231b1fcc83a7db0b>
- <https://github.com/lifepillar/CSVKeychain>
{%warning%}
Please note that these 3rd party scripts/programs are unsupported by Bitwarden and Apple and are used at your own risk.
{%endwarning%}
Once you have exported your data, here is a helpful article for importing your data from the two mentioned programs: <https://help.bitwarden.com/article/import-data/>
**Q: How do I enable iOS AutoFill?**
**A:** Make sure Bitwarden is set to your AutoFill app by going to your iOS Settings > Passwords & Accounts > AutoFill Passwords > Bitwarden.
While testing Bitwarden, it is best to only have Bitwarden enabled to avoid any conflicts. You can always set the Keychain or any other app back as an active option at any time if you choose to do so. Once you have that set, you can go to an app or site to log in and when you select the username or password field, the keyboard will display and the Passwords option will be selectable at the top of the keyboard.
You can see more about Bitwarden for iOS here: <https://bitwarden.com/help/article/getting-started-ios/>
**Q: Why does something I shared with the organization stay after I leave?**
**A:** When a user shares an item with an Organization, the Organization takes over ownership of the item. Even if the user account has its association with the Organization removed or if the user account is deleted, the item will remain with the Organization.
**Q: Why am I getting a New Device Email Message?**
**A:** Typically this occurs for users that have a setting on their browser which clears their local storage and/or cookies whenever they close the browser or while they are using the browser. There are extensions that perform these actions. If this happens, you lose the indicator which tells our servers that it is an existing device. New device notification messages are not contingent on the IP address, only the device itself. We use local storage in the browser or client to label the device with an id. If that id has never logged in before then you will get an email. If a user clears this local storage, a new id is generated for that device and it will get a new email.
You may need to make an exception for Bitwarden or configure your whitelist to keep the cookie or local storage from being cleared for Bitwarden. This could also happen if you have your browser set to never remember history.
**Q: Can I use SMS 2FA?**
**A:** We do not support SMS 2FA due to vulnerabilities including SIM hijacking. We also do not recommend SMS 2FA for other accounts unless it is the only available method, as any second factor is recommended over having none.
**Q Do I need premium and families?**
**A:** The legacy Families plan only provided one user premium features, and the other 4 users would need to upgrade to premium individually, or the family organization owner could upgrade them all.
Currently, the Families plan introduced in September 2020, supports premium features for up to 6 users.
**Q: How do I install the Safari Extension?**
**A:** The new Safari extension is now packaged with the Bitwarden Desktop App. You can download the latest app here: https://vault.bitwarden.com/download/?app=desktop&platform=macos. You can also use the App Store version.
Be sure to run the application once. If the extension still does not appear, it may just need to be enabled. In Safari, check under Preferences > Extensions
**Q: How do I share items with Organization ?**
**A:** You will want to log into the Web Vault (<https://vault.bitwarden.com>) and select the small gear menu that appears to the right of an item when mouse over it and select share.
After an item is shared, if you want to adjust the Collections the item is shared with then use the same menu and select Collections.
You can bulk share items by checking the box next to multiple items and then selecting the gear menu at the top next to My Vault and then select Share.
**Q: How can I start Bitwarden when Windows starts?**
In order to set Bitwarden Desktop to startup, please follow these steps:
1. Select the Start (Windows Logo) button, select All apps, and scroll to find the Bitwarden Desktop app/shortcut.
2. Right-click the Bitwarden Desktop app, select More, and then select Open file location.
3. With the file location open, press the Windows logo key + R, type shell:startup, then select OK. This opens the Startup folder.
4. Copy and paste the shortcut to the Bitwarden Desktop app from the file location to the Startup folder.
**Q: How do I perform a sync on my application?**
**A:** You can find more on vault syncing here: <https://bitwarden.com/help/article/vault-sync/>.
**Q: What is TOTP and how can I use it?**
**A:** Time-based One-time Password (TOTP) - <https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm>
Each website that supports TOTP or 2FA with an "Authenticator" calls it differently and each handles the procedure of setting up a little differently. You will need to start the set up from each individual web site that you are accessing. (e.g. google.com, amazon.com).
1. You will want to edit any item that you wish to use TOTP with.
2. Populate the "Authenticator Key (TOTP)" field with the seed key you are provided with. *You can also use the Bitwarden mobile application to directly scan QR codes and it will populate automatically.
3. Save the changes.
Now, Bitwarden will store and generate the timed code that you will be asked for when logging into services with TOTP 2FA enabled. Here is a handy website that you can use to test this feature: <https://totp.danhersam.com/>
Whenever you auto-fill a website that has TOTP attached, the code will automatically be copied to your device's system clipboard. Now you can quickly paste the code into the field when challenged.
**Q: Why is U2F Not Supported on my iOS or Android App?**
**A:** At this time, due to platform/OS limitations, FIDO U2F cannot be used with all Bitwarden applications. You should enable another two-step login provider so that you can access your account when FIDO U2F cannot be used. We are expanding our U2F capabilities
**Q: How do I unshare an item?**
**A:** At this time there isn't an "unshare" option. You will need to manually create or clone the item back into your personal vault and then delete the item from the Organization. You can also use an export/import method if you ever need to move multiple items back to a personal vault.
Alternatively if you want to 'unshare' it just from non-admin users, you can create a collection for admin-owned items and assign the item to *only* that collection.
**Q: How do I use the web browser extension?**
**A:** Using the Bitwarden Web Browser Extension is a good way to add your passwords to your vault. Anytime it detects a password field on a website that it doesn't have in its database, it will ask to save.
For updating, anytime there is a password field detected, when you enter a password if it doesn't detect the same password as what it has in its database then it will ask you to update it. You will see a banner at the top of the web page that will prompt you to save or update.
Please see this helpful article regarding interacting with a web page to fill your Login Item information:
- <https://help.bitwarden.com/article/auto-fill-browser/>
Bitwarden Web Browser Extension video on YouTube:
- <https://youtu.be/dBPfr7Jiddw>
More helpful videos from the Bitwarden Community on YouTube:
- <https://youtu.be/L1BNrVrvWw4>
- <https://youtu.be/TREdS8iq6Qg>
- <https://youtu.be/uF6tzGYaIxg>
**Q: How do I add attachments?**
**A:** Support for attachments require:
- A premium individual membership
- An organization that offers attachments in the organization vault
- Being a member of an enterprise organization that gives premium features to its users
If you have a personal premium membership or are a member of an enterprise organization and receive premium features, you can add attachments by:
1. Create the item in which you wish to save the attachment
2. Once the item is save, you can then edit the item and add your file attachments
If you are a member of an organization that offers attachments, youll need to create the item *within the organization vault* - and then proceed to edit the item and add the attachment. Please note that personal items within this configuration will not support attachments.
**Q: I am asked for my master password even though I have PIN unlock enabled on iOS / Android**
**A:** When you enable PIN unlock, you are prompted if youd like to use your Master Password after an application restarted (closed). If you select yes, if the app is closed or backgrounded, the PIN will be prompted.
To reset this:
- Disable PIN Unlock
- Enable PIN Unlock
- Select No when prompted about using the Master Password after application restart.
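Review bot: three answers in this hunk are missing their **A:** marker (the Firefox Autofill, password history and Windows startup entries), and the Firefox answer ends with "find the section in my image provided and uncheck those boxes" although no image is included in the article, so either embed the screenshot or name the settings to uncheck. While touching these lines, also fix the PeaZip link `<https://github.com/giorgiotani/PeaZip >`, whose trailing space inside the brackets breaks the autolink, and give the headings at "Q:Can I download", "Q:How do I rename" and "Q Do I need" the same "Q: " form as the rest.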

@@ -0,0 +1,81 @@
---
layout: article
title: Security FAQs
categories: [faqs, security]
featured: false
popular: false
hidden: false
tags: []
---
## Compliance General
### Current Certifications
- GDPR
- CCPA
- SOC 2 Type 2
- SOC 3
### GDPR
You can read more about Bitwardens data protection and privacy policies here:
<https://bitwarden.com/privacy/>
### SOC Certifications
You can find more about our SOC certifications on our blog [here.](https://bitwarden.com/blog/post/bitwarden-achieves-soc-2-certification/)
## Desktop Electron Backdoor Concern
The often shared article suggests an attack that requires a user to have a compromised machine, which of course would allow a malicious attacker to compromise data on that machine. As long as you have no reason to believe the device you are using has been compromised, your data is safe.
## Duo MFA / 2FA / Two-step Login Requirement
The ability to enforce 2FA is made possible using an [Enterprise Policy](https://bitwarden.com/help/article/policies/) included with an Enterprise Organization subscription. As an additional option, you can enable Duo MFA integration to enforce 2FA/MFA for your Organization.
## New Device Not Recognized
Do you recognize the IP address as a home or work IP address? If you Google "my ip" it will show the current IP address of your current connection. Make sure you check the IP of your mobile network as well. You will want to check if the IP shown in the notification is similar or not. If the IP isn't recognizable then it is recommended for you to change your password and make sure Two-step Login is configured on your Bitwarden account. You will also want to log into the Web Vault (https://vault.bitwarden.com) and go to Settings > My Account. Scroll to the bottom of the page and select Deauthorize Sessions. After Bitwarden has been updated with the new password and sessions have been reauthorized, you may want to change any accounts you have configured in Bitwarden. This is mainly precautionary steps, it doesn't mean someone has definitely logged into your account without permission. Are you sure the email on the message was to the right email address and not another account you may have? This notification could be a false positive or a fake/joke message but if you cannot determine why it was sent then you may want to be sure you are safe. It is better safe than sorry. Remember, access only is possible with your username, password, and alongside your Two-step Login if configured. The only way someone could access your account is if you do not have a Two-step Login configured and they guess your password if it doesnt happen to be strong enough or a simple phrase.
## Master Password Stored Locally?
We do not keep the master password stored locally or in memory. Your encryption key (which is derived from the master password) is kept in memory while the app is unlocked. This is needed to decrypt data in your vault. When the vault is locked, this data is purged from memory. We also reload the application's renderer process after 10 seconds of inactivity on the lock screen to make sure any managed memory addresses which have not yet been garbage collected are also purged. We do our best to ensure that any data that may be in memory for the application to function is only held in memory for as long as you need it and that memory is cleaned up whenever the application is locked. We consider the application to be completely safe while in a locked state.
## Third party scripts, libraries, and services
Currently, we load third-party payment scripts from Stripe and PayPal on payment pages in the Web Vault. In the mobile app, the Firebase script is used for push notifications. The HockeyApp is used for crash reporting. Please note, Firebase and HockeyApp are removed completely from the F-Droid build if you are interested in using that option. Turning off push notifications on a Bitwarden server will disable using the push relay server if you want to self-host.
## Security General (Whitepaper, Audit report, etc.)
- Assessment Report: [Available here](https://cdn.bitwarden.net/misc/Bitwarden%20Security%20Assessment%20Report.pdf)
- Additional Reading (Security): <https://help.bitwarden.com/security/>
- HackerOne: <https://hackerone.com/bitwarden>
- GitHub Project: <https://github.com/bitwarden>
## Self-signed Certificate Setup, On-premises/self-hosted
When configuring your server with a self-signed certificate you will need to have two files, a private key and a server cert, then you will configure their path in the config.yml file in the Bitwarden installation directory. You can see an example of how to create a self-signed cert by referring to #6 here: https://help.bitwarden.com/article/install-on-premise/#manual-docker-installations The path that is defined in the config.yml is actually the location inside the NGINX container. The directory on the host is mapped to the container so you will actually want to make sure your correct certificate related files are under the ./bwdata/ssl/ directory. You should only ever need to work with the files under ./bwdata/ssl/, you do not want to work with files directly inside any container. It should line up like this (bitwarden.domain.local is only an example):
```
{ ./bwdata/config.yml }
ssl_certificate_path: /etc/ssl/bitwarden.domain.local/certificate.crt
ssl_key_path: /etc/ssl/bitwarden.domain.local/private.key
Ssl_ca_path:
```
```
{ ./bwdata/ssl/bitwarden.domain.local }
certificate.crt
Private.key
```
## Web Browser Extension Security/Safety Concern
Extensions are safe to use if they are developed correctly. Due to the nature of how browser extensions work there is always a chance for a bug to arise. We take extreme care and caution when we are developing our extensions and add-ons, we keep our eyes and ears out for anything going on in the industry, and we conduct security audits for many more eyes on everything.
## Web Browser Permission Request
Users now have the ability to schedule their clipboard to be cleared of any Bitwarden entries made when filling forms or any other activity they may perform with Bitwarden which uses the clipboard. The permission requested by the extension is asking for an allowance for the app to do this. We need to read the clipboard value to ensure that we don't clear it out if it isn't a value you copied from the Bitwarden app itself. We keep track of the last copied Bitwarden value when we go to clear the clipboard N seconds later, we read the clipboard and then check it against the last copied value from Bitwarden, if it is the same, we clear it, if not, we leave it alone. This way we don't overwrite any important information you may have in your clipboard. This option is disabled by default and will only become active if you choose to set a schedule.
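Review bot: the config.yml example in the self-signed certificate section is case-inconsistent and would not work as written: the third key is shown as `Ssl_ca_path:` while the other two are lower-case (`ssl_certificate_path`, `ssl_key_path`), and the file listing shows `Private.key` although `ssl_key_path` points at `private.key`; on a Linux host and inside the NGINX container these names are case-sensitive. In the New Device section, "sessions have been reauthorized" should read "deauthorized" to match the Deauthorize Sessions step just before it, and "change any accounts you have configured" should say change the passwords of those accounts. The Electron section refers to "the often shared article" without a link, so the reader cannot tell which claim is being answered.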

@@ -0,0 +1,40 @@
---
layout: article
title: Open ID Connect (OIDC) Configuration
categories: [login-with-sso]
featured: false
popular: false
tags: [sso, saml, oidc, openid, saml2.0, idp, identity]
---
## OpenID Connect Configuration
### Callback Path
URL for Bitwarden authentication redirect (automatically generated). Configure this in your identity provider for the login redirect URI.
### Signed Out Callback Path
URL for Bitwarden sign-out redirect (automatically generated). Configure this value in your identity provider for the logout redirect URI.
### Authority
*Required* Your Identity Provider URL or Authority that Bitwarden will perform Authentication against.
### Client ID
*Required* for Bitwarden messages to be identified by your Identity Provider
Your Identity Provider's client ID for Bitwarden. You will need to configure this before enabling SSO.
### Client Secret
In conjunction with your Client ID for authentication against your Identity Provider, this value may be required depending on your identity providers configuration, needs, or requirements.
### Metadata Address
Provides Identity Provider information back to Bitwarden. This is required if the Authority is not a valid URL.
### Other OIDC Options
- Get Claims From User Info Endpoint (*Boolean*) - Check this value if you start receiving URL too long errors (HTTP 414), truncated URLs, and/or failures during SSO.
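Review bot: the Client ID entry is two fragments ("*Required* for Bitwarden messages to be identified by your Identity Provider" followed by "Your Identity Provider's client ID for Bitwarden"); fold them into one sentence in the same shape as the Authority entry, e.g. "*Required*. The client ID your Identity Provider issued for the Bitwarden application; configure it there before enabling SSO." The Authority and Metadata Address entries should also state the relationship explicitly: Metadata Address is the provider-metadata URL Bitwarden reads when the Authority is not itself a valid URL. Minor: "identity providers configuration" needs the possessive "identity provider's".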

@@ -0,0 +1,110 @@
---
layout: article
title: SAML 2.0 Configuration
categories: [login-with-sso]
featured: false
popular: false
tags: [sso, saml, oidc, openid, saml2.0, idp, identity]
---
## Key Terms and Definitions
- SP - Service Provider, this is your Bitwarden instance
- IdP - Identity Provider, this is your identity server, provider, or federated identity service.
- Name ID - This is a value provided by the IdP that identifies the user claim represented by the assertion; a Name ID may be transient (different every time) or persistent (the same every time).
- Authn Request - A request created by the SP and sent to the IdP to initiate the authentication.
- Assertion - A response to the Authn Request from the IdP to the SP that contains any number of claims and attributes for use by the SP in return.
- Entity ID - This is a unique identifier, commonly a URL, and also commonly = to the base URI for each SP and IdPs respective service endpoints (but not necessarily, it could be any string).
- Signing - This is a digital signature created using a partys private signing certificate and then verified by the relaying party using the source public key.
## SAML *Service Provider* Configuration
### SP Entity ID
Bitwarden Login with SSO endpoint (automatically generated)
### Name ID Format
Options:
- Unspecified (default)
- Email Address
- X.509 Subject Name
- Windows Domain Qualified Name
- Kerberos Principal Name
- Entity Identifier
- Persistent
- Transient
### Outbound Signing Algorithm
Options:
- <http://www.w3.org/2000/09/xmldsig#rsa-sha1>
- **<http://www.w3.org/2001/04/xmldsig-more#rsa-sha256> (*default*)**
- <http://www.w3.org/2000/09/xmldsig#rsa-sha384>
- <http://www.w3.org/2000/09/xmldsig#rsa-sha512>
### Signing Behavior
Options:
- If IdP Wants Authn Requests Signed (*default*)
- Always
- Never
### Other Service Provider Options
- Want Assertions Signed (Boolean)
- Validate Certificates (Boolean)
- (check only when using trusted and valid certificates from your IdP through a trusted CA, self-signed certificates may fail unless proper trust chains are configured within the Bitwarden SSO docker image; that is outside of the scope of this article)
## SAML *Identity Provider* Configuration
### Entity ID (*Required*)
The address or URL of your Identity Server or IdP Entity ID as configured in your identity provider service.
### Binding Type
Options:
- HttpRedirect
- HttpPost (recommended)
- Artifact
### Single Sign-On Service URL
*Required if IdP Entity is not a URL*
### Single Log Out Service URL
URL for SLO messages. This functionality is not yet available for Bitwarden, however you can preconfigure this URL.
### Artifact Resolution Service URL
*Required if Binding type = Artifact*
### X509 Public Certificate
Only include the X.509 Base-64 encoded certificate body and not the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines or portions of the CER/PEM formatted certificate.
*Required if Signing behavior != Never*
### Outbound Signing Algorithm
Options:
- <http://www.w3.org/2000/09/xmldsig#rsa-sha1>
- **<http://www.w3.org/2001/04/xmldsig-more#rsa-sha256> (*default*)**
- <http://www.w3.org/2000/09/xmldsig#rsa-sha384>
- <http://www.w3.org/2000/09/xmldsig#rsa-sha512>
### Other Identity Provider Options
- Allow Unsolicited Authentication Response (*Boolean*)
- Disable Outbound Logout Requests (*Boolean*)
- Want Authentication Requests Signed (*Boolean*)
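Review bot: both Outbound Signing Algorithm lists give the wrong identifiers for SHA-384 and SHA-512: the RSA-SHA384 and RSA-SHA512 URIs are `http://www.w3.org/2001/04/xmldsig-more#rsa-sha384` and `http://www.w3.org/2001/04/xmldsig-more#rsa-sha512` (RFC 4051, same namespace as the `rsa-sha256` default); only `rsa-sha1` lives under `2000/09/xmldsig`. If the UI really offers the `2000/09` strings, that is a bug in the dropdown rather than the docs. The `rsa-sha1` option should carry a note that SHA-1 signatures are deprecated and the default should be kept unless the IdP cannot do better. Also "relaying party" in the Signing definition should be "relying party", and the parenthetical under Validate Certificates reads as its own bullet rather than text attached to that option.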

@@ -0,0 +1,109 @@
---
layout: article
title: Getting started with Login with SSO
categories: [login-with-sso]
featured: true
popular: false
tags: [sso, saml, oidc, openid, saml2.0, idp, identity]
---
## What is Login with SSO?
The Login with SSO feature allows you to use your existing Identity Provider to authenticate into Bitwarden. Login with SSO is available on the current Enterprise Plan.
### Identity Server Requirements
- Support for SAML 2.0
- Support for OpenID Connect
### Bitwarden API/ Server Requirements
- Bitwarden Cloud services
- Self-hosted Bitwarden Server v1.37+
### Client requirements
- Desktop version 1.21+
- Browser extension version 1.46+
- Mobile version 2.6+
- Web version 2.16+
- CLI version 1.12+ (CLI applications leveraging Login with SSO must run on systems with an available web browser)
## Workflow
{%image /sso/sso-workflow.png Overview of Bitwarden Single Sign-On Workflow %}
## General settings and configuration
To enable Login with SSO, youll need to log into the Bitwarden Web Vault and access your Organization.
### Organization Identifier
When enabling Login with SSO, youll create an organization identifier, unique to your organization, that will allow the client to identify and connect to the right identity servers. This will be entered upon login.
Define the Organization Identifier inside the Organization Vault: Settings > My Organization.
{%image /sso/sso-orgid.png Overview of Bitwarden Single Sign-On Workflow %}
Once you have created your Organization Identifier from the Organization Settings page, youll
select the link to the Business Portal.
{%image /sso/sso-business-portal.png Enter the new Business Portal to manage Organization settings %}
Within the Business Portal, youll see the option to enable and configure Login with SSO.
{%image /sso/sso-select.png Select your protocol %}
Click the checkbox to enable Single Sign-On and select the protocol for your Identity Provider.
{%note%}
Depending on your Identity Provider and configuration, you may need to perform the creation of an additional API key or Application ID within the Identity service prior to enabling and configuring your Bitwarden Organization.
We recommend you maintain a distinct application ID or reference for Bitwarden within your Identity Server.
{%endnote%}
### SAML 2.0 Configuration
Bitwarden Login with SSO is configurable to work with your SAML 2.0 IdP - for details on configuration please use [this article.](https://bitwarden.com/help/article/configure-sso-saml/)
{%image /sso/sso-saml.png SAML 2.0 Configuration Options %}
### Open ID Connect (OIDC) Configuration
Bitwarden Login with SSO is configurable to work with your OIDC IdP - for details on configuration please use [this article.](https://bitwarden.com/help/article/configure-sso-oidc/)
{%image /sso/sso-oidc.png Open ID Connect Configuration Options %}
## Logging In with SSO
Logging into your Bitwarden client using Login with SSO is accomplished by a few steps.
1. Once your Bitwarden client app is installed, navigate to the login screen or window.
2. Click or tap the **Enterprise Single Sign-On** button.
3. Enter your Organization Identifier.
4. A browser window will open, allowing you to enter your Single-Sign-On credentials and any other required authentication mechanisms.
5. Upon successful login:
- For existing accounts, you will be brought back into the Bitwarden application and prompted for your Master Password.
- For new accounts, you will be prompted to create your Master Password and provide a password hint if desired.
- The user is now logged into their Bitwarden account and is in *accepted* status within their organization.
{%note%}
Users that register “Just-In-Time” or “on the fly” for their Organization will still need to be confirmed to access any shared Organization Items. For more information about managing and confirming users, visit our article [here.](https://bitwarden.com/help/article/managing-users/)
Users will also need to be assigned to any Groups and Collections.
Users that are created via Login with SSO **will still be properly organized into their groups and collections** if leveraging the [Directory Connector.](https://bitwarden.com/help/article/directory-sync/) utility.
{%endnote%}
## FAQs
**Q: What Plans offer Login with SSO?**
**A:** Current Enterprise plans offer this feature. To upgrade from a Classic Enterprise plan to a current Enterprise offering, please [contact us](https://bitwarden.com/contact)
**Q: Will changing my SSO password affect my Master Password?**
**A:** No, your Master Password will remain the same unless changed within the web Vault.
**Q: Will this work with a self-hosted instance of Bitwarden?**
**A:** Yes! It will work with self-hosted regardless of whether it is on-premise or in your own cloud, as long as your Identity server is reachable from the Bitwarden instance.
**Q: Do I still need to use Bitwarden Directory Connector?**
**A:** If you manually manage your Bitwarden Group and Collection assignments, there is no need to leverage the Directory Connector. However, if you would like to have Groups and users automatically synchronized, we recommended leveraging Login with SSO with Directory Connector for the most complete solution.
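Review bot: the caption on `/sso/sso-orgid.png` ("Overview of Bitwarden Single Sign-On Workflow") is copied from the workflow image above and should describe the Organization Identifier field. Smaller points: the Directory Connector link has the period inside the link text ("[Directory Connector.](...) utility"); the sentence "Once you have created your Organization Identifier ... youll" is split across two lines mid-sentence; and the login steps switch from "you" to "The user" in the last sub-bullet of step 5. The self-hosted FAQ answer says only that the Identity server must be reachable from the Bitwarden instance, but step 4 opens a browser window to the IdP, so the user's browser must reach it as well; the answer should say both.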

@@ -43,6 +43,14 @@ Bitwarden currently supports the following Organization Policies
{% image policies/policies-enable.png %}
{%note%}
For Bitwarden server versions 1.37+ you will use the business portal to configure policies.
{%endnote%}
{% image policies/policies-business-portal.png Enter the business portal to manage policies %}
{% image policies/policies-menu-business-portal.png Choose Policies to enable and configure enterprise policies %}
## Two-Step Login
When this policy is set, members will need to have two-step login configured on their user account in order to join the organization.
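Review bot: the new note and the two business-portal screenshots follow the existing `policies-enable.png` image without saying which UI each applies to; state that the first screenshot shows the pre-1.37 organization settings page and that on 1.37+ the Policies page is reached through the business portal, so readers on either version know which image to follow.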
@@ -54,10 +62,10 @@ When this policy is set, members will need to have two-step login configured on
Ideally, this policy is set before any users are invited to join an organization. The following events will occur when an Organization enabled the two-step policy for the first time:
- The administrator will receive a warning that Organization members, in confirmed status, who dont have two-step for their account will be removed from the organization and will receive an email notifying them about the change.
- If the administrator proceeds to enable the two-step login policy Confirmed members of the organization who do not have two-step login enabled will lose access to the organization.
- Members who lose access to an organization will receive an email informing them of such.
- If the administrator proceeds to enable the two-step login policy Confirmed members of the organization who do not have two-step login enabled will lose access to the organization.
- Members who lose access to an organization will receive an email informing them of such.
- Once the user enables two-step login on their account they can then be re-join to the organization through a new invite.
- Newly invited members will not be able to accept their invitation to the organization until they enabled two-step login on their user account.
- Newly invited members will not be able to accept their invitation to the organization until they enabled two-step login on their user account.
- If a newly invited member currently has a Bitwarden account using the invited email address, they will be notified and must enable two-step login before accepting their invitation.
- If a newly invited member does not have an account, they will default to using email-based two-step login but will be able to change this configuration at any time.
- If a member of the organization later disables two-step login on their account, they will be removed from the organization.
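Review bot: the paired lines in this hunk are identical in the rendered view, so the change appears to be indentation only; since these lines are being touched anyway, fix "they can then be re-join to the organization" (should be "rejoin"), "dont" (missing apostrophe), "when an Organization enabled the two-step policy" (should be "enables"), and "until they enabled two-step login" (should be "enable").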
@@ -109,4 +117,4 @@ When this policy is set, organization administrators can choose and permanently
Ideally, this policy is set before any users are invited to join an organization.
If users have already joined an organization or already have a Bitwarden account, their master password - regardless of complexity - will remain in place unless it is changed, at which point it will need to conform with the policy.
If users have already joined an organization or already have a Bitwarden account, their master password - regardless of complexity - will remain in place unless it is changed, at which point it will need to conform with the policy.

_categories/faqs.md Normal file
@@ -0,0 +1,5 @@
---
layout: category
title: FAQs
featured: true
---

@@ -0,0 +1,5 @@
---
layout: category
title: Login with SSO
featured: true
---

@@ -21,6 +21,22 @@ layout: default
</div>
<div class="col-md-4">
{% include contact.html %}
<div class="panel panel-default articles" style="margin-bottom: 0;">
<div class="panel-heading">
<h3 class="panel-title"><i class="fa fa-list-alt"></i> Categories</h3>
</div>
<div class="panel-body small">
<ul>
{% for category in site.categories %}
{% if category.hidden != true %}
<li>
<a href="{{site.baseurl}}{{category.url}}">{{category.title}}</a>
</li>
{% endif %}
{% endfor %}
</ul>
</div>
</div>
</div>
</div>
</div>
</div>
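Review bot: the new Categories panel uses an inline `style="margin-bottom: 0;"` while the surrounding markup relies on classes (`panel panel-default articles`, `panel-body small`); move the override into a stylesheet rule so the template stays class-driven.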


BIN
images/sso/sso-oidc.png Normal file


BIN
images/sso/sso-orgid.png Normal file


BIN
images/sso/sso-saml.png Normal file


BIN
images/sso/sso-select.png Normal file


BIN
images/sso/sso-workflow.png Normal file
