---
layout: article
title: SAML 2.0 Configuration
categories: [login-with-sso]
featured: false
popular: false
tags: [sso, saml, oidc, openid, saml2.0, idp, identity]
---

## Key Terms and Definitions

- SP - Service Provider; this is your Bitwarden instance.
- IdP - Identity Provider; this is your identity server, provider, or federated identity service.
- Name ID - A value provided by the IdP that identifies the user claim represented by the assertion; a Name ID may be transient (different every time) or persistent (the same every time).
- Authn Request - A request created by the SP and sent to the IdP to initiate the authentication.
- Assertion - A response to the Authn Request from the IdP to the SP that contains any number of claims and attributes for use by the SP.
- Entity ID - A unique identifier, commonly a URL, and also commonly equal to the base URI of the SP's and IdP's respective service endpoints (but not necessarily; it could be any string).
- Signing - A digital signature created using the private key of a party's signing certificate and then verified by the relying party using the corresponding public key.

{%note%}
Login with SSO currently **does not** support unsolicited SSO assertions (IdP-initiated login).
{%endnote%}

## SAML *Service Provider* Configuration

### SP Entity ID

Bitwarden Login with SSO endpoint (automatically generated from the Bitwarden instance URL):

`{https://bitwarden.yourdomain.com/}/sso/saml/`

### SP ACS URL

The SP ACS URL is your Entity ID followed by `/Acs` and is automatically generated. For example:

- Cloud Instances: `https://sso.bitwarden.com/saml/Acs`
- Self-hosted Instances: `https://bitwarden.yourdomain.com/sso/saml/Acs`

### SSO URL or Login URL

If your IdP supports a Login URL for your SSO application, this is the URL of your Bitwarden Web Vault followed by `/#/sso`. For example:

- Cloud Instances: `https://vault.bitwarden.com/#/sso`
- Self-hosted Instances: `https://bitwarden.yourdomain.com/#/sso`

### Name ID Format

Options:

- Unspecified (default)
- Email Address
- X.509 Subject Name
- Windows Domain Qualified Name
- Kerberos Principal Name
- Entity Identifier
- Persistent
- Transient

### Outbound Signing Algorithm

Options:

- 
- **(*default*)**
- 
- 

### Signing Behavior

Options:

- If IdP Wants Authn Requests Signed (*default*)
- Always
- Never

### Other Service Provider Options

- Want Assertions Signed (Boolean)
- Validate Certificates (Boolean) - check only when using trusted and valid certificates from your IdP issued through a trusted CA; self-signed certificates may fail unless proper trust chains are configured within the Bitwarden SSO docker image, which is outside the scope of this article.

## SAML *Identity Provider* Configuration

### Entity ID (*Required*)

The address or URL of your Identity Server, or the IdP Entity ID as configured in your identity provider service.

### Binding Type

Options:

- HttpRedirect
- HttpPost (recommended)
- Artifact

### Single Sign-On Service URL

*Required if the IdP Entity ID is not a URL.*

### Single Log Out Service URL

URL for SLO messages. This functionality is not yet available for Bitwarden; however, you can preconfigure this URL.

### Artifact Resolution Service URL

*Required if Binding Type = Artifact.*

### X509 Public Certificate

Only include the X.509 Base-64 encoded certificate body, not the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines or any other portion of the CER/PEM formatted certificate.

*Required if Signing Behavior != Never.*

{%warning%}
Please note, any extra spaces, carriage returns, etc. inside this field will cause certificate validation failure. Please copy **only** the certificate data into this field.
{%endwarning%}

### Outbound Signing Algorithm

Options:

- 
- **(*default*)**
- 
- 

### Other Identity Provider Options

- Allow Unsolicited Authentication Response (*Boolean*)
- Disable Outbound Logout Requests (*Boolean*)
- Want Authentication Requests Signed (*Boolean*)
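As an added example (not part of the Bitwarden documentation above, and not Bitwarden's own code), the following Python snippet turns a PEM/CER certificate file as exported by an IdP into the bare Base64 body that the X509 Public Certificate field expects, and diagnoses the armor lines and stray whitespace that the warning above says will break certificate validation. The sample input is a constructed minimal DER SEQUENCE wrapped in PEM armor, not a real certificate, and the function names are assumptions of this example.

```python
import base64
import binascii
import re

# Matches the PEM armor lines that must NOT be pasted into the field.
PEM_ARMOR = re.compile(r"^-----(BEGIN|END) (?:[A-Z0-9 ]+ )?CERTIFICATE-----$")

# Constructed sample input: a minimal DER SEQUENCE (SEQUENCE { INTEGER 1 }),
# not a real X.509 certificate, wrapped in PEM armor with CRLF line endings
# and stray spaces, as often happens after copy/paste from a Windows tool.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "MAMC\r\n"
    "  AQE= \r\n"
    "-----END CERTIFICATE-----\r\n"
)


def der_total_length(der: bytes) -> int:
    """Return how many bytes the outer DER SEQUENCE spans, header included."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length, one byte
        return 2 + first
    n = first & 0x7F                      # long form: the next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_to_cert_body(pem_text: str) -> str:
    """Extract the Base64 body from PEM/CER text and verify it decodes to one DER object."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    armor = [i for i, ln in enumerate(lines) if PEM_ARMOR.match(ln)]
    if armor:
        # Keep only what sits between the first BEGIN and the matching END line,
        # discarding any textual dump (Subject=, Issuer=) some tools print first.
        if len(armor) < 2:
            raise ValueError("PEM armor is incomplete (BEGIN without END)")
        lines = lines[armor[0] + 1:armor[1]]
    body = "".join(ln for ln in lines if ln)
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid Base64: {exc}") from exc
    if der_total_length(der) != len(der):
        raise ValueError("DER length does not match the decoded data (truncated or extra bytes)")
    return body


def is_valid_cert_body(body: str) -> bool:
    """True if the string is acceptable as the field's value: no armor, no whitespace, valid DER."""
    try:
        return pem_to_cert_body(body) == body
    except ValueError:
        return False


def field_problems(field_value: str) -> list:
    """List the problems in a value exactly as it would be pasted into the field."""
    problems = []
    if "-----BEGIN" in field_value or "-----END" in field_value:
        problems.append("contains PEM BEGIN/END lines")
    if re.search(r"\s", field_value):
        problems.append("contains spaces, tabs or line breaks")
    if not problems and not is_valid_cert_body(field_value):
        problems.append("body is not valid Base64 DER")
    return problems


if __name__ == "__main__":
    print(pem_to_cert_body(SAMPLE_PEM))   # the value to paste into the field
    print(field_problems(SAMPLE_PEM))     # why the raw PEM file must not be pasted as-is
```

The DER length check catches the most common silent failure, a body that was cut off or had a line dropped while copying: such a value is still valid Base64, so only comparing the length the outer SEQUENCE claims against the bytes actually decoded reveals it.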