---
layout: article
title: Getting started with Login with SSO
categories:
featured: true
popular: true
tags:
---
What is Login with SSO?
The Login with SSO feature allows you to use your existing Identity Provider to authenticate into Bitwarden. Login with SSO is available on the current Enterprise Plan.
Trialing Login with SSO
We understand that security requirements and Identity Providers vary greatly between Organizations. Classic 2019 Enterprise Plan customers are encouraged to trial Login with SSO before upgrading to the new Enterprise Plan and deploying it globally.
To trial the new Enterprise Plan, we recommend creating a separate Trial Organization.
Navigate to your Web Vault and select "New Organization"
{%image /sso/trial-new-org.png Add a New Organization %}
Select Enterprise as your plan, and add as many seats as you'll need to test with. The trial is free for 7 days; if you need longer, you can use the monthly billing option for extended testing.
{%image /sso/trial-new-plan.png Select Enterprise to try Login with SSO %}
You can now begin using your new organization to test Login with SSO. Self-hosted and on-premise users also need to create a Trial Organization, because that is what generates the new license file. If you self-host, we recommend testing Login with SSO on a separate Bitwarden instance rather than your production one.
Once you have completed your Trial and testing, contact customer success to upgrade your current Enterprise Plan. You can also cancel your Trial Organization subscription via the Bitwarden Web Vault.
For more information on Plan comparisons, please visit our plan comparison article here.
Identity Server Requirements
- SAML 2.0, or
- OpenID Connect (OIDC)
Bitwarden API/Server Requirements
- Bitwarden Cloud services
- Self-hosted Bitwarden Server v1.37+
Client requirements
- Desktop version 1.21+
- Browser extension version 1.46+
- Mobile version 2.6+
- Web version 2.16+
- CLI version 1.12+ (CLI applications leveraging Login with SSO must run on systems with an available web browser)
Workflow
{%image /sso/sso-workflow.png Overview of Bitwarden Single Sign-On Workflow %}
General settings and configuration
To enable Login with SSO, you’ll need to log into the Bitwarden Web Vault and access your Organization.
Organization Identifier
When enabling Login with SSO, you'll create an Organization Identifier, unique to your organization, that lets the client find and connect to the right identity servers. Users enter this identifier when logging in.
Define the Organization Identifier inside the Organization Vault: Settings > My Organization.
{%image /sso/sso-orgid.png Set the Organization Identifier in Organization Settings %}
Once you have created your Organization Identifier from the Organization Settings page, you’ll select the link to the Business Portal.
{%image /sso/sso-business-portal.png Enter the new Business Portal to manage Organization settings %}
Within the Business Portal, you’ll see the option to enable and configure Login with SSO.
{%image /sso/sso-select.png Select your protocol %}
Click the checkbox to enable Single Sign-On and select the protocol for your Identity Provider.
{%note%} Depending on your Identity Provider and configuration, you may need to create an additional API key or Application ID in the Identity service before enabling and configuring Login with SSO for your Bitwarden Organization.
We recommend maintaining a distinct Application ID or reference for Bitwarden within your Identity Server, so that its credentials can be rotated or revoked independently of your other applications and the tokens it issues are scoped to Bitwarden alone. {%endnote%}
SAML 2.0 Configuration
Bitwarden Login with SSO is configurable to work with your SAML 2.0 IdP - for details on configuration please use this article.
{%image /sso/sso-saml.png SAML 2.0 Configuration Options %}
OpenID Connect (OIDC) Configuration
Bitwarden Login with SSO is configurable to work with your OIDC IdP - for details on configuration please use this article.
{%image /sso/sso-oidc.png OpenID Connect Configuration Options %}
Logging In with SSO
Logging into your Bitwarden client with Login with SSO takes a few steps.
- Once your Bitwarden client app is installed, navigate to the login screen or window.
- Click or tap the Enterprise Single Sign-On button.
- Enter your Organization Identifier.
- A browser window will open, allowing you to enter your Single Sign-On credentials and complete any other authentication your Identity Provider requires.
- Upon successful login:
- For existing accounts, you will be brought back into the Bitwarden application and prompted for your Master Password.
- For new accounts, you will be prompted to create your Master Password and provide a password hint if desired.
- The user is now logged into their Bitwarden account and is in accepted status within their organization.
{%note%} Users that register “Just-In-Time” or “on the fly” for their Organization will still need to be confirmed to access any shared Organization Items. For more information about managing and confirming users, visit our article here.
Users will also need to be assigned to any Groups and Collections.
Users created via Login with SSO will still be placed into their Groups and Collections automatically if you use the Directory Connector utility. {%endnote%}
Linking an existing user
Organizations with existing Bitwarden users that are deploying Login with SSO will need to have their users link their existing account to an SSO authentication.
To do this, the user will need to log into their Web Vault using their email and Master Password.
- Then navigate to Settings > Organizations where they will see a list of all Organizations they belong to.
- Hovering over the Organization to be linked will display the gear icon to the right.
- Click the gear icon and select "Link SSO". This initiates an SSO authentication session and links the user's existing account to it, allowing them to authenticate using just SSO in the future.
{%image /sso/trial-org-link.png Users with existing Bitwarden accounts will need to link their account to SSO for the Organization %}
FAQs
Q: What Plans offer Login with SSO?
A: Current Enterprise plans offer this feature. To upgrade from a Classic Enterprise plan to a current Enterprise offering, please contact us.
Q: Does SSO Replace my Master Password and Email?
A: No. SSO gives Organizations an easier way to maintain control of Organization users, allow just-in-time provisioning of new users, centralize MFA at the Identity Provider and, in the near future, improve employee succession management.
Logging in with SSO authenticates your Bitwarden session, reusing an existing IdP session if one exists and honoring whatever MFA rules your IdP enforces.
Once authenticated, you provide (or create) your Master Password in the Bitwarden client, not at your Identity Provider, and it is still what encrypts and decrypts your Vault data, just as it always has, keeping the audited Bitwarden security model intact.
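What that two-layer model means in practice, as an added illustration: this is example Python written for this page, not Bitwarden's code, and the KDF parameters and the cipher are assumptions chosen so the file runs with only the standard library. The SSO step produces an identity assertion and a server session; the key that protects the Vault is derived on the client from the Master Password (salted with the account email) and never leaves it, while what the server stores for password login is a further one-way hash of that key. The "vault encryption" is an HMAC-SHA256 keystream with encrypt-then-MAC, a stand-in for a real authenticated cipher, so that a wrong key is detected rather than yielding garbage.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed parameters for this illustration only; not Bitwarden's actual KDF settings.
KDF_ITERATIONS = 100_000


def derive_master_key(master_password: str, email: str) -> bytes:
    """Client side: stretch the Master Password into the key that protects the Vault.
    The (normalized) account email is the salt, so identical passwords give
    different keys for different accounts."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.strip().lower().encode(), KDF_ITERATIONS)


def derive_auth_hash(master_key: bytes, master_password: str) -> bytes:
    """Client side: a further one-way step gives the value a password login sends to
    the server. Knowing it does not let the server, or anyone who steals it, recover
    master_key."""
    return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode(), 1)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault_item(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under sub-keys split off the master key.
    Output layout: 16-byte nonce || ciphertext || 32-byte tag."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def try_decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if `key` is not the key the item was encrypted
    under (or the blob was tampered with). The tag is checked before decrypting."""
    if len(blob) < 16 + 32:
        return None
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def sso_login(assertion_subject: str, stored_auth_hash: bytes) -> dict:
    """Everything the server ends up holding after an SSO login: the IdP's assertion of
    who the user is, plus the auth hash it already stored. No Vault key is among them."""
    return {"session_for": assertion_subject, "auth_hash": stored_auth_hash}


if __name__ == "__main__":
    email, password = "alice@example.com", "correct horse battery staple"   # constructed
    master_key = derive_master_key(password, email)
    auth_hash = derive_auth_hash(master_key, password)
    item = encrypt_vault_item(master_key, b"login: example.com / hunter2")   # constructed item
    session = sso_login(email, auth_hash)                                    # SSO step completed
    print("server decrypts with what it holds:", try_decrypt(session["auth_hash"], item))
    print("client unlocks with Master Password:", try_decrypt(derive_master_key(password, email), item))
    print("typo in Master Password:            ", try_decrypt(derive_master_key(password + "!", email), item))
```

This is also why the next answer holds: changing the password at your Identity Provider changes nothing in this file, because the IdP password never enters the derivation; only a change of the Master Password itself would.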
Q: Will changing my SSO password affect my Master Password?
A: No, your Master Password will remain the same and will still be used to decrypt your Vault data. You can change your Master Password in the Web Vault.
Q: Can I still log in with my Master Password if my Organization has SSO enabled?
A: Currently, yes. In the near future we will be enabling Enterprise Policies to allow Organizations to control authentication mechanisms for their users.
Q: Will this work with a self-hosted instance of Bitwarden?
A: Yes! It works with self-hosted Bitwarden, whether on-premise or in your own cloud, as long as your Identity server is reachable from the Bitwarden instance.
Q: Do I still need to use Bitwarden Directory Connector?
A: If you manually manage your Bitwarden Group and Collection assignments, there is no need to use the Directory Connector. However, if you would like Groups and users to be synchronized automatically, we recommend combining Login with SSO with Directory Connector for the most complete solution.