mirror of https://github.com/bitwarden/help synced 2025-12-15 15:53:53 +00:00
help/_articles/login-with-sso/about-sso.md
fred_the_tech_writer 82ecf7def2 KC (#805)
* initial draft

* codeblock e.g.'s

* initial draft of f4e end-user doc

* first round of feedback

* feedback round 2

* feedback round 3

* update screenshots

* safari/macos import guide sketch

* adios, friendly name

* cli note

* fix typo

* finish import from macos/safari

* feedback round 4

* more feedback

* updated diagrams

* fix typo

* linked custom fields & more release note items

* new auto-fill unlock behavior for context menu & keyboard!

* release notes - autofill unlock

* new events

* fixes to 'using sso'

* updated KC screenshot & test step

* KC URL

* send extension & release notes

* hide ios extension

* updates to sso faqs

* SEO desc's & tags

* Key Connector > Impact on Unlock > Add a note for online dependency

* clarify "account is lost"

* add some references to CME

* final edits

* f4e

* quick edit to RN
2021-12-08 07:53:03 -05:00


layout: article
title: About Login with SSO
categories: login-with-sso
featured: true
popular: true
tags: saml, saml2.0, single sign-on, sso, oidc, openid, openid connect, idp, identity provider
order: 01
redirect_from: /article/getting-started-with-sso/
description: Bitwarden enterprise plan users can take advantage of Single Sign On (SSO). Find out more about Login with SSO and how it works with Bitwarden in this useful article.

What is Login with SSO?

Login with SSO is the Bitwarden solution for Single Sign-On. Using Login with SSO, Enterprise Organizations can leverage their existing Identity Provider to authenticate users with Bitwarden using the SAML 2.0 or OpenID Connect (OIDC) protocols.

What makes Login with SSO unique is that it retains our zero-knowledge encryption model. Nobody at Bitwarden has access to your Vault data and, similarly, neither should your Identity Provider. That's why Login with SSO decouples authentication and decryption. In all Login with SSO implementations, your Identity Provider cannot and will not have access to the decryption key needed to decrypt Vault data.

In most scenarios, that decryption key is the user's Master Password, which they retain sole responsibility for. However, Organizations self-hosting Bitwarden can use Key Connector as an alternative means of decrypting Vault data.

{% image sso/sso-workflow-2.png Login with SSO & Master Password Decryption %}
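
The separation of authentication from decryption described above can be modeled in a few lines. This is an added example, not Bitwarden's code or its actual key-derivation scheme. The function names, the PBKDF2 parameters, the HMAC-signed identity claim (standing in for a SAML/OIDC assertion) and the HMAC-based stand-in cipher are all assumptions made for illustration.

```python
import hashlib, hmac, os

IDP_KEY = os.urandom(32)  # constructed stand-in for the IdP's signing key

def idp_assert(user: str):
    # The IdP's whole contribution: a signed identity claim, no key material.
    return user, hmac.new(IDP_KEY, user.encode(), hashlib.sha256).digest()

def server_fetch(store: dict, assertion):
    # Authentication: verify the claim, then release the *encrypted* vault only.
    user, sig = assertion
    good = hmac.new(IDP_KEY, user.encode(), hashlib.sha256).digest()
    return store.get(user) if hmac.compare_digest(sig, good) else None

def derive_key(master_password: str, salt: bytes) -> bytes:
    # Decryption: runs on the client; the password never reaches IdP or server.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream (HMAC-SHA256 in counter mode); real code would use AES-GCM.
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None  # wrong key or tampered blob
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def demo():
    salt = os.urandom(16)  # constructed sample vault for a constructed user
    store = {"alice@example.com": (salt, seal(derive_key("correct horse", salt), b"vault item"))}
    salt, blob = server_fetch(store, idp_assert("alice@example.com"))
    # A valid SSO login yields ciphertext; only the Master Password opens it.
    return unseal(derive_key("correct horse", salt), blob), unseal(derive_key("guess", salt), blob)

if __name__ == "__main__":
    print(demo())
```

In this model, a party holding only the IdP's signing key can obtain the sealed blob but has nothing from which to derive the vault key.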

Why use Login with SSO?

Login with SSO is a flexible solution that can fit your enterprise's needs. Login with SSO includes:

  • SAML 2.0 and OIDC configuration options that support integration with a wide variety of Identity Providers.
  • An Enterprise Policy to optionally require non-Owner/non-Admin users to log in to Bitwarden with Single Sign-On.
  • Two distinct Member Decryption Options for safe data access workflows.
  • "Just-in-time" end-user onboarding via SSO.

How do I start using Login with SSO?

Login with SSO is available for all customers with an Enterprise Organization. If you're new to Bitwarden, we'd love to help you through the process of setting up an account and starting your 7 Day Free Trial Enterprise Organization with our dedicated signup page:

Start your Enterprise Free Trial

Once you have an Enterprise Organization, deployment should include the following steps:

  1. Follow one of our SAML 2.0 or OIDC Implementation Guides to configure and deploy Login with SSO with Master Password decryption.
  2. Test the end-user Login with SSO experience using Master Password decryption.
  3. (If self-hosting) Review our different Member Decryption Options to determine whether using Key Connector might be right for your Organization.
  4. (If self-hosting) If you're interested in implementing Key Connector, Contact Us and we'll help you get started deploying Key Connector.
  5. Educate your Organization members on how to use Login with SSO.