mirror of https://github.com/bitwarden/help synced 2025-12-22 11:13:14 +00:00
help/_articles/login-with-sso/sso-decryption-options.md
fred_the_tech_writer 82ecf7def2 KC (#805)
* initial draft

* codeblock e.g.'s

* initial draft of f4e end-user doc

* first round of feedback

* feedback round 2

* feedback round 3

* update screenshots

* safari/macos import guide sketch

* adios, friendly name

* cli note

* fix typo

* finish import from macos/safari

* feedback round 4

* more feedback

* updated diagrams

* fix typo

* linked custom fields & more release note items

* new auto-fill unlock behavior for context menu & keyboard!

* release notes - autofill unlock

* new events

* fixes to 'using sso'

* updated KC screenshot & test step

* KC URL

* send extension & release notes

* hide ios extension

* updates to sso faqs

* SEO desc's & tags

* Key Connector > Impact on Unlock > Add a note for online dependency

* clarify "account is lost"

* add some references to CME

* final edits

* f4e

* quick edit to RN
2021-12-08 07:53:03 -05:00


---
layout: article
title: Member Decryption Options
categories: [login-with-sso]
featured: false
popular: false
tags: [key connector, customer-managed encryption, login with sso, master password decryption]
order: "04"
description: "This article covers the Vault decryption options available for Enterprise Organizations leveraging Login with SSO."
---
What makes Login with SSO unique is that it retains our zero-knowledge encryption model. Nobody at Bitwarden has access to your Vault data and, similarly, **neither should your Identity Provider**. That's why Login with SSO **decouples authentication and decryption**. In all Login with SSO implementations, your Identity Provider cannot and will not have access to the decryption key needed to decrypt Vault data.

**Member Decryption Options** are used to determine what decryption key will be used to decrypt Vault data in scenarios where Login with SSO is handling authentication. Options include:

- **Master Password**: Once authenticated, Organization members will decrypt Vault data using their [Master Passwords]({{site.baseurl}}/article/master-password/).
- **Key Connector**: Connect Login with SSO to your self-hosted decryption key server. Using this option, Organization members won't need to use their Master Passwords to decrypt Vault data. Instead, [Key Connector]({{site.baseurl}}/article/about-key-connector/) will retrieve a decryption key securely stored in a database owned and managed by you.
{% callout success %}
Due to the sensitivity of storing decryption keys, the **Key Connector** option is **disabled by default** and currently **only available to Organizations self-hosting Bitwarden**.

If you're interested in using Key Connector, check out the [About Key Connector]({{site.baseurl}}/article/about-key-connector/) and [Deploy Key Connector]({{site.baseurl}}/article/deploy-key-connector/) articles and [Contact Us](https://bitwarden.com/contact/) to set up a time for us to help you get started.
{% endcallout %}