906e2ca0dd
* initial commit
* adding quotes for the array error
* Create Gemfile
* Create Gemfile.lock
* add .nvmrc and .node-version
* removed /article from URL
* update links to work with netlify
* more fixed links
* link fixes
* update bad links
* Update netlify.toml
toml test for redirects
* article redirect
* link fixes
* Update index.html
* Update netlify.toml
* Update _config.yml
* Update netlify.toml
* Update netlify.toml
* Update netlify.toml
* Update netlify.toml
* Update netlify.toml
* add article back into URL for launch
* Update netlify.toml
* Update netlify.toml
* add order to categories front matter
* Update netlify.toml
* update
* sidemenu update
* Revert "sidemenu update"
This reverts commit 5441c3d35c.
* update order prop
* Navbar updates per Gary and compiler warnings
* font/style tweaks
* Update sidebar.html
* Stage Release Documentation (#739)
* initial drafts
* rewrite Custom Fields article to prioritize new context-menu option & better organize ancillary information
* edit
* edit
* Custom Field Context Menu & CAPTCHA item in release notes
* SSO relink event
* update rn
* small edits
* improve release notes titles
* fix side menu
* Edits courtest of mportune!
* update order
* link fixes
* link cleanup
* image updates and a link
* fix trailing slash
Co-authored-by: DanHillesheim <79476558+DanHillesheim@users.noreply.github.com>
8.9 KiB
layout, title, categories, featured, popular, tags, order
| layout | title | categories | featured | popular | tags | order | ||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| article | SAML 2.0 Configuration |
|
false | false |
|
03 |
Step 1: Set an Organization Identifier
Users who authenticate their identity using SSO will be required to enter an Organization Identifier that indicates the Organization (and therefore, the SSO integration) to authenticate against. to set a unique Organization Identifier:
-
Log in to your Web Vault{:target="_blank"} and open your Organization.
-
Open the Settings tab and enter a unique Identifier for your Organizations.
{% image sso/org-id.png Enter an Identifier %}
-
Save your changes before exiting this page.
{% callout success %} You'll need to share this value with users once the configuration is ready to be used. {% endcallout %}
Step 2: Enable Login with SSO
Once you have your Organization Identifier, you can proceed to enabling and configuring your integration. To enable Login with SSO:
-
From the Organization Vault, navigate to the Business Portal:
{% image organizations/business-portal-button-overlay.png Business Portal %}
-
From the Business Portal menu bar, check that the correct Organization is listed and select the Single Sign-On button:
{% image sso/sso-bp-1.png Business Portal Menu %}
-
Check the Enabled checkbox.
-
From the Type dropdown menu, select the SAML 2.0 option. If you intend to use OIDC instead, switch over to the OIDC Configuration Guide.
Step 3: Configuration
From this point on, implementation will vary provider-to-provider. Jump to one of our specific Implementation Guides for help completing the configuration process:
| Provider | Guide |
|---|---|
| AD FS | AD FS Implementation Guide |
| Auth0 | Auth0 Implementation Guide |
| AWS | AWS Implementation Guide |
| Azure | Azure Implementation Guide |
| Duo | Duo Implementation Guide |
| Google Implementation Guide | |
| JumpCloud | JumpCloud Implementation Guide |
| Keycloak | Keycloak Implementation Guide |
| Okta | Okta Implementation Guide |
| OneLogin | OneLogin Implementation Guide |
| PingFederate | PingFederate Implementation Guide |
Configuration Reference Materials
The following sections will define fields configured in the Bitwarden Business Portal, agnostic of which IdP you're integration with. Fields that must be configured will be marked (Required).
{% callout success %} Unless you're comfortable with SAML 2.0, we recommend using one of the above Implementation Guides instead of the following generic material. {% endcallout %}
The Business Portal separates configuration into two sections:
- SAML Service Provider Configuration will determine the format of SAML requests.
- SAML Identity Provider Configuration will determine the format to expect for SAML responses.
Service Provider Configuration
| Field | Description |
|---|---|
| SP Entity ID | (Automatically generated) The Bitwarden endpoint for authentication requests. For Cloud-hosted customers, this is always https://sso.bitwarden.com/saml2. For self-hosted instances, this is determined by your configured Server URL, for example https://your.domain.com/sso/saml2. |
| SAML 2.0 Metadata URL | (Automatically generated) Metadata URL for the Bitwarden endpoint. For Cloud-hosted customers, this is always https://sso.bitwarden.com/saml2/your-org-id. For self-hosted instances, this is determined by your configured Server URL, for example https://your.domain.com/sso/saml2/your-org-id. |
| Assertion Consumer Service (ACS) URL | (Automatically generated) Location where the SAML assertion is sent from the IdP. For Cloud-hosted customers, this is always https://sso.bitwarden.com/saml2/your-org-id/Acs. For self-hosted instances, this is determined by your configured Server URL, for example https://your.domain.com/sso/saml2/your-org-id/Acs. |
| Name ID Format | Format Bitwarden will request of the SAML assertion. Options include: -Unspecific (default) -Email Address -X.509 Subject Name -Windows Domain Qualified Name -Kerberos Principal Name -Entity Identifier -Persistent -Transient |
| Outbound Signing Algorithm | The algorithm Bitwarden will use to sign SAML requests. Options include: -http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 (default) -http://www.w3.org/2000/09/xmldsig#rsa-sha1 -http://www.w3.org/2000/09/xmldsig#rsa-sha384 -http://www.w3.org/2000/09/xmldsig#rsa-sha512 |
| Signing Behavior | Whether/when SAML requests will be signed. Options include: -If IdP Wants Authn Requests Signed (default) -Always -Never |
| Minimum Incoming Signing Algorithm | Minimum strength of the algorithm that Bitwarden will accept in SAML responses. |
| Want Assertions Signed | Check this checkbox if Bitwarden should expect responses from the IdP to be signed. |
| Validate Certificates | Check this box when using trusted and valid certificates from your IdP through a trusted CA. Self-signed certificates may fail unless proper trust chains are configured within the Bitwarden Login with SSO docker image. |
Identity Provider Configuration
| Field | Description |
|---|---|
| Entity ID | (Required) Address or URL of your Identity Server or the IdP Entity ID. |
| Binding Type | Method used by the IdP to respond to Bitwarden SAML requests. Options include: -Redirect (Recommended) -HTTP POST -Artifact |
| Single Sign On Service URL | (Required if Entity ID is not a URL) SSO URL issued by your IdP. |
| Single Log Out Service URL | Login with SSO currently does not support SLO. This option is planned for future use, however we strongly recommend pre-configuring this field. |
| Artifact Resolution Service URL | (Required if Binding Type is Artifact) URL used for the Artifact Resolution Protocol. |
| X509 Public Certificate | (Required unless Signing Behavior is Never) The X.509 Base-64 encoded certificate body. Do not include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines or portions of the CER/PEM formatted certificate.Extra spaces, carriage returns, and other extraneous characters inside this field will cause certificate validation failure. Copy only the certificate data into this field. |
| Outbound Signing Algorithm | The algorithm your IdP will use to sign SAML responses/assertions. Options include: -http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 (default) -http://www.w3.org/2000/09/xmldsig#rsa-sha1 -http://www.w3.org/2000/09/xmldsig#rsa-sha384 -http://www.w3.org/2000/09/xmldsig#rsa-sha512 |
| Allow Unsolicited Authentication Response | Login with SSO currently does not support unsolicited (IdP-Initiated) SSO assertions. This checkbox is planned for future use. |
| Disable Outbound Logout Requests | Login with SSO currently does not support SLO. This option is planned for future use, however we strongly recommend pre-configuring this field. |
| Want Authentication Requests Signed | Check this checkbox if your IdP should expect SAML requests from Bitwarden to be signed. |
SAML Attributes & Claims
An email address is required for account provisioning, which can be passed as any of the attributes or claims in the below table.
A unique user identifier is also highly recommended. If absent, Email will be used in its place to link the user.
Attributes/Claims are listed in order of preference for matching, including Fallbacks where applicable:
| Value | Claim/Attribute | Fallback Claim/Attribute |
|---|---|---|
| Unique ID | NameID (when not Transient) urn:oid:0.9.2342.19200300.100.1.1 Sub UID UPN EPPN |
|
| Email http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress urn:oid:0.9.2342.19200300.100.1.3 EmailAddress |
Preferred_Username Urn:oid:0.9.2342.19200300.100.1.1 UID |
|
| Name | Name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name urn:oid:2.16.840.1.113730.3.1.241 urn:oid:2.5.4.3 DisplayName CN |
First Name + “ “ + Last Name (see below) |
| First Name | urn:oid:2.5.4.42 GivenName FirstName FN FName Nickname |
|
| Last Name | urn:oid:2.5.4.4 SN Surname LastName |