mirror of
https://github.com/bitwarden/help
synced 2025-12-06 00:03:30 +00:00
906e2ca0dd
* initial commit
* adding quotes for the array error
* Create Gemfile
* Create Gemfile.lock
* add .nvmrc and .node-version
* removed /article from URL
* update links to work with netlify
* more fixed links
* link fixes
* update bad links
* Update netlify.toml
toml test for redirects
* article redirect
* link fixes
* Update index.html
* Update netlify.toml
* Update _config.yml
* Update netlify.toml
* Update netlify.toml
* Update netlify.toml
* Update netlify.toml
* Update netlify.toml
* add article back into URL for launch
* Update netlify.toml
* Update netlify.toml
* add order to categories front matter
* Update netlify.toml
* update
* sidemenu update
* Revert "sidemenu update"
This reverts commit 5441c3d35c.
* update order prop
* Navbar updates per Gary and compiler warnings
* font/style tweaks
* Update sidebar.html
* Stage Release Documentation (#739)
* initial drafts
* rewrite Custom Fields article to prioritize new context-menu option & better organize ancillary information
* edit
* edit
* Custom Field Context Menu & CAPTCHA item in release notes
* SSO relink event
* update rn
* small edits
* improve release notes titles
* fix side menu
* Edits courtest of mportune!
* update order
* link fixes
* link cleanup
* image updates and a link
* fix trailing slash
Co-authored-by: DanHillesheim <79476558+DanHillesheim@users.noreply.github.com>
113 lines
8.9 KiB
Markdown
113 lines
8.9 KiB
Markdown
---
|
|
layout: article
|
|
title: SAML 2.0 Configuration
|
|
categories: [login-with-sso]
|
|
featured: false
|
|
popular: false
|
|
tags: [sso, saml, saml2.0, idp, identity]
|
|
order: "03"
|
|
---
|
|
|
|
## Step 1: Set an Organization Identifier
|
|
|
|
Users who [authenticate their identity using SSO]({{site.baseurl}}/article/using-sso/#login-using-sso) will be required to enter an **Organization Identifier** that indicates the Organization (and therefore, the SSO integration) to authenticate against. to set a unique Organization Identifier:
|
|
|
|
1. Log in to your [Web Vault](https://vault.bitwarden.com){:target="\_blank"} and open your Organization.
|
|
2. Open the **Settings** tab and enter a unique **Identifier** for your Organizations.
|
|
|
|
{% image sso/org-id.png Enter an Identifier %}
|
|
3. **Save** your changes before exiting this page.
|
|
|
|
{% callout success %}
|
|
You'll need to share this value with users once the configuration is ready to be used.
|
|
{% endcallout %}
|
|
|
|
## Step 2: Enable Login with SSO
|
|
|
|
Once you have your Organization Identifier, you can proceed to enabling and configuring your integration. To enable Login with SSO:
|
|
|
|
1. From the Organization Vault, navigate to the **Business Portal**:
|
|
|
|
{% image organizations/business-portal-button-overlay.png Business Portal %}
|
|
2. From the Business Portal menu bar, check that the correct Organization is listed and select the **Single Sign-On** button:
|
|
|
|
{% image sso/sso-bp-1.png Business Portal Menu %}
|
|
3. Check the **Enabled** checkbox.
|
|
4. From the **Type** dropdown menu, select the **SAML 2.0** option. If you intend to use OIDC instead, switch over to the [OIDC Configuration Guide]({{site.baseurl}}/article/configure-sso-oidc/).
|
|
|
|
## Step 3: Configuration
|
|
|
|
From this point on, **implementation will vary provider-to-provider**. Jump to one of our specific **Implementation Guides** for help completing the configuration process:
|
|
|
|
|Provider|Guide|
|
|
|--------|-----|
|
|
|AD FS|[AD FS Implementation Guide]({{site.baseurl}}/article/saml-adfs/)|
|
|
|Auth0|[Auth0 Implementation Guide]({{site.baseurl}}/article/saml-auth0/)|
|
|
|AWS|[AWS Implementation Guide]({{site.baseurl}}/article/saml-aws/)|
|
|
|Azure|[Azure Implementation Guide]({{site.baseurl}}/article/saml-azure/)|
|
|
|Duo|[Duo Implementation Guide]({{site.baseurl}}/article/saml-duo/)|
|
|
|Google|[Google Implementation Guide]({{site.baseurl}}/article/saml-google/)|
|
|
|JumpCloud|[JumpCloud Implementation Guide]({{site.baseurl}}/article/saml-jumpcloud/)|
|
|
|Keycloak|[Keycloak Implementation Guide]({{site.baseurl}}/article/saml-keycloak/)|
|
|
|Okta|[Okta Implementation Guide]({{site.baseurl}}/article/saml-okta/)|
|
|
|OneLogin|[OneLogin Implementation Guide]({{site.baseurl}}/article/saml-onelogin/)|
|
|
|PingFederate|[PingFederate Implementation Guide]({{site.baseurl}}/article/saml-pingfederate/)|
|
|
|
|
### Configuration Reference Materials
|
|
|
|
The following sections will define fields configured in the [Bitwarden Business Portal]({{site.baseurl}}/article/about-business-portal/), agnostic of which IdP you're integration with. Fields that must be configured will be marked (**Required**).
|
|
|
|
{% callout success %}
|
|
**Unless you're comfortable with SAML 2.0**, we recommend using one of the [above Implementation Guides](#step-3-configuration) instead of the following generic material.
|
|
{% endcallout %}
|
|
|
|
The Business Portal separates configuration into two sections:
|
|
|
|
- **SAML Service Provider Configuration** will determine the format of SAML requests.
|
|
- **SAML Identity Provider Configuration** will determine the format to expect for SAML responses.
|
|
|
|
#### Service Provider Configuration
|
|
|
|
|Field|Description|
|
|
|-----|-----------|
|
|
|SP Entity ID|(**Automatically generated**) The Bitwarden endpoint for authentication requests. For Cloud-hosted customers, this is always `https://sso.bitwarden.com/saml2`. For self-hosted instances, this is determined by your [configured Server URL]({{site.baseurl}}/article/install-on-premise/#configure-your-domain), for example `https://your.domain.com/sso/saml2`.|
|
|
|SAML 2.0 Metadata URL|(**Automatically generated**) Metadata URL for the Bitwarden endpoint. For Cloud-hosted customers, this is always `https://sso.bitwarden.com/saml2/your-org-id`. For self-hosted instances, this is determined by your [configured Server URL]({{site.baseurl}}/article/install-on-premise/#configure-your-domain), for example `https://your.domain.com/sso/saml2/your-org-id`.|
|
|
|Assertion Consumer Service (ACS) URL|(**Automatically generated**) Location where the SAML assertion is sent from the IdP. For Cloud-hosted customers, this is always `https://sso.bitwarden.com/saml2/your-org-id/Acs`. For self-hosted instances, this is determined by your [configured Server URL]({{site.baseurl}}/article/install-on-premise/#configure-your-domain), for example `https://your.domain.com/sso/saml2/your-org-id/Acs`.|
|
|
|Name ID Format|Format Bitwarden will request of the SAML assertion. Options include:<br>-Unspecific (*default*)<br>-Email Address<br>-X.509 Subject Name<br>-Windows Domain Qualified Name<br>-Kerberos Principal Name<br>-Entity Identifier<br>-Persistent<br>-Transient|
|
|
|Outbound Signing Algorithm|The algorithm Bitwarden will use to sign SAML requests. Options include:<br>-<http://www.w3.org/2001/04/xmldsig-more#rsa-sha256> (*default*)<br>-<http://www.w3.org/2000/09/xmldsig#rsa-sha1><br>-<http://www.w3.org/2000/09/xmldsig#rsa-sha384><br>-<http://www.w3.org/2000/09/xmldsig#rsa-sha512>|
|
|
|Signing Behavior|Whether/when SAML requests will be signed. Options include:<br>-If IdP Wants Authn Requests Signed (*default*)<br>-Always<br>-Never|
|
|
|Minimum Incoming Signing Algorithm|Minimum strength of the algorithm that Bitwarden will accept in SAML responses.|
|
|
|Want Assertions Signed|Check this checkbox if Bitwarden should expect responses from the IdP to be signed.|
|
|
|Validate Certificates|Check this box when using trusted and valid certificates from your IdP through a trusted CA. Self-signed certificates may fail unless proper trust chains are configured within the Bitwarden Login with SSO docker image.|
|
|
|
|
#### Identity Provider Configuration
|
|
|
|
|Field|Description|
|
|
|-----|-----------|
|
|
|Entity ID|(*Required*) Address or URL of your Identity Server or the IdP Entity ID.|
|
|
|Binding Type|Method used by the IdP to respond to Bitwarden SAML requests. Options include:<br>-Redirect (*Recommended*)<br>-HTTP POST<br>-Artifact|
|
|
|Single Sign On Service URL|(*Required if Entity ID is not a URL*) SSO URL issued by your IdP.|
|
|
|Single Log Out Service URL|Login with SSO currently **does not** support SLO. This option is planned for future use, however we strongly recommend pre-configuring this field.|
|
|
|Artifact Resolution Service URL|(*Required if Binding Type is Artifact*) URL used for the Artifact Resolution Protocol.|
|
|
|X509 Public Certificate|(*Required unless Signing Behavior is Never*) The X.509 Base-64 encoded certificate body. Do not include the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines or portions of the CER/PEM formatted certificate.<br><br>Extra spaces, carriage returns, and other extraneous characters inside this field will cause certificate validation failure. Copy **only** the certificate data into this field.|
|
|
|Outbound Signing Algorithm|The algorithm your IdP will use to sign SAML responses/assertions. Options include:<br>-<http://www.w3.org/2001/04/xmldsig-more#rsa-sha256> (*default*)<br>-<http://www.w3.org/2000/09/xmldsig#rsa-sha1><br>-<http://www.w3.org/2000/09/xmldsig#rsa-sha384><br>-<http://www.w3.org/2000/09/xmldsig#rsa-sha512>|
|
|
|Allow Unsolicited Authentication Response|Login with SSO currently **does not** support unsolicited (IdP-Initiated) SSO assertions. This checkbox is planned for future use.|
|
|
|Disable Outbound Logout Requests|Login with SSO currently **does not** support SLO. This option is planned for future use, however we strongly recommend pre-configuring this field.|
|
|
|Want Authentication Requests Signed|Check this checkbox if your IdP should expect SAML requests from Bitwarden to be signed.|
|
|
|
|
#### SAML Attributes & Claims
|
|
|
|
An **email address is required for account provisioning**, which can be passed as any of the attributes or claims in the below table.
|
|
|
|
A unique user identifier is also highly recommended. If absent, Email will be used in its place to link the user.
|
|
|
|
Attributes/Claims are listed in order of preference for matching, including Fallbacks where applicable:
|
|
|
|
|Value|Claim/Attribute|Fallback Claim/Attribute|
|
|
|-----|---------------|------------------------|
|
|
|Unique ID|NameID (when not Transient)<br>urn:oid:0.9.2342.19200300.100.1.1<br>Sub<br>UID<br>UPN<br>EPPN|
|
|
|Email|Email<br>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress<br>urn:oid:0.9.2342.19200300.100.1.3<br>Mail<br>EmailAddress|Preferred_Username<br>Urn:oid:0.9.2342.19200300.100.1.1<br>UID|
|
|
|Name|Name<br>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name<br>urn:oid:2.16.840.1.113730.3.1.241<br>urn:oid:2.5.4.3<br>DisplayName<br>CN|First Name + “ “ + Last Name (see below)|
|
|
|First Name|urn:oid:2.5.4.42<br>GivenName<br>FirstName<br>FN<br>FName<br>Nickname|
|
|
|Last Name|urn:oid:2.5.4.4<br>SN<br>Surname<br>LastName|
|