help/_articles/login-with-sso/configure-sso-oidc.md

layout, title, categories, featured, popular, tags, order

layout	title	categories	featured	popular	tags	order
article	OIDC Configuration	login-with-sso	false	false	sso oidc openid idp identity	03

Step 1: Set an Organization Identifier

Users who authenticate their identity using SSO will be required to enter an Organization Identifier that indicates the Organization (and therefore, the SSO integration) to authenticate against. To set a unique Organization Identifier:

1. Log in to your Web Vault and open your Organization.

2. Open the Settings tab and enter a unique Identifier for your Organization.

   {% image sso/org-id.png Enter an Identifier %}

3. Save your changes before exiting this page.

{% callout success %} You'll need to share this value with users once the configuration is ready to be used. {% endcallout %}

Step 2: Enable Login with SSO

Once you have your Organization Identifier, you can proceed to enabling and configuring your integration. To enable Login with SSO:

1. From the Organization Vault, navigate to the Manage tab and select Single Sign-On from the left-hand menu:

   {% image sso/manage-sso.png Enable SSO %}

2. On the Single Sign-On Screen, check the Enabled checkbox.

3. From the Type dropdown menu, select the OpenID Connect option. If you intend to use SAML instead, switch over the the SAML Configuration Guide.

Step 3: Configuration

From this point on, implementation will vary provider-to-provider. Jump to one of our specific Implementation Guides for help completing the configuration process:

Provider	Guide
Azure	Azure Implementation Guide
Okta	Okta Implementation Guide

Configuration Reference Materials

The following sections will define fields configured on the Single Sign-On configuration screen, agnostic of which IdP you're integration with. Fields that must be configured will be marked (Required).

{% callout success %} Unless you're comfortable with OpenID Connect, we recommend using one of the above Implementation Guides instead of the following generic material. {% endcallout %}

Field	Description
Callback Path	(Automatically generated) The URL for authentication automatic redirect. For Cloud-hosted customers, this is always https://sso.bitwarden.com/oidc-signin. For self-hosted instances, this is determined by your configured server URL, for example https://your.domain.com/sso/oidc-signin.
Signed Out Callback Path	(Automatically generated) The URL for sign-out automatic redirect. For Cloud-hosted customers, this is always https://sso.bitwarden.com/oidc-signedout. For self-hosted instances, this is determined by your configured server URL, for example https://your.domain.com/sso/oidc-signedout.
Authority	(Required) The URL of your Authorization Server ("Authority"), which Bitwarden will perform authentication against. For example, https://your.domain.okta.com/oauth2/default or https://login.microsoft.com/<TENANT_ID>/v2.0.
Client ID	(Required) An identifier for the OIDC Client. This value is typically specific to a constructed IdP App Integration, for example an Azure App Registration or Okta Web App.
Client Secret	(Required) The client secret used in conjunction with the Client ID to exchange for an access token. This value is typically specific to a constructed IdP App Integration, for example an Azure App Registration or Okta Web App.
Metadata Address	(Required if Authority is not valid) A Metadata URL where Bitwarden can access Authorization Server metadata as a JSON object. For example, https://your.domain.okta.com/oauth2/default/.well-known/oauth-authorization-server.
OIDC Redirect Behavior	(Required) Method used by the IdP to response to authentication requests from Bitwarden. Options include Form POST and Redirect GET.
Get Claims From User Info Endpoint	Enable this option if you receive URL too long errors (HTTP 414), truncated URLS, and/or failures during SSO.
Additional/Custom Scopes	Define custom scopes to be added to the request (comma-delimited).
Additional/Custom User ID Claim Types	Define custom claim type keys for user identification (comma-delimited). When defined, custom claim types are searched for before falling back on standard types.
Additional/Custom Email Claim Types	Define custom claim type keys for users' email addresses (comma-delimited). When defined, custom claim types are searched for before falling back on standard types.
Additional/Custom Name Claim Types	Define custom claim type keys for users' full names or display names (comma-delimited). When defined, custom claim types are searched for before falling back on standard types.
Requested Authentication Context Class Reference values	Define Authentication Context Class Reference identifiers (acr_values) (space-delimited). List acr_values in preference-order.
Expected "acr" Claim Value in Response	Define the acr Claim Value for Bitwarden to expect and validate in the response.

OIDC Attributes & Claims

An email address is required for account provisioning, which can be passed as any of the attributes or claims in the below table.

A unique user identifier is also highly recommended. If absent, Email will be used in its place to link the user.

Attributes/Claims are listed in order of preference for matching, including Fallbacks where applicable:

Value	Claim/Attribute	Fallback Claim/Attribute
Unique ID	Configured Custom User ID Claims NameID (when not Transient) urn:oid:0.9.2342.19200300.100.1.1 Sub UID UPN EPPN
Email	Configured Custom Email Claims Email http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress urn:oid:0.9.2342.19200300.100.1.3 Mail EmailAddress	Preferred_Username Urn:oid:0.9.2342.19200300.100.1.1 UID
Name	Configured Custom Name Claims Name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name urn:oid:2.16.840.1.113730.3.1.241 urn:oid:2.5.4.3 DisplayName CN	First Name + “ “ + Last Name (see below)
First Name	urn:oid:2.5.4.42 GivenName FirstName FN FName Nickname
Last Name	urn:oid:2.5.4.4 SN Surname LastName