Bitwarden Password Manager and Bitwarden Secrets Manager are zero-knowledge and end-to-end encrypted, meaning that only the customer can ever access their encrypted data. This provides total security, and as a result, Bitwarden applications behave differently from other SSO-enabled business apps.
Logging in involves two processes, authentication and decryption, which run at the same time but independently of each other. When Bitwarden is set up with an identity provider (IdP), the IdP authenticates the user through SSO. The user's data is then decrypted separately with the account encryption key and made available to the user.
SSO with trusted devices provides a passwordless login experience for users on registered, trusted devices. All a user needs in order to access their encrypted data is to authenticate with their SSO provider. An encryption key used as part of the decryption process is securely stored on the device, so once the SSO service authenticates the user, the device is able to decrypt the data without additional user input. For more information read: About Trusted Devices
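The two separate processes described above, modelled as an added example that is not Bitwarden's own code: a stdlib-only Python toy in which the account key is wrapped under a key that never leaves the device, and the server releases that wrapped key only for a valid IdP assertion coming from a trusted device. The function names, the HMAC-based toy cipher, and the use of an HMAC in place of a signed SAML/OIDC assertion are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets
# Toy authenticated encryption (HMAC-SHA256 keystream + tag), stdlib only, standing in for a real AEAD.
def _stream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]
def wrap(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong device key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

# Constructed secrets: IdP signing key, the account encryption key, one encrypted vault item.
IDP_SECRET = secrets.token_bytes(32)
ACCOUNT_KEY = secrets.token_bytes(32)
VAULT = wrap(ACCOUNT_KEY, b"site=example.test user=alice pass=correct-horse")
TRUSTED = {}  # server side: (user, device_id) -> account key wrapped under that device's key

def idp_authenticate(user, credentials_ok):
    # Authentication process: an assertion only on success (HMAC here; a signed SAML/OIDC assertion in reality).
    return hmac.new(IDP_SECRET, user.encode(), hashlib.sha256).digest() if credentials_ok else None

def register_trusted_device(user, device_id, wrapped_account_key):
    # The device wraps the account key under its local device key and uploads only that blob.
    TRUSTED[(user, device_id)] = wrapped_account_key

def server_release_wrapped_key(user, device_id, assertion):
    # Server gate: a valid SSO assertion AND a trusted device, otherwise nothing is released.
    expected = hmac.new(IDP_SECRET, user.encode(), hashlib.sha256).digest()
    if assertion is None or not hmac.compare_digest(assertion, expected):
        raise PermissionError("SSO authentication failed")
    if (user, device_id) not in TRUSTED:
        raise PermissionError("device not trusted; approve it from another device or ask an admin")
    return TRUSTED[(user, device_id)]

def device_login(user, device_id, device_key, assertion):
    # Decryption process: only the device holding device_key can unwrap the account key and then the vault.
    account_key = unwrap(device_key, server_release_wrapped_key(user, device_id, assertion))
    return unwrap(account_key, VAULT)

def login_outcome(user, device_id, device_key, assertion):
    try:  # decrypted item on success, otherwise the reason the login was refused
        return device_login(user, device_id, device_key, assertion)
    except (PermissionError, ValueError) as exc:
        return f"denied: {exc}"
```

No Bitwarden password appears anywhere on this path: an IdP session alone (untrusted device) and a device key alone (no SSO assertion) both fail, which is the property the trusted-device design relies on.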
If your organization is already using the Login with SSO function with Bitwarden (the IdP authenticates, and users then enter their Bitwarden password), turning on SSO with trusted devices is as simple as selecting Trusted devices on the Single sign-on configuration window in Settings in the web app. If you have never enabled SSO before, you’ll need to set it up using the guides on the Bitwarden help center. A few enterprise policies must be enabled before setup. Detailed instructions are available here: Setup SSO with Trusted Devices.
With SSO with trusted devices, there is a workflow where it is possible for employees to create accounts without ever setting a Bitwarden password. This can be easier for onboarding purposes, but note that doing so limits account recovery options.
Once SSO with trusted devices has been turned on, all you need to do as a user is log into Bitwarden through SSO. You will be redirected to your SSO login, and once authenticated, the device you logged in from becomes your first trusted device. You can confirm other devices with the mobile app or desktop app, so it is recommended that you start with one of those two before the web app or browser extension. Otherwise, you can ask an admin to approve your device as trusted. More information for getting started is available here: Add a Trusted Device
Using Bitwarden with SSO extends the added control and protection to every item in your Bitwarden vault, which may include non-SSO-enabled applications. With SSO with trusted devices, users are able to access their vaults quickly, removing passwords and authentication as a barrier to productivity. If you’re looking to bring easy SSO integration to your business, visit bitwarden.com today to start a 7-day trial or reach out to the business sales team to discuss your needs!