System for cross-domain identity management (SCIM) can be used to automatically provision members and groups in your Bitwarden organization.
Bitwarden servers provide a SCIM endpoint that, with a valid SCIM API Key, will accept requests from your identity provider (IdP) for user and group provisioning and de-provisioning.
SCIM Integrations are available for Enterprise organizations. Teams organizations, or customers not using a SCIM-compatible identity provider, may consider using Directory Connector as an alternative means of provisioning.
Bitwarden supports SCIM v2 using standard attribute mappings and offers official SCIM integrations for:
To set up SCIM, your IdP will need a SCIM URL and API key to make authorized requests to the Bitwarden server. These values are available from your organization's Settings → SCIM provisioning page:
Bitwarden uses the standard SCIM v2 attribute names listed here; each IdP may use alternate names for these attributes, which are mapped to the Bitwarden attributes during provisioning.
For each user, Bitwarden will use the following attributes:
An indication that the user is
ª Because SCIM allows users to have multiple email addresses expressed as an array of objects, Bitwarden will use the value of the object which contains
For each group, Bitwarden will use the following attributes:
members is an array of objects, each object representing a user in that group.
Once users are provisioned in Bitwarden using SCIM, you can temporarily revoke their access to your organization and its vault items. When a user is temporarily suspended/de-activated in your IdP, their access to your organization will automatically be revoked.
Only owners can revoke and restore access to other owners.
Users with revoked access are listed in the Revoked tab of the organization's Members screen and will:
Not have access to any organization vault items or collections.
Not be subject to your organization's policies.
Not occupy a license seat.
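The attribute tables above and the revocation behavior just described can be seen together in a small parser for the SCIM v2 User and Group resources an IdP sends. This is an added example, not Bitwarden's code: the payloads are constructed, the member `value` strings are assumed to be the service-provider-assigned SCIM ids, and since the footnote on the `emails` array is cut off on this page, the selection of the entry flagged `"primary": true` follows the SCIM core schema (RFC 7643) and is an assumption about Bitwarden's behavior rather than something the page states.

```python
"""Added example (not Bitwarden's code): parse SCIM v2 User and Group
resources and derive the provisioning actions a service provider takes.
Sample payloads are constructed; picking the "primary": true email entry
follows RFC 7643 and is an assumption, not a statement from the page."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"


@dataclass
class ProvisionedUser:
    external_id: Optional[str]
    user_name: str
    display_name: str
    email: Optional[str]
    active: bool


def primary_email(emails: List[dict]) -> Optional[str]:
    """Select one address from the multi-valued SCIM 'emails' attribute.

    RFC 7643 allows at most one entry flagged "primary": true; using that flag
    is an assumption here. Fall back to the first entry with a value so a
    payload that omits the flag still yields an address.
    """
    for entry in emails:
        if entry.get("primary") is True and entry.get("value"):
            return entry["value"]
    for entry in emails:
        if entry.get("value"):
            return entry["value"]
    return None


def parse_user(resource: dict) -> ProvisionedUser:
    """Validate a SCIM 2.0 User resource and map the attributes the page lists."""
    if SCIM_USER_SCHEMA not in resource.get("schemas", []):
        raise ValueError("not a SCIM 2.0 User resource")
    if not resource.get("userName"):
        raise ValueError("userName is required")
    return ProvisionedUser(
        external_id=resource.get("externalId"),
        user_name=resource["userName"],
        display_name=resource.get("displayName") or resource["userName"],
        email=primary_email(resource.get("emails", [])),
        # A missing 'active' is treated as active; an explicit false means the
        # IdP suspended the user, which the page says revokes their access.
        active=bool(resource.get("active", True)),
    )


def parse_group(resource: dict) -> Dict[str, List[str]]:
    """Return {displayName: [member ids]} from a SCIM 2.0 Group resource.

    Each object in 'members' represents one user; its 'value' is assumed to be
    the SCIM id the service provider assigned when the user was created.
    """
    if SCIM_GROUP_SCHEMA not in resource.get("schemas", []):
        raise ValueError("not a SCIM 2.0 Group resource")
    members = [m["value"] for m in resource.get("members", []) if m.get("value")]
    return {resource["displayName"]: members}


def access_state(user: ProvisionedUser) -> str:
    """Map the IdP's 'active' flag to the organization-side access state."""
    return "active" if user.active else "revoked"


# Constructed sample payloads in the shape an IdP sends; not captured traffic.
SAMPLE_USERS = [json.loads(s) for s in (
    '{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],'
    '"externalId":"ext-1001","userName":"alice@example.com",'
    '"displayName":"Alice Example","active":true,'
    '"emails":[{"value":"alice.old@example.com","type":"home"},'
    '{"value":"alice@example.com","type":"work","primary":true}]}',
    '{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],'
    '"externalId":"ext-1002","userName":"bob@example.com",'
    '"displayName":"Bob Example","active":false,'
    '"emails":[{"value":"bob@example.com","type":"work"}]}',
)]
SAMPLE_GROUP = json.loads(
    '{"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],'
    '"externalId":"grp-7","displayName":"Engineering",'
    '"members":[{"value":"usr-1001"},{"value":"usr-1002"}]}'
)


def provisioning_plan(users: List[dict], group: dict) -> dict:
    """Summarise what a SCIM service provider would do with these resources."""
    parsed = [parse_user(u) for u in users]
    return {
        "access": {u.user_name: access_state(u) for u in parsed},
        "emails": {u.user_name: u.email for u in parsed},
        "groups": parse_group(group),
    }


if __name__ == "__main__":
    print(json.dumps(provisioning_plan(SAMPLE_USERS, SAMPLE_GROUP), indent=2))
```

Running the block shows the first user kept active with the primary address chosen over the first entry in the array, and the second user moved to the revoked state purely because the IdP sent `"active": false`, which is the automatic revocation the page describes.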
For those accounts that do not have master passwords as a result of SSO with trusted devices, removing them from your organization or revoking their access will cut off all access to their Bitwarden account unless:
You assign them a master password using account recovery beforehand.
The user logs in at least once post-account recovery in order to fully complete the account recovery workflow.
Your organization will capture event logs for actions taken by SCIM integrations, including inviting users and removing users, as well as creating or deleting groups. SCIM-derived events will register SCIM in the Member column.
Organizations with users and groups that were onboarded before activating SCIM, either manually or using Directory Connector, should note the following:
If you are using Directory Connector, make sure to turn syncing off before activating SCIM.