Login with SSO FAQs
This article contains frequently asked questions (FAQs) regarding login with SSO.
For more high-level information about login with SSO, refer to about login with SSO
A: Login with SSO allows your employees to use your existing identity provider (IdP) to authenticate their identities. What makes login with SSO unique compared to other tools is that it retains our end-to-end zero knowledge encryption model. Nobody at Bitwarden should have access to your vault data and, importantly, neither should your identity provider.
That’s why the Bitwarden login with SSO offering decouples authentication and decryption. Your IdP can confirm that Alice is, in fact, Alice, but cannot and should not have the tools to decrypt Alice’s vault. Only Alice can have that tool and, conveniently, it’s her master password!
In practice, that means that anytime an employee logs in to Bitwarden using SSO, they will need to use their master password to decrypt their vault, protecting your businesses’ critical credentials and secrets.
Bitwarden offers two solutions for organizations that will allow approved organization members to access their Bitwarden account without using a master password:
SSO with trusted device Is a feature that allows organizations using login with SSO to create and store member device encryptions keys, eliminating the need to enter a master password. Learn more about SSO with trusted devices.
Organizations self-hosting Bitwarden can leverage Key Connector to serve decryption keys to Bitwarden clients instead of requiring users to decrypt vault data with their master passwords. Learn more here and here.
A: No, your master password will remain the same. Unless your organization is using Key Connector to self-host decryption keys, your master password must be used to decrypt vault data.
A: No. Login with SSO leverages your existing identity provider (IdP) to authenticate you into Bitwarden, however your master password and email must still be entered in order to decrypt your vault data unless your organization is using Key Connector to self-host decryption keys.
A: By default, yes, you can use your email address and master password to login to Bitwarden. However, if your organization enables both the single organization and Single sign-on authentication policies, or if your organization uses Key Connector, all non-administrator users will be required to login with SSO.
A: New users who select Log in → Enterprise SSO from the organization invite will be placed in the
Accepted status of their organization until they are confirmed by an administrator. When that user is assigned to a group manually or via Directory Connector, they will receive access to the appropriate shared items. JIT provisioning is recommended if your desired outcome is to have members without master passwords who can only used trusted devices.
A: If you manage your Bitwarden group and collection assignments directly within Bitwarden, there is no need to leverage the Directory Connector. However, if you would like to have groups and users automatically synchronized with your organizations directory, we recommend using login with SSO in conjunction with Directory Connector for the most complete solution.
A: Nope! If your organization is using domain verification you won't need to enter this identifier. Otherwise, bookmarking the Enterprise Single Sign-On page with your SSO identifier included as a query string will save you the trouble of entering it each time. For example:
https://vault.bitwarden.com/#/sso?identifier=your-org-idfor cloud-hosted instances
https://your.domain.com/#/sso?identifier=your-org-idfor self-hosted instances
A: Pre-generated SSO configuration values including SP Entity ID, SAML 2.0 Metadata URL, ACS URL, and Callback Path can be changed in self-hosted environments by changing the
url: value in
.bwdata/config.yml and running the
./bitwarden.sh rebuild command to apply your change.
A: Bitwarden login with SSO & master password only performs user authentication and does not decrypt user data. Adding SSO functionality does not introduce any further individually identifiable information into the Bitwarden database.
A: Only our current Enterprise plan offers this feature. For more information, see here.
Q: I would like to test login with SSO. If I decide I don't need it, can I revert to my Classic 2019 plan?
A: Unfortunately, we aren't able to revert you back to a Classic 2019 plan once you've upgraded. We recommend creating a new organization to start a 7 Day Enterprise Free Trial to test login with SSO outside of your primary organization.
A: Bitwarden supports OpenID Connect, but does not support OAuth at this time.
A: Yes! Login with SSO will work with self-hosted instances regardless of whether they are on-premises or in your own cloud, as long as your identity server is reachable from the instance.
A: Yes! Login with SSO only requires the ability to connect to your identity provider from your instance of Bitwarden. It can be used with cloud or on-premises identity providers, as well as cloud or self-hosted Bitwarden instances.
Q: If my identity provider is offline, can users user login with SSO to authenticate into Bitwarden?
A: If your identity provider is offline, users must log in using their email and master password. This may change in the future as we enable further authentication control mechanisms for organizations.