About Login with SSO
Login with SSO is the Bitwarden solution for single sign-on. Using login with SSO, Enterprise organizations can leverage their existing Identity Provider to authenticate users to Bitwarden using the SAML 2.0 or OpenID Connect (OIDC) protocols.
What makes login with SSO unique is that it retains our zero-knowledge encryption model. Nobody at Bitwarden has access to your vault data and, similarly, neither should your Identity Provider. That's why login with SSO decouples authentication and decryption. In all login with SSO implementations, your Identity Provider cannot and will not have access to the decryption key needed to decrypt vault data.
In most deployments that key is derived from the user's master password, for which the user alone is responsible; organizations that self-host Bitwarden can instead use Key Connector as an alternative to the master password for decrypting vault data.
Unless Key Connector is in use, login with SSO therefore does not replace the email and master password requirement for logging in. Your existing identity provider (IdP) authenticates you to Bitwarden, but your email and master password must still be entered to derive the key that decrypts your vault data.
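The trust split described above, as an added worked model that is not Bitwarden's code: a stand-in IdP issues an assertion, the server releases only ciphertext after verifying it, and the client derives the master key locally from the master password to unwrap the vault key. The HMAC-signed assertion stands in for SAML/OIDC signature verification, the HMAC-counter stream cipher stands in for AES, and the iteration count, emails and vault contents are constructed for the example.

```python
"""Toy model of login with SSO: the IdP authenticates, the master password decrypts.
Constructed example; the primitives below are stand-ins, not Bitwarden's implementation."""
import hashlib
import hmac
import json
import secrets

ITERATIONS = 100_000  # constructed value; production uses a far higher count


def derive_master_key(master_password: str, email: str) -> bytes:
    """PBKDF2-SHA256 over the master password, salted with the lowercase email."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based stream cipher (stand-in for AES)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key = hmac.new(key, b"enc", "sha256").digest()
    mac_key = hmac.new(key, b"mac", "sha256").digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Reverse of seal(); raises ValueError on a wrong key or a tampered blob."""
    enc_key = hmac.new(key, b"enc", "sha256").digest()
    mac_key = hmac.new(key, b"mac", "sha256").digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class IdentityProvider:
    """Stand-in SAML/OIDC IdP: knows the IdP credential, never the master password."""
    def __init__(self):
        self._signing_key = secrets.token_bytes(32)  # stands in for the IdP signing cert
        self._users = {}

    def register(self, email: str, idp_password: str):
        self._users[email] = idp_password

    def _sign(self, claims: dict) -> str:
        return hmac.new(self._signing_key, json.dumps(claims, sort_keys=True).encode(),
                        "sha256").hexdigest()

    def authenticate(self, email: str, idp_password: str) -> dict:
        if self._users.get(email) != idp_password:
            raise PermissionError("IdP rejected credentials")
        claims = {"sub": email}
        return {"claims": claims, "sig": self._sign(claims)}

    def verifier(self):
        """What the Bitwarden server would hold: a way to check assertion signatures."""
        return lambda a: hmac.compare_digest(a["sig"], self._sign(a["claims"]))


class BitwardenServer:
    """Stores only ciphertext: the vault key wrapped under the master key, and the vault."""
    def __init__(self, verify_assertion):
        self._verify = verify_assertion
        self._records = {}

    def store(self, email: str, protected_key: bytes, encrypted_vault: bytes):
        self._records[email] = (protected_key, encrypted_vault)

    def fetch(self, email: str, assertion: dict):
        if not self._verify(assertion) or assertion["claims"]["sub"] != email:
            raise PermissionError("assertion rejected")
        return self._records[email]


def client_enroll(server: BitwardenServer, email: str, master_password: str, vault: dict):
    """Client side: keys are generated and wrapped locally; the server sees ciphertext only."""
    vault_key = secrets.token_bytes(32)
    protected_key = seal(derive_master_key(master_password, email), vault_key)
    server.store(email, protected_key, seal(vault_key, json.dumps(vault).encode()))


def client_login_with_sso(idp, server, email, idp_password, master_password) -> dict:
    assertion = idp.authenticate(email, idp_password)          # step 1: IdP authenticates
    protected_key, encrypted_vault = server.fetch(email, assertion)
    vault_key = unseal(derive_master_key(master_password, email), protected_key)  # step 2: local decryption
    return json.loads(unseal(vault_key, encrypted_vault))


def demo():
    """Constructed tenant: one user enrolled at the IdP and in Bitwarden."""
    idp = IdentityProvider()
    idp.register("alice@example.com", "idp-pass")
    server = BitwardenServer(idp.verifier())
    client_enroll(server, "alice@example.com", "correct horse battery staple", {"github": "hunter2"})
    return idp, server
```

A valid IdP assertion with the wrong master password yields a `ValueError` from `unseal`, not vault data: the IdP credential alone never reaches the decryption key. Conversely, a rejected or tampered assertion stops the flow before any ciphertext leaves the server.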
Login with SSO is a flexible solution that can fit your enterprise's needs. Login with SSO includes:
An enterprise policy to optionally require non-owner/non-admin users to log in to Bitwarden with single sign-on.
Two distinct member decryption options for safe data access workflows.
"Just-in-time" end-user onboarding via SSO.
Login with SSO is available to all customers with an Enterprise organization. If you are new to Bitwarden, we would love to help you set up an account and start your seven-day free trial Enterprise organization through our dedicated signup page.
Once you have an Enterprise organization, deployment should include the following steps:
Test the end-user login with SSO experience using master password decryption.
Educate your organization members on how to use login with SSO.