ADFS OIDC Implementation
This article contains Active Directory Federation Services (AD FS)-specific help for configuring login with SSO via OpenID Connect (OIDC). For help configuring login with SSO for another OIDC IdP, or for configuring AD FS via SAML 2.0, see OIDC Configuration or ADFS SAML Implementation.
Configuration involves working simultaneously within the Bitwarden web vault and the AD FS Server Manager. As you proceed, we recommend having both readily available and completing steps in the order they are documented.
Open SSO in the web vault
Navigate to your organization's Manage → Single Sign-On screen:
You don't need to edit anything on this screen yet, but keep it open for easy reference.
If you are self-hosting Bitwarden, you can use alternative Member Decryption Options. This feature is disabled by default, so continue with Master Password decryption for now and learn how to get started using Key Connector once your configuration is complete and successfully working.
Create an application group
In Server Manager, navigate to AD FS Management and create a new application group:
In the console tree, select Application Groups and choose Add Application Group from the Actions list.
On the Welcome screen of the wizard, choose the Server application accessing a web API template.
On the Server application screen:
Give the server Application a Name.
Take note of the Client Identifier. You will need this value in a subsequent step.
Specify a Redirect URI. For cloud-hosted customers, this is always
https://sso.bitwarden.com/oidc-signin. For self-hosted instances, this is determined by your configured Server URL, for example
On the Configure Application Credentials screen, take note of the Client Secret. You will need this value in a subsequent step.
On the Configure Web API screen:
Give the Web API a Name.
Add the Client Identifier and Redirect URI (see step 2B. & C.) to the Identifier list.
On the Apply Access Control Policy screen, set an appropriate Access Control Policy for the Application Group.
On the Configure application permissions screen, permit the scopes
Finish the Add Application Group Wizard.
Add a transform claim rule
In Server Manager, navigate to AD FS Management and edit the created application group:
In the console tree, select Application Groups.
In the Application Groups list, right-click the created application group and select Properties.
In the Applications section, choose the Web API and select Edit... .
Navigate to the Issuance Transform Rules tab and select the Add Rule... button.
On the Choose Rule Type screen, select Send LDAP Attributes as Claims.
On the Configure Claim Rule screen:
Give the rule a Claim rule name.
From the LDAP Attribute dropdown, select E-Mail-Addresses.
From the Outgoing Claim Type dropdown, select E-Mail Address.
Back to the web vault
At this point, you have configured everything you need within the contest of the AD FS Server Manager. Return to the Bitwarden web vault to configure the following fields:
|Authority||Enter the hostname of your AD FS Server with
|Client ID||Enter the retreived Client ID.|
|Client Secret||Enter ther retrieved Client Secret.|
|Metadata Address||Enter the specified Authority value with
|OIDC Redirect Behavior||Select Redirect GET.|
|Get claims from user info endpoint||Enable this option if you receive URL too long errors (HTTP 414), truncated URLS, and/or failures during SSO.|
|Custom Scopes||Define custom scopes to be added to the request (comma-delimited).|
|Customer User ID Claim Types||Define custom claim type keys for user identification (comma-delimited). When defined, custom claim types are searched for before falling back on standard types.|
|Email Claim Types||Define custom claim type keys for users' email addresses (comma-delimited). When defined, custom claim types are searched for before falling back on standard types.|
|Custom Name Claim Types||Define custom claim type keys for users' full names or display names (comma-delimited). When defined, custom claim types are searched for before falling back on standard types.|
|Requested Authentication Context Class References values||Define Authentication Context Class Reference identifiers (
|Expected "acr" Claim Value In Response||Define the
When you are done configuring these fields, Save your work.
You can require users to log in with SSO by activating the single sign-on authentication policy. Please note, this will require activating the single organization policy as well. Learn more.
Test the configuration
Once your configuration is complete, test it by navigating to https://vault.bitwarden.com or your self-hosted domain and selecting the Enterprise Single Sign-On button:
Enter the configured Organization ID and select Log In. If your implementation is successfully configured, you'll be redirected to the AD FS SSO login screen. After you authenticate with your AD FS credentials, enter your Bitwarden master password to decrypt your vault!