Configure Login with SSO (OIDC)
This article will guide you through the steps required to configure Login with SSO for OpenID Connect (OIDC) authentication.
Configuration will vary provider-to-provider. Refer to the following Provider Samples as you configure Login with SSO:
Step 1: Enabling Login with SSO
Complete the following steps to enable Login with SSO for OIDC authentication:
- In the Web Vault, navigate to your Organization and open the Settings tab.
In the Identifier field, enter a unique identifier for your Organization:
Don’t forget to Save your identifier. Users will be required to enter this Identifier upon login.
Navigate to the Business Portal.
- Select the Single Sign-On button.
- Check the Enabled checkbox.
- From the Type dropdown menu, select the OpenID Connect option.
After selecting OpenID Connect, this page will display a list of configuration fields you will need to configure.
Keep this page on-hand, as you will need the values of Callback Path and Signed Out Callback Path to complete Step 2.
Step 2: Configure Your IdP
Before you can complete your configuration settings, you must configure your IdP to receive requests from and send responses to Bitwarden.
When you’ve successfully set your IdP, return to the Bitwarden Business Portal to complete your OIDC configuration.
Step 3: OpenID Connect Configuration
Fields in this section should come from the configured values in Step 2: Configure your IdP.
Required fields will be marked. Failing to provide a value for a required field will cause your configuration to be rejected.
The URL for Bitwarden authentication automatic redirect. This value will be automatically generated. For all Cloud-hosted instances,
https://sso.bitwarden.com/oidc-signin. For self-hosted instances, domain is based on your configured Server URL.
Signed Out Callback Path
The URL for Bitwarden sign-out automatic redirect. This value will be automatically generated. For all Cloud-hosted instances,
https://sso.bitwarden.com/oidc-signedout. For self-hosted instances, domain is based on your configured Server URL.
Your Identity Provider URL or the Authority that Bitwarden will perform authentication against.
Client ID (Required)
The Client identifier used for Bitwarden, as configured in your Identity Provider.
Client Secret (Required)
May be required depending on your IdP’s configuration, needs, or requirements
A secret used in conjunction with Client ID to exchange for an authentication token.
Metadata Address (Required if Authority is not a valid URL)
Identity Provider information which Bitwarden will perform authentication against (e.g. Okta Metadata URI).
OIDC Redirect Behavior
Method used by the IdP to respond to Bitwarden authentication requests. Options include:
- Form POST
- Redirect GET
Get Claims From User Info Endpoint
Check this checkbox if you receive
URI Too Long (HTTP 414) errors, truncated URLs, or failures during SSO.
OIDC Attributes & Claims
An email address is required for account provisioning, which can be passed as any of the attributes or claims in the below table.
A unique user identifier is also highly recommended. If absent, Email will be used in its place to link the user.
Attributes/Claims are listed in order of preference for matching, including Fallbacks where applicable:
|Unique ID||Configured Custom User ID Claims
NameID (when not Transient)
|Configured Custom Email Claims
|Name||Configured Custom Name Claims
|First Name + “ “ + Last Name (see below)|