Configure Login with SSO (OIDC)

Category: Login with SSO
On this page:

    This article will guide you through the steps required to configure Login with SSO for OpenID Connect (OIDC) authentication.


    Configuration will vary provider-to-provider. Refer to the following Provider Samples as you configure Login with SSO:

    Step 1: Enabling Login with SSO

    Complete the following steps to enable Login with SSO for OIDC authentication:

    1. In the Web Vault, navigate to your Organization and open the Settings tab.
    2. In the Identifier field, enter a unique identifier for your Organization:

      Enter an Identifier
      Enter an Identifier

      Don’t forget to Save your identifier. Users will be required to enter this Identifier upon login.

    3. Navigate to the Business Portal.

      Business Portal button
      Business Portal button
    4. Select the Single Sign-On button.
    5. Check the Enabled checkbox.
    6. From the Type dropdown menu, select the OpenID Connect option.

    After selecting OpenID Connect, this page will display a list of configuration fields you will need to configure.

    Keep this page on-hand, as you will need the values of Callback Path and Signed Out Callback Path to complete Step 2.

    Step 2: Configure Your IdP

    Before you can complete your configuration settings, you must configure your IdP to receive requests from and send responses to Bitwarden.

    When you’ve successfully set your IdP, return to the Bitwarden Business Portal to complete your OIDC configuration.

    Step 3: OpenID Connect Configuration

    Fields in this section should come from the configured values in Step 2: Configure your IdP.

    Required fields will be marked. Failing to provide a value for a required field will cause your configuration to be rejected.

    OpenID Connect Configuration screen
    OpenID Connect Configuration screen

    Callback Path

    The URL for Bitwarden authentication automatic redirect. This value will be automatically generated. For all Cloud-hosted instances, For self-hosted instances, domain is based on your configured Server URL.

    Signed Out Callback Path

    The URL for Bitwarden sign-out automatic redirect. This value will be automatically generated. For all Cloud-hosted instances, For self-hosted instances, domain is based on your configured Server URL.

    Authority (Required)

    Your Identity Provider URL or the Authority that Bitwarden will perform authentication against.

    Client ID (Required)

    The Client identifier used for Bitwarden, as configured in your Identity Provider.

    Client Secret (Required)

    May be required depending on your IdP’s configuration, needs, or requirements

    A secret used in conjunction with Client ID to exchange for an authentication token.

    Metadata Address (Required if Authority is not a valid URL)

    Identity Provider information which Bitwarden will perform authentication against (e.g. Okta Metadata URI).

    OIDC Redirect Behavior

    Method used by the IdP to respond to Bitwarden authentication requests. Options include:

    • Form POST
    • Redirect GET

    Get Claims From User Info Endpoint

    Check this checkbox if you receive URI Too Long (HTTP 414) errors, truncated URLs, or failures during SSO.

    OIDC Attributes & Claims

    An email address is required for account provisioning, which can be passed as any of the attributes or claims in the below table.

    A unique user identifier is also highly recommended. If absent, Email will be used in its place to link the user.

    Attributes/Claims are listed in order of preference for matching, including Fallbacks where applicable:

    Value Claim/Attribute Fallback Claim/Attribute
    Unique ID Configured Custom User ID Claims
    NameID (when not Transient)
    Email Configured Custom Email Claims
    Name Configured Custom Name Claims
    First Name + “ “ + Last Name (see below)
    First Name urn:oid:
    Last Name urn:oid: