SAML 2.0 Configuration

Key Terms and Definitions

  • SP - Service Provider; in this configuration, your Bitwarden instance.

  • IdP - Identity Provider; your identity server, provider, or federated identity service.

  • Name ID - A value provided by the IdP that identifies the subject (the user) of the assertion. A Name ID may be transient (different on every login) or persistent (the same on every login).

  • Authn Request - A request created by the SP and sent to the IdP to initiate authentication.

  • Assertion - The IdP's response to the Authn Request, sent to the SP, containing any number of claims and attributes for the SP to use.

  • Entity ID - A unique identifier for each party, commonly a URL, and commonly equal to the base URI of the SP's or IdP's service endpoints (but not necessarily; it can be any string).

  • Signing - A digital signature created with a party's private signing key (the key belonging to its signing certificate) and verified by the relying party using the public key from that certificate.

Note

Login with SSO currently does not support unsolicited SSO assertions (IdP-initiated login).

SAML Service Provider Configuration

SP Entity ID

The Bitwarden Login with SSO endpoint, generated automatically from the Bitwarden instance URL: the instance URL followed by /sso/saml/, for example https://bitwarden.yourdomain.com/sso/saml/

SP ACS URL

The SP ACS (Assertion Consumer Service) URL is your SP Entity ID with Acs appended; it is generated automatically.

For example:

  • Cloud Instances: https://sso.bitwarden.com/saml/Acs
  • Self-hosted Instances: https://bitwarden.yourdomain.com/sso/saml/Acs

SSO URL or Login URL

If your IdP supports a Login URL for the SSO application, use the URL of your Bitwarden web vault followed by /#/sso

For example:

  • Cloud Instances: https://vault.bitwarden.com/#/sso
  • Self-hosted Instances: https://bitwarden.yourdomain.com/#/sso

Name ID Format

Options:

  • Unspecified (default)
  • Email Address
  • X.509 Subject Name
  • Windows Domain Qualified Name
  • Kerberos Principal Name
  • Entity Identifier
  • Persistent
  • Transient

Outbound Signing Algorithm

Options:

Signing Behavior

Options:

  • If IdP Wants Authn Requests Signed (default)
  • Always
  • Never

Other Service Provider Options

  • Want Assertions Signed (Boolean) - require that assertions sent by the IdP carry a signature.
  • Validate Certificates (Boolean) - check this only when your IdP uses a valid certificate issued by a trusted CA. Self-signed certificates may fail validation unless the trust chain is configured inside the Bitwarden SSO Docker image, which is outside the scope of this article.

SAML Identity Provider Configuration

Entity ID (Required)

The Entity ID of your identity server or IdP, exactly as configured in your identity provider service (commonly a URL).

Binding Type

Options:

  • HttpRedirect
  • HttpPost (recommended)
  • Artifact

Single Sign-On Service URL

Required if the IdP Entity ID is not a URL.

Single Log Out Service URL

The URL for SLO messages. Single Log Out is not yet available in Bitwarden, but you can preconfigure this URL.

Artifact Resolution Service URL

Required if Binding type = Artifact

X509 Public Certificate

Paste only the Base-64 encoded body of the IdP's X.509 signing certificate. Do not include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines or any other part of the CER/PEM file. Bitwarden uses this certificate to verify the signatures on messages sent by the IdP.

Required if Signing Behavior is not Never.

Warning

Any extra spaces, line breaks, or carriage returns inside this field will cause certificate validation to fail. Copy only the certificate data into this field.
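As an added example (not part of the Bitwarden documentation or product), the following Python converts a CER/PEM file into the single-line Base-64 body this field expects and reports the pasting mistakes the warning above describes: header lines, stray whitespace or carriage returns, and data that is not Base-64 or not a DER-encoded certificate. The sample certificate is a constructed DER stand-in, not a real X.509 certificate; the checks look only at the outer DER SEQUENCE, which has the same shape for both.

```python
from __future__ import annotations

import base64
import binascii
import re
import textwrap

# Constructed stand-in for an IdP signing certificate: a DER SEQUENCE (tag 0x30,
# long-form length) wrapping fifty small INTEGERs. It is NOT a real X.509
# certificate, but it has the outer shape the checks below look at, so the
# example runs offline without a CA or the cryptography package.
_INNER = b"\x02\x01\x05" * 50                          # 150 bytes of content
SAMPLE_DER = b"\x30\x81" + bytes([len(_INNER)]) + _INNER
SAMPLE_BODY = base64.b64encode(SAMPLE_DER).decode()    # what the field wants
SAMPLE_PEM = (                                         # what a CER/PEM file looks like
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(textwrap.wrap(SAMPLE_BODY, 64))
    + "\n-----END CERTIFICATE-----\n"
)

_PEM_MARKER = re.compile(r"-----(BEGIN|END) [A-Z ]+-----")


def der_outer_length(der: bytes) -> tuple[int, int]:
    """Return (declared content length, header length) of the outer DER SEQUENCE.

    A certificate is a SEQUENCE (tag 0x30). Its length byte is either short form
    (< 0x80) or long form (0x80 | n, followed by n big-endian length bytes).
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (first byte is not 0x30)")
    first = der[1]
    if first < 0x80:
        return first, 2
    n = first & 0x7F
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return int.from_bytes(der[2:2 + n], "big"), 2 + n


def check_pasted_value(value: str) -> list[str]:
    """Report everything that would make the certificate field reject this value."""
    problems: list[str] = []
    if _PEM_MARKER.search(value):
        problems.append("contains BEGIN/END CERTIFICATE lines")
    if re.search(r"\s", value):
        problems.append("contains whitespace (spaces, line breaks or carriage returns)")
    stripped = re.sub(r"\s+", "", _PEM_MARKER.sub("", value))
    try:
        der = base64.b64decode(stripped, validate=True)   # strict alphabet and padding
    except (binascii.Error, ValueError):
        problems.append("not valid Base-64")
        return problems
    try:
        length, header = der_outer_length(der)
    except ValueError as exc:
        problems.append(str(exc))
        return problems
    if header + length != len(der):
        problems.append(f"DER length mismatch: header says {length} bytes, "
                        f"got {len(der) - header} (truncated or extra data?)")
    return problems


def pem_to_saml_cert_body(pem: str) -> str:
    """Turn a CER/PEM certificate into the single-line Base-64 body for the field."""
    lines = [ln for ln in pem.splitlines() if not _PEM_MARKER.match(ln.strip())]
    body = re.sub(r"\s+", "", "".join(lines))
    problems = check_pasted_value(body)
    if problems:
        raise ValueError("; ".join(problems))
    return body


if __name__ == "__main__":
    print(pem_to_saml_cert_body(SAMPLE_PEM))
    print(check_pasted_value(SAMPLE_PEM))   # what happens if you paste the whole file
```

Run the file to see the cleaned body and the problem list for a whole-file paste; feed `pem_to_saml_cert_body` the contents of the certificate your IdP exported, and paste its return value into the field.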

Outbound Signing Algorithm

Options:

Other Identity Provider Options

  • Allow Unsolicited Authentication Response (Boolean)
  • Disable Outbound Logout Requests (Boolean)
  • Want Authentication Requests Signed (Boolean)
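To make the key terms at the top of this page concrete, and to show what Allow Unsolicited Authentication Response actually permits, here is an added Python example (not Bitwarden code) of the exchange: the SP builds an Authn Request, the IdP answers with a Response carrying an Assertion, and the SP checks InResponseTo against its outstanding request IDs, Destination and Recipient against its ACS URL, Audience against its SP Entity ID, and the validity window. The SP URLs are the self-hosted examples from this page; the IdP Entity ID, IdP SSO URL, fixed clock and Name ID values are assumptions. Signature verification, the part the X509 Public Certificate field serves, is deliberately omitted; a real SP verifies the signature before any of these checks.

```python
from __future__ import annotations

import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)

# SP values follow the page's self-hosted example; IdP values are assumptions.
SP_ENTITY_ID = "https://bitwarden.yourdomain.com/sso/saml/"
SP_ACS_URL = SP_ENTITY_ID + "Acs"
IDP_ENTITY_ID = "https://idp.example.com/saml2"       # assumed
IDP_SSO_URL = "https://idp.example.com/saml2/sso"     # assumed
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
DEMO_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for the demo


def q(prefix: str, name: str) -> str:
    return f"{{{NS[prefix]}}}{name}"

def iso(t: datetime) -> str:
    return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_time(value: str | None) -> datetime:
    # A missing timestamp is treated as already expired.
    if value is None:
        return datetime.min.replace(tzinfo=timezone.utc)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_authn_request(request_id: str, issued: datetime) -> str:
    """SP side: the AuthnRequest sent to the IdP SSO URL (unsigned in this example)."""
    req = ET.Element(q("samlp", "AuthnRequest"), {
        "ID": request_id, "Version": "2.0", "IssueInstant": iso(issued),
        "Destination": IDP_SSO_URL, "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(req, q("saml", "Issuer")).text = SP_ENTITY_ID
    ET.SubElement(req, q("samlp", "NameIDPolicy"), {"Format": NAMEID_PERSISTENT})
    return ET.tostring(req, encoding="unicode")

def build_response(name_id: str, in_response_to: str | None, issued: datetime) -> str:
    """IdP side: a Response with one bearer Assertion (unsigned in this example).
    in_response_to=None models an unsolicited, IdP-initiated response."""
    link = {} if in_response_to is None else {"InResponseTo": in_response_to}
    expiry = iso(issued + timedelta(minutes=5))
    resp = ET.Element(q("samlp", "Response"), {"ID": "_" + secrets.token_hex(16),
        "Version": "2.0", "IssueInstant": iso(issued), "Destination": SP_ACS_URL, **link})
    ET.SubElement(resp, q("saml", "Issuer")).text = IDP_ENTITY_ID
    st = ET.SubElement(resp, q("samlp", "Status"))
    ET.SubElement(st, q("samlp", "StatusCode"), {"Value": SUCCESS})
    a = ET.SubElement(resp, q("saml", "Assertion"), {"ID": "_" + secrets.token_hex(16),
                      "Version": "2.0", "IssueInstant": iso(issued)})
    ET.SubElement(a, q("saml", "Issuer")).text = IDP_ENTITY_ID
    subj = ET.SubElement(a, q("saml", "Subject"))
    ET.SubElement(subj, q("saml", "NameID"), {"Format": NAMEID_PERSISTENT}).text = name_id
    sc = ET.SubElement(subj, q("saml", "SubjectConfirmation"),
                       {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(sc, q("saml", "SubjectConfirmationData"),
                  {"Recipient": SP_ACS_URL, "NotOnOrAfter": expiry, **link})
    cond = ET.SubElement(a, q("saml", "Conditions"), {"NotOnOrAfter": expiry})
    ar = ET.SubElement(cond, q("saml", "AudienceRestriction"))
    ET.SubElement(ar, q("saml", "Audience")).text = SP_ENTITY_ID
    return ET.tostring(resp, encoding="unicode")

def validate_response(xml_text: str, outstanding: set[str], now: datetime,
                      allow_unsolicited: bool = False) -> tuple[str | None, list[str]]:
    """SP side. A real SP first verifies the XML signature against the IdP's X509
    certificate; that step is omitted here. Returns (name_id, errors)."""
    errors: list[str] = []
    resp = ET.fromstring(xml_text)
    if resp.get("Destination") != SP_ACS_URL:
        errors.append("Destination is not our ACS URL")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        errors.append("status is not Success")
    irt = resp.get("InResponseTo")
    if irt is None and not allow_unsolicited:
        errors.append("unsolicited (IdP-initiated) response rejected")
    elif irt is not None and irt not in outstanding:
        errors.append("InResponseTo matches no outstanding AuthnRequest (replay?)")
    else:
        outstanding.discard(irt)          # each request accepts exactly one response
    a = resp.find("saml:Assertion", NS)
    if a is None:
        return None, errors + ["no Assertion in response"]
    issuers = {resp.findtext("saml:Issuer", namespaces=NS), a.findtext("saml:Issuer", namespaces=NS)}
    if issuers != {IDP_ENTITY_ID}:
        errors.append("issuer is not the configured IdP Entity ID")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != irt:
        errors.append("SubjectConfirmationData not bound to our ACS URL and request")
    elif parse_time(scd.get("NotOnOrAfter")) <= now:
        errors.append("SubjectConfirmationData expired")
    cond = a.find("saml:Conditions", NS)
    if cond is None or parse_time(cond.get("NotOnOrAfter")) <= now:
        errors.append("assertion expired or has no Conditions")
    if cond is None or cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        errors.append("Audience is not our SP Entity ID")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        errors.append("no NameID in Subject")
    return (name_id if not errors else None), errors
```

With the default `allow_unsolicited=False` a Response without InResponseTo is refused, which is the behaviour the note near the top of this page describes; flipping the flag is what the Allow Unsolicited Authentication Response option corresponds to. Consuming the request ID on success also means a captured Response cannot be posted to the ACS URL a second time.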
