Users who authenticate their identity using SSO will be required to enter an SSO identifier that indicates the organization (and therefore, the SSO integration) to authenticate against. To set a unique organization identifier:
Log in to your web vault and open your organization.
Open the Settings tab, select Single sign-on, and enter a unique SSO identifier for your organization:
Save your changes before exiting this page.
You will need to share this value with users once the configuration is ready to be used.
Once you have your SSO identifier, you can proceed to enabling and configuring your integration. To enable login with SSO:
From the organization vault, navigate to the Settings tab and select Single sign-on from the left-hand menu:
On the Single sign-on screen, check the Allow SSO authentication checkbox.
From the Type dropdown menu, select the OpenID Connect option. If you intend to use SAML instead, switch over the the SAML Configuration guide.
If you are self-hosting Bitwarden, you can use alternative Member Decryption Options. This feature is disabled by default, so continue with master password decryption for now and learn how to get started using Key Connector once your configuration is complete and successfully working.
From this point on, implementation will vary provider-to-provider. Jump to one of our specific implementation guides for help completing the configuration process:
The following sections will define fields available during single sign-on configuration, agnostic of which IdP you are integration with. Fields that must be configured will be marked (required).
Unless you are comfortable with OpenID Connect, we recommend using one of the above implementation guides instead of the following generic material.
(Automatically generated) The URL for authentication automatic redirect. For cloud-hosted customers, this is always
Signed Out Callback Path
(Automatically generated) The URL for sign-out automatic redirect. For cloud-hosted customers, this is always
(Required) The URL of your authorization server ("Authority"), which Bitwarden will perform authentication against. For example,
(Required) An identifier for the OIDC client. This value is typically specific to a constructed IdP app integration, for example an Azure app registration or Okta web app.
(Required) The client secret used in conjunction with the client ID to exchange for an access token. This value is typically specific to a constructed IdP app integration, for example an Azure app registration or Okta Web App.
(Required if Authority is not valid) A Metadata URL where Bitwarden can access authorization server metadata as a JSON object. For example,
OIDC Redirect Behavior
(Required) Method used by the IdP to respond to authentication requests from Bitwarden. Options include Form POST and Redirect GET.
Get claims from user info endpoint
Enable this option if you receive URL too long errors (HTTP 414), truncated URLS, and/or failures during SSO.
Define custom scopes to be added to the request (comma-delimited).
Additional/custom user id claim types
Define custom claim type keys for user identification (comma-delimited). When defined, custom claim types are searched for before falling back on standard types.
Additional/custom email claim types
Define custom claim type keys for users' email addresses (comma-delimited). When defined, custom claim types are searched for before falling back on standard types.
Additional/custom name claim types
Define custom claim type keys for users' full names or display names (comma-delimited). When defined, custom claim types are searched for before falling back on standard types.
Requested authentication context class reference values
Define authentication context class reference identifiers (
Expected "acr" Claim Value in Response
An email address is required for account provisioning, which can be passed as any of the attributes or claims in the below table.
A unique user identifier is also highly recommended. If absent, email will be used in its place to link the user.
Attributes/claims are listed in order of preference for matching, including fallbacks where applicable:
Configured Custom User ID Claims
Configured Custom Email Claims
Configured Custom Name Claims
First Name + “ “ + Last Name (see below)