
About Single Sign-On

Using single sign-on (SSO), Enterprise organizations can leverage their existing Identity Provider (IdP) to authenticate members with Bitwarden. SSO for Enterprise organizations includes:

tip

Using SSO with Bitwarden retains our zero-knowledge encryption model. Nobody at Bitwarden has access to your data and, similarly, neither should your Identity Provider. That's why SSO decouples authentication and decryption. In all implementations, your Identity Provider cannot and will not have access to the decryption key needed to decrypt vault data.

While authentication is handled via your IdP, decryption of your data is controlled by one of several decryption methods.

SSO and master password decryption

If you're new to Bitwarden, start a 7-day Enterprise free trial to begin testing SSO. We recommend the following steps when testing SSO:

  1. Configure your SSO integration using one of the SSO Guides for your chosen IdP. If your IdP isn't listed, you can use the generic SAML or generic OIDC guide.

  2. Test the member login experience using master password decryption.

  3. Assess whether a different member decryption option would fit your implementation, and if so, begin configuration of that decryption option.

  4. Provide information to members, based on the specifics of your implementation, about how to log in with SSO.