JIT Provisioning
Enterprise organizations using SSO support Just-In-Time (JIT) provisioning of members. No extra configuration, beyond the SAML or OIDC setup processes documented in the SSO Guides, is required to support JIT.
Recommended JIT strategy
An optimized JIT provisioning strategy can make for one of the simplest signup processes available for your members. As an administrator, help your members join quickly and easily by noting the following:
Do issue email invitations to members with SCIM, with Directory Connector, or manually.
An added benefit of using SCIM or Directory Connector is that groups and group membership can be synced to your organization, which JIT on its own does not support, automatically assigning members to groups for streamlined collection assignment.
Do not allow members to preemptively create Bitwarden accounts before being invited to the organization.
tip
Invitation-initiated JIT provisioning of new accounts bypasses a few steps that admins or members might otherwise need to take (see Non-standard signup). This strategy also ensures that members who should not have master passwords, as a result of a trusted devices or Key Connector implementation, will not have one set on their accounts.
Member signup process
Members provisioned with the Recommended JIT strategy will only need to:
Select the Finish account setup button contained in the organization invitation email.
When prompted, log in to their IdP with their SSO credentials. If they have an active session with the IdP, this step is skipped.
Depending on your organization's chosen decryption method:
If master password decryption, create a master password.
If trusted device decryption, choose whether to remember the device.
Once complete, members will be moved to the Accepted state. At that time, they will need to be confirmed by an administrator.
Non-standard signup
In cases that deviate from the Recommended JIT strategy, the signup process for members will be somewhat different:
In cases where invitations were not sent to members, the organization can still be joined with relative ease. Instruct members to follow these instructions, unless they need to join with a pre-existing Bitwarden account, in which case refer to the Pre-existing account tab.
tip
Unless your organization has already claimed a domain, an administrator will need to provide the SSO identifier to members. They'll need to enter it during the signup process.