Enterprise passwordless SSO brings better productivity and user sign in experience for employees
Bitwarden Password Manager and Bitwarden Secrets Manager are zero-knowledge and end-to-end encrypted, meaning that only the customer can ever access their encrypted data. This provides strong security guarantees, and as a result, Bitwarden applications behave differently from other SSO-enabled business apps.
When a user logs in there is both an authentication process and a decryption process. These run at the same time but are handled separately. When set up with an identity provider (IdP) service, the IdP authenticates the user through SSO. The data is then separately decrypted with the account encryption key and made available to the user.
SSO with trusted devices provides a passwordless login experience for users on registered, trusted devices. Now, all a user needs to access their encrypted data is to simply be authenticated with their SSO provider. An encryption key used as part of the decryption process is securely stored on the device, so once the SSO service authenticates the user, the device is able to decrypt the data without additional user input. For more in-depth technical information read: About Trusted Devices
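The split described above, between the IdP proving who the user is and a device-held key unlocking the data, can be seen in a small model. The following is an added illustration, not Bitwarden's code: the real clients use vetted ciphers and a more involved key hierarchy, whereas this uses a toy HMAC-based cipher and a constructed HMAC-signed stand-in for an IdP assertion. The function names (`register_trusted_device`, `sso_authenticate`, `login`) are assumptions made for the example. The point it demonstrates is that a valid SSO assertion on a device that holds no key yields no plaintext, and a device key without a valid assertion is never consulted.

```python
"""Toy model of the split between SSO authentication and vault decryption.

Added illustration, not Bitwarden code. The cipher below is a stand-in for a
real AEAD and the "assertion" is a constructed stand-in for SAML/OIDC.
"""
import hashlib
import hmac
import secrets
from typing import Optional

KEY_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher: HMAC-SHA256 in counter mode (stand-in for AES-GCM).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a random nonce; output = nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    mac_key = hashlib.sha256(b"mac" + key).digest()
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    """Reject tampering or a wrong key before releasing any plaintext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    mac_key = hashlib.sha256(b"mac" + key).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# Constructed IdP signing key: held by the identity provider, never by the vault.
IDP_SIGNING_KEY = secrets.token_bytes(KEY_LEN)


def idp_issue_assertion(user_id: str) -> bytes:
    """Constructed stand-in for an IdP assertion: payload || '|' || HMAC(idp key)."""
    payload = user_id.encode()
    return payload + b"|" + hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).hexdigest().encode()


def sso_authenticate(assertion: bytes) -> str:
    """Authentication step: verify the IdP's signature and return the user id."""
    payload, _, sig = assertion.rpartition(b"|")
    expected = hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("SSO assertion rejected")
    return payload.decode()


def register_trusted_device(account_key: bytes) -> tuple:
    """Return (device_key, wrapped_account_key).

    device_key stays in the device's local secure storage; the wrapped copy of
    the account key can be stored by the service without it being readable.
    """
    device_key = secrets.token_bytes(KEY_LEN)
    return device_key, toy_encrypt(device_key, account_key)


class DeviceNotTrusted(Exception):
    """Authenticated, but this device holds no key: needs approval or a master password."""


def login(assertion: bytes, device_key: Optional[bytes],
          wrapped_account_key: bytes, vault_blob: bytes) -> bytes:
    user_id = sso_authenticate(assertion)      # step 1: identity, proven by the IdP
    if device_key is None:                     # step 2: decryption needs the device-held key
        raise DeviceNotTrusted(f"{user_id} authenticated but this device holds no key")
    account_key = toy_decrypt(device_key, wrapped_account_key)
    return toy_decrypt(account_key, vault_blob)


def demo() -> dict:
    """Run the three cases: trusted device, untrusted device, forged assertion."""
    account_key = secrets.token_bytes(KEY_LEN)
    vault = toy_encrypt(account_key, b"example vault item (constructed)")
    device_key, wrapped = register_trusted_device(account_key)
    assertion = idp_issue_assertion("alice@example.com")  # constructed user
    results = {"trusted": login(assertion, device_key, wrapped, vault)}
    try:
        login(assertion, None, wrapped, vault)
    except DeviceNotTrusted:
        results["untrusted"] = "blocked"
    try:  # payload changed without the IdP's key: signature no longer matches
        login(assertion.replace(b"alice", b"mallory"), device_key, wrapped, vault)
    except PermissionError:
        results["bad_assertion"] = "blocked"
    return results


if __name__ == "__main__":
    print(demo())
```

In the untrusted-device case the user is fully authenticated and still gets nothing, which is exactly why the page's device-approval or master-password step exists; and because the service only ever holds the wrapped account key, it cannot perform that unwrap on the user's behalf.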
If your organization is already using the Login with SSO function with Bitwarden (the IdP authenticates, then users enter their Bitwarden password), turning on SSO with trusted devices is as simple as selecting Trusted devices in the Single sign-on configuration window under Settings in the Admin Console in the web app. If you have never enabled SSO before, you’ll need to set it up using the guides on the Bitwarden help center. A few enterprise policies must be enabled before setup. Detailed instructions are available here: Setup SSO with Trusted Devices.
With SSO with trusted devices, there is a workflow where it is possible for employees to create accounts without ever setting a Bitwarden password. This can be easier for onboarding purposes, but note that doing so limits account recovery options.
Once SSO with trusted devices has been turned on, all you need to do as a user is log into Bitwarden through the Enterprise single sign-on button. Once you've gone through the SSO process, the device you logged in from becomes your first trusted device. You can confirm other devices as trusted using the notification in the mobile app and desktop app, or from the Security > Devices window in the web app. Otherwise, you can request that an admin approve your device, or enter your master password if you created one. More information on getting started is available here: Add a Trusted Device
Note: When requesting approval for a login for the browser extension, the extension window must remain open until the process is completed. This will be improved in a later release.
Using Bitwarden with SSO extends the added control and protection of Single Sign-On to every item in your Bitwarden vault, which may include non-SSO enabled applications. With SSO with trusted devices, users are able to access their vaults quickly, removing passwords and authentication as a barrier to productivity. If you’re looking to bring easy SSO integration to your business, visit bitwarden.com today to start a 7-day trial or reach out to the business sales team to discuss your needs!
Editor's note January 23, 2025: Updated to include the ability to approve new devices from the Bitwarden web app.