Enterprise Reference Guide to Bitwarden Authentication

Outlining critical capabilities and features around Bitwarden authentication

Background pattern

Authentication type

What is it?

Deployment considerations
All authentication deployment options align with the Bitwarden end-to-end, zero knowledge encryption model

Login with Bitwarden

This enables employees to use their email and master password to login and decrypt their Bitwarden vault.

For companies that want to get started quickly, Login with Bitwarden allows employees to use their unique email and master password to access their vault. It is perfect for companies that do not yet centrally manage authentication or use an identity profiver. Administrators can manually invite employees into Organizations and shared Collections, or use the Bitwarden Directory Connector to synchronize LDAP groups

Additional resources:

Five Best Practices for Password Management

Getting Started with Bitwarden

Login with SSO

This separates user authentication from vault decryption by leveraging your company’s identity provider to authenticate users into their Bitwarden vault and using master passwords for decryption of vault data.

This option supports identity providers using SAML 2.0 or OpenID Connect standards.

Selecting this option means that anytime an employee logs in to Bitwarden using SSO, they’ll need to use their master password to decrypt their vault, protecting your businesses’ critical credentials and secrets.

Additional resources:

Configure Your Organization Using Login with SSO

Setting up Login with SSO

Login with SSO and customer-managed encryption

Employees use their SSO credentials to authenticate and decrypt all in a single step. This option shifts retention of the users master passwords to companies requiring the business to deploy a key connector to store the user keys.

For companies with widely adopted SSO implementations, and the desire to integrate authentication and decryption, Bitwarden offers Login with SSO and customer-managed encryption.

In this scenario, companies manage a key connector agent. This requires a connection to a database that stores encrypted user keys, and an RSA key pair to encrypt and decrypt those keys.

This approach maintains a zero knowledge encryption architecture because no decryption keys pass through Bitwarden servers at any point.

Management of cryptographic keys is incredibly sensitive and is only recommended for enterprises with a team and utilizing infrastructure that has already securely deployed and managed a key server. Login with SSO and customer-managed key encryption is available for customers self-hosting Bitwarden.

Additional resources:
Whitepaper: Choose the Right SSO Login Strategy
Help article: Login with SSO and Customer Managed Encryption - deploying the key connector

Explore the right Bitwarden authentication option for your company with a free 7-day trial today

Secure Your Business Data with End-to-End Encryption

Choose the right Bitwarden plan for your business and start your free 7-day trial today.

For Teams & Business
Unlimited Users
Upgrade anytime
$
3
per user/month
  • All Premium Features, Plus:
  • Unlimited Collections & Items
  • Directory Connector
  • API access
  • 24/7 Priority Tech Support
For Enterprise
Unlimited Users
Expand anytime
$
5
per user/month
  • All Teams Features, Plus:
  • Self-Hosting Deployment Option
  • SSO Authentication
  • Enterprise Policies
For Teams & Business
Free for Everyone
Every Wednesday at 12 pm ET
See a Live Demo
Join us to see Bitwarden in action.

Pricing shown is based on an annual subscription.

© 2023 Bitwarden, Inc.
TermsPrivacySitemap