Missing Confirm Selected option

We’re using the latest version of Vaultwarden in a docker container on a Synology NAS. After creating an organization and inviting a user, I cannot confirm her as that option is not available. The user has accepted the invitation and her emailadress is verified.

At the organizations tab however, it’s stated that there are 2 users for this organization, which should indicate that she’s added to this organization. However, she can’t see it.

I’ve searched on the internet and the Bitwarden site, but I’ve no idea why this doesn;t work. Anyone any clue?

Just wanted to get some more specifics here, are you looking within the organization on the main webpage, or within the “organizations” tab in the /admin page?

Please see the provided link on how to invite, and accept users added to an organization via the webpage.

Thanks for the link, but I know how to invite a user.and have done that accordingly. It’s just that on the admin panel you see she’s verified and on the “normal” organization page you see her as a user, but you cannot select confirm in the dropdown (it isn’t there).

I’ll try creating some images to clarify and post them later.

If with admin panel you mean /admin, that has nothing to do with the org. Only if the email is verified.

On that same row you should also see if that person is part of an org at all.

You need to still invite a user to an org, that user needs to accept. And after that you should verify it via the org tab interface within the web-vault, not via /admin.

While preparing a test case I found the problem. I think it has to do with the email verification:

  • Invite a user that doesn’t exist yet in Vaultwarden.
  • The user gets an email inviting him/her for the organization and clicks on the link.
  • User creates a new account and gets a welcome email with a link for verifying his/her email.
  • After verifying, the user can login

At this moment the organization admin should be able to accept the user. However, that option is not available. Only after the user clicks again on the invitation link, that option will become visible.

I thought of disabling the verification of the email addresses, but that will still show a remark about verification on the right side when a user logs on.

When tested on my instance

  1. test-user is invited or Org.

  2. Invite successful.

  3. test-user gets invite email to Org.

  4. Invite URL clicked, and account created.

  5. Initial sign in after successful account creation.

  6. Email verification require error prevents sign on.

  7. test-user has received verification email, and selects to verify email via link.

  8. test-user signs in after verifying email.

  9. test-user successfully signed in to web vault, but unable to see Org.
    Does not get Org invite confirmation

  10. Org admin is able to see test-user is in Invited status, and can only resend invite.
    Org admin does not receive email verification of test-user being accepted to Org.

  11. /admin page shows test-user verified, but not within any Orgs.

Just a note here, unfortunately as I only have the family plan for Bitwarden as of now I cannot determine if this is specific to Bitwarden’s own mechanisms or particular to Vaultwarden.

It seems regardless for now some process may need to be set up for this, and possibly end user training would be helpful.

Works as expected when user verifies email prior to initial login

  1. test-user created again by Org admin

  2. test-user invited

  3. test-user receives email invite to join Org

  4. test-user creates new account

  5. test-user account created successfully

  6. test-user gets verification email before first initial sign in.

  7. test-user verifies email, and signs in

  8. test-user gets successful Org invite acceptance banner

  9. test-user now shows Accepted status and Confirm option can be selected by Org admin

  10. test-user confirmed to Org

  11. test-user sign in

  12. test-user is now a part of the Org

  13. test-user can access vault items stored in Org

Possible work arounds

If the user does not automatically get accepted into the Org due to initial login issue with email verification, user can select Org invite link from email after email successfully verified and account login successful.

  1. User has already verified email address, and has selected Org invite email link again.
    User will chose to Log in as account is already successfully created

  2. test-user will login

  3. test-user receives Org invite accepted confirmation message

  4. Org admin will receive invite confirmation email

  5. Org admin can now see test-user in Accepted status, and user can be confirmed

  6. test-user confirmed to Org

  7. test-user receives Org invite confirmation email

  8. test-user can now access Org and al vault items.

2FA workaround

Having 2FA enterprise policy enabled on the Org also helps as it provides some end user error message that prompts a user to interact with the user account and then re-click the Org invite email.

Plus you get the added benefit of ensuring 2FA for your users, which is just another additional step in the security space :slight_smile:

  1. Enable 2FA Enterprise Policies for the Org.

  2. Invite test-user as standard

  3. test-user receives Org invite and creates new account

  4. test-user logs in, and receives error message stating account is is required to enable 2FA prior to joining Org.

  5. test-user selects account settings and Two-step Login option

  6. test-user enables 2FA login on account

  7. test-user is now able to join Org after enabling 2FA methods, and should hopefully more intuitively direct users back to Org invite email

  8. Once Org invite email is selected again, confirmation prompt shows for user
    and Org admin can confirm user to Org

Thanks for your elaborate answer. I had made many (simular) screen shots, but thought it would be too extensive here :sweat_smile:.2FA is definitely something to activate for all users, but I was first trying to get those invitations work. For which 2FA comes in handy as it seems!