SSO using SAML keycloak

soap · March 22, 2023, 4:11am

Hello All, I’m new here and going try Vaultwarden.

Can I check something? I’m aware that Bitwarden is able to integrate with keycloak. But, for Vaultwarden, is it able to integrate with keycloak too? If not, what are the other alternatives?

stefan0xC · March 22, 2023, 6:24am

SSO integration is not implemented yet. There have been a couple of pull requests but I don’t know if any of them are ready to be merged or actively worked on.

The only alternative I’m currently aware of is using a third-party LDAP connector to invite users to vaultwarden. If you need SSO you should consider using the self-hosting option of the official Bitwarden server (or maybe try the new unified beta?)

soap · March 22, 2023, 9:24am

Seems like it only the Bitwarden enterprise license is only capable of doing the SSO. I’m not so sure with the new unified beta? Can provide me more information regards to that?

stefan0xC · March 22, 2023, 10:01am

Yeah, the enterprise license will probably also be required for SSO in the beta (which is apparently not enabled by default) but I don’t really have more infos regarding this. I suggest you talk to Bitwarden directly or ask in their community forum.

Avsynthe · April 7, 2023, 3:35am

It’s coming along. You can follow the work here:

github.com/dani-garcia/vaultwarden

Sso Support based off existing PR's

dani-garcia:main ← bmunro-peralex:sso-support

opened 02:33PM - 19 Jan 23 UTC

bmunro-peralex

+838 -52

Based off previous work by @pinpox and @m4w0lf https://github.com/dani-garcia/v…aultwarden/pull/2787 https://github.com/dani-garcia/vaultwarden/pull/2449 All config is now done in the environment variables, removed all unneeded calls. Bitwarden removed the identify payload from the client so the first organization is always used when using a domain_hint Currently Working: - Login from all web clients using sso - Creating MasterPassword on new SSO Login when no user exists. Not Working: - Joining Organization link never fires accept so user never accepts invite during SSO login, normal login after the first SSO login that creates the account works *The above has a workaround that can be enabled to accept all invites on login* How to test: Add the following environment variables and have at least one organization created in your instance ` SSO_ENABLED: "true" SSO_CLIENT_ID: "111111111111111111111111111111111" SSO_CLIENT_SECRET: "222222222222222222222222222222222222222222222" SSO_AUTHORITY: "https://auth.example.com" //Optional SSO_ACCEPTALL_INVITES: "true" ` The callback url currently is always: Replace example.com with your vaultwarden domain. https://example.com/identity/connect/oidc-signin

Topic		Replies	Views
Vaultwarden for MSP	3	546	August 22, 2023
Confirmation on OpenID?	2	1941	August 12, 2021
Directory Connector support Feature Requests	4	3376	July 21, 2021
Improvements to the LDAP Directory Connector support Feature Requests	22	6505	August 2, 2022
Login via External Application	1	564	October 15, 2021

SSO using SAML keycloak

Related Topics