Admin ConsoleSingle Sign-OnSSO Guides

Generic OIDC

Step 1: Set an SSO identifier

Users who authenticate their identity using SSO will be required to enter an SSO identifier that indicates the organization (and therefore, the SSO integration) to authenticate against. To set a unique SSO Identifier:

  1. Log in to the Bitwarden web app and open the Admin Console using the product switcher:

    Product switcher
    Product switcher
  2. Navigate to SettingsSingle sign-on, and enter a unique SSO Identifier for your organization:

    Enter an identifier
    Enter an identifier
  3. Proceed to Step 2: Enable login with SSO.

tip

You will need to share this value with users once the configuration is ready to be used.

Step 2: Enable login with SSO

Once you have your SSO identifier, you can proceed to enabling and configuring your integration. To enable login with SSO:

  1. On the SettingsSingle sign-on view, check the Allow SSO authentication checkbox:

    OIDC configuration
    OIDC configuration
  2. From the Type dropdown menu, select the OpenID Connect option. If you intend to use SAML instead, switch over the the SAML Configuration guide.

tip

There are alternative Member decryption options. Learn how to get started using SSO with trusted devices or Key Connector.

Step 3: Configuration

From this point on, implementation will vary provider-to-provider. Jump to one of our specific implementation guides for help completing the configuration process:

Configuration reference materials

The following sections will define fields available during single sign-on configuration, agnostic of which IdP you are integration with. Fields that must be configured will be marked (required).

tip

Unless you are comfortable with OpenID Connect, we recommend using one of the above implementation guides instead of the following generic material.

OIDC attributes & claims

An email address is required for account provisioning, which can be passed as any of the attributes or claims in the below table.

A unique user identifier is also highly recommended. If absent, email will be used in its place to link the user.

Attributes/claims are listed in order of preference for matching, including fallbacks where applicable: