Log In With SSO

If you're a member of an Enterprise organization, you may be required or permitted to log in to Bitwarden using single sign-on, similarly to how you log in to other work-related applications:

1. Open the Bitwarden app, enter your email address, and select Use single sign-on:

   

2. Your organization may require you to enter an SSO identifier. If you see the following screen, enter your organization's SSO identifier or ask a manager or administrator to retrieve it for you if you don't know it.

   

   tip

   Organization Members: Bookmark this page with your identifier included in the URL, for examplehttps://vault.bitwarden.com/#/sso?my-identifierso that you don't have to enter it each time you log in.

   Organization Admins: Setting up a claimed domain will automatically bypass this step for your members if they have an email address with a matching domain.

3. Once you're redirected to your IdP (for example, Microsoft Azure, Duo, or OneLogin), enter your SSO credentials to log in as you would with other apps. Often, at this stage, your IdP will require you to complete 2FA.

4. What happens next depends on your organization's chosen decryption option:

   Master passwordDevice approval Key Connector

   Enter your master password or, if your account is new, create a master password in order to complete your log in:

   

   tip

   Why is my master password still required?

   All item data, including credentials shared by your organization, is stored by Bitwarden only in its encrypted form. This means that in order to use any of those credentials, you need a way to decrypt that data. We can't.

   Your master password is the source of that decryption key. Even though you are authenticating (proving your identity) to Bitwarden using SSO, you still need to use a decryption key (in this case, your master password) to unscramble vault data.

   Choose an option for establishing trust with the device you're logging in on in order to complete your log in:

   

   tip

   If it's your first time logging in, you'll be allowed to automatically designate this app as a trusted device instead of being required to use one of the above methods:

   

   If your organization uses Key Connector, you can most likely skip ahead to the next step. If your account was made prior to Key Connector being rolled out, you may be required to enter a master password. Doing so will remove master password from your account.

   note

   We encourage you to read about Key Connector to understand the implications of removing a master password from your account.

5. Last, you may be asked to complete two-step login using the option you've setup in Bitwarden. You typically won't be required to use Bitwarden two-step login if your IdP requires it (Step 3).