Ability to skip 2FA during SSO

Feature name

Ability to skip 2FA during SSO

Feature function

Problems:

  • Bitwarden’s native authentication via Master Password cannot be disabled when SSO is enabled, so 2FA must be configured to achieve the desired security level, since users can just skip SSO after the initial provisioning.
  • Bitwarden currently prompts for 2FA after SSO is performed, which is redundant when the IdP has already prompted for 2FA.

SSO is typically used to circumvent vendor-specific authentication mechanisms. The Identity Provider (IdP) should be expected to perform its own authentication, and the Service Provider (SP) should accept what is given. As an example, I have ADFS configured with ADFS MFA to enable passwordless login via Security Key or TOTP/PIN for my users on other services. If I configure FIDO2 U2F in Bitwarden, I’ll be prompted for my key twice (once by the IdP and once afterward by Bitwarden). Skipping 2FA during SSO would avoid this problem and still allow the user to log in natively with Master Password and 2FA.

Related topics + references

Other SSO implementations I’ve encountered (e.g. Nextcloud) do not force additional 2FA after the IdP has authenticated the user. Nextcloud enforces 2FA for native authentication and skips 2FA for SSO. This allows for an admin to enable native authentication if/when the IdP is unavailable.

Our goal is to implement an enterprise policy that will allow you to specify if users can access Bitwarden via our identity or just through SSO, that way you can safely disable the Bitwarden two-step policy.


Thank you for your post!

Feature name

  • Allow a policy to enforce the 2FA policy only when not using Enterprise SSO

Feature function

  • Allow clients to bypass 2FA when using Enterprise SSO. Many enterprise SSO/identity providers have their own 2FA, and requiring 2FA in Bitwarden on top of the enterprise 2FA results in a tedious and redundant login process. Duo is an example of an identity provider that has its own 2FA built in.
  • What benefits will this feature bring?
    This feature reduces login complexity and redundancy for accounts that either belong to multiple organizations (such as a work and a family organization) or otherwise can’t enable Enterprise SSO-only logins. As it stands today, if an organization uses Duo as its identity provider via SAML 2.0 and uses Enterprise SSO in Bitwarden, users are redirected to Duo’s SAML process, verify with Duo using their designated 2FA methods, then are redirected back to Bitwarden and have to do 2FA again, potentially ALSO with Duo, and then subsequently have to enter their vault password. However, if 2FA isn’t required, then users in the org who do not use Enterprise SSO (because of multiple organization membership) are not required to enable 2FA and are left with a less secure posture.

Having a policy that allows for requiring 2FA only when NOT using Enterprise SSO eliminates this complexity, redundancy, and ultimately, pain, enhancing the user experience and easing adoption/buy-in.

So it’s been nearly two years; is this now possible with a self-hosted enterprise instance of Bitwarden? We’re currently evaluating with our 7-day trial and this is a crucial requirement for us, as SAML SSO with 2FA is more than enough security for us and we don’t want to irritate the users with another password they have to set…

So, in addition to this post, I have contacted Bitwarden support, and there seems to be a feature that can be manually enabled by Bitwarden only upon request; it’s called “Key Connector”.

More information here: About Key Connector | Bitwarden Help & Support