Our organization has the below enabled.
Single organization
Require single sign-on authentication (Okta MFA)
Vault timeout: 4hrs
I have one user that has the Bitwarden Chrome extension. This user is not an Admin or Owner, yet he can log in via the Chrome extension with his master password and doesn’t get redirected to Okta, which from my understanding should not be possible.
What am I missing?
Thanks,
Jeremy
cksapp (Kent), March 31, 2023, 3:14pm
Sounds like the browser extension is locking, rather than logging out as the default.
Locking only requires master password, or either PIN or Biometrics to unlock and decrypt the locked encrypted local vault.
Login though requires you to authenticate with the Bitwarden server, requiring SSO, MFA, or any conditional access you may have to get the copy of the local vault cached to the device.
Indeed, that is what it is. Is there a policy setting that will force web and the extension to “log out” instead of the default “lock” option?
cksapp (Kent), March 31, 2023, 3:49pm
Not yet, but it is something the team is working on adding.
bitwarden:master
← bitwarden:ec-1045-vault-timeout-action-policy
opened 02:46PM - 16 Feb 23 UTC
## Type of change
- [ ] Bug fix
- [x] New feature development
- [ … ] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [ ] Build/deploy pipeline (DevOps)
- [ ] Other
## Objective
The intention here is to add an action to the vault timeout policy. Managers can select either "user preference", "lock", or "logout" when setting the vault timeout policy and it will lock in this selection for members. Members cannot change this unless set to "user preference".
Note that to avoid making the PR even larger, the vault timeout policy always requires a timeout to be set. While you can have a timeout without an action, you can't have an action without a timeout. I've included code in the settings pages for the future when we get a chance to remove this requirement.
I have also refactored the preference and settings pages to use reactive forms. This is what the bulk of the changes are.
## Code changes
- **\*/preferences or settings.component.html:** add reactive forms to settings; include policy callout
- **\*/preferences or settings.component.ts:** add reactive forms; create observable for policy callout
- **\*/vault-timeout-input.component.html/ts:** rename vault options and remove policy callout
- **bitwarden_license/bit-web/src/app/policies/maximum-vault-timeout.component.html/ts:** allow setting an action with the vault timeout policy
- **libs/common/src/services/policy/policy.service.ts:** add `get$` that returns an observable containing the first policy found that matches the criteria provided
- **libs/common/src/services/vaultTimeout/vaultTimeoutSettings.service.ts:** add `getVaultTimeoutAction` so when we grab the vault timeout action we're checking the policy service and overriding if a policy is present
## Screenshots
<img width="1344" alt="image" src="https://user-images.githubusercontent.com/24985544/219391928-94b34d5d-85a9-461c-a1ef-7335c20cb91f.png">
<img width="1344" alt="image" src="https://user-images.githubusercontent.com/24985544/219394017-61dd87bc-6a82-4c9d-9506-90ea72ac5e5b.png">
<img width="378" alt="image" src="https://user-images.githubusercontent.com/24985544/219396767-706234d6-cb0b-4336-a2d7-9eee75a74828.png">
<img width="838" alt="image" src="https://user-images.githubusercontent.com/24985544/219397091-53f4cbb3-c256-4571-a851-78a58434f6db.png">
## Before you submit
- Please add **unit tests** where it makes sense to do so (encouraged but not required)
- If this change requires a **documentation update** - notify the documentation team
- If this change has particular **deployment requirements** - notify the DevOps team
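The override that the PR describes for `getVaultTimeoutAction` (policy action wins unless it is "user preference"), modelled here as an added example that is not Bitwarden's own code. The record shapes, the function names, and the rule that the policy timeout is a maximum the user can only shorten are assumptions; `null` stands for a user who chose "never".

```typescript
// Added example, not Bitwarden code: models the vault timeout policy override
// from the PR. Shapes below are assumed, not the client's real storage format.
type VaultTimeoutAction = "lock" | "logOut";
type PolicyAction = VaultTimeoutAction | "userPreference";

interface MaximumVaultTimeoutPolicy {
  enabled: boolean;
  data: { minutes: number; action: PolicyAction }; // a policy always has a timeout
}

interface UserTimeoutSettings {
  timeoutMinutes: number | null; // null = "never" chosen in the extension
  action: VaultTimeoutAction;    // what the user picked: lock (default) or logOut
}

interface EffectiveTimeout {
  minutes: number | null;
  action: VaultTimeoutAction;
  actionLocked: boolean; // true when the member cannot change the action
}

// Stand-in for the PR's `get$`: first enabled policy matching the criteria, or null.
function firstApplicablePolicy(policies: MaximumVaultTimeoutPolicy[]): MaximumVaultTimeoutPolicy | null {
  const found = policies.find((p) => p.enabled);
  return found === undefined ? null : found;
}

// Stand-in for the PR's `getVaultTimeoutAction`: consult the policy and override.
function effectiveTimeout(user: UserTimeoutSettings, policies: MaximumVaultTimeoutPolicy[]): EffectiveTimeout {
  const policy = firstApplicablePolicy(policies);
  if (policy === null) {
    return { minutes: user.timeoutMinutes, action: user.action, actionLocked: false };
  }
  // Assumed: the policy timeout is a ceiling, so "never" or a longer value is clamped.
  const minutes =
    user.timeoutMinutes === null || user.timeoutMinutes > policy.data.minutes
      ? policy.data.minutes
      : user.timeoutMinutes;
  if (policy.data.action === "userPreference") {
    return { minutes, action: user.action, actionLocked: false };
  }
  return { minutes, action: policy.data.action, actionLocked: true };
}

// Constructed scenario from the thread: org policy of 4 hours with "logOut",
// member's extension left on the default "lock" after 15 minutes.
function threadScenario(): EffectiveTimeout {
  const orgPolicies: MaximumVaultTimeoutPolicy[] = [{ enabled: true, data: { minutes: 240, action: "logOut" } }];
  return effectiveTimeout({ timeoutMinutes: 15, action: "lock" }, orgPolicies);
}
```

With the policy action set to logout, the member's extension logs out instead of locking, so the next access goes back through the server and therefore through Okta SSO.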