As it seems you already figured out, logging in with SSO and Bitwarden two-step-login are two completely independent things.
If an account has Bitwarden two-step-login enabled, you will always need to provide that second step to log in, regardless of SSO.
There is an enterprise policy to force users to enable two-step-login.
But I wish there was another policy to forbid users from enabling it.
I, as an admin of our IdP, would like to be able to:
- Force users to use MFA at the IdP level (I obviously can and do that already)
- Forbid users from enabling Bitwarden two-step-login (that I can’t do).
So that if a user loses his second factor, I can help him recover his account. Now I can’t if he enabled Bitwarden two-step-login and lost it. His account is lost without hope.