Managing Users with Enterprise SSO and 2FA

Hello - I can’t seem to break out of this loop, and was hoping anyone else in the community here has any thoughts:

We want to enable the ‘require SSO’ feature as an enterprise policy; however, in the current form, when it’s enabled, it does not redirect the end-user to the SSO portal after the end-user enters their password, even though the email domain is verified.

It allows them to go from: enter email > enter master password > enter 2fa code before throwing an error and alerting the end-user they must log in with SSO. Ideally, if that policy setting is enabled, as soon as the end-user enters their email address, it should send them to our SSO system for authorization and authentication.

Has anyone else experienced this? How did you approach it?

The other thing that has come up is how to handle an end-user who loses/replaces their 2FA device – it appears that there is no current way to reset/remove an end-user 2FA administratively, so it would seem if they got a new phone, the only way to get them back in, is to delete their account, and re-create it, which also results in them losing any data they stored in their ‘personal’ vault.

Since the SSO login flow doesn’t seem to ‘flow’ so much, we are reluctant to push the 2FA part upstream to the SSO provider (where we can disable/reset for the end-user), and disable the ‘require 2FA’ policy on the Bitwarden side. This doesn’t even take into account anyone who would enable 2FA on their Bitwarden account on their own, even if there was no policy that requires 2FA.

IMO, these two things should be something that any Enterprise class software should have a method of addressing.

I’d appreciate any thoughts/insight the community has.


Hi @TPCoMatt! If you have not already, feel free to reach out to the Bitwarden team via the /help page for support on your SSO configuration. Most customers using SSO do rely on the 2FA of the SSO IdP.

Thanks @go12! Our SSO setup works, and we do want to push 2FA upstream to that platform, however, the process for an end-user to log in via SSO is not smooth/intuitive like it is on other platforms. For example, when someone enters their email address into Google (or Atlassian, or Dropbox, etc.), it will auto-redirect them to the SSO platform for authentication/authorization. Bitwarden does not do that. Bitwarden seems to rely on the end-user inherently knowing that they have to click on the “Log in with enterprise single-sign on” after entering their email address:

If a person does click on that button, it does take them to the SSO platform and then returns them back to the ‘master password’ page, but for an average user, nothing is compelling them to do that aside from an enabled ‘require SSO’ policy. However, when that policy is enabled, Bitwarden allows the person to enter their email, then master password, land them on the 2FA page and enter their 2FA code before throwing an error. If the flow went: enter email address > [SSO handshake process] > master password page, it would be much more user-friendly.

On the 2FA side of things, the inability of an admin/owner to administratively reset an end user’s 2FA device is not very ‘enterprise friendly’. Even if we disable the ‘require 2FA’ policy, that wouldn’t prevent an end user from enrolling themselves in 2FA, and I wouldn’t want to explicitly deny one’s ability to enroll in an additional layer of security – I just want the ability to support any user who loses/replaces their 2FA device without having to delete and re-create their account.