Multiple Organizations and SSO

Hi all,

I’ve implemented BW on site for my employer (we provide IT services) and we’re now wanting to use it for clients to access as well. In the majority of cases, these clients will have their own SSO auth to plug in so that they can manage their own passwords. We will want to be able to manage (and use) their passwords to support their infrastructure.

In saying all this, we require some users to be a part of multiple organizations, however we still need the SSO auth component to be mandatory. Is there a way to do this or another method others have done for a similar scenario?

To me, it doesn’t seem out of the ordinary to want to require SSO to be mandatory to authenticate but still be able to be a member of multiple organizations within Bitwarden but perhaps this is a unique use case.

1 Like

There isn’t currently a way to configure this, but we’re working on new functionality that should make this a lot easier, stay tuned!

1 Like

Appreciated. But that doesn’t get me to a solution with Bitwarden. Fortunately, we have another idea which I’m working on (that may be of use to others as well).

We already use Cloudflare for Teams as a product for handling ingress into our hosted services by use of their Argo Tunnel service. They also have a Multi-SSO component of this, which can potentially mean that we can have multiple client auth sources configured within it (not even just Azure but virtually any source they might want to use) and direct them to the right place via policies.

Then, with an internal Bitwarden policy which will ensure they end up in the right group for access to their own passwords and no one elses, we can make sure security is adhered to.

Now, this is all currently a theory as we’re going to start working on configuring it but it’s a start, at least.

This will also mean we only need one organization, can maintain the “single organization” policy as far as Bitwarden is concerned and still have multiple SSO sources.

1 Like

Has this moved up the timeline at all? The experiments haven’t worked and we’re stuck with still not being able to provide a multi-organizational setup with SSO enabled.

This would really be helpful! Any updates on this?

Thanks

We recently released our MSP Provider Portal, which allows users to exist across organizations, but without using those organizations to authenticate - allowing the Single Org + SSO requirement without preventing access. Check out the help article and the video below:

https://bitwarden.com/help/article/providers/

Thanks @tgreer

The use case is more a case of different departments under a single company. But, having to register as separate bitwarden organisations to allow for more autonomy (esp. wrt accesses/permissions) within their department’s own vault.

btw, that link doesn’t have anything about SSO.

Got it - we are working on more permission controls for inter-organization management. Perhaps that will give some additional flexibility until this feature is further along.

Correct, it’s a method to work around the need of being part of multiple organizations, allowing a user to be a part of one organization with required SSO, yet still access/support other organizations (like MSPs, MSSPs) - but I now understand that doesn’t cover your needs though :slight_smile:

Thanks for the continued conversation!

Thanks, always a pleasure conversing with you.

nice! is there a main thread where I could exert my 2cents on the granular permissions?

@haneef95 actually the permission work was internally inspired, I don’t recall there being a ‘main’ thread here - but this one may work:

1 Like

When is this becoming part of the self-hosted deployment? We’re really looking to deploy exactly what you’ve developed but are unable to use your cloud hosted version because of client requirements so need it available for the self-hosted licensing.

Just created this:

As it’s one of the key features I’m looking forward to.