I’ve implemented BW on site for my employer (we provide IT services) and we’re now wanting to use it for clients to access as well. In the majority of cases, these clients will have their own SSO auth to plug in so that they can manage their own passwords. We will want to be able to manage (and use) their passwords to support their infrastructure.
In saying all this, we require some users to be a part of multiple organizations, however we still need the SSO auth component to be mandatory. Is there a way to do this or another method others have done for a similar scenario?
To me, it doesn’t seem out of the ordinary to want to require SSO to be mandatory to authenticate but still be able to be a member of multiple organizations within Bitwarden but perhaps this is a unique use case.
Appreciated. But that doesn’t get me to a solution with Bitwarden. Fortunately, we have another idea which I’m working on (that may be of use to others as well).
We already use Cloudflare for Teams as a product for handling ingress into our hosted services by use of their Argo Tunnel service. They also have a Multi-SSO component of this, which can potentially mean that we can have multiple client auth sources configured within it (not even just Azure but virtually any source they might want to use) and direct them to the right place via policies.
Then, with an internal Bitwarden policy which will ensure they end up in the right group for access to their own passwords and no one elses, we can make sure security is adhered to.
Now, this is all currently a theory as we’re going to start working on configuring it but it’s a start, at least.
This will also mean we only need one organization, can maintain the “single organization” policy as far as Bitwarden is concerned and still have multiple SSO sources.
Has this moved up the timeline at all? The experiments haven’t worked and we’re stuck with still not being able to provide a multi-organizational setup with SSO enabled.
We recently released our MSP Provider Portal, which allows users to exist across organizations, but without using those organizations to authenticate - allowing the Single Org + SSO requirement without preventing access. Check out the help article and the video below:
The use case is more a case of different departments under a single company. But, having to register as separate bitwarden organisations to allow for more autonomy (esp. wrt accesses/permissions) within their department’s own vault.
Got it - we are working on more permission controls for inter-organization management. Perhaps that will give some additional flexibility until this feature is further along.
Correct, it’s a method to work around the need of being part of multiple organizations, allowing a user to be a part of one organization with required SSO, yet still access/support other organizations (like MSPs, MSSPs) - but I now understand that doesn’t cover your needs though
When is this becoming part of the self-hosted deployment? We’re really looking to deploy exactly what you’ve developed but are unable to use your cloud hosted version because of client requirements so need it available for the self-hosted licensing.
As a supporting owner of BW, I want to make sure the limited resources (i.e BW staff) don’t get too distracted or burned out, with all these feature requests.
Sure it’d be nice if BW did everything including SSO, etc, but at what cost? To engineer an app out of existence?
Right now many companies use apps like ImprivataID, RSA, PingID, etc, as part of their SSO functionality. I’m just concerned that trying to add this to BW would be a HUGE task and distract from other efforts.
It’s not a huge problem having a separate-Non BW app to handle SSO. How often do you sign in daily anyway?
