Need help with Azure AD based SSO configuration

Hi Everyone,

My organization is in the process of setting up the BitWarden Enterprise Trial, and we are having issues with connecting the BitWarden SSO with our Azure AD. Tried both OID and SAML, and getting the same error with both from Azure AD:

Sorry, but we’re having trouble signing you in.

AADSTS90015: Requested query string is too long.

The same Azure App registration works just fine with the BitWarden Directory Connector, but SSO is causing the error above.

Thanks in advance for the help.

Hi @Art_S, for now, please configure using SAML (not OIDC) and configure it for HTTP POST vs. Redirect. This will resolve that issue for you. We have a fix that will likely be going out next week for OIDC to support HTTP POST by default for OIDC.
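The binding switch suggested above, as an added example that is not part of this thread or of Bitwarden's own code: it encodes a constructed AuthnRequest for the SAML HTTP-Redirect binding (everything rides in the query string) and for HTTP-POST (a form body the browser submits), so you can see where the query-string length that triggers an IdP limit comes from. The IdP URL, entity ID and ACS URL are placeholders.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample AuthnRequest; a real SP generates its own ID and issuer.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_placeholder-id" Version="2.0" IssueInstant="2021-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sso.example.test/saml2/Acs">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "https://sso.example.test/saml2</saml:Issuer></samlp:AuthnRequest>"
)
IDP_SSO_URL = "https://idp.example.test/saml2"  # placeholder IdP endpoint


def redirect_binding_url(authn_request: str, relay_state: str = "") -> str:
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into the
    query string. The whole request (plus RelayState) lands in the URL, so a
    large request can exceed whatever query-string limit the IdP enforces."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no header
    deflated = comp.compress(authn_request.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{IDP_SSO_URL}?{urlencode(params)}"


def post_binding_form(authn_request: str, relay_state: str = "") -> dict:
    """HTTP-POST binding: plain base64 (no DEFLATE) in hidden form fields that
    the browser auto-submits. The URL carries no request data at all."""
    fields = {"SAMLRequest": base64.b64encode(authn_request.encode()).decode()}
    if relay_state:
        fields["RelayState"] = relay_state
    return {"action": IDP_SSO_URL, "method": "POST", "fields": fields}


def decode_redirect_request(url: str) -> str:
    """Reverse the Redirect encoding, as the IdP would after parsing the query."""
    qs = parse_qs(urlsplit(url).query)
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()


def decode_post_request(form: dict) -> str:
    """Reverse the POST encoding from the submitted form fields."""
    return base64.b64decode(form["fields"]["SAMLRequest"]).decode()


def query_string_length(url: str) -> int:
    """Length of the part an IdP query-string limit is measured against."""
    return len(urlsplit(url).query)
```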

Thanks @cscharf. This helped, and the MS Authentication pages load correctly now. The result is a bit surprising though, as after going through MS Auth, the user is asked to enter the master password. Almost appears as 3FA :smile:, if only you couldn’t log in directly with the master password, bypassing SSO.

I understand that you can enable MFA for the master password too, but then, when you use SSO with MFA, you would be doing what feels like 2x2FA (is that even a thing)?

I understand that this is a known issue, and really curious when BitWarden is planning to have it resolved.

Also, noticed another strange behavior with the desktop client with using SSO as it opens a browser tab to select the SSO organization, and leaves it open after completing the auth with the desktop client. I was personally expecting this to be handled inside the client without using the browser.

Thank you.

Art

Hi @Art_S, no matter what authenticates the user (SSO, etc.) we still need the master password because that is the base of your vault data’s encryption key (which we don’t know and can’t recover automatically, etc.); the need for a master password isn’t going away yet; however, it’s on our long-term roadmap to figure out a way for Org user vaults to generate keys/etc. w/o a master password using the SSO process itself.

The IdP can also have 2FA, so basically you can get into a 5FA which is AWESOME! lol… but it is what it is.

The desktop client, browser extension, and CLI all use the same SSO pipeline through the browser vs. embedded frames, etc. Even mobile does this, but does so in a web frame. The idea is that we have 1 set of code that manages the entire SSO pipeline regardless of the client app. We went for consistency and maintainability.

Thanks for the quick response and the help. We’ll be chatting again for sure. :smile:

As a brand new user of Bitwarden I am trying to install a self hosted instance. Everything seems to be working fine with the exception of SSO for the organization using SAML 2.0.
I have configured ADFS as best as I could from https://bitwarden.com/help/article/saml-adfs/ but I am not able to make sense of the Business portal Single Sign-on page (https://.../portal/sso).
I just get the cryptic message in bright orange:
“An error occurred. Organization not found from identifier.”
I am not an ADFS wizard, so I suspect something is wrong with the links.
The Bitwarden Directory Connector appears to be working fine.