Need help with Bitwarden SSO using OKTA

Hi,

We are currently testing the Bitwarden Enterprise Trial, and we are having issues with connecting the SSO option with our OKTA using SAML 2.0.
We tried multiple configurations by changing the options, but we keep getting this error:

There was an unexpected error during single sign-on. Please close this page and try again. Unsolicited SAML response received, but no ReturnUrl is configured. When receiving unsolicited SAML responses (i.e. IDP initiated login), Saml2 will redirect the client to the configured ReturnUrl after successful authentication, but it is not configured. In code-based config, add a ReturnUrl by setting the options.SpOptions.ReturnUrl property. In the config file, set the returnUrl attribute of the <sustainsys.saml2> element.

Thanks in advance.

Hi!

Just to clarify, is this happening when you attempt to log in via the web vault or clients, or only upon IdP-initiated login?

We don’t currently support IdP initiated login, but there is a workaround by using the full vault login URL as the login URL.

Hi,

Thanks for the quick reply. This happens when we try to log in on the IdP interface (we have OKTA as IdP).
Could you please explain the workaround? And by login URL, do you mean the SSO URL in the configuration?

thank you,

Sure thing!

For now, you can configure the Okta dashboard to link to https://vault.bitwarden.com/#/sso?identifier=YOUR_ORG_IDENTIFIER, which will assist the user in logging in using SSO with Bitwarden. If it is a self-hosted server, then of course you’ll use your vault’s FQDN + #/sso?identifier=YOUR_ORG_IDENTIFIER

1 Like

We have a self hosted server.
Ah thank you, it worked.
The only problem now is that we need to refresh the page: the first try gets us a 404 error, but after a refresh we get the company portal.

For now, you can configure the Okta dashboard to link to https://vault.bitwarden.com/#/sso?identifier=YOUR_ORG_IDENTIFIER

@tgreer We are also suffering this issue and I wondered if you could be more explicit as to where this link should go in the app config for Okta? Should it be used for the “Single Sign On URL” (under SAML Settings > General) instead of the /Acs URL (as seen here: Okta SAML Implementation | Bitwarden Help & Support)?

In the end we used the Bookmark App to get https://vault.bitwarden.com/#/sso?identifier=YOUR_ORG_IDENTIFIER visible in the portal (and then we set up a hidden Bitwarden SAML app for the actual SSO)

1 Like
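Added example (not from the thread, Bitwarden or Okta): the two things the posts above leave implicit are (a) how to build the SP-initiated link that goes into the Okta Bookmark App for a hosted or self-hosted vault, and (b) why the original error appears at all. A SAML Response that Okta sends from its own dashboard is "unsolicited": it carries no InResponseTo attribute tying it to an AuthnRequest the vault issued, which is exactly what Sustainsys.Saml2 is complaining about when no ReturnUrl is configured. The script below builds and parses the bookmark URL and classifies a constructed SAML Response as IdP-initiated or SP-initiated. The vault hostname, org identifier and XML samples are assumptions made up for the example; it does not validate signatures, so it is a diagnostic, not an SP.

```python
"""Helpers for the Okta -> Bitwarden SSO workaround discussed in the thread.

Added example; not Bitwarden's or Okta's code. Hostnames, identifiers and
the SAML XML below are constructed for illustration only.
"""
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

SAML_P = "urn:oasis:names:tc:SAML:2.0:protocol"


def sso_login_url(org_identifier: str,
                  vault_base: str = "https://vault.bitwarden.com") -> str:
    """Build the SP-initiated Bitwarden SSO link used as the Bookmark App target.

    The identifier sits in the URL fragment, so browsers never send it to the
    server; it is still percent-encoded so spaces or '&' cannot break the link.
    """
    base = vault_base.rstrip("/")
    return f"{base}/#/sso?identifier={quote(org_identifier, safe='')}"


def identifier_from_url(url: str) -> Optional[str]:
    """Recover the org identifier from a vault SSO link (for checking a bookmark)."""
    fragment = urlsplit(url).fragment          # e.g. "/sso?identifier=acme"
    path, _, query = fragment.partition("?")
    if path != "/sso":
        return None
    return parse_qs(query).get("identifier", [None])[0]


def is_unsolicited(saml_response_xml: str) -> bool:
    """True when a <samlp:Response> lacks InResponseTo, i.e. IdP-initiated login.

    An SP that only supports SP-initiated flows (as Bitwarden does per the
    thread) must reject these or bind them to a configured ReturnUrl.
    Assumption: the XML is trusted test input; parse untrusted SAML with
    defusedxml and verify the signature before acting on it.
    """
    root = ET.fromstring(saml_response_xml)
    if root.tag != f"{{{SAML_P}}}Response":
        raise ValueError("not a SAML 2.0 Response element")
    return "InResponseTo" not in root.attrib


# Constructed samples: an Okta dashboard tile sends the first shape, a vault
# that started the flow with an AuthnRequest would receive the second.
IDP_INITIATED_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAML_P}" ID="_r1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://vault.example.com/sso/saml2/Acs"/>'
)
SP_INITIATED_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAML_P}" ID="_r2" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" InResponseTo="_authn_req_42" '
    'Destination="https://vault.example.com/sso/saml2/Acs"/>'
)


def classify(saml_response_xml: str) -> str:
    """Human-readable verdict used in the usage run below."""
    return "IdP-initiated (unsolicited)" if is_unsolicited(saml_response_xml) \
        else "SP-initiated (bound to an AuthnRequest)"


if __name__ == "__main__":
    link = sso_login_url("acme corp", "https://vault.example.com/")
    print("Bookmark App target:", link)
    print("Identifier in link:", identifier_from_url(link))
    print("Dashboard tile response:", classify(IDP_INITIATED_RESPONSE))
    print("Vault-started response:  ", classify(SP_INITIATED_RESPONSE))
```

Point the Okta Bookmark App at the value `sso_login_url` returns for your own vault FQDN; the hidden SAML app keeps the real `/sso/saml2/Acs` endpoint as its Single Sign On URL, and the bookmark simply starts the SP-initiated flow so the vault's AuthnRequest gives Okta something to respond to.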

Sorry I missed this one! Glad you were able to get it configured!