I found [Withdrawn] Do not mandate use of the master password for webvault login, but I'm still not quite sure if or how to implement this?
When enabling SAML / SSO with MSFT/Azure, the user is prompted for their Microsoft credentials + any 2FA associated with that. Upon successful authentication, they are then prompted for their Bitwarden Master Password.
Is there any way to bypass that 2nd step (MP) and rely only on the IdP to unlock the vault?
This is on our radar - it’s tricky to do without one system (Bitwarden/IdP/middleware) having a path to deriving the encryption keys. Not impossible, but it’s not normally how zero-knowledge + E2EE usually operates.
@tgreer I understand (I think) that never being able to decrypt with anything but the master key is more secure. I personally would never trust my vault to a 3rd party either, but… some businesses demand functionality like this and are willing to accept the compromise. So, glad to hear it’s on the radar. Thanks!
I am a huge proponent of OSS and have shouted the Bitwarden name from all rooftops, converting family and friends to this great tool (ctrl+shift+L traversing a list of logins was my big feature request early on that has really revolutionized my usage).
I just had an enterprise client that was using LastPass for all of their users/teams. I talked with them about switching, and after testing, they agreed that they really liked the interface. We implemented SSO with their Azure AD as IdP – as soon as they saw a Master Password was still required, they asked to switch back to LastPass, which they have now done. As an MSP, I like to see the client happy with a solution, so that was the best move.
As a manager for several different software development teams that work in the healthcare space, I understand why this is tricky, but it is also necessary. I hope this can be moved up the priority list. Having SSO but still needing a separately managed password is counterintuitive.
Am I safe in assuming that LastPass has sacrificed security for convenience with this SSO feature where they do not require an additional “vault” password for decryption?
We’ve actually released an option for this (currently available for self-hosted instances) - it’s called Key Connector.
This allows the company to leverage SSO without a master password.
Managing keys is incredibly important and we highly recommend this only be deployed by those who have comfort and experience managing mission critical security infrastructure.
With that said, give it a look! Hopefully it solves your customer’s request.
Hey Trey – thanks for the quick reply here. We did look at Key Connector, and we heavily evaluated whether or not that was a direction they wanted to go. However, they were strongly opposed to adding more infrastructure for password vault management. They like the idea of backup and DR being managed by the Bitwarden teams vs us/them, since that would become one more point of failure. Additionally, they like knowing that even if their office/server infra loses Internet, they can still access their password vaults.
While the Key Connector is an option for some, I wouldn’t call it a complete solution. It is one option, but needing to take all of the Bitwarden vaults in-house isn’t ideal as an only option. I can’t imagine they/we are the only clients that feel this way, especially with more and more migration to the cloud.
I completely agree with you @RPC. I have been trialing the Enterprise version of Bitwarden for the past few days for my organization. I love the product but I already know that I am going to have a difficult time selling my leadership on this tool due to SSO still requiring an additional master password for every user to remember. It would be great if we could have a truly SSO option for Azure AD integrations.
We too are currently evaluating Bitwarden and were surprised to find SSO still requires a master password. Hosting Bitwarden isn’t an option for us so this is certainly putting the brakes on what I thought would be an easy move.