What will this feature do differently?
Currently, Administrators and Owners are allowed to bypass SSO and log in directly to their vault. That allows recovery of the system in case SSO is down/broken. However, security best practice says that regularly used accounts shouldn’t have this ability. And, there is no category of user that allows user management but does not have the ability to bypass SSO. So, there should at least be the option to disable SSO bypass for Administrators (and limit it only to Owners).
What benefits will this feature bring?
Enhanced security.
Remember to add a tag for each client application that will be affected
I believe the existing configuration allows administrators to bypass SSO on all clients.
Related topics + references
Are there any related topics that may help explain the need and function of this feature?
Are there any references to this feature or function on other platforms that may be helpful?
Otherwise, I do believe Bitwarden is working on changing User permissions and Roles, as I understand, part of which will also allow for Owners not to automatically have access to all Collections, so this may be a good addition if it is something not already on the radar.
I reviewed this workaround of using the custom role; however, there is no custom role that provides the functionality of owner, so at least one shared-credentials user must be defined. A shared-credential user violates any security practice out there, and should itself be managed by Bitwarden…
A security product should not have any exception for security features… in this case the SSO is the organization policy enforcer.
I got a response that this is required for fixing a broken IdP integration; however, a complete breakage may be fixed by support or automation, for example by sending a new DNS TXT record for ownership proof.