Prevent Administrators from bypassing SSO

Feature name

Prevent Administrators from bypassing SSO

Feature function

  • What will this feature do differently?
    Currently, Administrators and Owners are allowed to bypass SSO and login directly to their vault. That allows recovery of the system in case SSO is down/broken. However, security best practice says that regularly used accounts shouldn’t have this ability. And, there is no category of user that allows user management but does not the ability to bypass SSO. So, there should at least be the option to disable SSO bypass for Administrators (and limit it only to Owners).

  • What benefits will this feature bring?
    Enhanced security.

  • Remember to add a tag for each client application that will be affected
    I believe the existing configuration allows administrators to bypass SSO on all clients.

Related topics + references

  • Are there any related topics that may help explain the need and function of this feature?
  • Are there any references to this feature or function on other platforms that may be helpful?

Would having a backup Owner account, and regular admins are assigned custom role permissions which does allow for User Management work for this case?

If you are self-hosting this can also be enforced with the use of environmental variables as noted.

Variable Description
globalSettings__sso__enforceSsoPolicyForAllUsers= Specify true to enforce the Require SSO authentication policy for owner and admin roles.

Otherwise, I do believe Bitwarden is working on changing User permissions and Roles as I understand, partly which will also allow for Owners not the automatically have access to all Collections, so this may be a good addition if is something not already on the radar.

Yes, the Custom role is a workaround for this case. It’s still inappropriate for the default Administrator role to be able to bypass SSO.

I’ll be eager to learn more about the changes to permissions and Roles.

I reviewed this workaround of using the custom role, however, there is no custom role that provides the functionality of owner, so at least one shared credentials user must be defined, a shared credential user violates any security practice out there, and should itself be managed by Bitwarden…

A security product should not have any exception for security features… in this case the SSO is the organization policy enforcer.

I got a response that this is required for fixing broken Idp integration, however, a complete breakage may be fixed by support or automation, for example sending a new DNS TXT record for ownership prof.