Yes, this is expected behavior based on Bitwarden’s zero-knowledge encryption model. If you want to bypass the need for a master password, we also provide the option for organizations who self-host Bitwarden to connect login with SSO to your own self-hosted decryption key server using Key Connector.
If this is something you’re interested in setting up for your organization, please reach out to our support team for more details!
Q: Do I need to enter my SSO identifier every time I login?
A: Nope! Bookmarking the Enterprise Single Sign-On page with your SSO identifier included as a query string will save you the trouble of entering it each time. For example:
https://vault.bitwarden.com/#/sso?identifier=your-org-id for cloud-hosted instances
https://your.domain.com/#/sso?identifier=your-org-id for self-hosted instances