Sync users from Active Directory (with LDAPS), but how about SSO?

So we have a locally hosted bitwarden environment and a AD in place. I setup the sync application as is documented here:
https://help.bitwarden.com/article/ldap-directory/

That all works fine. But as I understand it, the application only syncs users to invite them to bitwarden. There is only a

My feature requests are:

  • make the documentation clearer on what the application actually does. I assumed some things and when I tried to find the functionality of the app, I couldn’t find it (even on github).
  • I would like to give my bitwarden users a ldap login and authenticate against AD (ldap) instead of just syncing the users, basicly a SSO. We now have different passwords for bitwarden and all our other Office services.

Bitwarden uses end-to-end encryption which requires the use of a master password. This type of design is not conducive with SSO integration to a directory since the user will always still be required to type their master password (encryption key) each time they log into the application to unlock the vault data. The directory sync tool provides the functions to automatically provision and deprovision users, groups, and group associations from your configured user directory. It is not an SSO solution.

1 Like

Now that SSO is on the roadmap, how is it planned to work?

@ptman - OpenID / SAML for authentication. End users will still leverage the security of their master password to decrypt their vaults.

For me at least, the key feature of SSO here is not whether the user needs to provide a master password, but that I can remove the user from our IdP and they no longer have access to their bitwarden account - with our without the master password. We have about 100 users and we need to make on/off boarding as quick as possible. Will the solution you’ve currently proposed work in this way?

Also - we don’t use ActiveDirectory, we use our Google accounts as a SAML IdP - will that be a problem?

@martinh - yep! When you’re off the IdP, you’re out. And to my knowledge, Google SAML should be just fine :+1: