Using regex with two page website logins

Hello All, I’m new to Bitwarden and seeking a better way to manage multiple user identities within many separate accounts we support. All the instances have the same login URL and a customerID distinguishes each account. Also, there is a two page login. The first page accepts the CustomerID and pops a login screen where the user password can be entered; the second screen has a different domain name but the customerID is available at the end of the URL. Can this be used to match the credentials?

I’ve tried setting up two URIs with regex on URI2 but it’s not working.
I’ve also looked at linked fields but since the domain names are different I don’t think that can work?

This is the first login URI:

https://signin.xxxxxxxx.com/?customerID=1156620645

The second login page (where the URL goes) is:

https://accounts.xxxxxxxx.ca/WebSTS/Login?originalPathAndQuery=%2FWebSTS%2F%3Fwa%3Dwsignin1.0%26wtrealm%3Dhttps%253a%252f%252fsignin.xxxxxxxx.ca%252fCustomerPortal%252f%26wctx%3Drm%253d1%2526id%253dpassive%2526ru%253d%25252fCustomerPortal%25252fSignin%25253fcustomerID%25253d1156620645%26wct%3D2024-03-09T23%253a58%253a40Z%26wreply%3Dhttps%253a%252f%252fsignin.xxxxxxxx.ca%252fCustomerPortal%252f%26iepolicyaware%3D1%26customerID%3D1156620645&customerID=1156620645

Bitwarden can launch the first page and pass the customerID as a URL parameter but is not proposing passwords on the second login screen. Also, it seems to only show the first five sites in its list from the domain; however, we have 20 or 30 separate sites with unique credentials to manage.

These are the regexes I’ve tried:

^https://accounts.xxxxxxxx.ca/WebSTS/Login?
customerID=1156620645$

/^https://accounts.xxxxxxxx.ca/WebSTS/Login?.*customerID=1156620645$/gm

customerID=1156620645$

How exactly is this supposed to work? Are there any worked examples we can see?

@spod_here Welcome to the forum!

There are several regex testers available online. Here is one:

Something like the following should work:

^https:\/\/accounts\.xxxxxxxx\.ca\/WebSTS\/Login\?.*customerID=1156620645$

Your main issue was that you need to escape characters like /, ., ?, etc. that have special meaning in the regex syntax. Use a backslash prefix (\) to escape such characters.
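
A worked check of the escaping advice above, as an added example that is not part of the original thread. It assumes the stored pattern is tested against the full page URL with JavaScript RegExp semantics; the function names, the shortened page URL and the second host are constructed for illustration.

```javascript
// Added example. Assumption: the stored pattern is tested against the full
// page URL with JavaScript RegExp semantics. All URLs below are constructed.

// Escape every character that has special meaning in a regex (and "/").
function escapeRegex(literal) {
  return literal.replace(/[.*+?^${}()|[\]\\\/]/g, '\\$&');
}

// Literal login prefix, then "?", anything, and the customerID at the very end.
function buildLoginPattern(loginPrefix, customerId) {
  if (!/^\d+$/.test(customerId)) throw new Error('customerID must be digits');
  return '^' + escapeRegex(loginPrefix) + '\\?.*customerID=' + customerId + '$';
}

function matches(pattern, url) {
  return new RegExp(pattern).test(url);
}

// Names of the (constructed) vault items whose regex URI matches the page.
function matchingItems(items, url) {
  return items.filter((it) => matches(it.pattern, url)).map((it) => it.name);
}

const PREFIX = 'https://accounts.xxxxxxxx.ca/WebSTS/Login';
const ESCAPED = buildLoginPattern(PREFIX, '1156620645');
// Unescaped form of the same pattern.
const UNESCAPED = '^https://accounts.xxxxxxxx.ca/WebSTS/Login?.*customerID=1156620645$';

// Shortened stand-in for the second-page URL, and a URL on a different host.
const PAGE = PREFIX + '?originalPathAndQuery=%2FWebSTS%2F%3FcustomerID%3D1156620645&customerID=1156620645';
const OTHER_HOST = 'https://accounts-xxxxxxxx.ca/WebSTS/Login?customerID=1156620645';

const VAULT = [
  { name: 'customer 1156620645', pattern: ESCAPED },
  { name: 'customer 1446743123', pattern: buildLoginPattern(PREFIX, '1446743123') },
];

console.log(ESCAPED);
console.log(matchingItems(VAULT, PAGE));
console.log(matches(UNESCAPED, PAGE), matches(UNESCAPED, OTHER_HOST));
console.log(matches(ESCAPED, OTHER_HOST));
```

The unescaped pattern still matches the real page, because `.` matches any character and `Login?` means "Logi" plus an optional "n", but it also accepts a host that is not `accounts.xxxxxxxx.ca`. Only the escaped form pins the host exactly.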

Thanks, it’s kinda working. Some clients open to the second page with the user and PW matched but most are not populated. It’s like it only looks through the first 4 or 5 sites and leaves the rest un-searched; is there a way to increase that? On the second pages, if I go back into the vault then the regex is working and it’s matching but it’s not a seamless one step process. Is this expected behaviour?

Unless there is some configuration error on your part, then I would expect Bitwarden to make available all successful URI matches.

First let me understand your situation. If the URL in the browser already has a specific customerID string, why would you have multiple login credentials in your vault for the same customer (on the same website)?

Second, as a quick diagnostic test, edit the 4-5 vault items that do match for a given site, and change the URI match detection from “Regular Expression” to “Never”. When you now return to the same site, do you get matches to a different set of 4-5 vault items? If so, this would suggest that there is some limit (whether intentional or unintentional) on the number of regex matches that can be processed.

Thanks for your help so far.

Indeed the credentials are the same and are only actually passed for authentication on the second page.
The first page is a landing page; it accepts a customer ID and generates a login page that is dynamic. There is a date time stamp in it, meaning it’s different each time it’s generated.
I want to use the regex to pass my credentials on the second page.
When the second page arrives, the credentials are not populated and there is not a BW icon present.
If I right click and open BW, I see the site and it will pass my credentials and I can login, so I believe the regex is working because the list is filtered.

I feel there must be a limit that it can address?
The first time I set up an account, it works and populates my user and PW.
But as I add the other accounts, it stops and I have to right click. Even if I set the default match to never on every other account then it does not populate the user+PW on the one remaining match.

Now I don’t know; it seemed to be working initially. While the PW was not prompted, I could right click and match on the site and then login. I thought that would be good enough so went through and added all the rest of the sites but now it’s stopped working again.

I just tried again. I went back to your regex and the first site worked but there were two sets of credentials to pick from (making me think the regex is not filtering).

I added a third site and retested and it didn’t find my credentials again, but the first one still works (except it returns two accounts but only one should match).

This is the regex:
^https://accounts.xxxxxx.ca/WebSTS/Login?.*customerID=1446743123$

This is the URL for authentication:
https://accounts.xxxxxx.ca/WebSTS/Login?originalPathAndQuery=%2FWebSTS%2F%3Fwa%3Dwsignin1.0%26wtrealm%3Dhttps%253a%252f%252fsignin.xxxxxx.ca%252fCustomerPortal%252f%26wctx%3Drm%253d1%2526id%253dpassive%2526ru%253d%25252fCustomerPortal%25252fSignin%25253fcustomerID%25253d1446743123%26wct%3D2024-03-12T23%253a47%253a01Z%26wreply%3Dhttps%253a%252f%252fsignin.xxxxxx.ca%252fCustomerPortal%252f%26iepolicyaware%3D1%26customerID%3D1446743123&customerID=1446743123

I’m still confused about the relationship between accounts and customers. For each Customer ID, are there multiple accounts? Or does each customer (Customer ID) correspond to a single account?

Again, you need to escape special characters using \.


I feel like there are a lot of different things going on at the same time, so I think it’s best if we try to simplify things:

  • You mention absence of a “BW icon”. I assume that you are referring to the icon that is rendered inside the username or password field. This is a relatively new feature, and I recommend that you disable it (at least until your other issues are sorted out). Go to Settings > Auto-fill and set the option “Show Auto-Fill Menu on Form Fields” to “Off”.

  • You mention credentials not being “populated” when a page arrives. I assume that you are referring to the feature that automatically auto-fills login credentials when a page is loaded. For security reasons, and to simplify troubleshooting, I recommend that you disable this feature (at least until your other issues are sorted out). Go to Settings > Auto-fill and uncheck the checkbox for the option “Auto-Fill on Page Load”.

  • To facilitate troubleshooting, go to Settings > Options and make sure that the option “Show Badge Counter” is enabled, and also make sure that the Bitwarden browser extension is pinned, so that you always see the Bitwarden icon at the top of your browser (next to the address bar).

  • When you’re on a web page that is meant for inputting a username and/or password, look at the Bitwarden browser extension icon at the top of the browser. If there are any matching credentials in your vault, then the icon should have a small overlay in its corner, displaying the number of matching vault items.

  • If the number of matching entries is larger than expected, then there is something misconfigured in those vault items that are matching even though they are not relevant for the web page at hand.

  • If the number of matching entries is smaller than expected, then there is something misconfigured in those vault items that are missing from the list of matching vault items.

  • To see the list of matching vault items for the currently loaded web page, either left-click the Bitwarden browser extension icon at the top of the browser, or right-click anywhere on the web page and select Bitwarden > Auto-fill Login.

 

Please answer my question (about the difference between customers and accounts), then make the changes suggested above, and let me know whether you are experiencing a problem of matches that are extraneous or missing.

The application is a multitenant SaaS app that we support.
A customer is a separate tenant ID in that app.
For each customerID there are user names and PWs; sometimes we have more than one identity in the customerID.

We need BW to pass the customerID on the first page, then on the second page it needs to match on the customerID.

Show auto-fill menu on form fields: I have set it to OFF.
Auto-fill on page load is already unchecked.
Show badge counter is also already checked.

Apologies, the sample regex I sent last was an old version; I should have sent: ^https://accounts.xxxxxx.ca/WebSTS/Login?.*customerID=1976666337$

When I visit this login page:

https://accounts.xxxxxx.ca/WebSTS/Login?originalPathAndQuery=%2FWebSTS%2F%3Fwa%3Dwsignin1.0%26wtrealm%3Dhttps%253a%252f%252fsignin.xxxxxx.ca%252fCustomerPortal%252f%26wctx%3Drm%253d1%2526id%253dpassive%2526ru%253d%25252fCustomerPortal%25252fSignin%25253fcustomerID%25253d1976666337%26wct%3D2024-03-14T03%253a09%253a42Z%26wreply%3Dhttps%253a%252f%252fsignin.xxxxxx.ca%252fCustomerPortal%252f%26iepolicyaware%3D1%26customerID%3D1976666337&customerID=1976666337

There are four other customer IDs showing in the badge counter; one is correct and the other three should not match.

This is the regex for the correct site:
^https://accounts.xxxxxx.ca/WebSTS/Login?.*customerID=1976666337$

But the list also shows these but I don’t know why. I checked the regex.101 on the login page and there is not a match and yet they show in the badge counter and in the right click, context menu, BW and Autofill login.

^https://accounts.xxxxxx.ca/WebSTS/Login?.*customerID=1342224223$
^https://accounts.xxxxxx.ca/WebSTS/Login?.*customerID=1446743123$
^https://accounts.xxxxxx.ca/WebSTS/Login?.*customerID=1355105906$

I also don’t understand why only those three are showing. There are 20 odd passwords all with distinct account IDs. Why don’t these show up, leading to my suspicion Bitwarden has a limit to how many times it will iterate through a list of possible regex?

^https://accounts.xxxxxx.ca/WebSTS/Login?.*customerID=1191794983$
^https://accounts.xxxxxx.ca/WebSTS/Login?.*customerID=1900941364$
^https://accounts.xxxxxx.ca/WebSTS/Login?.*customerID=1781834232$
^https://accounts.xxxxxx.ca/WebSTS/Login?.*customerID=1156620645$
^https://accounts.xxxxxx.ca/WebSTS/Login?.*customerID=1120449524$
^https://accounts.xxxxxx.ca/WebSTS/Login?.*customerID=1120109763$

Something odd: I was running through all the passwords to ensure the regex was consistent. As I updated for each customerID PW, I refreshed and checked the badge count. Adding the next password did not increase the total count but when I added the very next PW, the count increased to 5. As I added the other PWs the site count did not increase any more and some of the sites not showing already had the correct regex.

I have no idea why PWs sometimes show and other times don’t. Here is my guess:

The regex is working; each time I go to login to one of the customerIDs it returns the correct PW to login with their credentials. It also proposes another random three or four sites that are similar but should not match.

It should look as follows (with escape characters):

^https:\/\/accounts\.xxxxxx\.ca\/WebSTS\/Login\?.*customerID=1976666337$

I believe that the forum post editor is “unescaping” your escape characters, though. To avoid miscommunication, please use the editor’s “pre-formatted text” button </> to format any regex code in your comments.

For now, I will assume that your regex code is correct.

My next suggestion would be to open any one of the extraneous matches (that appear in the list of matching logins even though they are for a different customer ID), and check whether there is more than one URI value stored in those items. If so, it is likely that those other URIs (not the regex) are the cause of the false match. One way to test this is to set the URI match detection to “Never” for the regex URI. If the item is still matching, then it is one of the other URIs that is causing the item to match.

And is it correct that you no longer are having an issue with accounts that are not matching when they should (because they do have a matching customer ID)?

Each PW has two URIs: the first page where the custID is passed and the auth page. The two pages have separate domains so one can’t be finding the other, and I also checked in regex 101 to ensure there is no match. Should BW be populating the PW on the second page because it does not, probably because there is not one match?

Questions: If one record matched, would BW be expected to fill in the credentials and log me in? Another question please: if we set up SSO (as an enterprise customer), would that mean we don’t have to enter the master PW on every use (I see it can be extended but looking for something less reliant on having to remember a PW), or can it use biometrics or anything else other than having the master PW written down?

No. If you enable the option “Auto-fill on Page Load” (and set the “Default autofill setting for login items” value to “Auto-fill on Page Load” — or override the default autofill setting by editing the item-specific setting), then Bitwarden will auto-fill the most recently used login credentials automatically as soon as the webpage has been loaded (provided that the webpage is rendered in such a way that the username and/or password fields exist in a recognizable form when the page is first loaded). However, for security reasons Bitwarden will never auto-submit a login form.

For troubleshooting purposes, I’ve suggested that you disable “Auto-fill on Page Load” (and you indicated above that you’ve done so).

With Auto-Fill on Page Load disabled and inline auto-fill also disabled, you can still easily auto-fill using the keyboard combination Ctrl+Shift+L.

I don’t use the Enterprise plan, so I can’t answer your questions about SSO.


Back to your issue:

Can you provide some more information about how you’ve configured the URIs for the first page? You’ve said:

  • What is the exact form of string that is stored in the vault item?
  • What is the URI match detection setting associated with that URI?
  • In this “first page” URI, is the value of xxxxxxxx in the xxxxxxxx.com domain the same as the value of xxxxxxxx in the xxxxxxxx.ca domain where the “second page” is located? And is it accurate that the only difference in those base domains is that the TLD is .com for the “first page” and .ca for the “second page”?