Windows client asks me to make new Master Password when logging into existing self-hosted SSO instance?

Hi, my organization uses a self-hosted instance, with SSO configured. I do not administer the service; I’m just a user.

Up until now I’ve always just used the web client (without any browser extension). It works as follows:

  • I browse to our Bitwarden URL
  • I enter my email address and click “Continue”
  • I’m asked for my Master Password, but I click the “Enterprise single sign-on” button instead
  • I enter our org’s SSO identifier and click “Log in”
  • I get redirected through our SSO service
  • I either authenticate as myself (with MFA), or it seamlessly uses my active SSO session
  • I get redirected back to our Bitwarden URL
  • I’m asked for my Master Password again
  • I enter my Master Password, click “Unlock” and I’m logged in successfully

Today I decided to install the Windows client. When I launch the Windows client the following happens:

  • I open the desktop app
  • I enter my email address and click “Continue”
  • I’m asked for my Master Password, but I click the “Enterprise single sign-on” button instead
  • A browser window is launched (using my configured default browser) to a vault.bitwarden.com URL, which redirects to our SSO service
  • I either authenticate as myself (with MFA), or it seamlessly uses my active SSO session
  • The browser is redirected back to https://identity.bitwarden.com/sso/ExternalCallback
  • The browser prompts me to allow the site to open the Bitwarden desktop app (unless I’ve already configured it to always allow this)
  • Focus returns to the desktop app, where I am asked to create a new Master Password, regardless of the fact that I already have one.

Why am I being asked to create a new Master Password? Are we supposed to have a separate Master Password for each client (web vs. desktop vs. mobile)?

Thanks and regards,

Not totally sure, but one possibility is that the administrator of your organization has enabled or updated the master password policy to require stronger passwords for end users. In this case, the next time you log in you would be informed of this and prompted to set a new password. I would expect there to be a callout explaining the requirements.

Thanks for the response.

That wasn’t relevant, but I did figure it out. By default, the Windows client attempts to connect to bitwarden.com, and not to my own org’s self-hosted Bitwarden URL (obviously). I falsely assumed that it would somehow know the correct URL via the SSO process, but that is not the case, so I was being asked for my Master Password for the bitwarden.com cloud “instance”.

There is an easily-overlooked dropdown menu underneath the email address field when you first launch the client which says “Logging in on: [source]”. By default, “bitwarden.com” is selected here. I had to select “self-hosted” and fill out our org’s Bitwarden URL in the dialog that pops up. It was also a bit finicky to get it to save this URL, but I eventually fumbled my way through it.

After doing that and continuing through the normal SSO process I was asked for my existing Master Password, as expected.

Part of the confusion here I suppose comes from the fact that I didn’t expect to be able to successfully authenticate to a bitwarden.com instance through our org’s SSO. I would have expected some error message saying that I don’t have an account with bitwarden.com or something. In reality I’m guessing we could probably log into the bitwarden.com cloud instance and use it if we really wanted to, though I have no interest in setting up a new Master Password to test that.

Ah, interesting! Technically, you were just-in-time provisioned as a new user to the cloud instance.