How to configure SSO login for Vaultwarden?

[cat1555]

Hello everyone, I would like to use the SSO feature in Vaultwarden, but I’m not sure how to configure it. I’ve looked up some information, but it’s quite scattered. Does anyone in the community have practical experience and could share some guidance?

[BlackDex]

See https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect

[cat1555]

Thank you, but it's my first time using it and I'm not sure what parameters need to be enabled

[Ra72xx]

I want to chime in on this discussion: The setup for SSO with Authentik worked quite flawlessly for me, however there are a few things which I don't understand:

• I now seem to have the option to a) login with SSO or b) log in with master password. Both login options seem to do the same, but in case of a) I also have to enter the master password after the SSO procedure. Is this expected behaviour, and, if yes, what is SSO good for then?
• I managed to get Brave browser plugin, Linux app and Android app to expect the master password only on the first login and then use biometrics and/or PIN instead. That's fine for me. However, using the web interface in a Brave browser window keeps logging me out all the time, even during active interaction with the web interface (and while the extension in the same browser instance keeps logged in). Why?

My environment:

SSO_ENABLED=true
SSO_ONLY=true
SSO_AUTH_ONLY_NOT_SESSION=true
SSO_AUTHORITY=xxx
SSO_CLIENT_ID=xxx
SSO_CLIENT_SECRET=xxx
SSO_SCOPES="profile email offline_access"

The SSO_AUTH_ONLY_NOT_SESSION I did add because I hoped this might stop Vaultwarden from logging me out all the time, but it didn't help.

Whatever, thank you for adding SSO to Vaultwarden.

[cat1555]

Hello, which image version are you using to configure SSO? After configuration, it shows "SSO sign-in is not available.

[BlackDex]

I'm not using SSO my self, and haven't really dived deep into all possible combinations to be fair, so not much i can help for that.

Regarding the master password, that is how it works, read the first note here https://bitwarden.com/help/about-sso/ , the actual password is needed to decrypt the keys.

Regarding browsers logging you out, that might be a browser setting or extension not storing cookies/local storage, or cleaning them up.

[Ra72xx]

That was a quick reply ;-).
I understand that (unfortunately, I might say) the master password is still necessary when using SSO. However, I don't understand why, with a given mail address as account name, I have the options to log in with master password or to login in with SSO (and then enter the master password afterwards nevertheless). Both variants seem to do the same in the end, but it makes me wonder why (this makes SSO obsolete again). Especially as I have enabled "SSO only" login.
The browser has no special extension, it's more or less vanilla Brave. My self-hosted site has been excluded from all Brave-specific privacy measures. Simply reloading a page logs me out.

[BlackDex]

Using SSO makes user management easier for companies.

Also, a refresh always logs you out as a security measures.
Also, it isn't logout, but lock i think. But maybe using SSO causes it to be different.