bitwarden/server
SSO / SAML
Active contributors: auth team.
Purpose
Bitwarden's enterprise customers can require their members to sign in with the company's SSO IdP. The flow is conceptually:
- The user clicks "Continue with SSO" in the web vault.
- The web vault redirects to
Identitywithgrant_type=sso(deferred — first the user has to actually log in via SSO). Identityredirects to the Sso host, which figures out the user's organization, looks up the SSO config, and redirects to the customer IdP (SAML 2.0 or OIDC).- The IdP returns the assertion / id-token.
Ssomints a one-shotSsoTokenableand redirects back toIdentity.Identityconsumes the tokenable viaSsoExtensionGrantValidatorand issues a Bitwarden access + refresh token.
If the org has the RequireSso policy on, master-password login is blocked for that org's members.
Where the code lives
| Concern | Path |
|---|---|
| Sso host | bitwarden_license/src/Sso/ (see apps/sso) |
| Identity host bridge | src/Identity/Startup.cs (AddOpenIdConnect("sso", ...)) |
| SSO domain | src/Core/Auth/Sso/, src/Core/Auth/Entities/SsoConfig.cs, SsoUser.cs |
| Tokenable | src/Core/Auth/Models/Business/Tokenables/SsoTokenable.cs |
| Grant validator | src/Core/Auth/IdentityServer/RequestValidators/SsoExtensionGrantValidator.cs |
| Web admin config | src/Api/AdminConsole/Controllers/SsoConfigsController.cs |
| Schema | src/Sql/dbo/Tables/SsoConfig.sql, SsoUser.sql |
Key abstractions
| Type | Description |
|---|---|
SsoConfig |
Per-organization SSO configuration (protocol, IdP entity-id, signing certs, claim mapping). Stored encrypted with data protection. |
SsoUser |
A confirmed mapping between an Organization member and a unique IdP claim (SsoUser.ExternalId). Created on first successful SSO login. |
SsoTokenable |
Signed payload Sso emits with the user id, org id, and an expiration. The only way Identity knows the customer IdP authenticated this user. |
SsoExtensionGrantValidator |
Validates the tokenable, checks the Identity-side org membership, applies the RequireSso policy, and produces the access token. |
RequireSsoPolicyValidator |
(src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/RequireSsoPolicyRequirement.cs) — gates master-password login when the org enforces SSO. |
How it works
sequenceDiagram
participant Web
participant Id as Identity
participant SSO as Sso host
participant IdP as Customer IdP
participant Db
Web->>Id: GET /sso/start?orgId=…
Id->>SSO: redirect (OIDC challenge)
SSO->>Db: load SsoConfig for org
SSO->>IdP: SAML AuthnRequest / OIDC redirect
IdP-->>SSO: SAML Response / id_token
SSO->>SSO: map claims, ensure SsoUser
SSO->>Id: redirect with SsoTokenable
Web->>Id: POST /connect/token (grant=sso, code=tokenable)
Id->>Db: SsoExtensionGrantValidator validates
Id->>Db: enforce RequireSso policy
Id-->>Web: access_token + refresh_token + userDecryptionOptionsIf the user is not yet an OrganizationUser, the flow can also create / accept the membership automatically based on SsoConfig settings (AutomaticInvite etc.).
SAML / OIDC libraries
- SAML —
Sustainsys.Saml2.AspNetCore2(currently 2.11.0, bumped in PR #6207, 2025-10-08). - OIDC — Microsoft's
Microsoft.AspNetCore.Authentication.OpenIdConnectregistered inbitwarden_license/src/Sso/Startup.cs.
The shared SAML / OIDC option builders that map SsoConfig to handler options live in bitwarden_license/src/Sso/Utilities/.
Self-host
A self-hosted enterprise customer can run Sso as part of the bundled stack. Configuration is per-organization, edited in the Web Vault Admin Console UI; the Api host writes the encrypted SsoConfig row.
Trusted Device Encryption
For SSO-only orgs that do not want users to remember a master password, the Trusted Device Encryption (TDE) flow ships the wrapped user key on a per-device basis. See auth.md and src/Core/Auth/UserFeatures/DeviceTrust/. The TDE off-boarding path lets a user opt back into a master password later; the related code lives under src/Core/Auth/UserFeatures/TdeOffboardingPassword/.
Entry points for modification
- Adding support for a new SAML profile or NameID format → extend
bitwarden_license/src/Sso/Utilities/Saml2OptionsBuilder.cs. - Tightening the SSO callback →
SsoExtensionGrantValidatorandSso/Controllers/AccountController.cs. - New per-org SSO setting → extend
SsoConfig(and the encrypted-payload modelSsoConfigurationData) plus the Admin Console UI. - Changing
RequireSsoenforcement →RequireSsoPolicyValidator.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.